As security is such a major theme on the Act, many organizations are using the international ISO standards. The ISO 27001 Portal outlines these. A copy of the standards, and security policies, can be obtained via the ISO 17799 Toolkit.
Our server logs indicate some interesting mis-spellings: Sarbannes Oxley, Sorbane Oxley, Sarbanne Oxley, Sarbaines Oxley, Sarbanesoxley, Sorbanes Oxley, Sabanes Oxley, Sarbane Oxley, and Sarbanes Oaxley, to name but a few!
Sarbanes-Oxley Act Forum: Forums
The Sarbanes Oxley Act :: View topic - Which Cobit Processes Most Relate to SOX
COBIT 4.0 does not affect SOX efforts. I have utilized those Appendix C illustrative controls on a variety of client in different industries viz. Courier, Franchise, Manufacturing, Transit, Public Transportation, Education etc. They are indeed pervasive.
So go ahead fine tune those controls to suit your environment.
All the best.
Nothing is out of scope in those controls. For e.g. those illustrative controls do not cover disaster recovery, as disaster recovery (business contingency planning) is out of scope for SOX.
Joined: Nov 25, 2004 Posts: 787 Location: London, UK
Posted: Wed Mar 08, 2006 6:05 am Post subject:
I'm nervous about whether Appendix C is complete, for a multinational NYSE listed company with about $600M turnover in the medical area. I can see a lot more that could be in scope (devil in the detail).
We have applied Cobit in a company 50 times larger than yours, you shouldn't worry about that.
I'm also interested whether any of the illustrative controls have been shown to be weak or out of scope.
The illustrative controls are..... well.... just illustrative. This may the reason you are getting frustrated with the lack of a firm answer to your questions.
What is important is the control objectives as these represent the risks that you are expected to control, the ITGI paper narrows down the list of Cobit objectives to the ones that you need to meet for Sox. The illustrative controls represent, typically, how you might control those risks and many companies have sought to include these in their organisational IT standards. However you could implement none of these and still be controlled or all of them and not be. What is required is on a system by system basis to determine what controls are appropriate for that system in your organisation the illustrative controls can help you in this but it ultimately requires judgement.
I know that life would be much easier if you could just follow a checklist, but sorrylife ain't like that any more. _________________ "The art of life is to deal with problems as they arise, rather than destroy one's spirit by worrying about them too far in advance" - Cicero
All times are GMT - 6 Hours Goto page Previous1, 2
Page 2 of 2
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.