Need your help 1143



  • Once again, I am reaching out for some support and help with this.
    As many of you are aware, getting top management support for SOX (or even to follow best practices) is sometimes very difficult. They want see the SOX requirements to justify why they should support any control being in place.
    One recent example is for us to justify why we need a secure data center. Using COBIT as the framework and addressing this risk:

    Inappropriate or unauthorized access to the organizations computer facilities including the computer room, increases the risk of accidental or intentional damage to business critical servers, which could ultimately affect processing capabilities and system availability.
    Still, that is not enough for the top management. They want to ‘see the compliance regulations that mandate a secure data center’ for their ERP system.
    Can someone PLEASE assist me on how I can convince them and address the quoted statement??
    Any insight on how you’ve handled this type of inquiries to convince the skeptical ones, I’d really appreciate it.
    Thanks,
    SG



  • I’ve not seen a regulation spell out specifically ‘secure data center’. However there are many companies that are also performing efforts to be PCI compliant (security standards for companies accepting credit cards), which does require this level of security.
    I don’t think you can win the arugment if you only focus on finding the specific words in existing regulations because those are written to be broad in nature.
    I think you can persuade management to assess the risk of not having a secured data center. After all we are supposed to be taking a risk based approach to SOX. If they spend a bit of time evaluating the risk they may see the light. You may have to help them brainstorm on risks and consequences because they may think they are invincible (nothing could ever happen to them).
    Even if they don’t see the light, then they will have to document the risk of an unsecured data center and why they are choosing to accept the risk. If they can’t justify it and get upper managment’s agreement to it, then they will have to address it. Also, they will have to discuss this with their external auditor who will probably not let them get away with it.
    You can also pose the question to the external auditor as to whether an unsecured data center would be viewed by them as a material weakness.
    There are many many articles on physical security. A couple of links below may be helpful to review.
    searchcio.techtarget.com/originalContent/0,289142,sid19_gci968591,00.html?bucket=NEWS
    sans.org/rr/whitepapers/awareness/416.php
    Good luck.


Log in to reply