SOX Compliance and BS7799 Part 2: 2002 150

  • By way of background, my work has been with evaluating security programs to determine compliance with regulations like HIPAA, GLB and Sarbanes. Section 404, which is the most pertinent part of the regulation that ‘requires’ security controls, is being interpreted in a number of ways - based on the intent of the assessor, auditor or reviewer.
    So let me answer the question in a few different ways.
    If you are executing a risk analysis effort on the part of your company in order to create a unified approach to meet all of your organization’s security and privacy requirements and you are wondering if the activity that you are undertaking in being an ISO 17799 organization is allowing you to meet the intent of the Sarbanes Oxley security requirements - then the answer is yes.
    If you are wondering if the work that you have done in being an ISO 17799 organization will meet the requirements for the IT portion of the formal Sarbanes Oxley audit, then the answer is no, or very likely no, since it depends on your auditor.
    As one of the other commenters mentioned, the focus is heavily on the creation, management and distribution of financial information which is stored in your core enterprise applications. Your auditors will want to know not just what your controls are, but whether they ensure segregation of duties in maintaining the security and integrity of financial data – and, oh by the way, do you audit or monitor those applications to ensure your controls work.
    If you believe that your ISO security program provides demonstrable proof of everything that is mentioned in the above paragraph, then you will be in good shape.
    I think you should take a look at ISACA’s CoBIT based interpretation of the Sarbanes requirements. At a strategic level this is a great means to ensure the work that you do on behalf of ISO and Sarbanes is as closely aligned as possible.
    Best of luck.

  • Well put. Good first post newbie 😉

  • Nothing left to comment on. Perfectly right.
