IT Policies 2132

  • Hi all -
    I know policies vary from company to company and it covers a wide sprectrum. I am curious to know the following:

    1. Which ones are SOX critical (eg. IT Security Policy vs. Acceptable Use)
    2. Within the IT Security Policy, what deems critical in terms of content?
      If you could share your own experience and thoughts on this, I would greatly appreciate that. I am curious to know what the consensus and philosophies are regarding the above items.
      Thank you in advance for your feedback.

  • Hi SG - Some brief comments are shared below:

    1. All policies that protect financial data or access to the related systems are critical from a SOX perspective. As security is only as strong as it’s weakest link, every IT or general security policy can play a role in protecting the overall financial environment. Special SOX related controls will be present and can be handled separately by the SOX compliancy team (e.g., SOD, controls testing, autonomy levels, e-library, 7-year retentions, special workflows, etc.)
    2. Where possible SOX related standards should be blended into the overall policy and security framework, so that there is a single set of guidelines for both financial and non-financial systems. For example, if there are two different change management or production release systems it can create confusion, (e.g., one for financial and another for non-financial systems).
    3. COBIT 4 is widely used by external auditors to help validate SOX 404 compliancy. Research of these guidelines can be beneficial.
    4. Where possible, companies should try to exceed the minimum security guidelines and implement the best levels of security protection possible. While meeting SOX guidelines are critical, it’s even more important to keep the ‘bad guys’ out and ensure your business environment is protected from the adverse risks present in email, the Internet, and other areas. Certainly, security needs to be balanced, so users don’t have to go through ‘Fort Knox’ to access their applications, but where possible err on the side of sound security principles everywhere you can.
    5. Security awareness plays an important role in complementing good technological controls. We must teach users that they play an important role in safeguarding the intellectual and financial assets for a company. In formal presentations in the past, I’ve used an opening slide of SEC-U-R-IT-Y (‘You are it’) to illustrate that they must be careful with information (e.g., whether it’s email or even in conversations with others).
    6. Policies, procedures, and standards should be placed on the corporate Intranet as a ‘living breathing document’ so they can be changed easily, shared in email links, and referenced easily by anyone who needs to know. They must written and organized in a manner that’s easy to understand by everyone (e.g., avoid technical terms, keep it simple, etc)

  • Some of them which comes to mind immediately are:

    1. SDLC
    2. Change Management
    3. IT Security policy ( focus on access for in-scope applications and systems)
    4. Operational policies - especially around Batch Processes, backup/restore (handling of storage media included)
      Some of these policies may be tested themselves for the fact that they are established and approved by proper authority.

Log in to reply