Writing Policies for IT Strategies _and_amp; Planning 2212

  • Can someone help me with this. I’m trying to write a policy for ‘IT Strategies and Planning’ for IT Sox compliance. I’m have trouble with what exactly should be included in this policy. This company has no such policy at all. If anyone can help me, it will be highly appreciated.

  • Hi - As a starting point, policies should be brief and fairly static (reflecting goals and key control points), rather than being highly detailed and subject to change like standards or procedures are. Below are some older threads discussing how to write IT policies
    The following ideas might help, as it’s easy to get ‘writers block’ when developing something new like this 😉 🙂

    1. Brainstorm on the goals of SOX, where IT Financial systems must be controlled from a security standpoint as well as through other best practices to mitigate and control risk factors
    2. Then think of about the goals associated with IT Strategies and Planning, where you develop future plans and directions for your technological infrastructure and application systems
      Combining points 1 and 2 into a related policy might read as follows:

    SOX Policy - IT Strategies and Planning Framework
    As technology and application systems are subject to constant change, the company must assess and document it’s future directions. When systems are either directly or indirectly associated with financial results, special care must be taken to ensure they meet the requirements associated with Sarbanes-Oxley (SOX) regulatory controls.
    Some related policy guidelines include:

    • Identify and document all SOX requirements within all future IT planning and strategy proposals.
    • Ensure technological, security, and human behavorial controls are stated goals and requirements for new applications affected by SOX requirements.
    • Ensure special SOX requirements are met for backloading master files and history into new applications
    • Ensure SOX requirements and controls are part of the SDLC, change control, and change management processes during implementation of new applications.
    • Ensure SOX requirements will be met in any vendor supplied solution implemented

    I’m not certain if these ideas fully covers all needs and hopes this provides a starting point for the process

  • Thank you so much, that will give me a starting point for this paticular one. I appreciate the help.

  • How many entity level policies should i have?.. should i have one and then sub policies for each section/area…does anyone knows if there is a different approach for JSOX?

Log in to reply