IT Governance, Controls and Security:
Supporting Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA Compliance
Jim Haggard
Inovis

Topics
• Current State of Compliance
• Regulatory Requirements
• Security and Privacy Tenets
• Sarbanes-Oxley
• Sarbanes-Oxley Compliance Frameworks
• Solutions for Data/Document Security and Integrity
Current State of Compliance
• Has your organization been working hard over the past year (or more) to comply with government compliance mandates?
• Do the terms Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, COSO and COBiT sound familiar?
• Are the IT controls currently in place within your company lacking in areas that raise serious questions?
Current State of Compliance
• How many security gaps exist because of multiple systems with little to no integration and less than adequate data security?
• How many different technology solutions addressing the same purpose are implemented throughout your company?
• How many processes and systems may compromise the integrity of the data?
• How many possible points of failure may negatively impact the flow and integrity of data that will ultimately be used to produce financial reports?
• How many technology vendors are you dealing with?

Regulatory Requirements
• Sarbanes-Oxley Act (SOX)
– Holds Senior Executives accountable (CEO and CFO)
– Includes implementation of Controls and Procedures
– SOX applies directly to public companies
– Public companies are scrutinizing private companies
• Gramm-Leach-Bliley (GLB)
– “Financial Privacy Rule” and “Safeguards Rule”
– Applies directly to Financial organizations
– GLB may impact companies in the extended Financial Services Value Chain (FSVC)
• HIPAA
– Privacy of personal health information
– Applies to all companies/organizations that maintain or exchange personal health information

Key Security and Privacy Tenets
• Privacy – Message content privacy is provided via data encryption
• Authentication – Provided via the Sender’s digital signature
• Integrity – Hash totals are enclosed in Message Disposition Notifications (MDNs)
• Non-repudiation – Provided via signed MDN receipt acknowledgment
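The four tenets above are what an AS2-style exchange delivers in one round trip: the sender signs and encrypts, the receiver decrypts, verifies the signature and returns a signed MDN carrying its hash total (the MIC), and the sender checks that MDN. The Python below is an added example, not code from the presentation or from Inovis; every function name is mine, and textbook RSA with small fixed primes plus a SHA-256 keystream stand in for the X.509/S-MIME and AES machinery of a real AS2 implementation. It also walks two failure modes the tenets exist to catch: a payload altered in transit, and an MDN altered after it was signed.

```python
"""Toy walk-through of the four tenets as an AS2-style document exchange.

Added example, not code from the presentation or from Inovis. Stand-ins are
labelled: textbook RSA with small fixed primes replaces the X.509/S-MIME
machinery a real AS2 stack uses, and a SHA-256 keystream replaces AES. Only
the structure matters: sign (authentication), encrypt (privacy), and a signed
MDN carrying the receiver's hash total (integrity and non-repudiation).
"""
import hashlib
import secrets


def make_toy_keypair(p, q, e=65537):
    """Textbook RSA from two fixed small primes (toy only; real keys are ~2048 bits)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public, private)


def mic(data: bytes) -> str:
    """Message Integrity Check: the hash total the MDN reports back to the sender."""
    return hashlib.sha256(data).hexdigest()


def sign(priv, data: bytes) -> int:
    d, n = priv
    return pow(int(mic(data), 16) % n, d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == int(mic(data), 16) % n


def _keystream_xor(key: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || block counter); same call decrypts."""
    kb, out = key.to_bytes(16, "big"), bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(kb + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_for(pub, plaintext: bytes):
    """Privacy: fresh per-message key, wrapped with the receiver's public key."""
    e, n = pub
    key = secrets.randbelow(n - 2) + 2
    return pow(key, e, n), _keystream_xor(key, plaintext)


def decrypt(priv, wrapped_key: int, ciphertext: bytes) -> bytes:
    d, n = priv
    return _keystream_xor(pow(wrapped_key, d, n), ciphertext)


def send(sender_priv, receiver_pub, document: bytes):
    """Sender: sign for authentication, encrypt for privacy, keep the MIC locally."""
    wrapped, body = encrypt_for(receiver_pub, document)
    wire = {"wrapped_key": wrapped, "body": body, "signature": sign(sender_priv, document)}
    return wire, {"expected_mic": mic(document)}


def _mdn_bytes(mdn) -> bytes:
    """The fields of the MDN that the receiver signs."""
    return f"{mdn['disposition']}|{mdn['mic']}".encode()


def receive(receiver_priv, sender_pub, wire):
    """Receiver: decrypt, check the sender's signature, answer with a signed MDN."""
    doc = decrypt(receiver_priv, wire["wrapped_key"], wire["body"])
    ok = verify(sender_pub, doc, wire["signature"])
    mdn = {"disposition": "processed" if ok else "failed/authentication-failed",
           "mic": mic(doc)}
    mdn["signature"] = sign(receiver_priv, _mdn_bytes(mdn))
    return (doc if ok else None), mdn


def check_mdn(receiver_pub, record, mdn) -> str:
    """Sender: the signed MDN is the non-repudiable receipt; a MIC match proves integrity."""
    if not verify(receiver_pub, _mdn_bytes(mdn), mdn["signature"]):
        return "mdn-signature-invalid"
    if mdn["disposition"] != "processed":
        return "receiver-rejected"
    if mdn["mic"] != record["expected_mic"]:
        return "mic-mismatch"
    return "delivered"


def run_exchange(mode: str = "clean") -> dict:
    """Full round trip; mode is 'clean', 'tamper-body' or 'forge-mdn'."""
    sender_pub, sender_priv = make_toy_keypair(1000003, 1000033)      # toy primes
    receiver_pub, receiver_priv = make_toy_keypair(1000037, 1000039)  # toy primes
    document = b"ST*810*0001~BIG*20240101*INV-0001~  (constructed sample invoice)"
    wire, record = send(sender_priv, receiver_pub, document)
    if mode == "tamper-body":                       # one bit flipped in transit
        body = bytearray(wire["body"]); body[5] ^= 0x01; wire["body"] = bytes(body)
    doc, mdn = receive(receiver_priv, sender_pub, wire)
    if mode == "forge-mdn":                         # MIC altered without re-signing
        mdn["mic"] = mic(b"some other document")
    return {"receiver_accepted": doc == document,
            "mdn_disposition": mdn["disposition"],
            "sender_result": check_mdn(receiver_pub, record, mdn)}


if __name__ == "__main__":
    for m in ("clean", "tamper-body", "forge-mdn"):
        print(m, run_exchange(m))
```

The sender counts a document as delivered only when the MDN signature verifies, the disposition is "processed" and the reported MIC equals the one computed before sending; that signed MDN is the proof of transmission and receipt an audit trail keeps.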
Key Infrastructure Security Fundamentals
• User login, authentication, password/access policy
• Connections to internal systems are NOT initiated from the DMZ
• Connections through the firewall MUST be managed from inside the firewall
• HTTP messages (data/documents) are NOT stored on the hard disk in the DMZ
• Messages (data/documents) MUST be pulled inside the firewall, NOT pushed in
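Rules like these are easiest to keep honest when every connection the gateway design allows is checked against them mechanically. The Python below is an added example, not from the presentation or from Inovis; the Flow records, zone names and field names are constructed for illustration. It encodes the slide's architectural rules and audits a constructed set of flows, flagging the ones that push data inward, let an external party bypass the DMZ, or spool payloads to disk in the DMZ.

```python
"""Policy-as-code check of the DMZ rules on the slide.

Added example, not from the presentation or from Inovis. The Flow records
below are constructed; the zone names and field names are my own. The check
encodes the slide's rules: nothing in the DMZ initiates a connection into
internal systems, payloads cross into the internal zone only because an
internal system pulls them, and received payloads are never written to disk
in the DMZ.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    initiator_zone: str        # zone of the side that opens the connection
    target_zone: str           # zone of the side that accepts it
    payload_on_dmz_disk: bool  # does the DMZ tier spool the message to disk?


ZONES = ("external", "dmz", "internal")


def violations(flow: Flow) -> list:
    """Return the slide's rules that this flow breaks (empty list = compliant)."""
    assert flow.initiator_zone in ZONES and flow.target_zone in ZONES
    problems = []
    if flow.target_zone == "internal" and flow.initiator_zone != "internal":
        # Covers both "not initiated from the DMZ" and "pulled inside, not pushed in":
        # only an internal system may open the connection that moves data inward.
        problems.append("inbound connection not initiated from inside the firewall")
    if flow.initiator_zone == "external" and flow.target_zone == "internal":
        problems.append("external party reaches the internal zone without passing the DMZ")
    if flow.payload_on_dmz_disk:
        problems.append("message payload stored on disk in the DMZ")
    return problems


def audit(flows) -> dict:
    """Map each flow name to its violations, keeping only the non-compliant ones."""
    return {f.name: v for f in flows if (v := violations(f))}


# Constructed sample: a partner-facing gateway with two good and three bad flows.
SAMPLE_FLOWS = [
    Flow("partner HTTPS POST to DMZ gateway (held in memory)", "external", "dmz", False),
    Flow("internal integration server polls DMZ gateway", "internal", "dmz", False),
    Flow("DMZ relay pushes files to internal ERP share", "dmz", "internal", False),
    Flow("DMZ gateway spools received messages to local disk", "external", "dmz", True),
    Flow("partner SFTP straight to internal file server", "external", "internal", False),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_FLOWS).items():
        print(f"{name}:")
        for p in problems:
            print(f"  - {p}")
```

The compliant pattern is the second flow: the internal integration server opens the connection outward to the DMZ and pulls the waiting message, so no DMZ process ever holds credentials for, or a route into, the internal network.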
H-R 3763: “Sarbanes-Oxley Act of 2002”
• Purpose: Executive accountability
• Why: Reaction to corporate scandals
• What: Requires high levels of accountability from companies and their senior executives
• Who: Publicly traded companies and near IPO companies, and specifically named CEO and CFO
Sarbanes-Oxley Titles
• I - Public Company Accounting Oversight Board
• II - Auditor Independence
• III - Corporate Responsibility
• IV - Enhanced Financial Disclosures
• V - Analyst Conflicts of Interest
• VI - Commissions Resources and Authority
• VII - Studies and Reports
• VIII - Corporate and Criminal Fraud Accountability
• IX - White Collar Crime Penalty Enhancements
• X - Corporate Tax Returns
• XI - Corporate Fraud Accountability

SOX Title I: Public Company Accounting Oversight Board
Brief Description
• Establish an Oversight Board
• Audit quality, standards, investigation and disciplinary actions
• Accounting standards, foreign public accounting
• Funding
IT Issues
• Section 103: IT can contribute to the quality control and related security and systems needed to maintain source data that could be accessed and used for audit purposes

SOX Title III: Corporate Responsibility
Brief Description
• CEO and CFO (signing officers) are required to sign and attest to the accuracy of financial reports
• The signing officers are responsible for internal controls and for disclosing any internal control shortcomings
IT Issues
• Section 302: Corporate Responsibility for Financial Reporting implies that the CEO and CFO will require IT to provide strong proof that internal controls are in place

SOX Title IV: Enhanced Financial Disclosures
Brief Description
• Title IV establishes requirements for enhanced disclosures in financial reports, including conflict-of-interest provisions
• Disclosure of transactions and management assessment of internal controls
IT Issues
• Section 404: The most important Sarbanes-Oxley provision as it applies to IT: control structures and procedures on the transport, exchange, processing, tracking, security and integrity of data/documents

SOX Notes
• Will vary from industry to industry and with a company's ability to address “internal controls” (plans and execution)
• Conservative and risk-averse interpretation:
– Any internal control structure or procedure that may have an impact on financial reporting
– Any internal control structure or procedure that may impact a company's ability to operate
– Applies to supporting IT infrastructure, data security and auditability
• Applies to mission-critical systems/apps such as:
– Financial software applications
– Applications that handle the data/file transfer of business docs & transactions (intra/inter-company)

Compliance Frameworks
• COSO
• Committee of Sponsoring Organizations of the Treadway Commission
• Originally formed in 1985 to study and define practices to preserve accuracy in financial reporting
• PCAOB (formed by the Sarbanes-Oxley Act) determined that COSO would be used as the primary set of guidelines & framework for SOX
• For more information on COSO:
– The COSO website at www.coso.org

Compliance Framework
• COBiT
• Control Objectives for Information and Related Technology
• An internationally accepted standard presented in non-technical language
• COBiT has been cross-referenced directly to COSO
• COBiT controls and procedures extend beyond COSO
• For more information on COBiT:
– The IT Governance Institute website at www.itgi.org
– The Information Systems Audit and Control Association website at www.isaca.org/cobit

Compliance Frameworks
[Chart not reproduced in the transcript] This chart is provided courtesy of the IT Governance Institute and the Information Systems Audit and Control Association.

Compliance Framework
• SAS-70
• Statement on Auditing Standards No. 70 (SAS 70)
• Defined by the American Institute of Certified Public Accountants (AICPA)
• For all entities that use a service company for conducting transactions and maintaining related accountability and/or for recording transactions and information processing
• Provides guidelines to auditors engaged by service organizations to report on the internal control policies and procedures
• For more information on SAS-70:
– The AICPA website at www.aicpa.org

B2B Gateway - Business Integration
• A B2B gateway provides more than operational efficiency
• Backbone for the secure exchange of documents/data
• Internal and external integration
• Secure managed file transfer
• Audit trail of document flow and setup changes
• Will interact with a myriad of business processes
• Will handle all business integration
– Application-to-application
– Internal department-to-department
– Business-to-business with external parties
Benefits of a B2B Gateway
• Focus resources
• Streamline operations
• Real-time visibility into business activities
• Real-time event management & alerts
• Audit trail & dashboard
• Improve security and control
• IT Control for Sarbanes-Oxley

Architecture diagram (box labels as transcribed, top to bottom):
• Secure File and Data Transfer
• Transaction Management
• Community Management
• Data Mapping and Transformation
• Rules Event Mgmt
• Process Mgmt Workflow
• Analysis BAM
• Performance Mgmt
• Dashboards
• J2EE Compatible Service Oriented Architecture
• Adaptive Layer
• Internal Infrastructure and Systems
• Perimeter Security Services
• External Trading and Business Partners

Inovis BizManager
• Supports IT governance, controls and security needed for Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley
• Audit trail of all business data/documents exchanged
• Integrated business-to-business and secure file transfer
• Several secure managed file transfer options:
– Secure transports that include AS2, AS3, FTP/s, HTTP/s, ebXML
– Secure transaction mailbox (MailLink)
• Non-repudiation with proof of transmission and receipt
– Message Disposition Notifications and mailbox acknowledgements
• Integrity of business data/documents
– Signed and encrypted documents
– Encrypted HTTP/s and FTP/s connections

BizManager: Business Benefits
• Cut inefficiencies and reduce cycle times
• Minimize transaction-processing costs
• Decrease operational costs
• Address security and IT control issues related to Sarbanes-Oxley and other regulatory initiatives
• Perform real-time, any-to-any “secure” data/document exchange
• Consolidate systems, control and management
• Simplify business trading community management with integrated solutions
• Gain real-time visibility into business activity and performance
• Plan for future growth with a flexible, scalable solution for companies of any size
Inovis Solution Set
BizManager