SOX, CoBIT, COSO Project
Subra Krishnan
_______________________________________________________________________

Abstract: The grand framework of SOX, COSO and CoBIT, their future trends and some managerial caveats are introduced. Microsoft's Trustworthy Computing usage model is summarized to indicate the direction in which modern software development is heading; it is expected to become a de facto standard for all software corporations. Within the COSO framework, ideas on Enterprise Risk Management (ERM) are touched upon. ERM is not an end in itself but an important means: it helps an entity achieve its performance and profitability targets, prevent loss of resources, get to where it wants to go, and avoid pitfalls and surprises along the way. Under CoBIT, CRM and the use of Key Performance Indicators with dashboard techniques to help top management evaluate projects are discussed; IT is a major component of this. Some managerial intuition is offered on how corporations are turning this new compliance burden into a financial opportunity, and in that regard the concept of a Single Compliance Platform will be the wave of the future.

Keywords: Business Risk Management, Information Trust and Compliance Issues (SOX), Trustworthy Systems Development.
Cross-link keywords: Dependable & Trustworthy Enterprise Systems, Enterprise Information Security Policy.
________________________________________________________________________
Trustworthy Computing Page 1 of 18 3/6/2016

Executive Summary

All public companies must comply with Sarbanes-Oxley. Compliance is hard work, and establishing effective internal controls for good corporate governance is expensive as well. Good governance can be good for business.
By complying, some Fortune 500 companies are turning the unavoidable costs of Sarbanes-Oxley into an opportunity to improve business processes and distinguish themselves in the financial community. Whatever governance you have in place today, be ready to adapt it to make the most of future business conditions.

With that in mind, this project touches upon the grand framework of SOX and its flow from COSO to CoBIT. The pillars of Trustworthy Computing are essential for robust internal controls and for good governance. A case study of Microsoft's software security, with emphasis on the Security Development Lifecycle, is discussed to underscore the importance of including security in the initial stages of software development. Under the CoBIT umbrella, some of its best practices, in the form of an IT governance implementation roadmap, are discussed at length. In particular, the usage model for metrics measurement using the dashboard concept, with ING as a case study, will help the reader see the big picture. Under the COSO framework, Enterprise Risk Management provides a framework for management to deal effectively with uncertainty, risk and opportunity and thereby enhance its capacity to build value. Since no entity operates in a risk-free environment, enterprise risk management fills the need to enable management to operate more effectively in such environments.

No new material is presented here. This report is a collection of best practices and their implementation methods. The content that follows is:

1. Overview: SOX, CoBIT, COSO
2. Trustworthy Computing
3. Case Studies: Microsoft (Security), ING (CoBIT)
4. Emerging Trends: SOX, CoBIT

1.
Overview

Compliance is a form of standardization that different industry sectors have to adhere to when doing business, whether by following metrics or when implementing a process. Protocols also come under this wing: for instance, when countries host dignitaries, certain regulations are followed. As one would expect, there are different kinds of regulations in the business world: regulations around financial controls such as Sarbanes-Oxley and Basel II; regulations around privacy such as the EU Data Protection Act; and regulations around fraud such as anti-money-laundering legislation.

IT departments generally have two different roles in compliance: 1) making sure that technology is available to enable people to adhere to compliance requirements, and 2) making that technology easy to use. IT needs to deal with compliance because compliance affects all businesses; hence the pervasiveness of IT departments in compliance work. Figure 1 below illustrates the broad framework of the regulations in place.

Figure 1: Control Frameworks of SOX (Source: CIO Guide to SOX, Reymann Group Inc., Jan 2005)

Sarbanes-Oxley (SOX)

Overview: Thousands of companies face the task of ensuring that their accounting operations comply with the Sarbanes-Oxley Act. Auditing departments typically have a comprehensive external audit (by a SOX compliance specialist) performed to identify areas of risk. Next, specialized software is installed that provides the "electronic paper trails" necessary to ensure SOX compliance. The most important Sarbanes-Oxley sections for compliance are listed below. Certification and specific public actions are now required of companies to remain in SOX compliance.

SOX Section 302 - Corporate Responsibility for Financial Reports
a) The CEO and CFO must review all financial reports.
b) The financial report must not contain any misrepresentations.
c) Information in the financial report must be "fairly presented".
d) The CEO and CFO are responsible for the internal accounting controls.
e) The CEO and CFO must report to the audit committee any deficiencies in internal accounting controls, or any fraud involving management.
f) The CEO and CFO must indicate any material changes in internal accounting controls.

SOX Section 404 - Management Assessment of Internal Controls
All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, together with management's assessment of the effectiveness of that control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of management's assertion that internal accounting controls are in place, operational and effective.

SOX Section 409 - Real Time Issuer Disclosures
Companies are required to disclose, on an almost real-time basis, information concerning material changes in their financial condition or operations.

SOX Section 902 - Attempts & Conspiracies to Commit Fraud Offenses
It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object's integrity or availability for use in an official proceeding. [http://www.aicpa.org/info/sarbanes_oxley_summary.htm]

CoBIT: Control Objectives for Information and related Technologies

CoBIT was developed in 1996 by the Information Systems Audit and Control Association (ISACA) and is now issued and maintained by the IT Governance Institute (ITGI) as a framework for providing control mechanisms over the information technology domain.
Now in its third version, CoBIT has been extended to serve as an IT governance framework by providing maturity models, critical success factors, key goal indicators, and key performance indicators for the management of IT. At the heart of CoBIT are 34 high-level control objectives, grouped into four main domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. More recently, CoBIT added a set of action-oriented management guidelines that give management direction for monitoring achievement of organizational goals, for monitoring performance within each IT process, and for benchmarking organizational achievement. Overall, CoBIT represents a comprehensive framework for implementing IT governance with a very strong auditing and controls perspective, which has increasing resonance in the era of SOX and other compliance-related regulations and legislation. [IT Governance Institute and CoBIT, http://www.itgi.org]

COSO: Committee of Sponsoring Organizations (of the Treadway Commission)

The underlying premise of Enterprise Risk Management (ERM) is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to deal effectively with uncertainty and its associated risk and opportunity, and thereby enhance its capacity to build value. As no entity operates in a risk-free environment, enterprise risk management enables management to operate more effectively in environments filled with risk.
Benefits of Enterprise Risk Management

• Align risk appetite and strategy: Management considers its risk appetite when evaluating strategic alternatives, setting objectives aligned with strategy, and developing mechanisms to manage the related risks.
• Link growth, risk and return: ERM provides an enhanced ability to identify and assess risks, and to establish levels of risk relative to growth and return objectives.
• Enhance risk response decisions: ERM provides the rigor to identify and select among alternative risk responses (risk avoidance, reduction, sharing and acceptance), together with methodologies and techniques for making these decisions.
• Minimize operational surprises and losses: Entities gain an enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and the related costs or losses.
• Identify and manage cross-enterprise risks: Every entity faces many risks affecting different parts of the organization. Management needs not only to manage individual risks, but also to understand their interrelated impacts.
• Provide integrated responses to multiple risks: Business processes carry many inherent risks, and ERM enables integrated solutions for managing them.
• Seize opportunities: Management considers potential events rather than just risks; by considering the full range of events, management gains an understanding of how certain events represent opportunities.
• Rationalize capital: More robust information on an entity's total risk allows management to assess overall capital needs more effectively and improve capital allocation.

[ERM Framework, http://www.erm.coso.org]

Enterprise risk management is not an end in itself, but rather an important means.
It cannot and does not operate in isolation in an entity, but rather is an enabler of the management process. Enterprise risk management is interrelated with corporate governance, providing information to the board of directors on the most significant risks and how they are being managed. It interrelates with performance management by providing risk-adjusted measures, and with internal control, which is an integral part of enterprise risk management. Enterprise risk management helps an entity achieve its performance and profitability targets and prevent loss of resources. It helps ensure effective reporting, and it helps ensure that the entity complies with laws and regulations, avoiding damage to its reputation and other consequences. In short, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

We shall now see how Trustworthy Computing fits into the IT governance model.

2. Trustworthy Computing (TWC)

The four pillars of TWC, namely Security, Privacy, Reliability and Business Integrity, as illustrated below (Table A), form the framework of TWC. These goals form the basis of trust in any business. All of them raise issues related to engineering, business practices and public perception, although not all to the same degree. They are goals from the user's point of view.

Table A: The four pillars of Trustworthy Computing
Goals: the basis for a customer's decision to trust a system
Security: The customer can expect that systems are resilient to attack, and that the confidentiality, integrity, and availability of the system and its data are protected.
Privacy: The customer is able to control data about themselves, and those using such data adhere to fair information principles.
Reliability: The customer can depend on the product to fulfill its functions when required to do so.
Business Integrity: The vendor of a product behaves in a responsive and responsible manner.
Source: UIUC TWC class, lecture slide 01

The means to achieve the TWC goals of Security, Privacy, Reliability and Business Integrity are shown in Table B. A white paper on Microsoft's own TWC environment lists the following "Means" to meet the goals. These are perspectives from an IT point of view.

Table B: Means to achieve the Goals
Means: the business and engineering considerations that enable a system supplier to deliver on the Goals
Secure by Design, Secure by Default, Secure in Deployment: Steps have been taken to protect the confidentiality, integrity, and availability of data and systems at every phase of the software development process, from design, to delivery, to maintenance.
Fair Information Principles: End-user data is never collected and shared with people or organizations without the consent of the individual. Privacy is respected when information is collected, stored, and used consistent with Fair Information Practices.
Availability: The system is present and ready for use as required.
Manageability: The system is easy to install and manage, relative to its size and complexity. (Scalability, efficiency and cost-effectiveness are considered to be part of manageability.)
Accuracy: The system performs its functions correctly. Results of calculations are free from error, and data is protected from loss or corruption.
Usability: The software is easy to use and suitable to the user's needs.
Responsiveness: The company accepts responsibility for problems, and takes action to correct them. Help is provided to customers in planning for, installing and operating the product.
Transparency: The company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company.
Source: Trustworthy Computing white paper, Craig Mundie, Oct 2002

The execution of the "Means" is based on Intent, Implementation and Evidence. This must be reflected in managerial practices as well to give a holistic view of the concepts. Table C shows this from an organizational point of view.

Table C: Execution of Means
Intents:
• Company policies, directives, benchmarks, and guidelines
• Contracts and undertakings with customers, including Service Level Agreements (SLAs)
Implementation:
• Corporate, industry and regulatory standards
• Government legislation, policies, and regulations
• Risk analysis
• Development practices, including architecture, coding, documentation, and testing
• Training and education
• Terms of business
• Marketing and sales practices
• Operations practices, including deployment, maintenance, sales & support, and risk management
Evidence:
• Enforcement of intents and dispute resolution
• Self-assessment
• Accreditation by third parties
• External audit
Source: Trustworthy Computing white paper, Craig Mundie, Oct 2002

We shall now look at some case studies from a learning perspective, and at how corporations have successfully implemented these ideas in their business models. A successful integration makes for a socially responsible form of business.

3.
Case Studies & White Papers

Microsoft case study for TWC: This case discusses the Trustworthy Computing Security Development Lifecycle (SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process adds a series of security-focused activities and deliverables to each phase of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, the conduct of code reviews and security testing during a focused "security push", and, before release, a final security review by a team independent of the development group. Figure 2 represents the traditional or base model and Figure 3 represents the SDL model, which is becoming a de facto standard in the software industry.

Figure 2: Standard process
Figure 3: Newer process with built-in SDL

Results: Compared with software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. The paper describes the SDL and the experience with its implementation across Microsoft software. [Trustworthy Computing Security Development white paper, Steve Lipner, Mar 2005]

Key concepts and managerial issues
• Security must be considered from the initiation phase of a software development project.
• Management should also base the decision to release the software on the security viewpoint.

Key techniques, components and models
• Secure by Design and Secure by Default provide the most security benefit.
• Threat modeling must continue even after the release of the software.
• Security metrics are difficult to measure, hence proxy metrics are used to measure software security, such as threat modeling, code review, and independent final release testing.

ING's CoBIT case study (case study on the ING financial corporation)

Case summary: ING Group is a global financial services institution of Dutch origin offering banking, insurance and asset management to 60 million private, corporate and institutional clients worldwide. ING is a multi-product, multi-distribution company, approaching the customer through their channel of choice. The company comprises a broad spectrum of prominent businesses that increasingly serve their clients under the ING brand.

The ING case study indicates co-variance between ING's business performance and the robustness of its IT governance structure, supported by innovative IT portfolio analysis (an investment management approach to enterprise IT). A strong execution capability is the hidden force behind these activities. Apart from meeting the CoBIT requirements, the implementation of CoBIT gave management a clearer view of its weaknesses and of what solutions could be adopted to mitigate its risks and weaknesses. The key questions that can be addressed by CoBIT are:
• Is there a framework to guide business and technology management leaders to change IT's role within the organization and to close the gap between IT and the business? Is IT going to support and drive this initiative?
• What are the responsibilities at the board and management levels?
• Is this a governance issue?
Figure 4 describes the IT management and governance structure in ING, while Figure 5 depicts the generic IT governance implementation roadmap as given by the committee. The key elements of Figure 5 are identification of needs, envisioning the solution, planning for it and executing it.

Identify needs: Phase 1 of the roadmap identifies the needs. The CoBIT Management Guidelines offer key goal indicators (KGIs) and critical success factors to help define IT goals. The CoBIT Control Objectives and Control Practices provide guidance on critical control requirements. The information criteria described in the Framework help define the business value and risk mitigation, and the IT resources help define the resources required to manage the risks and value.

Figure 4: IT management and governance structure in ING (Source: Enterprise Value: Governance of IT Investments, ING case study)
Figure 5: ING's IT governance implementation roadmap (Source: IT Governance Implementation Guide)

Envision the solution: Phase 2 of the roadmap envisions the solution based on the current standing. The current maturity of the IT processes (as-is) must be assessed and the appropriate target maturity levels (to-be) set. Based on the maturity attributes in the CoBIT Control Objectives and Control Practices, the analysis of the gaps between the as-is and to-be positions is translated into improvement opportunities. This phase uses the critical success factors and the maturity models from the CoBIT Management Guidelines.

Plan the solution: The third phase of the roadmap suggests improvements and translates them into justifiable projects. After approval, these projects should be integrated into an overall improvement strategy with a detailed plan to roll out the solution.
The CoBIT Control Objectives and Control Practices can be used to prioritize improvement opportunities, and the Key Performance Indicators and Key Goal Indicators from the CoBIT Management Guidelines are available for defining process metrics for the IT and business goals.

Implement the solution: The sustainability of the delivery is guaranteed by the feedback provided by the post-mortem briefing and by monitoring the improvements on the corporate and IT balanced scorecards. In this phase the KGIs and KPIs from the CoBIT Management Guidelines can be used to establish an IT balanced scorecard and to document a post-implementation review.

Putting it into practice: In looking at a complete IT project portfolio, care is taken to ensure that project dependencies and links are taken into account. For example, infrastructure changes (which may be defined as separate projects) may be needed to provide a platform for a new customer relationship management (CRM) system. ING evaluates the portfolio as a series of programs, each containing a number of linked projects, rather than as a collection of totally independent, stand-alone projects. The overall benefits accruing from the ING approach include:
• Increased financial and risk transparency, resulting in improved decision making on an investment portfolio.
• Reduction of false positives (over-optimistic business cases) and false negatives (over-pessimistic business cases), resulting in more accurate project selection, safer investments and reduced opportunity cost.
• Early identification of obsolete or non-performing projects, resulting in significant cost savings and avoidance of future budget overruns.
• A more disciplined (operational) risk approach, resulting in risk optimization and a reduced need for costly provisions (economic capital).
• Identification of quality (investment-grade) projects from a risk and return perspective, resulting in more focused and increased investment in promising business opportunities (upside risk).
[Enterprise Value: Governance of IT Investments, ING case study]

ING believes in the adage "you cannot manage what you cannot measure." To that end, to help management in its quest for business accountability, the IT teams came out with an IT dashboard. The IT dashboard process, which is carried out at the same time as ING's annual medium-term business planning exercise, provides the information necessary to:
• Enable ING to develop and benchmark appropriate metrics on IT dollars, performance and value
• Help identify trends, enable best practices to be shared, and help managerial actions to be taken
• Enable benchmarking of metrics among different business units
• Assist senior business and IT management in exercising their governance responsibilities over IT investments

IT metrics: The metrics that are collected and analyzed include the obvious yardsticks. A few such instances are:
• IT costs by category and by activity
• IT staff numbers and activity-based cost analysis
• Outsourcing ratios
• IT costs as a percentage of total operating costs
• IT-related operational risk incidents (number and value)
• IT security incidents (number and value)

Before giving an approval, ING looks at the financial transparency and risk/return metrics.
This information, together with the metrics collected, including its own solutions delivery performance, results in a risk/return rating of ING's IT investment portfolio and its ability to actively manage the portfolio on the basis of the capability maturity model (CMM).

How ING's IT dashboard helped its IT governance: The metrics collected through the dashboard process are merely a means to an end. The results obtained from the analysis helped to answer questions such as:
• Why is IT expenditure forecasting out of sync with the majority of competitors? This needs further investigation to ascertain whether it is a positive or a negative trait.
• What is the reason for the unclear financial transparency of many IT investments? This will affect ING during consultations to scope out the clarity of the projects.
• Why are there anomalies in the IT investment portfolio in terms of risk versus return? ING therefore started to re-examine its existing IT investment portfolio.
• Why the uncertainty in project delivery time? The need for CMM was understood, and the board has taken action to require all business units to attain a defined higher level within a specified and challenging time frame.
[Enterprise Value: Governance of IT Investments, ING case study]

ING conclusion:
1) Shareholder ROI is partly related to how much is spent on IT. Equally important is how the money is spent. In the short term, the best shareholder return is generated by transactional (cost-saving) projects because they emphasize standardization and efficiency, which result in a lower cost per transaction.
2) Strategic IT investments must also be pursued to create future revenue growth and to improve sustainable financial performance for all stakeholders.
3) With the demonstrated success of its IT dashboard analysis, ING is considering the potential benefits of providing similar IT value and performance analysis to other organizations as a commercial service.

Key techniques, components and models
ING's IT management and governance structure shows that IT is melded well into the business strategy of ING. Figure 4 shows how ING strives to ensure that the business leaders of the firm are informed and committed, and that the organization structure is established to do that.

Key concepts and managerial issues
"Portfolio management helps overcome the disconnect in communications between the business and IT communities. It is an excellent way to deal with the perennial questions about IT value and IT alignment with the business." (Bill Rosser, Gartner)

The link between the leadership council and the policy board is important; to a great extent, the leadership council has the prime responsibility for the implementation and execution of the IT strategy approved and led by the policy board, so joint ownership is essential.

4. Emerging trends, applications and issues

Single Compliance Platform

Present-day compliance effort is not well orchestrated: companies are trying to make multiple compliance regimes work together through workarounds. This is similar to the ERP situation some time back (4-5 years ago), when everyone was buying applications and trying to stitch them together. But the more systems you use, the more fragmented your approach, the less accurate it is, and the more problems you create. Companies are wasting time and effort on these kinds of compliance efforts.
Instead they are looking for a single system integrated into their architecture that runs as part of their IT infrastructure, with the hope that these controls will be embedded into their business controls. This means we need to be looking into a service-oriented architecture. [http://www.itcinstitute.com/display.aspx?id=1174]

Right now, compliance functions are being handled by about three different applications. The consolidation of these applications could solve about 80 percent of present-day compliance issues in terms of ease of use, security and control measures. This would help in a big way when financial institutions acquire and merge with their competitors. [http://www.itcinstitute.com/display.aspx?id=1174]

SOX future compliance: The need for tighter access control is now a reality in the third year of SOX compliance. Auditors are looking into the availability of process controls (business controls) such as order-to-cash, procurement, closing and the like. Few software controls can automate such needs as of today. Process controls are used for key business processes, such as provisioning, giving people access, and then de-provisioning them. This acts as a security deterrent. The right software can accomplish this by having many different levels of built-in controls. Two common scenarios that demand a control be put in place are: a process which does not allow one person to both create and pay a fictitious vendor, and which prevents duplicate invoicing; and setting a threshold inventory level to determine whether inventory is being pilfered.
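The two scenarios just described (one person creating and paying a fictitious vendor, duplicate invoicing, and sub-threshold purchase splitting against a review threshold) can be expressed as detective controls run over procurement records. The following is an added example written for this report, not code from the paper or from any compliance product; the record layout, the user names, the 1000.00 approval threshold and the seven-day window are constructed assumptions.

```python
"""Detective controls for the SOX process-control scenarios discussed above.
Added example: the record layout, user names, threshold and window are
constructed assumptions, not data from the paper or any real system."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed vendor master: which user created each vendor record.
VENDORS = {
    "V100": {"name": "Acme Supplies", "created_by": "alice"},
    "V200": {"name": "Northwind Parts", "created_by": "bob"},
    "V300": {"name": "QuickPay Consulting", "created_by": "carol"},
}

# Constructed payment ledger: (invoice_no, vendor_id, amount, approved_by, paid_on)
PAYMENTS = [
    ("INV-1001", "V100", 4200.00, "dave",  date(2006, 3, 1)),
    ("INV-1002", "V200", 1800.00, "alice", date(2006, 3, 2)),
    ("INV-1002", "V200", 1800.00, "alice", date(2006, 3, 9)),  # same invoice paid twice
    ("INV-2001", "V300", 9500.00, "carol", date(2006, 3, 3)),  # creator approves own vendor
]

# Constructed purchase requests: (employee, amount, requested_on).
APPROVAL_THRESHOLD = 1000.00  # requests at or above this get second-level review
PURCHASES = [
    ("erin", 950.00, date(2006, 3, 6)),
    ("erin", 980.00, date(2006, 3, 7)),
    ("erin", 900.00, date(2006, 3, 8)),
    ("frank", 400.00, date(2006, 3, 6)),
    ("frank", 300.00, date(2006, 3, 20)),
]


def segregation_of_duties_violations(vendors, payments):
    """Return invoice numbers approved by the same user who created the vendor.

    Creating a vendor record and approving payment to it must be separate
    roles; one person holding both is the classic fictitious-vendor setup."""
    return [
        inv for inv, vid, _amt, approver, _d in payments
        if vendors.get(vid, {}).get("created_by") == approver
    ]


def duplicate_invoices(payments):
    """Return (vendor, invoice_no, amount) keys that were paid more than once."""
    seen = defaultdict(int)
    for inv, vid, amt, _approver, _d in payments:
        seen[(vid, inv, round(amt, 2))] += 1
    return sorted(key for key, count in seen.items() if count > 1)


def split_purchases(purchases, threshold, window_days=7):
    """Return {employee: total} for employees whose individually sub-threshold
    purchases, summed over any window of `window_days`, reach the threshold.

    Each purchase on its own escapes review; the aggregate is what the
    threshold was meant to catch."""
    by_employee = defaultdict(list)
    for emp, amt, d in purchases:
        if amt < threshold:
            by_employee[emp].append((d, amt))
    flagged = {}
    for emp, items in by_employee.items():
        items.sort()  # chronological, so items[i:] are on or after items[i]
        for i, (start, _) in enumerate(items):
            total = sum(a for d, a in items[i:]
                        if d - start <= timedelta(days=window_days))
            if total >= threshold:
                flagged[emp] = round(total, 2)
                break
    return flagged


def run_controls():
    """Run all three checks over the constructed data; returns the findings."""
    return {
        "sod_violations": segregation_of_duties_violations(VENDORS, PAYMENTS),
        "duplicate_invoices": duplicate_invoices(PAYMENTS),
        "split_purchases": split_purchases(PURCHASES, APPROVAL_THRESHOLD),
    }


if __name__ == "__main__":
    for control, findings in run_controls().items():
        print(f"{control}: {findings}")
```

In a real deployment these checks would read from the procurement system's audit trail and feed the "electronic paper trail" the auditors ask for, rather than the inline sample data used here.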
One of the common ways inventory can be pilfered arises when companies scrutinize purchase requirements only above a certain amount. If an employee purchases below the threshold level, that purchase is not monitored closely, and without these controls an employee can place multiple purchases below the threshold limit and get away with it, in terms of lost inventory. IT controls can prevent such problems.

CoBIT 4.0: CoBIT, like the other control frameworks, will evolve as IT control objectives change and are refined. The newest additions in 4.0 are the maturity models, key goal indicators, key performance indicators and critical success factors. These allow management to assess the IT environment against CoBIT's 34 high-level control objectives. The IT governance management guideline also touches upon the governance of IT with the business goals of adding value while balancing risk and return. The following chart shows the components and their relationships under CoBIT 4.0.

Figure 6: Components and relationships under CoBIT 4.0

5. Conclusion and findings

I started out this project, naively, to get an idea of how to coherently knit the different regulations mandated by the government to prevent fraudulent practices and to have secure transactions at all levels of business. This goal was not accomplished. Instead I got caught in the regulations such as SOX, CoBIT, COSO. I do understand that these regulatory boards address different issues, but the thought of unifying them under a common scheme was tempting. But I am glad to see that some industry stalwarts have the same unifying theme and are putting it to work slowly under the banner of "Single Compliance Platform".
The case studies I picked (however varied) gave me an insight into why the goal of a single platform under one system is important. It would simplify the maintenance of the system and reduce the learning curve to adhere to practices. The key lesson I saw was that regulations are a double-edged sword. They can hurt you and/or make your processes transparent. It can be a rewarding experience in the hands of a consultant, or a nightmare. But overall I do agree with the concept and implementation of Trustworthy Computing as a very necessary goal for all corporations. If only the world were a bit more honest a place to live in...

6. Annotated references

1. Trustworthy Computing white paper, Craig Mundie, Oct 2002
2. Trustworthy Computing Security Development white paper, Steve Lipner, Mar 2005
3. Single compliance platform: http://www.itcinstitute.com/display.aspx?id=1174
4. IT governance framework, Craig Symons, Mar 29, 2005
5. ERM Framework, http://www.erm.coso.org
6. CIO Guide to SOX, Reymann Group Inc., Jan 2005
7. http://www.aicpa.org/info/sarbanes_oxley_summary.htm
8. Enterprise Value: Governance of IT Investments, ING case study
9. IT Governance Institute and CoBIT, http://www.itgi.org