An example of United States compliance documentation

Evolving IT Framework Standards
(Compliance and IT)
Sarbanes-Oxley
• The United States has clear legislation for compliance in Information Technology.
• It is called ‘Sarbanes-Oxley’ and here is the basis of that law…
Jim Hulsey
Regulatory and Standards Compliance
Sarbanes-Oxley
• The Sarbanes-Oxley Act of 2002 establishes new standards for corporate boards and audit committees
• Section 404: Management Assessment of Internal Control
• Sarbanes compliance is based on effective and efficient business processes, including the IT environment, enabled by properly designed and implemented technology and executed by competent people
• “Electronic paper trails” are necessary to ensure compliance
• From an IT perspective, the key to compliance is the documentation, monitoring, and management of the compliance control architecture
21 CFR Part 11
• 21 CFR Part 11 – Electronic Records and Electronic Signatures
• The FDA specified its requirements for accepting electronic records in lieu of paper records
• Requires IT to design and qualify networks and the associated infrastructure and to operate them in a compliant manner
ISO 17799 and BS7799 > ISO 27000 series
• ISO/IEC 17799 “Information Technology – Code of Practice for Information Security Management” offers guidelines and voluntary directions for information security management.
• BS7799-2:2002 “Information Security Management – Specification with Guidance for Use” is a standard specification for Information Security Management Systems (ISMS).
• An ISMS is the means by which senior management monitors and controls its security, minimizing residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements. It forms part of an organization’s internal control system.
ISO 17799 > ISO 27000 Series
132 controls under 11 sections (major headings):
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance
ISO 17799 > ISO 27000 Series
Section 5: Physical and Environmental Security (Objectives)
• To reduce risks of human error, theft, fraud or misuse of facilities
• To ensure that users are aware of information security threats and concerns and are equipped to support the corporate security policy in the course of their normal work
• To minimize the damage from security incidents and malfunctions and learn from such incidents
ISO 17799 > ISO 27000 Series
Section 6: Computer & Network Management (Objectives)
• To ensure the correct and secure operation of information processing facilities
• To minimize the risk of systems failures
• To protect the integrity of software and information
• To maintain the integrity and availability of information processing and communication
• To ensure the safeguarding of information in networks and the protection of the supporting infrastructure
• To prevent damage to assets and interruptions to business activities
ISO 17799 > ISO 27000 Series
Section 9: Business Continuity and Disaster Recovery Planning (Objectives)
• To counteract interruptions to business activities and interruptions to critical business processes from the effects of major failures or disasters