Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.


Slide 5-2: Information Technology
- SOX
- Industry-specific regulations (pharmaceuticals, oil sands)
- International regulations: security and forensics
- Privacy laws (Canada, EEC)

Slide 5-3
- Recent regulations impact a greater number of systems.
- Systems are more interconnected (Interpol, banks, CIA).
- Organizations are more dependent on information systems (banks, IBM e-commerce, Facebook, Amazon and eBay).
- Systems are more global and are affected by many countries (EEC, US (SOX)). [GAPP]

Slide 5-4: SOX
- Requires an annual evaluation of internal controls and procedures for financial ethics.
- Requires that the CEO and CFO personally certify controls.
- Requires that independent auditors test control effectiveness.
- Controls must be designed to achieve ethical objectives using established criteria.
- Controls and control objectives must be documented.
- COBIT: Control Objectives for Information and related Technologies.

Slide 5-5
Increasing cost and challenges
- $5.5 billion for SOX targets
Benefits and opportunities
- SOX is good for IT

Slide 5-6
- Compliance with a regulation such as SOX requires a significant resource investment.
- Compliance adds new project costs and lengthens development schedules (Syncrude, IBM).
- CIOs must personally attest to the effectiveness of IT's internal controls and the quality of information.

Slide 5-7
- Compliance requires that IT staff have adequate training and excellent written communication skills.
- Compliance requires that the organization adopt a document retention strategy.

Slide 5-8
- Compliance provides an opportunity to enhance business processes.
- Compliance has enhanced IT visibility with executives and the board of directors (possibly offering strategic direction).
- Compliance has increased the importance of security, quality, data architecture, and change management.

Slide 5-9
- Improved overall IT governance
- Enhanced understanding of IT by senior executives
- Better business decisions based on more accurate information
- Improved IT-business alignment
- Reduced risk of system security breaches

Slide 5-10
- Reduced difficulty complying with new regulations
- More efficient and effective operations
- An integrated approach to security
- Enhanced risk management competencies
- Overall effective ethical practices

Slide 5-11: Figure 5.1 (diagram): Enabling IT Work, with New Systems, Information and Daily Operation

Slide 5-12
1. Enabling IT Work
2. New Systems
3. Information
4. Daily Operations
5. Controlling IT Work

Slide 5-13: Enabling IT Work
- Physical and virtual access across corporations; new staff hires with access privileges
- Security architecture requires practices
- Business continuity planning and disaster recovery (9/11, 2003 blackout)
- IT governance (awareness and training required for compliance)
- HR management and training
- IT finance (involving IT managers)

Slide 5-14: New Systems
- IT strategic planning, aligned with business strategy
- Risk assessment system
- Project management system

Slide 5-15: Information
- Information architecture: who has access to data; document retention
- Data administration: how to create, collect, organize, analyze, maintain and archive data
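Slides 5-13 and 5-15 name new-hire access privileges and "who has access to data" as control areas without showing what the control test looks like. The following Python script is an added example, not part of the textbook slides: it performs the periodic user access review an auditor asks for under these controls, reconciling an application's account export against the HR roster and flagging accounts with no HR owner, accounts owned by terminated staff, privileges beyond the owner's role, administrative rights with no recorded approval, and dormant accounts. The roster, the account export, the role-to-privilege baseline, the review date and every field name are constructed assumptions.

```python
"""Periodic user access review: reconcile application accounts with the HR roster.

Added example; not from the textbook slides. Every record below is constructed,
and the field names and the role-to-privilege baseline are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster keyed by employee id.
HR_ROSTER = {
    "E100": {"status": "active", "role": "accountant"},
    "E101": {"status": "active", "role": "dba"},
    "E102": {"status": "terminated", "role": "analyst"},
    "E103": {"status": "active", "role": "analyst"},
}

# Constructed account export from a financial application.
ACCOUNTS = [
    {"user": "jsmith", "owner": "E100", "privilege": "post_journal",
     "approved_by": "ctrl-mgr", "last_login": date(2024, 4, 20)},
    {"user": "dbadmin", "owner": "E101", "privilege": "admin",
     "approved_by": None, "last_login": date(2024, 4, 22)},
    {"user": "rlee", "owner": "E102", "privilege": "read",
     "approved_by": "ctrl-mgr", "last_login": date(2024, 2, 28)},
    {"user": "svc_batch", "owner": "E999", "privilege": "admin",
     "approved_by": "ctrl-mgr", "last_login": date(2024, 4, 21)},
    {"user": "pkim", "owner": "E103", "privilege": "post_journal",
     "approved_by": "ctrl-mgr", "last_login": date(2023, 9, 1)},
]

# Assumed least-privilege baseline: the privileges each HR role may hold.
ROLE_ENTITLEMENTS = {
    "accountant": {"read", "post_journal"},
    "dba": {"read", "admin"},
    "analyst": {"read"},
}

REVIEW_DATE = date(2024, 4, 30)   # constructed "as of" date for the review


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def review_access(accounts, roster, entitlements, as_of, dormant_days=90):
    """Return one Finding per control exception found in the account export."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        emp = roster.get(acct["owner"])
        if emp is None:
            # Nobody in HR owns this account: it cannot be reviewed and must be explained.
            findings.append(Finding(user, "no_hr_record",
                                    f"owner {acct['owner']} not in HR roster"))
            continue
        if emp["status"] == "terminated":
            # Leaver whose access was never removed.
            findings.append(Finding(user, "terminated_owner",
                                    f"owner {acct['owner']} is terminated"))
        allowed = entitlements.get(emp["role"], set())
        if acct["privilege"] not in allowed:
            findings.append(Finding(user, "privilege_exceeds_role",
                                    f"{acct['privilege']} not allowed for role {emp['role']}"))
        if acct["privilege"] == "admin" and not acct["approved_by"]:
            # Administrative rights need a documented approver in the audit file.
            findings.append(Finding(user, "unapproved_admin", "no approval recorded"))
        if as_of - acct["last_login"] > timedelta(days=dormant_days):
            findings.append(Finding(user, "dormant",
                                    f"last login {acct['last_login'].isoformat()}"))
    return findings


def summarize(findings):
    """Count exceptions by issue type, the figure that goes into the audit report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed data as of the constructed review date."""
    return review_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user:10} {f.issue:22} {f.detail}")
    print(summarize(run_review()))
```

The script reports exceptions rather than fixing them: the review is a detective control, and each finding needs a documented disposition (remove, re-approve, or explain) that the reviewer signs off, which is the evidence the certification on slide 5-6 ultimately rests on.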

Slide 5-16: Daily Operations
- Operations and infrastructure support
- Help desk
- Change management: Change Control Board (CCB), change management database
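Slide 5-16 lists change management with a Change Control Board and a change-management database, which together make an unauthorized-change test possible. The following Python script is an added example, not from the slides: it reconciles a production deployment log against CCB change records and surfaces the exceptions a SOX change-management test looks for, namely deployments with no change record, deployments of changes the CCB did not approve, a ticket used for a system other than the one approved, deployments outside the approved window, and the same person approving and deploying a change. The record layouts, ticket identifiers, names and the separation-of-duties rule are constructed assumptions.

```python
"""Change-control reconciliation: production deployments vs. CCB change records.

Added example; not from the textbook slides. Records, identifiers and the
separation-of-duties rule below are constructed assumptions.
"""
from datetime import datetime

# Constructed extract from the change-management database (CCB decisions).
CHANGE_RECORDS = {
    "CHG-1001": {"status": "approved", "approver": "ccb-chair", "system": "gl-app",
                 "window_start": datetime(2024, 5, 3, 22, 0),
                 "window_end": datetime(2024, 5, 4, 2, 0)},
    "CHG-1002": {"status": "rejected", "approver": "ccb-chair", "system": "gl-app",
                 "window_start": datetime(2024, 5, 3, 22, 0),
                 "window_end": datetime(2024, 5, 4, 2, 0)},
    "CHG-1003": {"status": "approved", "approver": "ops-lead", "system": "payroll",
                 "window_start": datetime(2024, 5, 10, 1, 0),
                 "window_end": datetime(2024, 5, 10, 3, 0)},
}

# Constructed production deployment log, as a deployment tool might export it.
DEPLOYMENTS = [
    {"id": "D1", "system": "gl-app", "change": "CHG-1001",
     "deployed_by": "alice", "at": datetime(2024, 5, 3, 23, 15)},
    {"id": "D2", "system": "gl-app", "change": "CHG-1002",
     "deployed_by": "bob", "at": datetime(2024, 5, 3, 23, 40)},
    {"id": "D3", "system": "payroll", "change": None,
     "deployed_by": "carol", "at": datetime(2024, 5, 6, 14, 5)},
    {"id": "D4", "system": "payroll", "change": "CHG-1003",
     "deployed_by": "ops-lead", "at": datetime(2024, 5, 10, 1, 30)},
    {"id": "D5", "system": "gl-app", "change": "CHG-1001",
     "deployed_by": "alice", "at": datetime(2024, 5, 5, 10, 0)},
    {"id": "D6", "system": "hr-portal", "change": "CHG-1003",
     "deployed_by": "dave", "at": datetime(2024, 5, 10, 1, 45)},
]


def reconcile(deployments, changes):
    """Return (deployment id, exception) pairs for every deployment that fails a test."""
    exceptions = []
    for dep in deployments:
        ref = dep["change"]
        if ref is None or ref not in changes:
            # Change made to production with no ticket behind it.
            exceptions.append((dep["id"], "no_change_record"))
            continue
        chg = changes[ref]
        if chg["status"] != "approved":
            exceptions.append((dep["id"], "change_not_approved"))
        if chg["system"] != dep["system"]:
            # Ticket reused for a system the CCB never looked at.
            exceptions.append((dep["id"], "system_mismatch"))
        if not (chg["window_start"] <= dep["at"] <= chg["window_end"]):
            exceptions.append((dep["id"], "outside_window"))
        if chg["approver"] == dep["deployed_by"]:
            # Assumed separation-of-duties rule: the approver must not be the deployer.
            exceptions.append((dep["id"], "sod_violation"))
    return exceptions


def run_reconciliation():
    """Reconcile the constructed deployment log against the constructed CCB records."""
    return reconcile(DEPLOYMENTS, CHANGE_RECORDS)


if __name__ == "__main__":
    for dep_id, issue in run_reconciliation():
        print(dep_id, issue)
```

The deployment log is the independent source here: a test that only reads the change database sees approved tickets and never learns about deployments that bypassed it, so the reconciliation has to start from what actually reached production.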

Slide 5-17: Controlling IT Work
- Testing and validation
- Documentation management
- Quality assurance
- All are elements of quality management; everyone is responsible

Slide 5-18: Organize for Compliance
- Reduce cost
- Ensure procedures are followed
- React to new regulation
- Use standards and frameworks
- Emphasize training and awareness for compliance
- Ensure appropriate business resources: business strategy is communicated so that IT strategy can support it

Slide 5-19: COBIT domain "Plan and organize" (IT environment)
- IT strategic planning
- Information architecture
- Determine technological direction
- IT organization and relationships
- Manage the IT investment
- Communication of management aims and direction
- Management of human resources
- Compliance with external requirements
- Assessment of risks
- Manage projects
- Manage quality

Slide 5-20: COBIT domain "Acquire and implement" (program development and program change)
- Identify automated solutions
- Acquire or develop application software
- Acquire technology infrastructure
- Manage changes
COBIT domain "Deliver and support" (computer operations and access to programs and data)
- Define and manage service levels
- Manage third-party services

Slide 5-21: "Deliver and support", continued
- Manage performance and capacity
- Ensure continuous service
- Ensure systems security
- Identify and allocate costs
- Educate and train users
- Assist and advise customers
- Manage the configuration
- Manage problems and incidents
- Manage data
- Manage facilities
- Manage operations

Slide 5-22: COBIT domain "Monitor and evaluate" (IT environment)
- Monitoring
- Adequacy of internal controls
- Independent assurance
- Internal audit

Slide 5-23: Summary
- New laws and regulations have had a significant impact on IT.
- IT managers are struggling to implement new controls to support these regulations.
- IT in the future will be controlled, standardized, and bureaucratized.