
SOX & ISO 27001 Protect your data and be ready to be audited!!!

Presentation on theme: "SOX & ISO 27001 Protect your data and be ready to be audited!!!"— Presentation transcript:

1 SOX & ISO 27001 Protect your data and be ready to be audited!!!

2 Agenda
- What is SOX Compliance?
- Why audit IT controls?
- IT Controls
- Failure of SOX controls
- What is ISO 27001?
- Why be ISO 27001 compliant?
- Certification timeline
- Security Domains + More
- Risk Assessment

3 SOX Compliance
SOX stands for "Sarbanes–Oxley", legislation enacted in 2002. It is all about financial data. It was designed to:
- protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise
- improve the accuracy of corporate disclosures.
Image Source: Google Images

4 SOX Compliance
Applies to:
- All public companies in the U.S.
- International companies that have registered equity or debt securities with the SEC
- Accounting firms that provide auditing services to them.
Information Source: web.cba.neu.edu
Image Source: Google Images

5 Why audit IT Controls?
[Diagram: financial data flowing between System A and System B]
- Is the data reliable?
- Is the data complete & accurate?
- Can we trust the data coming out of the systems?

6 IT Controls
General IT Controls (GITCs), key domains:
- Access to programs and data
- Program changes
- Program development
- Computer operations
Application controls:
[Diagram: Databases (store or process financial data) -> Application A -> Report]
E.g. the "Flight tickets sold" report is complete and accurate.

7 IT Control: Access to Programs & Data
Controls tested:
1. Password policy (best practices)
2. SoD (restricted access)
3. Terminations; new hires; transfers
Steps:
1. Test of Design
2. Test of Effectiveness
Key inputs:
- Password settings
- List of users/administrators with full/admin access
- List of new hires/terminated/transferred users
Testing technique used: Sampling
Outputs: Control is effective or not effective. Impact on financials?

8 IT Control: Program Changes
Controls tested (changes are):
1. Tested
2. Approved
Steps:
1. Test of Design
2. Test of Effectiveness
Key inputs:
- Change Management Process
- List of system-generated database changes
Testing technique used: Sampling
Outputs: Control is effective or not effective. Impact on financials?

9 Failure of SOX Controls (IT & Non-IT)
Deficiency: A control breakdown prevents management or employees from preventing or detecting financial misstatements within a reasonable time frame.
Significant deficiency: An important control is not working and the organization's ability to initiate, record, process, or report financial data to the public is compromised. In addition, a significant deficiency may prevent compliance with generally accepted accounting principles (GAAP). A significant deficiency must be reported to the audit committee of the board of directors.
Material weakness: One or more control failures at this level will result in a 404 failure. A material weakness represents, according to the AICPA, "more than a remote likelihood that a material misstatement of the financials will not be prevented or detected." The control failure must be reported to the audit committee of the board of directors as well as the investing public (via the 10-K). Material weaknesses usually, but not always, arise from business practices rather than IT control failures.
IT is expected to pass with few deficiencies, no significant deficiencies, and certainly no material weaknesses.
Source: http://www.ittoday.info

10 Key Points to remember for a successful SOX audit
Database Administrators:
- You are responsible for security of the databases!
- Follow enterprise-wide processes for adding/removing/updating access
- Follow the enterprise-wide process around password management
- Follow the enterprise-wide process for change management
- Do not use shared accounts
- Make sure logging/auditing is available on the databases
- Be prepared to provide audit evidence & support

11 Next Topic: ISO 27001
2-3 minute break before we proceed
Image Source: http://www.glasbergen.com

12 Agenda
- What is SOX Compliance?
- Why audit IT controls?
- IT Controls
- Failure of SOX controls
- What is ISO 27001?
- Why be ISO 27001 compliant?
- Certification timeline
- Security Domains + More
- Risk Assessment

13 ISO 27001
- ISO 27001:2013 is an information security standard
- It is a specification for an information security management system (ISMS)
- It is designed to protect ANY* kind of required information
  *scope is defined by the organization

14 Why be ISO 27001 compliant?
Some reasons may include:
- Maintain ISO 27001 certification
- Protect employee PII data
- Protect consumer PII data
- Comply with applicable privacy and security laws
- Satisfy contractual obligations
- Be prepared to deal with changing threats with respect to new cloud-based services
- Streamline processes and adopt best practices

15 Certification Timeline
Example timeline (3-year cycle) for maintaining the certificate:
- 2012: Original certification (full audit)
- 2013: Surveillance audit (high-level audit)
- 2014: Surveillance audit (high-level audit)
- 2015: Re-certification (full audit)

16 Security Domains + more
Security domains, ISO 27001:2013 version, Annex A:
1. Scope, Information Security Management System
2. Information Security Policies (A.5)
3. Organization of Information Security (A.6)
4. Human Resource Security (A.7)
5. Asset Management (A.8)
6. Access Control (A.9)
7. Cryptography (A.10)
8. Physical and Environmental Security (A.11)
9. Operations Security (A.12)
10. Communications Security (A.13)
11. System Acquisition, Development, and Maintenance (A.14)
12. Supplier Relationships (A.15)
13. Information Security Incident Management (A.16)
14. Information Security Aspects of Business Continuity Management (A.17)
15. Compliance (A.18)
& risk assessment... Total: 114 controls

17 Risk Assessment
Asset-based risk assessment, applicable to the Database Team (document / purpose / owner):
1. Asset Register (owner: Database Team): Identify critical business information, where it exists, and who owns it.
2. Risk Assessment (owner: InfoSec, Database Team): Identify potential data loss or security threats and the resulting impact to the business.
3. Risk Treatment Plan (RTP) (owner: Database Team): Define the preferred procedure the organization should follow in the event of a security breach. Additional security controls to be implemented are recommended here.
4. Implementation Procedure (owner: Database Team): Lists all current controls in place to ensure security; once additional controls from the RTP are implemented, they will be added here. Lists all applicable controls from the previous slide.
Risk treatment options: Accept, Mitigate, Transfer, Avoid.

18 Discussion
Image Source: http://www.glasbergen.com
