Sarbanes-Oxley
Compliance Auditing Tools
The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the highest levels of management now comfortably discuss IT controls and audit results. However, their quality expectations are rising. Where IT once performed audits annually, many now support quarterly, monthly, and ad hoc exercises. Each audit expands the scope of the technologies assessed, measured, and proven compliant. Broader scope means more complexity and more work. With the Sarbanes Oxley Compliance Kit you can increase the timeliness and accuracy of audit data while reducing IT audit effort, disruption, and cost.
Sarbanes-Oxley challenges the Information Technology function with requirements that impact day-to-day activities.
SOX compliance monitoring and auditing tools put in place the infrastructure that every enterprise needs in order to comply with this and other mandated security requirements. Each of the components in this tool kit is easy to implement and meets the most stringent needs that you face.
- Security Audit Program - Contains over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings. The audit program is one that either an external or an internal auditor can use to validate the compliance of the Information Technology function and the enterprise with ISO 27000, Sarbanes-Oxley, HIPAA, and PCI-DSS. The results are posted to a 22 page Excel worksheet that graphically summarizes the strengths and weaknesses of the enterprise's security and its compliance with best security practices.
- Job Descriptions - Director Sarbanes-Oxley Compliance and Manager Sarbanes-Oxley Compliance job descriptions.
Sarbanes Oxley Auditing News
Major Disaster Recovery Failure with an Outsource Provider
Virginia's Department of Motor Vehicles, along with 25 other state agencies, hasn't been able to process requests for licenses and ID cards. These systems are supposed to be up and running six days after the outages started to appear. Northrop Grumman manages Virginia's IT infrastructure under a $2.3 billion IT services contract.
The Virginia Information Technologies Agency (VITA) said in a statement that teams have been working throughout the weekend to restore data. In a nutshell, the IT infrastructure of the state of Virginia was reportedly crushed by an EMC storage area network failure. The Richmond Times-Dispatch reports that several systems are still down. The same paper said that Northrop Grumman will have to pay a fine for the failure. And the real kicker is that the state recently revised its contract with Northrop Grumman and extended the deal for three years. The state paid an additional $236 million for better service from Northrop Grumman.
Highlights of the Revised Contract - Operational Efficiencies
- Consolidates and strengthens Performance Level Standards with a 15% increase in penalties across the board if Northrop Grumman fails to perform on clearly identified and measured performance standards. - PAY-UP
- Improves Incident Response teams to determine technology failures and expedite repair - FAILED
- Institutes clear performance measurements for Northrop Grumman that agencies can easily track - FAILED
- Adds new services to contract such as improved disaster recovery and enhanced security features - FAILED
Among the key parts of the VITA statement:
Successful repair to the storage system hardware is complete, and all but three or possibly four agencies out of the 26 agency systems have been restored. Agencies continue to perform verification testing.
Progress continues, but work is not yet complete for the three or four agencies that have some of the largest and most complex databases. These databases make the restoration process extremely time consuming. The unfortunate result is the agencies will not be able to process some customer transactions until additional testing and validation are complete.
According to the manufacturer of the storage system (EMC), the events that led to the outage appear to be unprecedented. The manufacturer reports that the system and its underlying technology have an exemplary history of reliability, industry-leading data availability of more than 99.999% and no similar failure in one billion hours of run time.
The outage was blamed on the failure of two circuit boards installed and maintained by EMC. It is a bit disconcerting that two circuit boards can bring down a state's IT infrastructure for nearly a week.
Among the things that don't add up in the Virginia IT outage:
- Why wouldn't these boards be replaced quickly?
- Why was there a single point of failure?
- Service was restored for 16 agencies, but 10 require a lengthy restoration of data. Where was the disaster planning? After all, Northrop Grumman touted its disaster recovery for the state just two years ago.
- Where did the IT management fail?
How to request funding for DRP/BCP
In these tough economic times, how can CIOs get the budget necessary to support Disaster Recovery and Business Continuity Planning? The following steps should be taken when planning a presentation that seeks to gain management support for a Disaster Recovery and Business Continuity program.
- Define the scope, objectives, and requirements - It is not enough to have an objective of getting more funding or gaining executive support. Define exactly how much funding is needed, or exactly what form the executive support should take.
- Verify expectations - Define what management's expectations for the meeting are.
- Focus on business continuity - It makes more sense to get the commitment for resources to achieve a 24-hour recovery time objective (RTO) than to demand the resources for a two-hour RTO and get nothing.
- Anticipate objections - Realize that the number one objection is the cost, and prepare accordingly. Let the results of the business impact analysis (BIA) justify the "investment" (not "cost").
- Prepare a competitive analysis - Executives care what their competition is doing. Annual benchmark studies and surveys are good sources of information on the investments in DRP/BCP being made by industry, by size of organization, etc.
- Prepare examples of what has happened to others - Remind the executives of the regulations that affect their business, and the impact of not complying with them. Examples of such regulations are Sarbanes-Oxley, HIPAA, the Foreign Corrupt Practices Act, and Gramm-Leach-Bliley. In addition, research companies that have been damaged significantly in highly publicized news stories because of their failure to act responsibly.
- Define the risk/reward of DRP/BCP - Research and develop the business continuity program's return on investment.
- Package resources - Work with vendors like Janco Associates who can package infrastructure solutions like the Disaster Recovery Business Continuity Template to accelerate the process and minimize the cost.
- Get buy-in from key decision makers before you meet to ask for a decision - The effort will have greater success if key decision makers and other departments within the organization support the DRP/BCP program. The power of a presentation supported by key executives, marketing, IT security, physical security, human resources, facilities, and risk management is highly significant.
Backup requirements defined
CIOs, CSOs, Disaster Recovery Managers, and Business Continuity Managers are constantly working to improve their recovery point objective (RPO) and recovery time objective (RTO) by performing fast, non-disruptive backups and by practicing data restoration. All comprehensive data protection solutions involve many considerations and contingencies.
Here are some of the things that can go wrong with your data and the backup requirements that need to be addressed:
- Accidental or malicious deletion of critical data - Requirement: the ability to quickly and easily restore individual files and folders.
- Data that is lost or corrupted over a period of time - Requirement: the ability to roll back individual records to fix database corruption, and to recover data from any previous point in time with as much granularity as possible.
- A crashed disk - Requirement: recovering a disk volume is different from recovering a single file, but it should be done just as quickly, and with automation to help keep operational disruptions to a minimum.
- A server failure - Requirement: restoring operations when replacing a broken server may be complicated by the need to install different drivers on the new system if the hardware is not an exact match. It helps to have the capability to move the application workload to a standby server (with different hardware) or a virtual server while the system is being replaced or repaired.
- A local or regional disaster - Requirement: when you lose an entire office to fire, flood, or another disaster, have a current copy of your important information in another location that is outside the disaster zone.
- Remote offices and branch offices - Requirement: have a process in place to restore with minimal technical support, as remote and branch offices often do not have the luxury of an on-site technical resource to assist with backups and restores.
- Resource-intensive backup processes - Requirement: frequent or even continuous backup that is not resource-intensive.
- Security breaches - Requirement: secure the data. When moving data between sites, it needs to be protected from potential security breaches. A breach of data security, whether actual damage is done or not, can be devastating to your company's reputation, as dozens of large enterprises and government agencies have found in recent years.
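Several of the requirements above (point-in-time recovery, an off-site copy outside the disaster zone, restores that have actually been exercised) can be checked continuously against a backup catalog rather than discovered during an outage. The following script is an added example, not code from Janco Associates or any backup product: it reads a constructed, pipe-separated catalog of completed backups and reports which systems have breached their RPO, which lack an off-site copy of their newest full backup, and which have no restore test inside a chosen window. The catalog format, the system names, and the RPO values are assumptions for the example.

```python
"""Backup-requirement checker (added example).

Evaluates a backup catalog against three requirements from the list above:
  1. recovery point objective (RPO) per system,
  2. an off-site copy of the newest full backup,
  3. a restore test performed within a maximum age.
"""
from datetime import datetime, timedelta

# Constructed sample catalog, not data from any real system.
# Fields: system | kind(full|incr) | completed_at (UTC ISO) | offsite(yes|no) | restore_tested(yes|no)
CATALOG = """\
erp-db|full|2024-05-01T02:00:00|yes|yes
erp-db|incr|2024-05-06T01:00:00|yes|no
erp-db|incr|2024-05-06T13:00:00|yes|no
fileserver|full|2024-05-04T22:00:00|no|no
branch-pos|full|2024-04-20T03:00:00|yes|yes
"""

# Hypothetical RPO per system; a real deployment would take these from the BIA.
RPO = {
    "erp-db": timedelta(hours=4),
    "fileserver": timedelta(hours=24),
    "branch-pos": timedelta(days=7),
}

# How recent a successful restore test must be for a system to count as tested.
RESTORE_TEST_MAX_AGE = timedelta(days=30)

# Fixed "current time" so the report is reproducible; use datetime.utcnow() in practice.
NOW = datetime(2024, 5, 6, 15, 0, 0)


def parse_catalog(text):
    """Parse pipe-separated catalog lines into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        system, kind, ts, offsite, tested = [f.strip() for f in line.split("|")]
        records.append({
            "system": system,
            "kind": kind,
            "completed_at": datetime.fromisoformat(ts),
            "offsite": offsite == "yes",
            "restore_tested": tested == "yes",
        })
    return records


def rpo_violations(records, rpo, now):
    """Return {system: hours since newest backup} for systems whose newest
    backup (full or incremental) is older than their RPO. A system listed in
    `rpo` with no backup at all is reported with the value None."""
    latest = {}
    for r in records:
        if r["system"] not in latest or r["completed_at"] > latest[r["system"]]:
            latest[r["system"]] = r["completed_at"]
    violations = {}
    for system, objective in rpo.items():
        if system not in latest:
            violations[system] = None
        elif now - latest[system] > objective:
            age_hours = (now - latest[system]).total_seconds() / 3600
            violations[system] = round(age_hours, 1)
    return violations


def missing_offsite_copy(records):
    """Systems whose newest full backup has no copy outside the primary site."""
    newest_full = {}
    for r in records:
        if r["kind"] != "full":
            continue
        current = newest_full.get(r["system"])
        if current is None or r["completed_at"] > current["completed_at"]:
            newest_full[r["system"]] = r
    return sorted(s for s, r in newest_full.items() if not r["offsite"])


def untested_restore(records, max_age, now):
    """Systems with no successful restore test within `max_age` of `now`."""
    tested = {r["system"] for r in records
              if r["restore_tested"] and now - r["completed_at"] <= max_age}
    return sorted({r["system"] for r in records} - tested)


if __name__ == "__main__":
    recs = parse_catalog(CATALOG)
    print("RPO violations (hours since last backup):", rpo_violations(recs, RPO, NOW))
    print("No off-site copy of newest full backup:", missing_offsite_copy(recs))
    print("No restore test in window:", untested_restore(recs, RESTORE_TEST_MAX_AGE, NOW))
```

Run as a script, the report flags `fileserver` on all three requirements and `branch-pos` on RPO, while `erp-db` passes because its last incremental backup is two hours old and its full backup was restore-tested. The same three checks map directly onto audit evidence: the RPO gap is the number an auditor asks for, and the restore-test window is the control that distinguishes a plan from a tested plan.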
DRP versus BCP
Disaster recovery planning is one of the most important jobs of the IT professional. It includes working with upper management and winning the cooperation of all departments to make a working recovery plan. The two main parts are the Business Continuity Plan (BCP) and the Disaster Recovery Plan (DRP). These have to go hand-in-hand procedurally. The BCP focuses more on the schedule and timing of the DRP, so that in the event of a disaster the business can function normally. The three stages of a DRP are Prevent, Detect and Correct.
Disaster Recovery and Business Continuity: a critical part of enterprise operations
Disaster recovery is becoming an increasingly important aspect of enterprise computing. As devices, systems, and networks become ever more complex, there are simply more things that can go wrong. As a consequence, recovery plans have also become more complex. According to Janco Associates (the author of the Disaster Recovery Business Continuity Template), fifteen or twenty years ago, if there was a threat to systems from a fire, a disaster recovery plan might consist of powering down the mainframe and other computers before the sprinkler system came on, disassembling components, and subsequently drying circuit boards in the parking lot with a hair dryer. Current enterprise systems, however, tend to be too large and complicated for such simple, hands-on approaches, and interruption of service or loss of data can have a serious financial impact, whether directly or through loss of customer confidence.
Appropriate plans vary from one enterprise to another, depending on variables such as the type of business, the processes involved, and the level of security needed. Disaster recovery planning may be developed within an organization or purchased as a software application or a service. It is not unusual for an enterprise to spend 25% of its information technology budget on disaster recovery.
Nevertheless, the consensus within the DR industry is that most enterprises are still ill-prepared for a disaster. According to the Janco Associates Disaster Recovery Business Continuity web site, "Despite the number of very public disasters since 9/11, still only about 50 percent of companies report having a disaster recovery plan. Of those that do, nearly half have never tested their plan, which is tantamount to not having one at all."