US India Information Security Conference, October 12 and 13, 2004: Initiatives for Corporate Governance and Security

Transcript and Presenter's Notes
1
US India Information Security Conference
October 12 and 13, 2004
Initiatives for Corporate Governance and Security
Yogita Parulekar, Director, Global Information Security, Policy
2
Agenda
  • Corporate governance initiatives in the US
  • Relevance to Indian organizations
  • Initiatives within Oracle Corporation

3
Corporate governance initiatives in the US
  • Based on various:
    • Laws
      • Sarbanes-Oxley
      • Industry regulations such as GLB and HIPAA
      • State laws such as SB 1386
      • Regulations/standards for governmental agencies
    • Standards and guidelines
      • ISO 17799, BS7799
      • COBIT
    • Self-regulation initiatives
      • Information Security Governance framework by the
        Corporate Governance Task Force

4
Sarbanes-Oxley
  • Sweeping regulation impacting a variety of areas
    of corporate governance, including security
  • The words "computer" and "security" do not appear
    in the Act, but:
  • Section 302 requires the CEO and CFO to certify
    that the financial numbers are accurate and free
    of any material misstatement due to fraud or error
  • Section 404 requires management and the company's
    external auditors to attest to the operating
    effectiveness of internal control over financial
    reporting, so that financial statements are
    free of material misstatements
  • PCAOB Auditing Standard No. 2 governs the external
    auditors' assessment of the operating effectiveness
    of these controls
  • Applies even to companies that had no industry
    regulation governing security

5
Impact of SOX on security
  • Need to develop a security structure, policies,
    processes, and auditing and reporting mechanisms
  • Speedier adoption of frameworks such as ISO 17799
    and COBIT
  • Enhancements to software, and SOX-specific products

6
Relevance to Indian organizations
  • Parent company reporting needs
  • Customer/partner reporting needs
  • Reporting needs for those listed on the US stock
    exchanges
  • Strengths of Indian organizations
    • Reporting on internal controls under CARO 2003
      (previously MAOCARO)
    • Requirement of a Company Secretary/secretarial
      audit
    • Information Technology Act, 2000
    • BS7799 certifications held by most tier-one IT and
      ITeS companies

7
Relevance to Indian organizations
  • Areas where Indian companies/subsidiaries can gear up
    for better corporate governance and security
    • Board of Directors/Audit Committee role
    • Accountability of the Audit Committee, CEOs and
      CFOs
    • Controlling staff turnover
    • Awareness and training programs, along with
      disciplinary action
  • Areas for public-private joint initiatives
    • Privacy initiatives
    • Resources and training for law enforcement
      agencies
    • Regulations and/or standards for governmental
      agencies
    • Information systems auditing and security in
      university bachelor's programs with a major in
      management information systems
    • Availability of criminal records for background
      checking of potential employees

8
Initiatives within Oracle Corporation
  • SOX program office reporting to the Audit
    Committee
  • SAS 70 for On Demand customers
  • ISO 17799 alignment
  • COBIT
  • ICM
  • Whitepapers
  • Closer interaction of audit and security
    professionals with product development
  • BCMP initiatives
  • Privacy initiatives

9
Corporate Governance Task Force recommendations
  • National Cyber Security Summit: a public-private
    partnership
  • Self-regulation by the private sector in preference
    to government regulation
  • Recommendations issued in April 2004:
    • Adoption of the Information Security Governance
      (ISG) framework
    • Signal commitment to ISG with a statement on the
      company website
    • Encourage members to show commitment
    • Department of Homeland Security to endorse ISG
    • COSO to revise its Internal Control-Integrated
      Framework