Sarbanes Oxley and IT small business - PowerPoint PPT Presentation

1 / 36

About This Presentation

Title:

Sarbanes Oxley and IT small business

Description:

... other IT Audits by Michelle Johnston Sollicito michellesollicito_at_exceptiona.com ... IT Audits by Michelle Johnston Sollicito michellesollicito_at_exceptiona. ... – PowerPoint PPT presentation

Number of Views:67

Avg rating:3.0/5.0

Slides: 37

Provided by: MichelLe384

Category:

more less

Transcript and Presenter's Notes

Title: Sarbanes Oxley and IT small business

1
Sarbanes Oxley and other IT Audits
2
What Is Sarbanes Oxley?

Became law on 30 July 2002
Response to Enron scandal etc.
Aims to prevent fraud primarily
Also to protect the interests of workers and
shareholders
Only issuers must comply (i.e. companies that
must file periodic reports with SEC)
Small companies must comply by July 31, 2005
Listed (Public) companies had to be compliant by
end of 2004

3
What Is Sarbanes Oxley?

Non-issuers not affected?
Public Companies have to assert that their
partners / suppliers systems are secure /reliable
SAS70s (or other certifications) may be required
in takeover situations, asserting the state of
the smaller companys IT/Security
SAS70 Audit is very similar to a Sarbanes Audit
in many ways
SAS70 Audits can take 3-6 mths and cost anything
from 60k to 200k

4
What Is Sarbanes Oxley?

11 Sections in total
Sections 302, 401, 404, 409, 802 and 906 are key
404 is key to IT, requiring review of Internal
Controls (General Controls and Key Controls)
20 of the 2.5 billion spent on Sarbanes Oxley
is directly spent on IT

5
What Is Sarbanes Oxley?

Early stages right now, not mature
No standards to measure by
Audits are therefore relatively subjective right
now
Difficult to anticipate what Auditors will look
for
SEC, PCAOB and Accounting firms are trying to
work out the rules

6
What If We Dont Comply?

The buck stops with the CEO
The CFO should be worried too!
Both CEO and CFO must certify accuracy of
Financial statements
Must also disclose material changes to financial
considerations/operations
External Auditors disclose any Material
Weaknesses found in their letter accompanying
Financial Statements
Failure to do so can theoretically end up with
the CEO / CFO in jail
More likely to result in fines

7
How to Comply (Business Side)?

Be committed to ethical behavior in all areas of
business
Make sure Sales people are not overestimating
income to make themselves look good
Make sure it is clear what is real income and
what is forecast/predicted income
Make sure computer applications reflect reality
of financial info
Provide employees with a means of anonymously
reporting issues

8
How To Comply (IT Side)?

Conform to IT Best Practices
Carry out your own Internal IT Audit before the
Auditors arrive
Make this process repeatable as you will need to
do it at least annually

9
How To Comply (IT Side)?

Because no standards exist, rely on existing
frameworks to evaluate performance internally
COBIT
COSO
ISO 17789
Agree framework and approach with Auditors if
possible
Get advice from Independents and other Auditors
if possible
CISA
CISSP
CPA professionals

10
How To Comply (IT Side)?

Quick Overview of Solutions
Be committed to Best Practices / Industry
Standards
Take IT and Security very seriously at all levels
Keep staff well-trained/informed
Do regular internal audits and scans
Use Audit tools (see resources at the end)
Use Industry standard software where possible

11
How Real Is The Risk?

31 of all companies (private and public) have
experienced 1-3 major security breaches in the
past 6 months (CompTIA, early 2004)
Real number is HIGHER! Companies keep breaches
secret!

12
What Is The Biggest Risk?

Not having good security procedures?
Having good security procedures that are not
followed?
Terrorism?
Hackers?
Internal misuse/errors?
Viruses/worms?
Trojan Horses?

13
Biggest Risk? Internal Users!

Human error is the most significant cause of IT
security breaches (63)
Research shows that good training would be the
most effective way of improving security in most
organizations
Employee fraud is
next on the list

Computing Technology Industry Assoc (CompTIA)
14
Biggest Risk? Internal

Internal security breaches seen as a much bigger
threat than external ones by 51 of respondents
to an Oracle/Institute of Directors survey

Threat can be to
Fraud
Data theft
Privacy of data
Corruption of data
Loss of data integrity
Loss of data altogether
Loss of whole system!

15
What Are IT/Security Audits?

Security is the sum of
Access controls
Authentication methods
Availability of data/systems
Confidentiality of data/info
Data Integrity
Non-repudiation of transactions
Policies
Reliability of data/systems
IT Controls include
Documentation
Source code control/change mgt
Hardware/software management
Testing

16
What Are IT/Security Audits?

Determine Policy
Use documents (Policies, Standards, Guidelines
etc)
Ask those at the top of the company
Audit
Determine if the policy is followed
Use testing to determine this
Perimeter scans
Sample testing
Code reviews
Automated tools
Report (to Mgt first, then Auditors)
Exceptions
Remediation
Action
Determine a plan for putting right exceptions
Determine project plans for Remediation work

17
Solutions? Company Policies

Chase up references
Do background/ security checks on staff
Check out Temp staff carefully
Give Temp staff limited access
Get staff to signup to security policy
Switch off rights of ex-employees
Ensure it is very clear which staff have which
roles and responsibilities, and try to limit the
power of individuals

18
Solutions? Training

Good, effective training
Training is an ongoing process
Train employees in what NOT to say to an Auditor
too!
Poster campaigns, newsletter updates etc. can
provide effective security training

66 per cent believe that staff training/certificat
ion has improved their IT security, primarily
through increased awareness, as well as through
proactive risk identification (sourceCompTia)
19
Solutions? Company Policies

IT Security Policies
Lock sensitive documents/disks away
Physically secure laptops and PCs
Ensure passwords are not written down
Employee records/contracts etc hidden
No wireless access to the network unless
using secure protocols

20
Solutions? Physical Security

Visitors/guests accompanied at all times
Reception area manned at all times
All staff must wear a pass
Access to work areas by pass only
Access to sensitive areas by keycode
Servers housed in a room with no windows,
inaccessible to unauthorised personnel, air
conditioned with failover power, fire prevention
and a failover facility

21
Solutions? Access Controls

Use roles and groups
Restrict access to minimum possible
Use VPNs to allow external access
Keep intranet protected from internet using
Firewalls

Enforce policy on passwords
change regularly
not easy to guess
minimum length
must contain numerics
cant reuse

22
Solutions? Application Security

Access Controls
Authentication (userid and password)
Digital keys (public and private)
Access to info by user class

Code quality
Programmers should be well-trained and security
aware
Code walkthroughs
Testing/QA procedures
Source code control/version control
Bug/defect tracking

23
Solutions? Browser and Mail

Internet Explorer Permissions
Internet Options -Security Zones
Internet Options-Privacy
Internet Options-Advanced
Enforce default policy for IE across company
Dont open email from anyone you dont know
Dont download files/attachments from emails or
web pages unless from a trusted source (esp
.exe or .vbs files)

24
Solutions? Network Security

Ensure your network staff are well-trained
Keep software/patches up to date
Ensure your network is protected via Firewalls,
NATs, Port controls etc.

25
Solutions? Web Server Security
26
Solutions? Software

Install protection software
Firewalls
Proxy Servers
Anti-Virus software
Update key software regularly
Web servers
Operating systems
Mail software
Anti-virus software
Dont forget patches!!

27
Solutions? Software

Use SSL (Secure Socket Layer)
Protects private information
Encrypted using digital key
Especially for payment data
Use public/private keys
To authenticate parties
To encrypt data
To digitally sign documents
Some have whole infrastructures

Verisign Onsite Managed Trust Services
28
Solutions? Spreadsheets

Access Controls
Stored in directories accessible only by
authorized users
Sensitive spreadsheets should be password
controlled
Lock formulae so that they cant be changed

Reviews
Someone should be responsible for checking
formulas, testing spreadsheet results at regular
intervals
Backup/recovery
Ensure backed up regularly
Test restores

29
Solutions? Disaster Recovery

Redundancy essential
Of servers, firewalls, hubs, routers, air
conditioning, power
Of ISP (in case ISP fails!)
Physically separate location for failover
Have disaster recovery plans
Test those plans!
Test those plans regularly!

Video on Security and Company Policies
http//webevents.broadcast.com/ZDAUwebcast/enemy/i
ndex.asp?loc1
30
Solutions? Documentation

Clearly document procedures esp Finance or IT
related
Ensure documentation is up to date
Ensure staff know where to locate documentation
Ensure staff follow company procedures and know
what to do in exception circumstances
Keep full document trails of everything
Ensure system audits are generated by software,
are kept and are reviewed regularly

31
Solutions? Monitor Usage