Evolving IT Framework Standards - PowerPoint PPT Presentation

Provided by: CWK7
Slides: 10

1
Evolving IT Framework Standards (Compliance and IT)
2
Sarbanes-Oxley
  • The United States has clear legislation for
    compliance in Information Technology.
  • It is called Sarbanes-Oxley, and the basis of
    that law follows.

3
Regulatory and Standards Compliance: Sarbanes-Oxley
  • The Sarbanes-Oxley Act of 2002 establishes new
    standards for corporate boards and audit
    committees.
  • Section 404: Management Assessment of Internal
    Control.
  • Sarbanes-Oxley compliance is based on effective
    and efficient business processes, including the
    IT environment, enabled by properly designed and
    implemented technology and executed by competent
    people.
  • "Electronic paper trails" are necessary to
    ensure compliance.
  • From an IT perspective, the key to compliance is
    the documentation, monitoring, and management of
    the compliance control architecture.

4
Regulatory and Standards Compliance: 21 CFR Part 11
  • 21 CFR Part 11: Electronic Records and
    Electronic Signatures.
  • The FDA specified its requirements for accepting
    electronic records in lieu of paper records.
  • It requires IT to design and qualify networks
    and the associated infrastructure and to operate
    them in a compliant manner.

5
Regulatory and Standards Compliance: ISO 17799 and
BS 7799 > ISO 27000 series
  • ISO/IEC 17799, Information Technology: Code of
    Practice for Information Security Management,
    offers guidelines and voluntary directions for
    information security management.
  • BS 7799-2:2002, Information Security Management
    Specification with Guidance for Use, is a
    standard specification for Information Security
    Management Systems (ISMS).
  • An ISMS is the means by which senior management
    monitors and controls their security, minimizing
    residual business risk and ensuring that security
    continues to fulfill corporate, customer and
    legal requirements. It forms part of an
    organization's internal control system.

6
Regulatory and Standards Compliance: ISO 17799 >
ISO 27000 series
  • 132 controls under 11 sections (major headings):
      • Security policy
      • Organization of information security
      • Asset management
      • Human resources security
      • Physical and environmental security
      • Communications and operations management
      • Access control
      • Information systems acquisition, development
        and maintenance
      • Information security incident management
      • Business continuity management
      • Compliance

7
Regulatory and Standards Compliance: ISO 17799 >
ISO 27000 series
  • Section 5: Physical and Environmental Security
    (objectives)
      • To reduce risks of human error, theft, fraud
        or misuse of facilities
      • To ensure that users are aware of information
        security threats and concerns and are
        equipped to support the corporate security
        policy in the course of their normal work
      • To minimize the damage from security
        incidents and malfunctions and learn from
        such incidents

8
Regulatory and Standards Compliance: ISO 17799 >
ISO 27000 series
  • Section 6: Computer Network Management
    (objectives)
      • To ensure the correct and secure operation of
        information processing facilities
      • To minimize the risk of systems failures
      • To protect the integrity of software and
        information
      • To maintain the integrity and availability of
        information processing and communication
      • To ensure the safeguarding of information in
        networks and the protection of the
        supporting infrastructure
      • To prevent damage to assets and interruptions
        to business activities

9
Regulatory and Standards Compliance: ISO 17799 >
ISO 27000 series
  • Section 9: Business Continuity and Disaster
    Recovery Planning (objectives)
      • To counteract interruptions to business
        activities and interruptions to critical
        business processes from the effects of major
        failures or disasters