Sarbanes Oxley Compliance Kit
The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the highest levels of management now comfortably discuss IT controls and audit results. However, their quality expectations are rising. Where IT once performed audits annually, many now support quarterly, monthly, and ad hoc exercises. Each audit expands the scope of the technologies assessed, measured, and proven compliant. Broader scope means more complexity and more work. With the Sarbanes Oxley Compliance Kit you can increase the timeliness and accuracy of audit data while reducing IT audit effort, disruption, and cost.
Sarbanes-Oxley Section 404 requires that:
- Enterprises have an enterprise-wide security policy;
- Enterprises have enterprise-wide classification of data for security, risk, and business impact;
- Enterprises have security-related standards and procedures;
- Enterprises have formal security-based documentation, auditing, and testing in place;
- Enterprises enforce separation of duties; and
- Enterprises have policies and procedures in place for Change Management, Help Desk, Service Requests, and changes to applications, policies, and procedures.
To meet these needs the Sarbanes Oxley Compliance Resource Kit, which comes in four editions (Standard, Silver, Gold, and Platinum), contains:
- Security Policies (all editions);
- Threat & Vulnerability Assessment Tool (all editions);
- Business & IT Impact Questionnaire Risk Assessment Tool (all editions);
- Safety Program Template (all editions);
- Disaster Recovery Template (all editions);
- Outsourcing guide, updated to reflect what your vendors need to do (all editions);
- Software tool to monitor key data files (all editions);
- Internet and IT Job Descriptions (Silver, Gold, and Platinum Editions); and
- IT Service Management Template (Platinum Edition).
The Disaster Recovery Plan (DRP) template can be used for any enterprise. The DRP template is sent to you via e-mail in WORD and/or PDF format. Included is a Business Impact Questionnaire as well as a full Job Description for the Disaster Recovery Manager.
The plan is 178 pages and includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirements. The electronic document includes proven written text and examples for your security plan.
The 220 Internet and IT Position Descriptions are in Word for Windows format. They include positions from CIO and CTO to Wireless and Metrics Managers. All of the positions in the book have been created to reflect the technology world of today.
The IT Service Management Template contains policies, standards, procedures, and metrics for Change Control, Help Desk, and Service Request processing. The ITSM template also contains several easy-to-implement forms and conforms with ITIL.
The plan is 60 pages and includes everything needed to customize the Safety Program to fit your specific requirements. The Safety Program was updated in December of 2004 and reflects the latest issues associated with the most recent legislation (Sarbanes Oxley).
Sarbanes-Oxley Issues and News
IT Pros can advance in general company management - February 24th, 2014
Because technology touches so many aspects of most organizations, an IT background can be an advantage, a steppingstone to other areas of your business. To advance, look at change as an opportunity to grow. Sure, change means stepping out of your comfort zone, but you'll likely be glad you altered your career mindset.
Once you become known as an able business chameleon, you'll have a good shot at being offered new opportunities. What's more, there's no better training to be a CIO -- if that's even your goal -- than to work in many areas of business.
Understanding the business goals of different branches of an organization is the most important nontechnical skill a senior IT leader can master.
If you follow this kind of career path, look for experienced mentors to help you along the way.
How Compliance Impacts Backup Strategy - February 17th, 2014
Given the concurrent explosion of digital information and compliance requirements, having a sound, workable backup and restore policy is essential. When a disaster occurs, whether that be a terrorist attack, a hurricane, or just human error, having and enforcing a backup strategy can get you quickly back in business.
Target breach described in detail - February 6th, 2014
According to Krebs, sources close to the investigation said the attackers first gained access to Target's network on Nov. 15, 2013 with a username and password stolen from Fazio Mechanical Services, a Sharpsburg, Pa.-based company that specializes in providing refrigeration and HVAC systems for companies like Target.
Fazio apparently had access rights to Target's network for carrying out tasks like remotely monitoring energy consumption and temperatures at various stores.
The attackers leveraged the access provided by the Fazio credentials to move about undetected on Target's network and upload malware programs on the company's Point of Sale (POS) systems.
The hackers first tested the data-stealing malware on a small number of cash registers and then, after determining that the software worked, uploaded it to a majority of Target's POS systems. Between Nov. 27 and Dec. 15, 2013, the attackers used the malware to steal data on about 40 million debit and credit cards. U.S., Brazil and Russia.
Social Media Digest - Current Articles - January 20th, 2014
- Include Social Media in Your Business Continuity Plans - 6 Ways to Utilize Social Media Before a Disaster Strikes, by Adam Crowe. When creating a disaster recovery plan include social media. Simple things like...
- Social media policy needed to meet internal audit requirements - Social Media Policy is Missing in Over 50% of all Organizations. Internal audit has never been easy, and a recent survey shows that 43% of...
- CIO challenge: how to manage the social media risks - CIOs are faced with new social media risks. Analysts are predicting that by 2016 as...
- 10 steps to jump start your business continuity planning - 10 steps to jump start your BCP. For many businesses there is some technology component that allows them...
- 10 best practices in managing social networks and relationships - 10 Best Practices in Managing Social Networks and Social Relationships. Social networks provide an opportunity to communicate electronically with both personal and business associates. Done...
Some say IT spending to rise in 2014 - January 6th, 2014
Global spending on information technology is expected to rise 3.1% to $3.8 trillion in 2014, up from growth of just 0.4% last year, according to one research firm.
The enterprise software group is expected to show the fastest growth, with sales rising 6.8% to $320 billion, a plus for industry leaders that include Oracle (ORCL) and Salesforce.com (CRM).
The increased spending on enterprise software is coming partly from the growth in Big Data, a term used to describe how companies are using software and related services to better comprehend massive inflows of digital information from numerous sources.
Compliance is driven from the top down - December 15th, 2013
Compliance is driven from the top down. Executive Management is the prime mover.
The tone at the top is vital, with communication from top management into the middle management team. Some best practices that can periodically reinforce compliance with various policies include middle management setting aside a short part of a staff meeting to discuss a specific policy relative to actual business behavior. Training is valuable, yet people need to know what compliant behavior looks like in their daily work.
Anonymous moves from net to physical space - November 6th, 2013
Hundreds of protests around the world sprang up in what the hacking collective Anonymous called the "Million Mask March." Donning Guy Fawkes masks, the demonstrators' goal was to "defend humanity."
The protests were scheduled for 450 cities and towns worldwide -- from Tampa, Fla., to Amsterdam to Mumbai. According to the group's Facebook page, the demonstrations were meant to help people "remember who your enemies are: billionaires who own banks and corporations who corrupt politicians who enslave the people in injustice."
In Washington, D.C., demonstrators chanted "Obama. Come out. We've got some **** to talk about," according to NBC News. In Chicago, police and protesters exchanged hugs. While in Denver, a handful of arrests were made after it was reported that a building was being vandalized, according to the Denver Post.
In promoting the march, Anonymous said that violence would not be tolerated. The group even published an "advance disclaimer" saying, "Anonymous is a peaceful movement and is not affiliated with the rogue DC Citizen's Action to take the United States President, Congress, and US Supreme Court Justices Hostage."
Despite a few arrests here and there, it appears the protests have stayed relatively peaceful.
SLA is key to transforming IT Infrastructure - October 29th, 2013
Midmarket organizations are transforming their IT infrastructure to better accommodate the needs of the business. Two major pieces of this transformation are virtualization and cloud computing, which rely heavily on network performance to ensure success. However, in many cases, these organizations lack the tools to properly monitor virtualized environments in order to meet SLAs.
- In many organizations less than 10% of the IT budget is actually spent on initiatives and IT Service Management (ITSM) that bring value to the enterprise.
- It is not a question of how much is invested in computer systems but of the effectiveness of the spending and the service levels provided.
- Focusing the ways that IT is measured (metrics) on an enterprise's value drivers improves competitiveness.
- ROI/TCO-type measurements should not be used in isolation because they ignore elements such as service levels provided, risk, and IT capability.
- IT investment must be measured not only at the inception of initiatives but also throughout the project life cycle and service delivery process.
Delivering quality IT service and measuring IT's performance cost-effectively is a difficult and time-consuming exercise. Many enterprises believe that they do not have the time, money, or resources to initiate and monitor the necessary processes. However, enterprises cannot determine how much something is worth unless its value can be quantified.
CIO Challenges - October 7th, 2013
In the face of rapidly and unpredictably changing technologies, success in IT is driven by leadership and delivery skills that take full advantage of these changes. Big data, cloud, mobility and the consumerization of IT are just current examples of this technological change.
IT has been caricatured as being slow, expensive, operationally obsessed, and rabid-dog opposed to experimentation. The IT mind, it is said, flees from change, loathes ambiguity, delights in absolutes, and insists on .999 certainties. This is wrong! CIOs are uniquely situated to create value in a world defined by uncertainties, business model disruption, and frequent Black Swan events.
To thrive in a dynamic industry you must keep learning. Since organizations learn when their teams learn, the real action is in the team. How does a healthcare CIO lead a learning organization and what are the first steps?
Federal healthcare reform laws oblige hospitals, clinics, insurance companies and employers to adopt uncertain business models. And in an industry where the person receiving the service is not the one paying for it, determining a working model for the future is fraught with alligators. Health system executives across the country are taking up the challenge with serious deliberation and urgency.
Near Field Communications (NFC) vs Touch ID - September 11th, 2013
Apple has chosen to implement a unique new fingerprint sensor, the Touch ID, which allows a simple touch of a finger to unlock the phone or to make purchases from the App Store and the iTunes and iBooks retail sites. It's faster than typing a password.
Leaving out near field communication (NFC) technology in the newest iPhone also creates challenges for Google Wallet and Isis, a consortium of wireless carriers that are trying to roll out an NFC mobile payment system nationally.
Apple has once again dismissed the mobile wallet and data-sharing capabilities of NFC technology. Meanwhile, NFC is being used in dozens of new Android phones, such as the Samsung Galaxy S4, and in phones running the BlackBerry and Windows Phone operating systems.
Apple's decision is clearly the result of a long-term competitive strategy based on a projection of how the mobile payments business will evolve. The move serves to benefit Apple most of all, analysts said.
Touch ID will help push purchases to Apple's content stores, and the company's decision to use that technology says that Apple has decided that fingers are better than near field radios for ensuring that transactions are secure.