Best Practices For World-Class I/T Governance
2. Section 302 requires reporting any act of fraud; a data breach would require that it be included in a company's annual and quarterly reports;
[Table: regulations and standards by category]
FINANCIAL: SOX; JSOX; Loi de Sécurité Financière (LSF); Combined Code; German Corporate Governance Code; Bill 198
PRIVACY: GLBA; PIPEDA; EU Data Directive; HIPAA; California SB 1386
INDUSTRY: OSHA; NRC Title 10 CFR Part II; Basel II; NASD; OMB A-123; Solvency II
IT CONTROLS: NIST; FISMA; FFIEC; PCI (VISA/MC CISP); ISO 17799
AML: Bank Secrecy Act; PATRIOT Act; OFAC Guidelines; Money Laundering Control Act; 12 CFR 21.21
HR/LEGAL: Anti-Discrimination; FLSA; COBRA; Harassment; Medicare/Medicaid; Stock Options Policies
[Chart: cost of equity capital by control-weakness status. Categories: reported control weakness 2004-05; no control weaknesses in 2004-05; control weakness in 2004, but none in 2005. Data labels shown: 28%, 26%, 6%. Callout: $10 million in higher cost of equity capital. Source: General Counsel Roundtable, 2006]
The GAIT guidance is based on a set of four IT principles that the IIA says are consistent with the top-down, risk-based approach advocated by PCAOB. Two of those principles are:
- IT risks that need to be identified exist in processes at various IT layers: application program code, databases, operating systems, and networks; and
- Risks in IT control processes are mitigated by the achievement of IT control objectives, not individual controls.
IT Governance Defined
It is the Board and Senior Management's responsibility in relation to IT to ensure:
- IT Risk Management
- Application/Access Control Management: enforce enterprise-wide application access controls.
Confidential-Oracle Highly Restricted
10
The Problem:
- Must verify that employees do not have the ability to execute functions or access applications that should be logically separated.
- User functions, which also include access to the underlying technology/data, should also be segregated.
- Companies must institute an enterprise provisioning process that will prevent incompatible functions from being assigned upon hiring or upon an internal job transfer.
- Library of potential vulnerabilities.
Niche Solution:
- No central repository of rules across applications
- Enterprise integration & upgradeability
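The provisioning problem above (incompatible functions assigned at hire or transfer) and the niche-solution gap (no central rule repository across applications) can be illustrated with one small segregation-of-duties checker. This is an added example, not Oracle's code or part of the original deck; the rule library, the entitlement-to-function mapping and the user data are all constructed, and the data model (an entitlement is an application/privilege pair mapped to the business function it grants) is an assumption.

```python
"""Added example (not Oracle's code): a central SoD rule library evaluated at
provisioning time and over the existing user population.  Assumed data model:
an entitlement is an (application, privilege) pair mapped to the business
function it grants; a rule names two functions one person must not hold."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SodRule:
    name: str
    func_a: str
    func_b: str

# Constructed rule library: one repository spanning ERP, HR, ITSM and the OS layer,
# so a conflict is caught even when its two halves live in different applications.
RULES = [
    SodRule("create vendor / release payment", "vendor.create", "payment.release"),
    SodRule("edit payroll / approve payroll", "payroll.edit", "payroll.approve"),
    SodRule("deploy change / approve change", "change.deploy", "change.approve"),
]

# Constructed mapping: which business function each application privilege grants.
FUNCTION_OF = {
    ("erp", "AP_VENDOR_MAINT"): "vendor.create",
    ("erp", "AP_PAYMENT_RUN"): "payment.release",
    ("hr", "PAYROLL_ADMIN"): "payroll.edit",
    ("hr", "PAYROLL_APPROVER"): "payroll.approve",
    ("unix", "wheel"): "change.deploy",        # root-capable group on the OS layer
    ("itsm", "CAB_APPROVER"): "change.approve",
}

def violations(entitlements):
    """Names of rules broken by one person's combined entitlements, across applications."""
    funcs = {FUNCTION_OF[e] for e in entitlements if e in FUNCTION_OF}
    return [r.name for r in RULES if r.func_a in funcs and r.func_b in funcs]

def check_request(current, requested):
    """Preventive gate for hires and transfers: evaluate what the person would hold
    after the grant, not the request in isolation.  Returns (approved, conflicts)."""
    conflicts = violations(set(current) | set(requested))
    return not conflicts, conflicts

def sod_monitor(users):
    """Detective control over the existing population: user -> broken rules."""
    return {u: violations(e) for u, e in users.items() if violations(e)}

if __name__ == "__main__":
    old = {("hr", "PAYROLL_ADMIN")}        # role from the previous job
    new = {("hr", "PAYROLL_APPROVER")}     # role requested on transfer
    print(check_request(old, new))         # (False, ['edit payroll / approve payroll'])
    print(check_request(set(), new))       # (True, []) once the old role is revoked
```

The transfer case is the one hiring checks never see: the request is clean on its own and only conflicts when combined with access that was never revoked.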
[Diagram: GRC solution/framework areas]
Service/Resource Management
Change Control Management: definition and management of change control policies; ensure that change control policies are being adhered to
Project Portfolio Management
IT Service/Resource Management: map and report on applications/infrastructure and supported services and business processes
GRC Solution/Framework
[Diagram: GRC solution components, as labelled: Corporate Performance Management; Financial Consolidation Hub; Balanced Scorecard; Portal, Daily BI; Policy Management; iLearning; Stellent UCM; Reveleus; iSurveys; BAM; Project Portfolio Management; Content Management; Tutor; Stellent URM; Identity Manager / UMX; Access Manager; GRC Intelligence; Hyperion; Stellent UCM; Identity Management; Identity & Role Administration; Identity Federation; Audit Vault; GRC Intelligence]
[Diagram: Data Protection components, as labelled: Directory Security; Data Vault; Database Security; Sealed Media; Data Encrypted; classification-based access so users see only data authorized to view; encrypted data on backup media]
[Diagram: identity management architecture, as labelled: External (SOA Apps); Internal; Customers; Partners; Auditing and Reporting; IT Staff; Employees; Access Management; Identity Administration; Directory Services; Identity Provisioning; Applications; SOA Apps; Monitoring and Mgmt; ERP; CRM; OS (Unix); HR; Mainframe; NOS/Directories]
[Diagram: identity and access control capabilities by phase]
Lockdown Systems/Processes: provisioning policy; denial policy; approval workflow; provisioning workflow; request process; identity mapping; role management; SoD enforcement; policy-driven attestation; centralized control; delegated admin
Control Access Points: access policy; single sign-on; password management; session logging; AuthN provider; AuthZ provider; federation; multi-factor authN
Manage Exceptions: rogue account discovery; exception-based process automation; alerts; event management; SoD monitoring; exception reporting; exception attestation
Deploy Safety Mechanisms: attestation of entitlements; attestation of access logs; redundant controls; matrix attestation; trending analysis; baselining & benchmarking; scheduled reports; compliance dashboard
Validate Controls: attestation of roles; attestation of policies; attestation of rules; attestation of workflow; attestation gap analysis; access-entitlement comparison analysis; SoD policy synchronization
[Diagram: change management steps and supporting processes, as labelled: Reduce/Eliminate Access; Document New Change Policies; Notify all Stakeholders; Create Change Windows; Stabilize Environment; Repeatable Build Libraries (Infrastructure, Applications); Lockdown Changes; Inventory all Services & Assets; Incident Mgmt; Resolution Mgmt; Change Mgmt; Release Mgmt; Project Portfolio Mgmt]
[Diagram: configuration management cycle]
Gather: centrally collect configuration information and track changes
Model
Reconcile: evaluate configurations against best-practice policies
Enforce
Audit
Recipient Policy
Deploy certified configurations, patches, and images across all systems
[Diagram: Oracle Solutions control data model, as labelled: Process; IT Service; ITIL Category; Sub-Process; Control Objective; Risk; Applications; People; Infrastructure; Control; KRI Values; Test Plan; Test Results; AAC; Incidents; ACC; Questions]