
SOX & ISO 27001

Protect your data and be ready to be audited!!!


Agenda

• What is SOX Compliance?
• Why audit IT controls?
• IT Controls
• Failure of SOX controls
• What is ISO 27001?
• Why be ISO 27001 compliant?
• Certification timeline
• Security Domains + More
• Risk Assessment

1 of 17
SOX Compliance

• SOX stands for “Sarbanes–Oxley”
• Legislation enacted in 2002
• All about financial data
• It was designed to:
  – protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise
  – improve the accuracy of corporate disclosures

Image Source: Google Images

2 of 17
SOX Compliance

Who must comply:
• All public companies in the U.S.
• International companies that have registered equity or debt securities with the SEC
• Accounting firms that provide auditing services to them

Information Source: web.cba.neu.edu
Image Source: Google Images
3 of 17
Why audit IT Controls?

[Diagram: System A and System B feed Financial Data]

Is the data reliable?
Is the data complete & accurate?
Can we trust the data coming out of the systems?
4 of 17
IT Controls

[Diagram: Application → Report, with Databases (storing or processing financial data) underneath]

Application Controls
E.g. the “Flight tickets sold” report is complete and accurate.

General IT Controls (GITCs) – key domains:
• Access to programs and data
• Program Changes
• Program Development
• Computer Operations
5 of 17
IT Control: Access to Programs & Data

Controls tested:
1. Password policy (best practices)
2. SoD (restricted access)
3. Terminations; New Hires; Transfers

Steps:
1. Test of Design
2. Test of Effectiveness

Key Inputs:
– Password settings
– List of users/administrators with full/admin access
– List of new hires/terminated/transferred users

Testing technique used: Sampling

Outputs: Control is effective or Not effective

Impact on Financials?
6 of 17
IT Control: Program Changes

Controls tested – changes are:
1. Tested
2. Approved

Steps:
1. Test of Design
2. Test of Effectiveness

Key Inputs:
– Change Management Process
– List of system-generated database changes

Testing technique used: Sampling

Outputs: Control is effective or Not effective

Impact on Financials?
7 of 17
Failure of SOX Controls (IT & Non-IT)
• Deficiency: A control breakdown prevents management or employees from preventing or detecting
financial misstatements within a reasonable time frame.

• Significant deficiency: An important control is not working and the organization's ability to initiate, record,
process, or report financial data to the public is compromised. In addition, a significant deficiency may
prevent compliance with generally accepted accounting principles (GAAP). A significant deficiency must be
reported to the audit committee of the board of directors.

• Material weakness: One or more control failures at this level will result in a 404 failure. A material
weakness represents, according to the AICPA, "more than a remote likelihood that a material
misstatement of the financials will not be prevented or detected." The control failure must be reported to
the audit committee of the board of directors as well as the investing public (via the 10K). Material
weaknesses usually, but not always, arise from business practices rather than IT control failures.

IT is expected to pass with few deficiencies, no significant deficiencies, and certainly no material weaknesses.

Source: http://www.ittoday.info

8 of 17
Key Points to remember…
For a successful SOX audit

Database Administrators:
– You are responsible for the security of the databases!
– Follow enterprise-wide processes for adding/removing/updating access
– Follow the enterprise-wide process for Password Management
– Follow the enterprise-wide process for Change Management
– Do not use shared accounts
– Make sure logging/auditing is available on the databases
– Be prepared to provide audit evidence & support

9 of 17
Next Topic

ISO 27001
2-3 minutes break before we proceed

Image Source: http://www.glasbergen.com

10 of 17
Agenda

• What is SOX Compliance?
• Why audit IT controls?
• IT Controls
• Failure of SOX controls
• What is ISO 27001?
• Why be ISO 27001 compliant?
• Certification timeline
• Security Domains + More
• Risk Assessment

11 of 17
ISO 27001

• ISO 27001:2013 is an information security standard
• It is a specification for an information security management system (ISMS)
• It is designed to protect ANY* kind of required information

*scope is defined by the organization

12 of 17
Why be ISO 27001 compliant?
Some reasons may include:

• Maintain ISO 27001 Certification

• Protect Employee PII Data

• Protect Consumer PII Data

• Comply with applicable privacy and security laws

• Satisfy contractual obligations

• Be prepared to deal with changing threats with respect to new cloud-based services

• Streamline Processes and adopt best practices

13 of 17
Certification Timeline

Example timeline: 3-year cycle

2012 Original Certification: Full Audit
2013 Surveillance Audit: High-level audit maintaining the certificate
2014 Surveillance Audit: High-level audit
2015 Re-Certification: Full Audit

14 of 17
Security Domains + more

Security Domains – ISO 27001:2013 version, Annex A (114 controls in total)

1. Scope, Information Security Management System
2. Information Security Policies (A.5)
3. Organization of Information Security (A.6)
4. Human Resource Security (A.7)
5. Asset Management (A.8)
6. Access Control (A.9)
7. Cryptography (A.10)
8. Physical and Environmental Security (A.11)
9. Operations Security (A.12)
10. Communications Security (A.13)
11. System Acquisition, Development, and Maintenance (A.14)
12. Supplier Relationships (A.15)
13. Information Security Incident Management (A.16)
14. Information Security Aspects of Business Continuity Management (A.17)
15. Compliance (A.18)

& risk assessment…

15 of 17


Risk Assessment

Asset Based Risk Assessment – Applicable to the Database Team

# | Document | Purpose | Owner
1 | Asset Register | Identify critical business information, where it exists, and who owns it | Database Team
2 | Risk Assessment | Identify potential data loss or security threats and the resulting impact to the business | InfoSec, Database Team
3 | Risk Treatment Plan (RTP) | Define the preferred procedure the organization should follow in the event of a security breach. Additional security controls to be implemented are recommended here. | Database Team
4 | Implementation Procedure | Lists all current controls in place to ensure security. Once additional controls from the RTP are implemented, they will be added here. | Database Team

Note: lists all applicable controls from the previous slide (Annex A).

Risk treatment options:
• Accept
• Mitigate
• Transfer
• Avoid

16 of 17
Discussion

Image Source: http://www.glasbergen.com

17 of 17