COBIT/Sarbanes-Oxley Security Policy Solutions
Organizations can save thousands of dollars and hundreds of man-hours using our publications to help comply with Sarbanes-Oxley or other corporate governance laws. Organizations adopting the COBIT™ framework for internal audit and control can use our library of pre-written information security policies and job descriptions to build, document and maintain a culture of IT governance.
Control activities are the policies, procedures and practices that are put into place to ensure that business objectives are achieved and risk mitigation strategies are carried out. Control activities are developed to specifically address each control objective to mitigate the risks identified. – IT Control Objectives for Sarbanes-Oxley, ISACA
Information Security Policy Library
Information security policies are the documented control objectives that form the foundation of IT governance. Information Security Policies Made Easy provides a complete set of security policies that cover each of the COBIT control areas. Organizations can save time and money by customizing our library of over 1500 pre-written information security policies.
Define and Document Security Roles and Responsibilities
According to the PCAOB Auditing Standard, effective governance requires information security roles and responsibilities to be defined and documented. Information Security Roles and Responsibilities Made Easy provides expert guidance and pre-written templates that can save your organization hundreds of hours of effort in developing your information security organization.
Security Policies and Sarbanes-Oxley Controls
Information Shield publications are focused on the controls in Sarbanes-Oxley, Section 404. Information Security Policies Made Easy (ISPME) provides a comprehensive list of over 1500 security controls via detailed security policy and standard statements. Information Security Roles and Responsibilities Made Easy (ISRRME) provides expert advice on building a security organization that can effectively manage these security controls.
As both the COBIT and COSO frameworks define a proper control environment, both written information security policies and documented roles and responsibilities are critical to success. Policies and procedures with no defined security roles guarantee non-compliance. Security personnel without clear responsibilities and a tie to the overall compliance organization will be ineffective.
The following specific sections (marked with a **) of the COBIT Framework are addressed by specific controls in Information Shield publications:
PLAN and ORGANISE
1.0 Define a Strategic IT Plan
2.0 Define the Information Architecture **
3.0 Determine Technological Direction
4.0 Define the IT Processes, Organization and Relationships **
5.0 Manage the IT Investment
6.0 Communicate Management Aims and Direction **
7.0 Manage IT Human Resources **
8.0 Manage Quality
9.0 Assess and Manage IT Risks **
10.0 Manage Projects
ACQUIRE and IMPLEMENT
1.0 Identify Automated Solutions
2.0 Acquire and Maintain Application Software **
3.0 Acquire and Maintain Technology Infrastructure **
4.0 Enable Operation and Use **
5.0 Procure IT Resources
6.0 Manage Changes **
7.0 Install and Accredit Solutions and Changes **
DELIVER and SUPPORT
1.0 Define and Manage Service Levels
2.0 Manage Third-Party Services **
3.0 Manage Performance and Capacity **
4.0 Ensure Continuous Service **
5.0 Ensure Systems Security **
6.0 Identify and Allocate Costs
7.0 Educate and Train Users **
8.0 Manage Service Desk and Incidents **
9.0 Manage the Configuration
10.0 Manage Problems
11.0 Manage Data **
12.0 Manage the Physical Environment **
13.0 Manage Operations **
MONITOR and EVALUATE
1.0 Monitor and Evaluate IT Performance **
2.0 Monitor and Evaluate Internal Control **
3.0 Ensure Regulatory Compliance **
4.0 Provide IT Governance **
Our publications provide the security thread that runs through the various control requirements of COBIT. For example, for Install and Accredit Solutions and Changes, ISPME provides detailed policies and standards for defining a secure baseline for new systems, and ISRRME provides detailed job requirements for the security personnel responsible for installing and accrediting systems.
For more information on using Information Shield solutions for your compliance efforts, please contact us.