Sarbanes-Oxley compliance and the RFI/RFP development process set an international standard in the industry. This article clearly states the happenings.
Read More...
http://goo.gl/7cfs5T
Sarbanes-Oxley Compliance and the RFI/RFP Process

In 2001, most of the world became familiar with Enron, an energy company from Houston, Texas. The company gained notoriety as the largest bankruptcy up to that point, caused by irregular accounting practices that bordered on fraud. Because of public outrage over this and several other accounting scandals, such as the WorldCom scandal that followed shortly after Enron, the United States federal law “Sarbanes-Oxley Act of 2002”, commonly known as SOX, was enacted on July 30, 2002 (Addison-Hewitt Associates, 2006). The law introduced major changes to the way public companies conduct and report their business, and held upper management personally accountable for the information reported to investors.

The law consists of eleven titles, six of which concern compliance, namely sections 302, 401, 404, 409, 802, and 906. Sections 302 “Corporate Responsibility for Incident Report” and 404 “Management Assessment of Internal Controls” are very important to IT operations, as they are concerned with the accuracy, privacy, and security of financial records. Cannon and Byers (2006) state that verification is the essence of compliance: it is simply a matter of ensuring that the company’s processes are executed as intended. Cannon and Byers (2006) recommend a four-step process for compliance. The first step in ensuring compliance within the organization is to perform a compliance assessment. The next step is to create a high-level corporate policy that individual departments can adapt to meet their needs. The third step is to use technology to automate compliance with the law. Finally, procedures should be evaluated through regular review and auditing.

However, real-life compliance with various laws is not clear-cut. Depending on the nature of the business, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) may need to be considered in addition to SOX. If a company does business in the European Union (EU), it may be required to comply with the European Union Data Protection Directive (EUDPD). All these laws and compliance requirements, on top of the previously required Generally Accepted Privacy Principles (GAAP), may force companies to seek alternatives. Many organizations view Government Required Compliance (GRC) as an overwhelming task with little return and, as a result, may choose to outsource some or all of their compliance requirements to an outside provider. As an example, Capital Automotive REIT, a real estate investment trust, decided to outsource all of its IT operations to an outside company, Alteritech, which ensured SOX compliance for Capital Automotive REIT (Allbusiness, 2005).

When deciding to outsource some or all IT operations, public companies must be aware of GRC and should dedicate the required time to perform a needs analysis against the business plan. This ensures a clear understanding of what the organization is trying to achieve and why, and, among other things, secures upper management’s buy-in. Once identified, requirements should be briefly stated within a Request for Information (RFI), Request for Proposal (RFP), or Request for Quote (RFQ). Within the RFI, RFP, and RFQ, the client organization should specify its requirements for SOX compliance, such as an audit of the vendor’s internal information controls, oversight procedures, and problem resolution. Consequently, the outsourcing supplier should spell out its organization’s implementation of SOX compliance policies within the information package or proposal sent to the potential customer.

As stated earlier, compliance requires validation; however, validating SOX compliance with a third-party provider requires greater effort, because the company distances itself from IT operations through large-scale outsourcing (Hall and Liedtka, 2007). When outsourcing large-scale IT operations, it is important to make sure that security and compliance with the various laws and regulations are considered. Organizations may decide to adopt and adapt internationally accepted standards in order to manage their IT security. Axelrod (2004) suggests following the CISSP body of knowledge, which defines ten security classifications. In addition, the newer ISO 17799 standard (renumbered ISO 27002) can be used as well. This standard deals broadly with security for electronic files, paper documents, all types of communication, and business continuity planning. Companies may also decide to use Control Objectives for Information and related Technology (COBIT), which provides a framework of generic management principles that an organization may adapt to its own unique needs.

Axelrod (2004) combined CISSP and ISO 17799 into ten security considerations, namely:

Security Management Practices covers various security management aspects, including, among other things, personnel physical and emotional security.

Asset Management Practices discusses the importance of data classification and protection when considering IT outsourcing. Data theft, and identity theft in particular, has been a regular headline in recent times, with thieves stealing thousands of sensitive records. As an example, consider a 2005 case in which Card Systems Solutions, a third-party processor of credit cards and other payments for banks and merchants, had its network hacked and 40 million credit card accounts stolen and sold all over the world (CCRC, 2005).

Application and System Development provides an overview of what happens during application and system development outsourcing. Currently, there is a movement towards educating software developers on security aspects in order to improve application security from the bottom up (North, North, and North, 2009).

Operations Security and Operations Risk involves controlling processes and making sure that the third party to which a task is outsourced follows the set standards. Government laws and regulations are increasingly mandating these standards.

Security Models and Architecture presents a solid foundation upon which the rest of the processes can be built, and includes an architecture framework, a set of industry-accepted design standards, and the organization’s own implementation adaptations.

Physical and Environmental Security is by far the strongest security measure for the organization, and current trends show companies integrating logical and physical security in order to provide complete environmental security (Axelrod, 2004).

CxT Group Michigan, 2415 E. Hammond Lake Drive, Ste 219, Bloomfield Hills, MI 48302. Contact No: (248) 282-5599. Toll Free: (877) 439-2539

Telecommunications and Network Security describes various aspects of communication lines and network security, including such activities as wire-tapping and induction loops. Axelrod (2004) also describes the convergence of voice and data providers into a single carrier, and discusses the risks of relying on a single vendor.

Cryptography provides an extra level of protection to messages sent and received, keeping them from being viewed by the wrong eyes. There are three types of cryptographic algorithms, namely: 1) Secret Key Cryptography (SKC); 2) Public Key Cryptography (PKC); and 3) hash functions. By far the most popular is PKC, though it is not without problems.

Disaster Recovery and Business Continuity – Organizations big and small, private, public, and government, must do everything in their power to avert and defend against disasters, whether man-made or acts of God. However, statistical probabilities dictate that some events cannot be prevented, and organizations need to be prepared to contain the damage and be able to proceed with business as usual. Hall and Liedtka (2007) describe a case in which the Montreal Urban Community was not able to perform any business functions for two months while switching from one outsourcing vendor to another. The success of a Business Continuity Plan is based on a thorough and accurate security risk assessment: “Risk cannot be mitigated if not defined.” (Carlson, n.d., p. 13). ISO/IEC 17799 requires an organization to: identify and prioritize its business processes; identify and assess possible security risks that could threaten business operations; estimate the likelihood of the risk exposure; and analyze the impact that the risk can have on the business, including operational interruptions, slowdowns, or shutdowns.

Legal Action – Axelrod (2004) suggests consulting a lawyer at the beginning of an outsourcing relationship in order to ensure proper contract negotiations. In addition, if problems do arise, legal advice will be necessary.

Since 2002, many companies, including Microsoft, have been creating compliance software applications aimed at helping companies manage their policies. The Microsoft Operations Framework (MOF) is an IT control framework that allows companies to avoid overlapping efforts in addressing common IT control objectives (Microsoft, 2008).

As stated earlier in the paper, SOX was created as the government’s response to a rising number of investor and government frauds committed by a few crooked corporate citizens. As a result, all public organizations must comply with the law in order to avoid investor losses and rebuild investor confidence. However, a company that is able to exhibit its full compliance with the various GRCs may gain a competitive advantage, as other compliant companies would prefer doing business with another GRC-compliant company. Organizations may also include their GRC status in marketing material.

References

Addison-Hewitt Associates. (2006). Sarbanes-Oxley Act 2002. Retrieved June 12, 2010, from www.soxlaw.com/

All Business. (2005, March 14). Capital Automotive REIT outsources information technology management to Alteritech. Retrieved June 13, 2010, from www.allbusiness.com/banking-finance/financial-markets-investing/5038651-1.html

Cannon, J. C., & Byers, M. (2006, September). Compliance deconstructed. ACM Queue, 30-38.

Carlson, T. (n.d.). Information security management: Understanding ISO 17799. Lucent Technologies Worldwide Services.

CCRC Staff. (2005, July 8). Russia, biggest ever credit card scam. Computer Crime Research Center. Retrieved June 14, 2010, from www.crime-research.org/news/08.07.2005/1349/

Hall, J. A., & Liedtka, S. L. (2007). The Sarbanes-Oxley Act: Implications for large-scale IT outsourcing. Communications of the ACM, 50(3), 95-100.

Microsoft. (2008). IT compliance management guide. Redmond, WA: Microsoft.

North, M. M., North, S. M., & North, M. M. (2009, April). Security from the bottom-up: Compliance regulations and the trend towards design-oriented web applications. CCSC: South Central Conference (pp. 65-71). Atlanta: ACM.