IT Compliance and Controls - PowerPoint PPT Presentation
About This Presentation
Title:

IT Compliance and Controls

Description:

How to Comply with the Rules. Hidden Benefits of Complying ... postmortem. Disaster Recovery and Business continuity. Definition of Policies and Procedures ... – PowerPoint PPT presentation

Slides: 22
Provided by: greenf9
Transcript and Presenter's Notes

1
IT Compliance and Controls
  • Chapter 8

2
Areas of Discussion
  • The Importance of Compliance to IT
  • The Rules
  • How to Comply with the Rules
  • Hidden Benefits of Complying with the Rules
  • Methodologies and Frameworks
  • It Is Not Just Regulatory Compliance
  • Additional Resources

3
Scandals
  • Enron
  • Worldcom
  • HealthSouth
  • Adelphia
  • Tyco
  • Qwest Communications
  • Global Crossing

4
The Importance of Compliance to IT
  • IT generally responsible for controlling,
    securing, and managing data
  • The Victims of Non-Compliance
  • A failing company impacts its suppliers and
    partners
  • A failing company may impact financial markets as
    a whole

5
The Importance of Compliance to IT cont.
  • Non-compliance may lead to lack of trust by
    employees, customers, suppliers, and partners
  • Non-compliance may lead to individual and
    organizational financial loss and bankruptcy

6
The Rules
  • Sarbanes-Oxley
  • Public Company Accounting Reform and Investor
    Protection Act of 2002
  • Ensure integrity of financial statements
  • Since IT systems are usually the core of how a
    company manages and reports its finances, it is
    no surprise that IT is significantly impacted by
    this law.

7
The Rules cont.
  • Sarbanes-Oxley
  • State the responsibility of management for
    establishing and maintaining an adequate internal
    control structure and procedures for financial
    reporting
  • Contain an assessment, as of the end of the most
    recent fiscal year of the issuer, of the
    effectiveness of the internal control structure
    and procedures of the issuer for financial
    reporting.
  • Section 404 requires the auditors to attest to,
    and report on, the assessment made by the
    management.

8
The Rules cont.
  • HIPAA: Health Insurance Portability and
    Accountability Act
  • Health plans
  • Healthcare providers
  • Healthcare clearinghouses
  • Designed to assure the confidentiality and
    integrity of Protected Health Information (PHI)
  • Includes any individually-identifiable health
    information

9
The Rules cont.
  • Basel II (Switzerland)
  • Formerly known as the International Convergence
    of Capital Measurement and Capital Standards
  • Endorsed in 2004 by the Group of Ten (G10), the
    10-member countries of the International Monetary
    Fund
  • US, UK, Germany, France, Belgium, The
    Netherlands, Italy, Sweden, Canada, and Japan,
    plus Switzerland.

10
The Rules cont.
  • Basel II
  • Pillar 1: align the minimum capital requirements
    more closely to each bank's actual risk of
    economic loss
  • Pillar 2: exercise effective supervisory review of
    banks' internal assessments of overall risks and
    set aside adequate capital
  • Pillar 3: ability of market discipline to motivate
    prudent management and sets out public
    disclosures
  • This has been adopted in the US by four Federal
    banking agencies: the Office of the Comptroller of
    the Currency, the Board of Governors of the Federal
    Reserve System, the Federal Deposit Insurance
    Corporation, and the Office of Thrift Supervision.

11
The Rules cont.
  • SB-1386: California's Security Breach
    Information Act
  • FACTA: The Fair and Accurate Credit Transactions
    Act of 2003
  • Gramm-Leach-Bliley: The Financial Modernization
    Act of 1999
  • U.S. Securities
  • Patriot Act
  • OFAC: The Office of Foreign Assets Control
  • CLERP-9 (Australia)
  • PIPEDA (Canada)
  • Privacy and Electronic Communications Directive
    (European Union)

12
How to Comply with the Rules
  • Document the Policies
  • Identify control mechanism(s)
  • Educate your employees
  • Maintain evidence

13
Hidden Benefits of Complying with the Rules
  • Benefit of Documentation
  • Control Mechanisms
  • Educating Your Employees
  • Maintaining Evidence
  • In truth, the evidence proves to anyone who might
    ask that you are actually operating by the
    established policies. Maintaining evidence is
    essentially good record keeping and is a good
    habit for all to have.

14
Methodologies and Frameworks
  • COSO (Committee of Sponsoring Organizations) is a
    private sector organization dedicated to
    improving the quality of financial reporting
    through business ethics, effective internal
    controls, and corporate governance.

15
Methodologies and Frameworks
  • COBIT: Control Objectives for Information and
    related Technology
  • A set of documents that provide guidance for
    computer security.

16
Methodologies and Frameworks cont.
  • ITIL: IT Infrastructure Library (Great Britain)
  • Service support
  • Service delivery
  • Planning to implement service management
  • Information and Communication Technology
    Infrastructure Management
  • Applications Management
  • The Business Perspective
  • It is now being adopted and used across the world
    for best practices in the provision of IT
    service.

17
Methodologies and Frameworks cont.
  • CMMI: Capability Maturity Model Integration
  • ISO 9000
  • Five main sections
  • Quality Management System
  • Management Responsibility
  • Resource Management
  • Product Realization
  • Measurement, Analysis and Improvement

18
Methodologies and Frameworks cont.
  • Six Sigma
  • DMAIC
  • Define
  • Measure
  • Analyze
  • Improve
  • Control
  • Six Sigma
  • DMADV
  • Define
  • Measure
  • Analyze
  • Design
  • Verify

19
It is Not Just Regulatory Compliance
  • Electronic Discovery
  • Class action lawsuits against company by
    investors or customers
  • Disgruntled employees
  • Allegations of discrimination or harassment
  • Invasion of privacy
  • Lawsuits by partners, suppliers, vendors

20
It is Not Just Regulatory Compliance cont.
  • Working with Auditors
  • Incident Response
  • Postmortem
  • Disaster Recovery and Business Continuity
  • Definition of Policies and Procedures
  • Outsourcing

21
Summary Slide
  • The Importance of Compliance to IT
  • The Rules
  • How to Comply with the Rules
  • Hidden Benefits of Complying with the Rules
  • Methodologies and Frameworks
  • It is Not Just Regulatory Compliance