Computerworld - Most information security professionals are probably familiar with at least one of the many recent regulations that have an information security element to them. For my company, the legislation of concern is the Sarbanes-Oxley Act, which has presented new financial accounting and reporting requirements.
I recently reviewed the law to see what the IT security group needed to do to ensure compliance. It was without a doubt the most boring document I've read in months.
Besides getting bored, I also came away confused because it offered no guidance on the related information security issues. After further reading, I decided that the most important part for my group is Section 404, titled "Management Assessment of Internal Controls." This section mandates that management attest to the effectiveness of our company's "internal control" structure and procedures for financial reporting. Internal control is an extremely broad term, but I translated this section to mean that the CEO will expect my group to have sufficient controls in place to ensure the confidentiality, integrity and availability of financial and other critical information. So I came up with an initial plan to ensure compliance.
Over the past few years, I've put together a series of information security policies, standards, procedures and guidelines. Some of these documents are published, others are available to those who ask, and others are just sitting in a shared folder on our network.
I think we have enough infrastructure in place to satisfy most expectations of our executive staff and any auditor. But to make everyone's lives easier, I decided to standardize on a methodology for policies and standards called ISO 17799 -- something many of my peers are also doing. The ISO information security code of practice consists of a framework that provides guidance in creating strong information security.
The ISO framework consists of 10 main sections, with several subsections within each. First I created a table of contents, making sure that the expected ISO 17799-compliant headings were in place and that there was a place for every policy, standard and guideline that we have created over the past few years. Most of our documentation exists as either Microsoft Word or Adobe Acrobat files. Eventually I'd like to convert all of the documents to HTML and create a hyperlinked set of documents where users can quickly navigate from a policy to the corresponding standard, guideline and procedures.
Even a well-organized set of documents doesn't ensure compliance with those corporate standards, however. Sarbanes-Oxley mandates that audit reports contain a description of internal controls
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
