This is cache of http://feeds.feedburner.com/~r/PracticalRiskManagement/~3/196113846/is-there-silver-bullet-to-it-compliance.html. Cache is the snapshot of article that we took when we index feed.
To see original page click here.
We are not affiliated with the authors of this article and not responsible for its content.
Is there a "silver bullet" to IT Compliance Management?
2007-12-06 13:12:00 by Ryan Shopp in practical risk management
 

Is there a "silver bullet" to IT Compliance Management
by: Ryan Shopp



A few times I've found myself getting confused or having trouble explaining the relationships between policies, standards, controls, audits, etc when answering questions about IT Compliance & Risk Management? I came across a great two part thread in my blog reader that help crystallize things for me. It also enabled me to finally layout a logical response to a request I hear often. Is there a "silver bullet" to my IT compliance program? Here are some of those key points (from that posting) to help me answer that better now.



  • ...numerous standards organizations have issued leading or “best” practices for control design and implementation; however, neither SOX (Sarbanes-Oxley Section 404) nor the PCAOB (Public Company Accounting Oversight Board) recommends a specific set of controls.

  • ...In 2004, (PCAOB) issued a statement that COSO (“Committee of Sponsoring Organizations’ Internal Control—Integrated Framework"), or any other generally accepted control framework could be used. Note: it did not say COSO was the only one.

  • But COSO can pose a problem...COSO doesn’t set out details. As its name implies, it is a framework.

  • Each organization must still go through the difficult process of setting out its own system of internal control to meet its perception of COSO—which, in broad terms, is more of a philosophy than a set of rules.

  • To fill the gap between theories and practice in implementing effective general IT controls, managers have turned to other externally developed standards and frameworks, such as the Information Technology Infrastructure Library (ITIL) from OGC, CobiT from ISACA, or the 20000-series of information security standards from the ISO/IEC


Bottom line, today there is no "silver bullet" for an enterprise. They can't simply flip a switch (or install a software product) and say "we have all the IT controls in place we need to meet x, y or z." It's a process, which must include a starter kit of controls and then review, massage and even extend based on your unique business vs. compliance requirements. To solve this "process" you need to work to automate various portions of the process itself, only then will IT compliance close in on the proverbial "silver bullet."

Special thanks to Xenia Ley Parker posts on IT Compliance Institute for the informative thread.

Auditor Answer: Can Internal Policies Overrule the "Rules?"
Auditor Answer: What are the "Right" Controls?
 
Tags: compliance, compliance management, silver bullet, compliance institute, standards, numerous standards organizations, compliance close, controls, compliance requirements
 
 
 
 
 
TOP SEARCH
Expand / MinimizeClose Widget
  •  
RECENT SEARCH
Expand / Minimize
  •  
RELATED VIDEO
Expand / Minimize
SecurityRatty FAQ
Sergey Zarubin, 31yo
CISSP, CCSP
Moscow, Russia