6/26/2018

Sox Iso 27001 Mapping Services


In the world of business and finance, for the past few years there has been a regulation called the Sarbanes-Oxley Act. It seeks to eliminate financial fraud (think WorldCom and Enron) by enforcing more regimented financial controls and adding significant accountability for the CEOs and CFOs of publicly traded companies. The regulation is in full effect now, and even though there is still discussion about how strictly it will be enforced, it certainly cannot be ignored. In this tip, we'll discuss how compliance frameworks -- COSO and COBIT, and ISO 27001 to a lesser extent -- can be applied to SOX compliance efforts.

COSO & SOX: Start at the highest level

Now, to be clear, SOX is actually meant to be a guideline for reporting financial data with reliability and integrity. That's not necessarily an IT security function, but as with most high-profile business initiatives, significant security components are needed to ensure an organization is SOX-compliant.

Given that there haven't been many highly publicized SOX enforcement actions to date, how can corporations know what to do and how much is enough? Like most legislation, SOX is pretty nebulous about the business requirements that need to be met in order to be considered SOX-compliant. The fine folks at the Treadway Commission published a framework called COSO to improve the quality of financial reporting back in 1992, when Sarbanes and Oxley were wee Congressional pups (well, sort of). The framework was updated in 2004 to reflect the changed reality of the world. To break it down further, COSO consists of eight different components:

• Internal control environment
• Objective setting
• Event identification
•
• Risk response
• Control activities
• Information and communication
• Monitoring

None of those components mention firewalls or IPS devices, do they? Not even encryption. So how should a security practitioner translate such a wide-ranging, business-oriented framework like COSO into useful SOX compliance advice?

In response, the folks at and ISACA were kind enough to define a list of governance control practices that help to define a structure for IT governance. The resulting COBIT framework is an IT-specific governance framework designed to help translate business risk into actions for the technical folks. The reality is that most organizations looked to solve the SOX 'problem' like every other problem out there, i.e., buy a product and the problem goes away, right?

Well, not by a long shot. COSO and COBIT offer controls and processes that, when assembled, can provide a measure of reliability and integrity for financial controls. They are not products that can be bought, and unfortunately, there is no easy way to get them. An organization needs to figure out what is faulty -- process, technology, etc. -- and fix it. To clarify a bit more, COSO is used by the finance group to build their business processes and associated controls. Once again, COSO is NOT IT-specific.

COBIT, on the other hand, takes many of the objectives of COSO and translates them into a language or framework that IT people can understand and work with.

COBIT & SOX: Apples and oranges?

Since most people like easy choices, the initial path of least resistance to SOX compliance (from an IT standpoint, anyway) is to be able to report specifically to the. The decade-old guidelines are a favorite among auditors because of their specificity and their regard for no particular platform. There are similar alternatives as well, including or maybe even something ad hoc. Regardless of your organization's preference, a constant focus on security diligence -- as opposed to compliance 'box-checking' -- will be effective in keeping auditors happy.