SOX & ISO 27001 Protect your data and be ready to be audited!!!

Upload: scot-little

Post on 22-Dec-2015




SOX & ISO 27001

Protect your data and be ready to be audited!!!

Agenda

What is SOX Compliance?
Why audit IT controls?
IT Controls
Failure of SOX controls
What is ISO 27001?
Why be ISO 27001 compliant?
Certification timeline
Security Domains + More
Risk Assessment


SOX Compliance

• SOX stands for “Sarbanes–Oxley”, the Sarbanes–Oxley Act enacted in 2002

• It is all about financial data

• It was designed to:

– protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise

– improve the accuracy of corporate disclosures

Who must comply?

• All public companies in the U.S.

• International companies that have registered equity or debt securities with the SEC

• Accounting firms that provide auditing services to them

Why audit IT Controls?

Financial data flows from one system into another (System A feeds System B), so the auditor has to ask the same questions of the systems as of the ledger:

• Is the data reliable?

• Is the data complete and accurate?

• Can we trust the data coming out of the systems?



IT Controls

IT General Controls (ITGC), over the databases that store or process financial data:

• Access to programs and data

• Program changes

• Program development

• Computer operations

Application Controls, over what the applications produce, e.g. the “Flight tickets sold” report is complete and accurate.

IT Control: Access to Programs & Data

Controls tested:

1. Password policy (best practices)
2. SoD, segregation of duties (restricted access)
3. Terminations, new hires and transfers

Tests performed:

1. Test of Design
2. Test of Effectiveness

Key inputs:

– Password settings
– List of users/administrators with full/admin access
– List of new hires / terminated / transferred users

Testing technique used: sampling

Outcome: control is effective or not effective. Impact on financials?

IT Control: Program Changes

Controls tested: changes are

1. Tested
2. Approved (before they are deployed)

Tests performed:

1. Test of Design
2. Test of Effectiveness

Key inputs:

– Change management process
– System-generated list of database changes (to reconcile against change tickets)

Testing technique used: sampling

Outcome: control is effective or not effective. Impact on financials?

Failure of SOX Controls (IT & Non-IT)

• Deficiency: a control, as designed or operated, does not allow management or employees, in the normal course of their duties, to prevent or detect financial misstatements on a timely basis.

• Significant deficiency: an important control is not working and the organization's ability to initiate, record, process, or report financial data to the public is compromised. A significant deficiency may also prevent compliance with generally accepted accounting principles (GAAP). It must be reported to the audit committee of the board of directors.

• Material weakness: one or more control failures at this level result in a Section 404 failure. In the older AICPA/PCAOB wording a material weakness is "more than a remote likelihood that a material misstatement of the financials will not be prevented or detected" (both bodies now phrase the same test as a "reasonable possibility"). The failure must be reported to the audit committee of the board of directors and to the investing public via the Form 10-K. Material weaknesses usually, but not always, arise from business practices rather than IT control failures.

IT is expected to pass with few deficiencies, no significant deficiencies, and certainly no material weaknesses.

Key Points to remember… for a successful SOX audit

Database Administrators, you are responsible for the security of the databases!

– Follow the enterprise-wide process for adding/removing/updating access

– Follow the enterprise-wide process for password management

– Follow the enterprise-wide process for change management

– Do not use shared accounts; every action must be traceable to a named individual

– Make sure logging/auditing is enabled on the databases

– Be prepared to provide audit evidence and support

Next Topic: ISO 27001


What is ISO 27001?

ISO/IEC 27001:2013 is an information security standard.

It specifies the requirements for an information security management system (ISMS).

It is designed to protect any* kind of information the organization needs to protect.

* The scope is defined by the organization.

Why be ISO 27001 compliant?

Some reasons may include:

• Maintain ISO 27001 certification

• Protect employee PII data

• Protect consumer PII data

• Comply with applicable privacy and security laws

• Satisfy contractual obligations

• Be prepared to deal with changing threats from new cloud-based services

• Streamline processes and adopt best practices

Certification Timeline

Example timeline, 3-year cycle (maintaining the certificate):

2012: Original certification, full audit

Year 1 surveillance audit: high-level audit

Year 2 surveillance audit: high-level audit

2015: Re-certification, full audit

Security Domains + more (ISO 27001:2013, Annex A)

The main body of the standard (clauses 4 to 10) sets the ISMS requirements: scope, leadership, planning, support, operation, performance evaluation and improvement. Annex A then groups 114 controls into 14 domains:

1. Information Security Policies (A.5)
2. Organization of Information Security (A.6)
3. Human Resource Security (A.7)
4. Asset Management (A.8)
5. Access Control (A.9)
6. Cryptography (A.10)
7. Physical and Environmental Security (A.11)
8. Operations Security (A.12)
9. Communications Security (A.13)
10. System Acquisition, Development, and Maintenance (A.14)
11. Supplier Relationships (A.15)
12. Information Security Incident Management (A.16)
13. Information Security Aspects of Business Continuity Management (A.17)
14. Compliance (A.18)

… plus the risk assessment, which decides which of the 114 controls apply.

(Note: the 2022 revision of ISO/IEC 27001 regrouped Annex A into 4 themes and 93 controls; the numbering above is the 2013 edition this deck covers.)

Risk Assessment

Asset-based risk assessment, applicable to the Database Team. Documents, their purpose and their owner:

1. Asset Register (owner: Database Team)
   Purpose: identify critical business information, where it exists, and who owns it.

2. Risk Assessment (owners: InfoSec, Database Team)
   Purpose: identify potential data loss or security threats and the resulting impact to the business.

3. Risk Treatment Plan, RTP (owner: Database Team)
   Purpose: for each identified risk, record the chosen treatment (accept, mitigate, transfer or avoid) and the additional security controls to be implemented.

4. Implementation Procedure (owner: Database Team)
   Purpose: list all current controls in place to ensure security, i.e. the applicable controls from the Annex A domains above; once the additional controls from the RTP are implemented, they are added here. (This is the role ISO 27001 gives the Statement of Applicability.)
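The four documents above chain together: the register values each asset, the assessment scores each threat against it, and the RTP records the treatment chosen. The following is an added example, not material from the original deck, that carries one pass of that asset-based method through in code: asset value from C/I/A ratings, risk as value x likelihood x impact, comparison with the organization's risk acceptance threshold, and a treatment decision (accept, mitigate, transfer, avoid) written into RTP rows. The assets, threats, 1..3 scales, threshold and decision order are all constructed for illustration and are not prescribed by the standard.

```python
"""Added example (hypothetical data): asset-based risk assessment producing
Risk Treatment Plan rows with accept / mitigate / transfer / avoid decisions."""
from dataclasses import dataclass
from typing import Optional

RISK_ACCEPTANCE_THRESHOLD = 9   # hypothetical appetite on the 1..27 scale


@dataclass
class Asset:                    # one Asset Register row
    name: str
    owner: str
    confidentiality: int        # 1 (low) .. 3 (high)
    integrity: int
    availability: int

    def value(self) -> int:
        """Asset value is driven by its most sensitive property."""
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Threat:                   # one Risk Assessment row
    asset: str
    description: str
    likelihood: int             # 1..3
    impact: int                 # 1..3
    mitigation: Optional[str] = None            # proposed additional control, if any
    mitigated_likelihood: Optional[int] = None  # likelihood once that control is in place
    transfer_to: Optional[str] = None           # party that could carry the risk (SLA, insurer)


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Risk before any additional control: value x likelihood x impact."""
    return asset.value() * threat.likelihood * threat.impact


def residual_risk(asset: Asset, threat: Threat) -> int:
    """Risk remaining after the proposed mitigation (inherent if there is none)."""
    if threat.mitigated_likelihood is None:
        return inherent_risk(asset, threat)
    return asset.value() * threat.mitigated_likelihood * threat.impact


def choose_treatment(asset: Asset, threat: Threat, threshold: int = RISK_ACCEPTANCE_THRESHOLD):
    """Pick accept / mitigate / transfer / avoid, in that order of preference."""
    if inherent_risk(asset, threat) <= threshold:
        return "accept", "within risk appetite; monitor"
    if threat.mitigation and residual_risk(asset, threat) <= threshold:
        return "mitigate", threat.mitigation
    if threat.transfer_to:
        return "transfer", threat.transfer_to
    return "avoid", "discontinue the activity that exposes the asset"


def build_rtp(assets, threats, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Produce Risk Treatment Plan rows, highest inherent risk first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]
        treatment, action = choose_treatment(a, t, threshold)
        rows.append({"asset": a.name, "owner": a.owner, "threat": t.description,
                     "inherent": inherent_risk(a, t), "residual": residual_risk(a, t),
                     "treatment": treatment, "action": action})
    return sorted(rows, key=lambda r: -r["inherent"])


# --- constructed register and threats, not a real assessment -------------
ASSETS = [
    Asset("General ledger database", "Database Team", 3, 3, 2),
    Asset("Test copy of GL database", "Database Team", 3, 1, 1),
    Asset("Public price list database", "Database Team", 1, 2, 1),
]
THREATS = [
    Threat("General ledger database", "Shared DBA account used for untraceable changes", 3, 3,
           mitigation="Named DBA accounts plus database audit trail", mitigated_likelihood=1),
    Threat("General ledger database", "Extended outage at the hosting provider", 2, 3,
           mitigation="Warm standby", mitigated_likelihood=2,
           transfer_to="Hosting contract SLA with service credits"),
    Threat("Test copy of GL database", "Production data copied unmasked into test", 3, 3),
    Threat("Public price list database", "Web defacement of price list", 2, 2),
]

if __name__ == "__main__":
    for row in build_rtp(ASSETS, THREATS):
        print(f"{row['inherent']:>2} -> {row['residual']:>2}  {row['treatment']:<8} "
              f"{row['asset']}: {row['threat']} [{row['action']}]")
```

Two things worth noticing in the output: the shared-DBA-account risk is only acceptable after the mitigation the SOX section already asked for (named accounts and an audit trail), and the unmasked test copy ends up as "avoid" because no listed control brings it under the threshold, which is the honest answer rather than a paper control.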

