A quick SOX cheat-sheet

Thomas Ptacek | May 24th, 2005 | Filed Under: Uncategorized

I wrote this up in an hour to help write a white paper for a security product. It may be inaccurate, wrong, stupid, or insulting. See full post for details.

SOX Cheat Sheet

  • 302: Execs go to jail if the report is fucked up
  • 404: Create reports on controls, gotta use an accepted framework
  • PCAOB: The gov’t group that oversees SOX
  • COSO: The (business) auditor standards body/document
  • COBIT: The (IT) auditor standards framework COSO recommends

COBIT Breakdown:

  • Planning
  • Acquisition
  • Delivery
  • Monitoring

P1.0 Define a Strategic IT Plan

Short-range, long-range, changes to plan, report the plan, monitor plan, assess existing systems

P2.0 Define the Information Architecture

Have a model, a syntax, classification, and security levels

P3.0 Determine Technological Direction

Planning, tech trends, contingencies, acquisition plans and standards

P4.0 Define the IT Organization and Relationships

  • 1 IT Planning or Steering Committee
  • 2 Organizational Placement of IT
  • 3 Review of Organizational Achievements
  • 4 Roles and Responsibilities
  • 5 Responsibility for QA
  • 6 Responsibility for Logical and Physical Security
  • 7 Ownership and Custodianship
  • 8 Data and System Ownership
  • 9 Supervision
  • 10 Segregation of Duties
  • 11 IT Staffing
  • 12 Job Descriptions for IT Staff
  • 13 Key IT Personnel
  • 14 Contracted Staff Policies
  • 15 Relationships

P5.0 Manage the IT Investment

Budget, cost-benefit

P6.0 Communicate Management Aims and Direction

Management responsibilities, policies, maintain policies, security framework policies, IPR, IT security awareness

P7.0 Manage Human Resources

Recruit & promote, qualifications, training, clearance, job change & termination.

P8.0 Ensure Compliance with External Requirements

Identify other regs, privacy, intellectual property, commerce, etc.

P9.0 Assess Risks

  • 1 Business Risk Assessment
  • 2 Risk Assessment Approach
  • 3 Risk Identification
  • 4 Risk Measurement
  • 5 Risk Action Plan
  • 6 Risk Acceptance
  • 7 Safeguard Selection
  • 8 Risk Assessment Committee

P10.0 Manage Projects

Project teams, frameworks, approval, test plans

P11.0 Manage Quality

QA assurance planning, review, dev lifecycle, third party implementors, pilot projects, quality metrics

A1.0 Identify Automated Solutions

Requirements, feasibility, information architecture, risk analysis, security controls, audit trails, maintenance, facilities

A2.0 Acquire and Maintain Application Software

Design, manage changes, requirements definitions, source data, interfaces, controllability, availability, integrity, testing

A3.0 Acquire and Maintain Technology Infrastructure

Assess, maintain, security, installation, change controls

A4.0 Develop and Maintain Procedures

Training, manuals, documentation

A5.0 Install and Accredit Systems

Train, capacity planning, conversion and migration, testing

A6.0 Manage Changes

  • 1 Change Request Initiation and Control
  • 2 Impact Assessment
  • 3 Control of Changes
  • 4 Emergency Changes
  • 5 Documentation and Procedures
  • 6 Authorised Maintenance
  • 7 Software Release Policy
  • 8 Distribution of Software

D1.0 Define and Manage Service Levels

SLAs, performance procedures, monitor, report, improve

D2.0 Manage Third-Party Services

  • 1 Supplier Interfaces
  • 2 Owner Relationships
  • 3 Third-Party Contracts
  • 4 Third-Party Qualifications
  • 5 Outsourcing Contracts
  • 6 Continuity of Services
  • 7 Security Relationships
  • 8 Monitoring

D3.0 Manage Performance and Capacity

Availability, monitoring and reporting, trending, forecasting, usage schedule

D4.0 Ensure Continuous Service

Continuity framework, plan, requirements, training, identify critical resources, backup sites, backup, etc

D5.0 Ensure Systems Security

  • 1 Manage Security Measures
  • 2 Identification, Authentication, and Access
  • 3 Security of Online Access to Data
  • 4 User Account Management
  • 5 Management Review of User Accounts
  • 6 User Control of User Accounts
  • 7 Security Surveillance
  • 8 Data Classification
  • 9 Central Identification and Access Rights Management
  • 10 Violation and Security Activity Reports
  • 11 Incident Handling
  • 12 Reaccreditation
  • 13 Counterparty Trust
  • 14 Transaction Authorization
  • 15 Non-Repudiation
  • 16 Trusted Path
  • 17 Protection of Security Functions
  • 18 Cryptographic Key Management
  • 19 Malicious Software Prevention, Detection, and Correction
  • 20 Firewall Architectures and Connections with Public Networks
  • 21 Protection of Electronic Value
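As an added example, not from the post or from COBIT itself, of what a periodic account review under D5.0 items 4, 5 and 10 (and the segregation-of-duties objective in P4.0 item 10) produces in practice: the identity export, HR termination feed, role names and conflict matrix below are all constructed for the example, and the 90-day idle threshold is an assumed review policy rather than anything the framework mandates.

```python
"""Constructed access-review checks for a periodic user-account review.

Added example for this cheat sheet; not part of COBIT or the original post.
It produces the three findings an auditor usually asks for under D5.0
items 4/5/10 and P4.0 item 10 (segregation of duties):
  1. enabled accounts with no login inside MAX_IDLE_DAYS
  2. accounts still enabled for people HR reports as terminated
  3. users holding a role pair the SoD matrix forbids
Every data value, role name and field name here is an assumption.
"""
from datetime import date, timedelta

MAX_IDLE_DAYS = 90                 # assumed review threshold
REVIEW_DATE = date(2005, 5, 24)    # constructed "as of" date for the review

# Constructed identity export: one row per account.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": {"ap_clerk"}, "last_login": date(2005, 5, 20)},
    {"user": "bob", "enabled": True, "roles": {"ap_clerk", "ap_approver"}, "last_login": date(2005, 5, 18)},
    {"user": "carol", "enabled": True, "roles": {"gl_reviewer"}, "last_login": date(2005, 1, 3)},
    {"user": "dave", "enabled": True, "roles": {"sysadmin"}, "last_login": date(2005, 5, 22)},
    {"user": "erin", "enabled": False, "roles": {"ap_approver"}, "last_login": date(2004, 11, 30)},
    {"user": "svc_batch", "enabled": True, "roles": {"batch_operator"}, "last_login": None},
]

# Constructed HR feed: people whose employment has ended.
TERMINATED = {"dave", "erin"}

# Constructed segregation-of-duties matrix: role pairs one person may not hold.
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "ap_approver"}),   # enters invoices AND approves payment
    frozenset({"sysadmin", "gl_reviewer"}),   # administers the ledger AND reviews it
}


def dormant_accounts(accounts, today, max_idle_days=MAX_IDLE_DAYS):
    """Enabled accounts with no login inside the window; never-logged-in counts."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff)
    )


def terminated_but_enabled(accounts, terminated):
    """Accounts still enabled although HR reports the person as gone."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["user"] in terminated)


def sod_violations(accounts, conflicts):
    """(user, role_a, role_b) triples where one enabled account holds a forbidden pair."""
    hits = []
    for a in accounts:
        if not a["enabled"]:
            continue
        for pair in conflicts:
            if pair <= a["roles"]:          # the whole forbidden pair is assigned
                hits.append((a["user"], *sorted(pair)))
    return sorted(hits)


def review_report(accounts, terminated, conflicts, today):
    """Bundle the findings into one artifact the reviewer signs off on."""
    return {
        "as_of": today.isoformat(),
        "dormant": dormant_accounts(accounts, today),
        "terminated_but_enabled": terminated_but_enabled(accounts, terminated),
        "sod_violations": sod_violations(accounts, conflicts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_report(ACCOUNTS, TERMINATED, SOD_CONFLICTS, REVIEW_DATE), indent=2))
```

The point of keeping the three checks as separate functions is that each maps to a distinct control objective, so the signed-off report shows the reviewer which objective each finding belongs to rather than one undifferentiated list of "bad accounts".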

D6.0 Identify and Allocate Costs

Charging, billing

D7.0 Educate and Train Users

Training and awareness

D8.0 Assist and Advise Customers

Helpdesk, escalation, trend analysis at helpdesk

D9.0 Manage the Configuration

Configuration record, baseline, status accounting, unauthorized software

D10.0 Manage Problems and Incidents

Management systems, escalation, audit trail (tickets), emergency authorizations

D11.0 Manage Data

Data preparation, authorize, error handling, retention, accuracy, integrity, output handling and distribution, security for output reports, protect sensitive information during transmission (a la HIPAA EPHI), storage management, backups, archives

D12.0 Manage Facilities

Security, escorts, low-profile, UPS, earthquakes and shit

D13.0 Manage Operations

Job scheduling, logs, documentation, remote operations

M1.0 Monitor the Processes

Collect data, assess performance and satisfaction, report

M2.0 Assess Internal Control Adequacy

Monitor internal controls, on-time deployment, report control levels, report operational security

M3.0 Obtain Independent Assurance

Get independent security people in, conduct audit for IT services and for third-party services

M4.0 Provide for Independent Audit

Audit charter, independence, ethics, competence, planning, reporting, followup.
