World Class Security Experts © Copyright 2004 SkyView Partners LLC. All rights reserved. www.skyviewpartners.com How IT is affected by Sarbanes-Oxley Act.

Presentation transcript:

World Class Security Experts © Copyright 2004 SkyView Partners LLC. All rights reserved. How IT is affected by Sarbanes-Oxley Act – or is it? Carol Woodbury

WEBCAST SCHEDULE Today's event will run one hour long. Here are the expected times for each segment of the webcast: :00 – :05: Moderator introduces the speaker and discusses the details of the webcast. :05 – :35: Speaker delivers a PowerPoint presentation on the webcast topic. :35 – :60: Moderator and speaker engage in a Q&A on the topic. You can submit questions to the speaker at any time during the event. Just click on the "Ask a Question" button in the lower left corner of your screen.

TECHNICAL FAQs Here are answers to the most common technical problems users encounter during a webcast: Q: Why can't I hear the audio part of the webcast? A: Try increasing the volume on your computer. Q: I just entered the webcast and do not see the slide that the speaker is referring to. What should I do? A: The slides are constantly being pushed to your screen. You should refresh (hit F5) to view the latest slide. If your question is still not answered, please click the "Ask a Question" button in the lower left corner of your screen and submit your problem. A technical support person will respond immediately. You can also visit the Broadcast Help page for more information or to test your browser compatibility. Click here:


Disclaimer This presentation is for educational purposes only and is not intended as an endorsement of any vendor or vendor product mentioned during this webcast.

Agenda
- Description of the Sarbanes-Oxley Act
- What we're seeing
- What this means
- Tips

Sarbanes-Oxley Act
- Legislation passed in 2002 to prevent another Enron/Arthur Andersen fiasco.
- Section 302 – Corporate accountability: officers personally certify the financial reports.
- Section 404 – Internal controls over financial reporting; management must assess those controls and the assessment requires supporting documentation.

Security statements in SOX

Accounting firms (SOX auditing firms)
- Must meet certain criteria and be registered with the PCAOB (the oversight board SOX created) as a public-company audit firm.
- Cannot be the same firm that remediates the issues discovered during the audit.
- Are requiring sound data security practices before they will sign off on an audit.

COBIT – process for managing risk
- Provides a process to assess and manage risk and to balance that risk against benefits to the business.
- Centered around IT processes.
- Four domains (Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring).
- Each domain is divided into IT processes (34 in total).
- Each IT process is divided into control objectives (318 in total).

ISO 17799 – Implementation Guidelines for IT Security
Sections include:
- Security policy
- Organizational security
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- System development and maintenance
- Business continuity management
- Compliance with legal requirements

What does this mean? You need to:
- Assess your risks
- Come up with a plan to mitigate those risks
- Implement a sound security scheme

Audit checklist
- System values set to best practices
- Users
  - Get rid of default passwords (on OS/400 a default password is one equal to the profile name; ANZDFTPWD lists the profiles that have one)
  - Get rid of old profiles or accounts
  - Examine users that have been given privileges (special authorities) and remove any that are not part of the user's job function. The ones to look hardest at are *ALLOBJ, *AUDIT, *SECADM and *IOSYSCFG.
- Object authorities
  - *PUBLIC(*ALL)
  - Authority of libraries and directories containing sensitive applications
  - Authority of files containing confidential or private data
- TCP/IP configurations

What systems need to be examined?
- All production systems
- Development systems, when they are connected to the network and can access production

Missing documentation
- Security policy
- Standards
- Processes
- Disaster recovery plan
- Steps toward remediation
- Initial reports
- Periodic reports
- Plans and sign-offs of major changes

Policy
- Corporate Security Policy: a guiding principle, typically established by senior management, that is adopted by an organization or project to influence and determine decisions.
- Standards: mandatory requirements employed and enforced to prescribe a disciplined, uniform approach to achieving an objective; that is, mandatory conventions and practices are in fact standards.
- Procedures: a series of defined activities carried out to accomplish a task or operation.
- Best practices: superior performance within a function, independent of industry, leadership, management, or operational method or approach, that leads to exceptional performance.

Policy vs. Standard vs. Procedure
Policy
- Each user will have a unique account.
- Privileges will be granted based on job classification.
- Access to private data will be based on business justification.
Standard
- The user's manager is responsible for requesting an OS/400 user profile for each employee.
- Default access: no special authorities; access to the Basic menu.
- Additional access must be approved by the employee's manager and by the application owner.
- The user's manager and HR are responsible for notifying IT that a user has left the company.
Procedure
- Create the user profile by taking Option 1 from the Administration Menu.
- Naming convention is the first 7 characters of the last name plus the first letter of the first name.
- For end users and programmers the special authorities granted are *NONE.
- For operators the special authorities granted are *SAVSYS and *JOBCTL.
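The user and object-authority items from the audit checklist slide, checked against the role baseline from the procedure slide above, as an added example (this is not SkyView's code and was not part of the webcast). It is written in Python rather than CL so it runs anywhere; on a real system the input would be the outfile from DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE), the ANZDFTPWD ACTION(*NONE) report for the default-password flag, and PRTPUBAUT output for *PUBLIC authority. The `role` attribute on each profile, the extra SECOFR role, the 90-day inactivity threshold, treating *PUBLIC *CHANGE as a finding alongside *ALL, and every sample record are assumptions or constructed data, not anything from the slides.

```python
"""Policy-as-code pass over OS/400 user profiles and object authorities.

Added example, not code from the SkyView webcast. Records are constructed
to resemble DSPUSRPRF outfile / ANZDFTPWD / PRTPUBAUT data (assumption).
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Special authorities the audit checklist singles out as dangerous.
POWERFUL = frozenset({"*ALLOBJ", "*AUDIT", "*SECADM", "*IOSYSCFG"})

# Role baseline from the procedure slide: end users and programmers get
# *NONE, operators get *SAVSYS and *JOBCTL. SECOFR is an assumed extra role
# for the security-officer profiles that legitimately hold *ALLOBJ.
ROLE_BASELINE = {
    "USER": frozenset(),
    "PGMR": frozenset(),
    "OPER": frozenset({"*SAVSYS", "*JOBCTL"}),
    "SECOFR": POWERFUL | {"*SAVSYS", "*JOBCTL", "*SERVICE", "*SPLCTL"},
}

Finding = Tuple[str, str, str]  # (profile or LIB/OBJ, finding code, detail)


@dataclass(frozen=True)
class UserProfile:
    name: str
    role: str                        # assumed: joined in from the HR job classification
    status: str                      # *ENABLED or *DISABLED
    special_authorities: FrozenSet[str]
    previous_signon: Optional[date]  # None means the profile has never signed on
    default_password: bool           # assumed: True if ANZDFTPWD listed the profile


def audit_profiles(profiles: Iterable[UserProfile], today: date,
                   inactive_days: int = 90) -> List[Finding]:
    """Apply the user-related checklist items; returns one finding per violation."""
    findings: List[Finding] = []
    for p in profiles:
        if p.default_password:
            findings.append((p.name, "DEFAULT_PASSWORD",
                             "password equals profile name; expire or disable it"))
        stale = (p.previous_signon is None
                 or (today - p.previous_signon).days > inactive_days)
        if stale and p.status == "*ENABLED":
            findings.append((p.name, "STALE_PROFILE",
                             f"enabled but no sign-on in {inactive_days} days"))
        allowed = ROLE_BASELINE.get(p.role)
        if allowed is None:
            findings.append((p.name, "UNKNOWN_ROLE",
                             f"role {p.role!r} has no baseline; treating as *NONE"))
            allowed = frozenset()
        excess = p.special_authorities - allowed
        if excess:
            code = "POWERFUL_AUTHORITY" if excess & POWERFUL else "EXCESS_AUTHORITY"
            findings.append((p.name, code,
                             "beyond role baseline: " + " ".join(sorted(excess))))
    return findings


def audit_public_authority(objects: Iterable[Tuple[str, str, str]],
                           sensitive_libraries: FrozenSet[str]) -> List[Finding]:
    """Flag over-broad *PUBLIC authority on objects in sensitive libraries.

    objects: (library, object, *PUBLIC authority) triples as PRTPUBAUT reports them.
    *CHANGE is flagged as well as *ALL (stricter than the slide; assumption).
    """
    findings: List[Finding] = []
    for lib, obj, pub in objects:
        if lib in sensitive_libraries and pub in ("*ALL", "*CHANGE"):
            findings.append((f"{lib}/{obj}", "PUBLIC_AUTHORITY",
                             f"*PUBLIC has {pub}; set *EXCLUDE and grant via authorization list"))
    return findings


# Constructed sample data; not taken from any real system.
TODAY = date(2004, 6, 1)
SAMPLE_PROFILES = [
    UserProfile("SMITHJ", "USER", "*ENABLED", frozenset(), date(2004, 5, 28), False),
    UserProfile("JONESM", "PGMR", "*ENABLED", frozenset({"*ALLOBJ"}), date(2004, 5, 30), False),
    UserProfile("OPER1", "OPER", "*ENABLED",
                frozenset({"*SAVSYS", "*JOBCTL", "*SPLCTL"}), date(2004, 5, 31), False),
    UserProfile("TEMP99", "USER", "*ENABLED", frozenset(), date(2003, 9, 1), True),
    UserProfile("QSECOFR", "SECOFR", "*ENABLED",
                POWERFUL | {"*SAVSYS", "*JOBCTL"}, date(2004, 5, 31), False),
]
SAMPLE_OBJECTS = [
    ("PAYROLL", "EMPMAST", "*ALL"),   # confidential data file, wide open
    ("PAYROLL", "PAYRPT", "*USE"),    # read-only; not flagged by this rule
    ("QGPL", "DEMO", "*ALL"),         # not a sensitive library here
]

if __name__ == "__main__":
    report = (audit_profiles(SAMPLE_PROFILES, TODAY)
              + audit_public_authority(SAMPLE_OBJECTS, frozenset({"PAYROLL"})))
    for finding in report:
        print("%-16s %-20s %s" % finding)
```

Run it as-is to see the four profile findings and one object finding from the sample data; for a real review, disable rather than delete the flagged profiles first (CHGUSRPRF ... STATUS(*DISABLED)) so that an owner can object before anything is removed, and keep the script's output as the initial and periodic reports the "missing documentation" slide asks for.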

Security awareness training
- Security tip (once a month)
- Posters
- Social engineering training
- "Appropriate Use Statement" on all computer systems
- Periodic review of the security policy, especially after updates
- Periodic re-training, with a signed acknowledgement that the policy has been re-read

For more information, contact SkyView Partners.

Questions? Submit your questions now by clicking on the "Ask A Question" button in the left corner of your presentation screen. Carol will answer your questions shortly after the broadcast.