by Richard Mackey
By now most organizations are past the mad rush to understand Sarbanes-Oxley requirements and establish critical security policies. However, over time, SOX requirements are becoming more demanding. Auditors are looking for more maturity in the policies and practices they evaluate. Companies need to take the initiative and look critically at their own policies to determine their effectiveness. Policy sets and self assessment/audit tools can help organizations improve their policies and continuously understand how their practices measure up.
Using standards to build and assess policies
COBIT is a good place to start for IT-related SOX policies. ISACA's introduction to COBIT provides the following description of its Control Objectives: "COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls." These control objectives serve as the basis of many organizations' SOX goals, so it is a good idea to periodically look at the standard to determine whether your original mapping of goals to policies is still valid. If, on the other hand, your policies came from another source, using COBIT as a cross check can be a valuable exercise.
ISACA provides access to the full COBIT standard including the Control Objectives, Audit Guidelines and materials to help implement COBIT in the enterprise. While useful, COBIT's Control Objectives aren't directly and universally applicable to SOX, so you'll have to look closely at each control objective in the SOX context, but many will be appropriate. Rather than specify policies directly, COBIT control objectives refer somewhat broadly to policies that the standard requires. By assembling the list of policies referred to by COBIT and understanding why the policy must exist, policy authors can determine if their policies achieve the stated goals.
A clearer mapping of security requirements to policies can be found in ISO17799. This standard describes what topics need to be included in an overall security policy and describes their implications. Section 5 of ISO17799, entitled Security Policy, describes the structure of the policy document, its relationship to other policies, the need for its periodic review and the need for it to be a living document.
One of the strengths of the ISO standard is that it provides a wealth of information about the need for and content of a security policy. Consequently, it's a great resource for organizations drafting or checking on the completeness and appropriateness of their policies for SOX compliance.
Policies in business context
One of the key aspects of policy writing is crafting policies that are not only technically correct but applicable to your business. In other words, all your policies must be appropriate to an organization of your size, in your market, with your employees and your technology. When drafting policy, or even determining whether your organization complies with a given policy, you need to consider whether the policies recommended by COBIT and ISO17799 make sense in your context. For example, in larger organizations, a long chain of approvals across multiple departments may be appropriate for account creation and changes to access controls. In smaller organizations, there may be adequate transparency in the account creation process due to the close knit nature of the company to simply require notification.
The secret to effective policy writing is to go back to first principles and consider why the policy exists. Policy authors should remind themselves of two rules: remember that policies need to appropriate to the business and that they are living documents. The most effective policy documents are those that capture not only the statement but the intent. Furthermore, to stay effective, policies must be reviewed regularly and changed to reflect changes in the business and organization.
If even ISO17799 seems like it's too indirect a route to a security policy, there are policy templates that you can buy. The ISO17799 Toolkit includes such a template. The policy documents included in the template state the policy and provide background information that supports the policy. If your organization needs to build policies from the ground up or wants to restructure its policies, a toolkit like this might be helpful.
If your policies are written and largely complete, but not organized effectively enough to support a SOX audit, PolicyTechnologies International builds software that helps organize documents according to the sections of Sarbanes-Oxley. PolicyTechnologies' Policy & Procedure Manager is designed to help assign and sort documents by the relevant Sarbanes-Oxley regulation. The idea behind this kind of product is that it can speed audits and ensure that the organization has the policy and procedure coverage it needs to pass an audit. Self assessment tools
Another critical part of SOX compliance is measuring your own compliance. Self assessment is a time consuming process, and when added to the compliance effort and the external audit, it can seem daunting. Unfortunately, without periodic self assessments, you increase the risk that you will fail an audit. Since assessments should be performed multiple times per year, finding tools that help to make the process more efficient and consistent can be a real boon.
SecureInfo's ComplianceAuthority product allows organizations to perform comprehensive self-assessments for demonstrating compliance with multiple regulations. It's designed to help companies map regulatory requirements to accepted industry standards and practices, create a sustainable test, validation and management process, and maintain sustainable preparation for information security audits. The product includes a library of example policies, recommendations, tests and validation scenarios that are organized according the regulations to which they apply. ComplianceAuthority supports not only SOX but others like HIPAA and Gramm-Leach Bliley, as well.
As a self-assessment product with built-in business processes and guidance, ComplianceAuthority ensures consistent results that can be measured over time. ComplianceAuthority certifiably meets all Common Criteria standards and is used extensively within financial services, manufacturing and other entities to lower the costs of compliance.
Protiviti's Self-Assessor™ is a tool that allows organizations to conveniently and consistently assess their own compliance while documenting and tracking their results. Protiviti's Discoveri™ supports risk intelligence management and data analysis. Audit Partner, also part of the suite, helps to automate internal SOX audits and includes workflow for communication and signoff.
The existence of a complete, up to date and effective security policy is an important part of any SOX audit. It is only prudent to incorporate reliable sources of policy guidance, automated policy tools and policy based assessment mechanisms into your SOX compliance methodology.