Step 3: Establishing an IT Control Framework

As we mentioned, COSO is the de facto internal control framework associated with Sarbanes-Oxley. Therefore, COBIT is a natural choice for the IT Control Framework. The COBIT Framework is a set of 34 high-level control objectives organized into the four areas described in the financial and technical standards section.

The diagram above shows the 34 high-level control objectives and their relationship to the four areas. While a majority of the controls have elements that are important in SOX compliance, a number of the high-level objectives stand out.

In the area of Planning and Organization:

  • Determine the information architecture
  • Define the IT organization and relationships
  • Ensure compliance with external requirements
  • Assess risks

Virtually all of the elements of Acquisition and Implementation:

  • Acquire and maintain application software
  • Acquire and maintain technology infrastructure
  • Develop and maintain procedures
  • Install and accredit systems
  • Manage changes

Many of the elements of Delivery and Support:

  • Ensure systems security
  • Educate and train users
  • Manage the configuration
  • Manage problems and incidents
  • Manage data
  • Manage facilities
  • Manage operations

And all of the elements associated with Monitoring:

  • Monitor the processes
  • Assess internal control adequacy
  • Obtain independent assurance
  • Provide for independent audit

Using these objectives, COBIT recommends organizations follow a plan, do, check, correct cycle. This philosophy, if followed, will help to improve the effectiveness of IT operations and, at the same time, help an organization achieve SOX compliance.

This was first published in February 2006