At first glance, the list of 20 high level objectives may seem daunting. However, in the same way an organization focuses its compliance activities on areas that affect financial reporting, it also concentrates most of its effort on the areas that have the greatest impact on ensuring integrity and passing an audit. Of the high-level objectives, organizations working to comply spend much of their effort on the following:
- Managing configuration controls on systems and applications
- Managing system and application security – including authentication, user provisioning, system accreditation
- Managing business continuity plans and measures
Here are examples of COBIT detailed control objectives involving user account management and configuration management that are critical in meeting SOX requirements:
User Account Management
CONTROL OBJECTIVE
Management should establish procedures to
ensure timely action relating to requesting, establishing,
issuing, suspending and closing of user
accounts. A formal approval procedure outlining
the data or system owner granting the access
privileges should be included. The security of
third-party access should be defined contractually
and address administration and non-disclosure
requirements. Outsourcing arrangements should
address the risks, security controls and procedures
for information systems and networks in
the contract between the parties.
5.5 Management Review of User Accounts
CONTROL OBJECTIVE
Management should have a control process in
place to review and confirm access rights periodically.
Periodic comparison of resources with
recorded accountability should be made to help
reduce the risk of errors, fraud, misuse or unauthorized
alteration.
Configuration Recording
CONTROL OBJECTIVE
Procedures should be in place to ensure that only
authorized and identifiable configuration items
are recorded in inventory upon acquisition. These
procedures should also provide for the authorized
disposal and consequential sale of configuration
items. Moreover, procedures should be in place
to keep track of changes to the configuration
(e.g., new item, status change from development
to prototype). Logging and control should be an
integrated part of the configuration recording
system including reviews of changed records.
Configuration Management Procedures
CONTROL OBJECTIVE
Configuration management procedures should be
established to ensure that critical components of
the organization's IT resources have been appropriately
identified and are maintained. There
should be an integrated process whereby current
and future processing demands are measured and
provide input to the IT resource acquisitions
process.
Home: Introduction
Step 1: Understanding compliance -- Financial and technical standards
Step 2: Scope of compliance
Step 3: Establishing an IT Control Framework
Step 4: Detailed objectives and policies
Step 5: Measuring compliance
Step 6: Managing and tracking compliance
Step 7: The changing nature of compliance
