Home > Step 5: Measuring compliance
Compliance School:
EMAIL THIS

Step 5: Measuring compliance

01 Feb 2006

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

About Compliance School

In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations' ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all you can attend any of the following on-demand lessons when it's most convenient for you:

Ensuring compliance across the extended enterprise

Compliance improvement: Get better as you go forward  

Gauging your SOX progress  

SOX compliance basics: Taking Action   

Understanding
compliance-related technology
Once an organization has compared its policies, procedures and practices to those required by COBIT and described in ISO17799, the issue becomes how closely an organization needs to match the strict controls described in these documents. In SOX audits, the auditor is expected to interpret requirements based on whether the controls are effective in a given environment.

Factors like an organization's size can significantly affect the need for COBIT recommended interdisciplinary committees (in a small company, one person may be responsible for the entire technical environment and may naturally communicate with business "representatives"), separation of duties (there may be insufficient staff to allocate individuals to traditional roles) and multiparty approval chains.

Other requirements are likely to be subject to interpretation, as well. The level of reliability (or maturity) of certain practices and the level of documentation required may be less than the levels described in COBIT. COBIT publications describe multiple stages of reliability of a control as corresponding to the following descriptions, in increasing level of reliability:

  1. Non-existent
  2. Initial-ad hoc
  3. Repeatable but intuitive
  4. Defined process
  5. Managed and measurable
  6. Optimized
Assuming that an organization is only assessing the reliability of controls it requires, it's likely that an auditor would only accept controls that are stage 3 (defined process) and above.

One of the most daunting aspects of SOX compliance is its requirement for documentation to prove that the policies and practices are in compliance. Many organizations are competent when running their businesses and IT operations, but do not document their policies, procedures, changes and authorization workflows to the degree SOX compliance requires. Organizations have to improve in this area if they are to maintain compliance.



Home: Introduction
Step 1: Understanding compliance -- Financial and technical standards
Step 2: Scope of compliance
Step 3: Establishing an IT Control Framework
Step 4: Detailed objectives and policies
Step 5: Measuring compliance
Step 6: Managing and tracking compliance
Step 7: The changing nature of compliance

BROWSE BY TAG
COBIT,   Security Audit, Compliance and Standards,   Sarbanes-Oxley Act,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
COBIT
Tony Spinelli: Prioritize Information Security over Compliance
Security survey finds increase in security standards adoption
Mix of Frameworks and GRC Satisfy Compliance Overlaps
GRC: Over-Hyped or Legit?
Is the Orange Book still relevant for assessing security controls?
Does SOX provision email archiving?
COSO and COBIT: The value of compliance frameworks for SOX
ISO 17799: A methodical approach to partner and service provider security management
Mapping the path toward information security program maturity
RSA Conference 2006
COBIT Research

Sarbanes-Oxley Act
Information security book excerpts and reviews
SOX compliance burdens midmarket security teams
Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management
Internal audits for Sarbanes Oxley and internal IT support
Internal auditors and CISOs mitigate similar risks
Implement security and compliance in a risk management context
Does password sharing in international branches violate SOX?
Consensus Controls project aims to set benchmarks for compliance
Security visualization helps make log files work
The Little Black Book of Computer Security, 2nd Edition
Sarbanes-Oxley Act Research

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
COBIT  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary




Search Additional Security Research and Solutions
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts