COSO and COBIT: The value of compliance frameworks for SOX

None of those components mention firewalls or IPS devices, do they? Not even encryption, so how should a security practitioner translate such a wide-ranging, business-oriented framework like COSO into useful SOX compliance advice? In response, the folks at IT Governance Institute and ISACA were kind enough to define a list of governance control practices that help to define a structure for IT governance The resulting COBIT framework is an IT-specific governance framework designed to help translate business risk into actions for the technical folks.

The reality is most organizations looked to solve the SOX "problem" like every other problem out there, i.e. buy a product and the problem goes away, right? Well, not by a long shot. COSO and COBIT offer controls and processes that, when assembled, can provide a measure of reliability and integrity for financial controls. They are not products that can be bought, and unfortunately, there is no easy way to get them. An organization needs to figure out what is faulty -- process, technology, etc. -- and fix it.

To clarify a bit more, COSO is used by the finance group to build their business processes and associated controls. Once again, COSO is NOT IT-specific. COBIT, on the other hand, takes many of the objectives of COSO and translates them into a language or framework that IT people can understand and work with.

COBIT & SOX: Apples and oranges?
Since most people like easy choices, the initial path of least resistance to SOX compliance (from an IT standpoint, anyway) is to be able to report specifically to the COBIT set of controls. The decade-old guidelines are a favorite among auditors because of their specificity and their regard for no particular platform. There are similar alternatives as well, including ISO 27001 or maybe even something ad hoc. Regardless of your organization's preference, a constant focus on security diligence -- as opposed to compliance "box-checking" -- will be effective in keeping auditors happy.

So what exactly does that mean? It means an enterprise's priorities should be protecting appropriate data (including the financial data that drives financial reporting), ensuring unalterable audit trails and documenting the security controls in place. Demonstrating those efforts effectively is what will appease auditors.

COBIT and ISO 27001 can help by providing accepted and somewhat widely used vernacular and structure to define how to communicate the controls that are probably already in place in your organization. Without that common structure, an enterprise runs the risk of having to educate an auditor on the breadth and depth of its specific framework; whereas going with a standard framework eliminates that.

But frameworks come and go, and the need for a strong set of controls is always there. I'm not big fan of throwing unnecessary and expensive software at the problem, but if I worked for a big company, I would look at mapping engines, also known as IT governance software. Security vendors including Archer Technologies, and ControlPath Inc., and broader offerings from vendors like OpenPages Inc. and consulting firm Paisley can ease the process mapping controls to the language and vernacular that auditors have come to know and love.

Corporations can also build their own control maps if they don't have the budget to buy a product. As with every other software category, these products offer a number of features you probably don't need, but I think the mapping capabilities are very helpful to keep a set of controls consistent over multiple regulations and frameworks.

So the reality is that COSO and COBIT -- and ISO 27001, for that matter -- are helpful in providing a map to solve the puzzle that is SOX. Not because they offer some silver bullet for compliance, rather because they offer a common language that all parties are likely to understand.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Compliance Counselor,   Security Audit, Compliance and Standards,   Sarbanes-Oxley Act,   COBIT,   Compliance School,   Gauging your SOX progress,   SOX compliance,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Identity lifecycle management for security and compliance Interpreting 'risk' in the Massachusetts data protection law FTC Red Flags Rules: How to create an identity theft prevention plan Creating a HIPAA employee training program Data protection tips for corporate compliance leaders PCI DSS compliance requirements: Ensuring data integrity Understanding PCI DSS compliance requirements for log management Are 'strong authentication' methods strong enough for compliance? Strategies for using technology to enable automated compliance Common PCI questions: Web application firewalls or source code review? Sarbanes-Oxley Act SOX compliance burdens midmarket security teams Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management Information security book excerpts and reviews Internal audits for Sarbanes Oxley and internal IT support Internal auditors and CISOs mitigate similar risks Implement security and compliance in a risk management context Does password sharing in international branches violate SOX? Consensus Controls project aims to set benchmarks for compliance Security visualization helps make log files work The Little Black Book of Computer Security, 2nd Edition Sarbanes-Oxley Act Research COBIT Tony Spinelli: Prioritize Information Security over Compliance Security survey finds increase in security standards adoption Mix of Frameworks and GRC Satisfy Compliance Overlaps GRC: Over-Hyped or Legit? Is the Orange Book still relevant for assessing security controls? Does SOX provision email archiving? ISO 17799: A methodical approach to partner and service provider security management Mapping the path toward information security program maturity RSA Conference 2006 Step 1: Understanding compliance -- Financial and technical standards COBIT Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary COBIT  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.