Step 4: Detailed objectives and policies

At first glance, the list of 20 high level objectives may seem daunting. However, in the same way an organization focuses its compliance activities on areas that affect financial reporting, it also concentrates most of its effort on the areas that have the greatest impact on ensuring integrity and passing an audit. Of the high-level objectives, organizations working to comply spend much of their effort on the following:

  • Managing configuration controls on systems and applications
  • Managing system and application security – including authentication, user provisioning, system accreditation
  • Managing business continuity plans and measures

Here are examples of COBIT detailed control objectives involving user account management and configuration management that are critical in meeting SOX requirements:

User Account Management
Management should establish procedures to ensure timely action relating to requesting, establishing, issuing, suspending and closing of user accounts. A formal approval procedure outlining the data or system owner granting the access privileges should be included. The security of third-party access should be defined contractually and address administration and non-disclosure requirements. Outsourcing arrangements should address the risks, security controls and procedures for information systems and networks in the contract between the parties.

5.5 Management Review of User Accounts
Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be made to help reduce the risk of errors, fraud, misuse or unauthorized alteration.

Configuration Recording
Procedures should be in place to ensure that only authorized and identifiable configuration items are recorded in inventory upon acquisition. These procedures should also provide for the authorized disposal and consequential sale of configuration items. Moreover, procedures should be in place to keep track of changes to the configuration (e.g., new item, status change from development to prototype). Logging and control should be an integrated part of the configuration recording system including reviews of changed records.

Configuration Management Procedures
Configuration management procedures should be established to ensure that critical components of the organization's IT resources have been appropriately identified and are maintained. There should be an integrated process whereby current and future processing demands are measured and provide input to the IT resource acquisitions process.

About Compliance School

In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations' ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all you can attend any of the following on-demand lessons when it's most convenient for you:

Ensuring compliance across the extended enterprise

Compliance improvement: Get better as you go forward  

Gauging your SOX progress  

SOX compliance basics: Taking Action   

compliance-related technology

Home: Introduction
Step 1: Understanding compliance -- Financial and technical standards
Step 2: Scope of compliance
Step 3: Establishing an IT Control Framework
Step 4: Detailed objectives and policies
Step 5: Measuring compliance
Step 6: Managing and tracking compliance
Step 7: The changing nature of compliance

This was last published in February 2006

Dig Deeper on Security audit, compliance and standards