IT Asset Management - Sarbanes-Oxley Act
Sarbanes-Oxley Act - Impact on IT Assets
As previously stated, many corporate failures have made Risk
Management a necessity in corporate compliance.
Sarbanes-Oxley legislation specifically addresses the need for
better control of assets and accounting systems: Section 302
requires officers to certify periodic reports, and Section 404
requires management to assess internal control over financial
reporting, which in practice covers the IT systems and assets
that produce the financial data. The two sections below deal
specifically with Risk Assessment and Prioritisation of Risk.
By identifying and mitigating risks with 'best practice' IT Asset
Management solutions, an organisation is able to demonstrate that
it is taking concrete steps to comply with Sarbanes-Oxley
legislative requirements.
Section 107 - Risk Assessment
Risk Assessment. Risk assessment is the process of identifying
and analyzing both internal and external risks and threats to
achieving an entity's goals and objectives. Risk assessment
can be performed either at the level of the whole enterprise
or entity, or at the level of a specific application or transaction.
Processes for both enterprise-level and application-level risk
assessment form the basis for determining how to manage risk.
Some of these risks are:
- Changes in operating environment
- New technology
- New or revamped information systems
- New personnel
- Rapid growth
- New lines, products, or activities
- Corporate restructurings
- Foreign operations
- Accounting pronouncements
The risk assessment component process itself can be expressed
in terms of five key subcomponents. Each step in the risk assessment
process can be linked to other related tasks and actions to
form a consistent and repeatable evaluation methodology:
1. Determine control objectives
2. Prioritize requirements
3. Identify risks
4. Determine likelihood
5. Manage risk
Systems Model. For Sarbanes-Oxley, a risk assessment
analysis should be performed within the context of the total
operating environment. (Note: SEC rules regarding certification
of periodic reports incorporate a broader standard than just
financial reporting.) By evaluating entity-wide and application-level
risks in a systematic and linked manner, a complete and balanced
measure of the control activities necessary to meet the entity's
control objectives can be developed. The following paragraphs
illustrate a general layered model that can be used to describe
an overall systems environment; the Assurance Methodology provides
a more comprehensive discussion of the concepts covered here.
The basic elements of this model typically include:
- Entity-level risk assessment
- Application-level risk assessment
- Business/transaction services (inbound and outbound)
Determine Control Objectives. Control objectives form
the specific entitywide or application-level goals the entity
wishes to achieve. Some common control objectives for an information-system
environment may include:
- Adequate business planning and sufficient needs analysis
- Systems confidentiality and transaction integrity
- Information availability and authenticity
- Accurate, valid, authorized, and timely transaction processing
- Correct implementation and integration
- Sufficient end-user support and training
- Adequate systems and data protection
Section 108 - Prioritize
Prioritize Requirements. In order to perform an overall risk assessment,
specific assets or processes should be prioritized in terms
of their criticality to the enterprise. To help identify which
assets are most important and need to be protected and safeguarded,
the entity can rank assets on the basis of their significance
to the core requirements it needs to meet. Using this methodology,
assets can be ordered into two general groups:
- Tangibles: property, plant and equipment, computer
systems, applications, and data
- Intangibles: business reputation, continuity, and
quality of service or products
Identify Risks. After ranking and prioritizing important
assets that need to be protected and safeguarded, specific threats
to those assets can be identified. To understand and assess
the significance of the various risk factors, the entity can
evaluate risk factors by determining what can go wrong, what
the weaknesses are, and how vulnerable it is to them. Risks
and threats can be grouped into three general categories:
- Internal and external threats
- Authorized and unauthorized actions
- Intentional and unintentional (mistaken) activities
Determine Likelihood. After identifying the major
risks that represent the greatest threats to the most valuable
assets of the enterprise, the entity should estimate the likelihood
of these risks occurring. Likelihood is estimated by
establishing a basis for the frequency, magnitude, and
duration of the threats at three different levels:
- Aggregate level: cumulative effect
- Transaction level: individual effect
- System level: environmental effect
Manage Risk. Once a decision matrix has been created
that identifies and links the various control objectives, asset
prioritization rankings, potential risks and threats, and likelihood
of occurrence, a risk management decision can be made by
balancing each of these elements against the others.
Both quantitative and qualitative risk management decisions
can be supported using a value-based approach, as opposed to
a 'weak link' model, to measure when a threshold limit
has been reached. An economic value method identifies specific
assets or processes that are considered important to the entity,
and then directs resources towards protecting those critical
areas. It recognizes that while other types of security threats
may exist (i.e., weak links), if they do not pose a significant
risk or can be controlled through other means, they will receive
less attention than priority areas. In general, there are three
basic types of risk management decisions, of which only one
considers what action should be taken to reduce or mitigate
the risk:
- Accept or ignore risk
- Transfer risk (to insurance carriers, etc.)
- Reduce or mitigate risk:
~ Measure and manage: institute and monitor a logical, systematic,
traceable, and repeatable process
~ Teach and train: develop awareness and skills
~ Reduce: take action and safeguard; determine what combination
of the above is the most effective
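The five steps above (control objectives, prioritized assets, identified threats, likelihood, and the accept/transfer/mitigate decision) come together in the decision matrix. The following is an added example, not code from the original page or from any vendor's product, that builds such a matrix for a small constructed risk register and shows the difference between the value-based ranking the text recommends and a 'weak link' ranking that sorts by weakest control regardless of asset value. The criticality scale, the exposure formula (likelihood x magnitude x criticality), the thresholds, the rule that only tangible losses can be transferred, and every asset and figure in the register are assumptions made for illustration.

```python
"""Risk decision matrix: value-based prioritisation vs. a weak-link view.

Added example, not from the original page. Scores, thresholds and the
sample register below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # 1 (low) .. 5 (critical), from the prioritisation step
    tangible: bool     # tangible losses can be transferred to an insurance carrier


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: float        # estimated probability of occurrence per year, 0..1
    magnitude: float         # estimated loss per occurrence, currency units
    control_strength: int    # 1 (weak) .. 5 (strong): quality of existing controls

    def exposure(self) -> float:
        """Value-based score: expected annual loss weighted by asset criticality."""
        return self.likelihood * self.magnitude * self.asset.criticality


# Assumed decision thresholds (illustrative, not from the page or any standard).
ACCEPT_BELOW = 5_000.0      # below this exposure the risk is accepted as-is
MITIGATE_ABOVE = 50_000.0   # above this exposure the risk must be reduced


def decide(risk: Risk) -> str:
    """Map one register row to accept / transfer / mitigate.

    Transfer is only offered for tangible assets in the middle band, on the
    assumption that insurers price physical and system losses but not
    reputation; intangible exposure in that band is mitigated instead.
    """
    exposure = risk.exposure()
    if exposure < ACCEPT_BELOW:
        return "accept"
    if exposure <= MITIGATE_ABOVE and risk.asset.tangible:
        return "transfer"
    return "mitigate"


def value_based_order(register: List[Risk]) -> List[Risk]:
    """Economic-value ranking: highest exposure to the most critical assets first."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def weak_link_order(register: List[Risk]) -> List[Risk]:
    """Weak-link ranking: weakest existing control first, regardless of asset value."""
    return sorted(register, key=lambda r: (r.control_strength, -r.likelihood))


def build_matrix(register: List[Risk]) -> List[Dict[str, object]]:
    """Decision matrix rows: asset, threat, exposure, decision and value-based rank."""
    rows = []
    for rank, risk in enumerate(value_based_order(register), start=1):
        rows.append({
            "rank": rank,
            "asset": risk.asset.name,
            "threat": risk.threat,
            "exposure": round(risk.exposure(), 2),
            "decision": decide(risk),
        })
    return rows


# Constructed sample register (not real data).
GL_SERVER = Asset("general-ledger server", criticality=5, tangible=True)
LAPTOPS = Asset("finance laptops", criticality=2, tangible=True)
TEST_BOX = Asset("developer test box", criticality=1, tangible=True)
REPUTATION = Asset("corporate reputation", criticality=4, tangible=False)

REGISTER = [
    Risk(GL_SERVER, "ransomware outage", likelihood=0.2, magnitude=400_000, control_strength=4),
    Risk(GL_SERVER, "unauthorized journal entry", likelihood=0.1, magnitude=150_000, control_strength=3),
    Risk(LAPTOPS, "theft of device", likelihood=0.3, magnitude=20_000, control_strength=3),
    Risk(TEST_BOX, "default credentials", likelihood=0.6, magnitude=5_000, control_strength=1),
    Risk(REPUTATION, "customer data disclosure", likelihood=0.05, magnitude=200_000, control_strength=3),
]


if __name__ == "__main__":
    for row in build_matrix(REGISTER):
        print(f"{row['rank']}. {row['asset']:<24} {row['threat']:<28} "
              f"exposure={row['exposure']:>10,.0f}  -> {row['decision']}")
    print("weak-link view would start with:", weak_link_order(REGISTER)[0].asset.name)
```

Run as a script, the matrix puts the two general-ledger threats at the top (mitigate), ranks the reputational exposure above the laptop theft, and accepts the developer test box risk even though that box has the weakest control in the register; the weak-link ordering would have put the test box first. That is exactly the trade-off the paragraph describes: the weak link receives less attention because the asset it sits on is not critical.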