A Sarbanes-Oxley (SOX) Compliance Driven Risk Assessment Model - PowerPoint PPT Presentation
1
A Sarbanes-Oxley (SOX) Compliance Driven Risk
Assessment Model
  • Team
  • Mahesh Babu
  • Chetak Sirsat

2
Sarbanes-Oxley Act of 2002
  • "To protect investors by improving the accuracy
    and reliability of corporate disclosures made
    pursuant to the security laws, and for other
    purposes."

3
Sarbanes-Oxley Act of 2002
  • The government's response to Enron and WorldCom
  • Intended to restore investor trust in US
    corporations
  • Changes how companies manage
  • Auditors
  • Financial Reporting
  • Executive Responsibility
  • Internal Controls

4
SOX Section 302, 404
  • Corporations are required to
  • assess the internal controls around the financial
    reporting system
  • report the effectiveness of those controls to the SEC
  • have the assessment reviewed and attested to by an
    outside auditing firm

5
Information Security and SOX
  • Financial reporting systems heavily dependent on
    well controlled IT environment (ITGI, 2004).
  • Internal controls include information security
    controls
  • ITGI identified security controls required by SOX
    in the following areas
  • Security Policy
  • Security Standards
  • Access and Authentication
  • Network Security
  • Monitoring
  • Segregation of Duties
  • Physical Security
  • Companies required to assess and report the
    effectiveness of these controls to be compliant

6
Risk Assessment
  • Important step in an effective information
    security strategy
  • Used to
  • evaluate risk associated with security related
    threats
  • Identify controls to minimize risk
  • Can be modified to assess SOX security controls

7
NIST Risk Assessment Methodology (flowchart on the slide; not reproduced in the transcript)
8
Why is a SOX-driven Risk Assessment needed?
  • Companies required by SOX to assess and report
    the effectiveness of security controls to be
    compliant
  • Current methods are proprietary
  • Risk assessment is important to a company's
    information security strategy
  • Current risk assessment methods do not consider
    SOX compliance.

9
Proposed Solution
  • Leverage the NIST methodology as the framework. The
    following modifications will be made:
  • The scope of the assessment would be the IT
    infrastructure associated with the financial
    reporting process.
  • The asset identification process would involve
    analyzing
  • User Authentication
  • User provisioning/de-provisioning
  • Segregation of Duties
  • Audit Logging/Reporting
  • The threat identification step will be modified
    to identify non compliance with SOX regulations
    as a threat.
  • Threats associated with the financial reporting
    process itself will be identified along with the
    threats associated with the IT infrastructure.

10
  • The financial reporting process will also be
    assessed for vulnerabilities.
  • The control analysis step will be modified to
    test for specific security controls associated
    with the financial reporting process of the
    organization.
  • A control checklist will be developed to test the
    level of compliance of the organization's
    financial reporting process.
  • The impact of non compliance will be factored in
    during the impact analysis step.
  • Compliance specifications and deadlines will be
    factored in when formulating and prioritizing
    control recommendations. If a recommended control
    would address a threat related to non compliance,
    it would receive a higher priority than a control
    that would not address non compliance.

11
Step 1 Scope Identification
  • Break down IT infrastructure into (no more than
    5) categories.
  • Identify the categories that are involved with
    the organization's financial reporting process.
  • Assign a value (CIA-SOX score) for the impact to
    CIA and SOX compliance if each category is
    compromised.
  • Rank categories based on CIA-SOX score
  • Categories with highest rank will fall into
    scope.

12
Step 2 Asset Identification
  • Build an asset classification model (the example model on the slide is not reproduced in the transcript).

13
Step 2 Asset Identification
  • Application Assessment Interview
  • For each category, analyze
  • User Authentication
  • User provisioning/de-provisioning
  • Segregation of Duties
  • Audit Logging/Reporting
  • Produce Application Definition Document

14
Step 3 Threat Identification
  • Threat Definition
  • Source, Motivation, Action, Resource, Capability
  • Threat Categorization
  • Threat Evaluation
  • SOX compliance related threats are identified based
    on previous audit findings and the results of the
    application assessment from Step 2.

15
Step 4 Vulnerability Identification
  • This step involves identifying three kinds of
    vulnerabilities
  • Technical vulnerabilities
  • Non-technical vulnerabilities
  • SOX compliance related vulnerabilities
  • To identify SOX compliance vulnerabilities
  • Complete the vulnerability checklist
  • Complete the application assessment questionnaire

16
Step 5 Control Analysis
  • The following contain the basic standards that
    will be used to systematically evaluate
    compliance and noncompliance to those standards
    (NIST 800-30, 17.)
  • The vulnerability checklist
  • Appendices A, B and C of IT Control Objectives
    for Sarbanes-Oxley by ITGI
  • the application assessment questionnaire in
    appendix B (also used in the previous step)
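The four areas the application assessment interview covers (user authentication, provisioning/de-provisioning, segregation of duties, audit logging) are the same areas the vulnerability checklist and control analysis test. The following is an added example, not part of the presentation, of how such a checklist can be run mechanically against one in-scope application's account data. The role names, the conflicting-role pairs, the 90-day dormancy threshold and the sample accounts are all assumptions constructed for the example.

```python
"""Added example (not from the presentation): evaluating one in-scope
financial application against the four application-assessment areas
(authentication, provisioning/de-provisioning, segregation of duties,
audit logging). The roles, thresholds and sample accounts are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed role names. Holding both roles of a pair lets one person initiate
# and approve the same financial transaction: a segregation-of-duties gap.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_admin", "payment_approve"}),
}
PRIVILEGED = {"payment_approve", "journal_approve", "user_admin"}
DORMANT_DAYS = 90


@dataclass
class Account:
    user: str
    roles: Set[str]
    active: bool
    mfa: bool
    terminated_on: Optional[date] = None  # from the HR feed; None = employed
    last_login: Optional[date] = None


@dataclass
class Application:
    name: str
    accounts: List[Account]
    audit_logging: bool
    log_reviewed: bool        # logs are periodically reviewed, not just kept
    password_min_length: int


def assess(app: Application, as_of: date) -> List[Tuple[str, str, str]]:
    """Return (area, severity, description) findings for the application."""
    findings = []

    # 1. User authentication: privileged roles need MFA; weak password policy.
    if app.password_min_length < 8:
        findings.append(("authentication", "medium",
                         f"password minimum length {app.password_min_length} < 8"))
    for acct in app.accounts:
        if acct.active and not acct.mfa and acct.roles & PRIVILEGED:
            findings.append(("authentication", "high",
                             f"{acct.user}: privileged role without MFA"))

    # 2. Provisioning / de-provisioning: leavers still active, dormant accounts.
    for acct in app.accounts:
        if not acct.active:
            continue
        if acct.terminated_on and acct.terminated_on <= as_of:
            days = (as_of - acct.terminated_on).days
            findings.append(("deprovisioning", "high",
                             f"{acct.user}: still active {days} days after termination"))
        elif acct.last_login and (as_of - acct.last_login).days > DORMANT_DAYS:
            days = (as_of - acct.last_login).days
            findings.append(("provisioning", "low",
                             f"{acct.user}: dormant account, no login for {days} days"))

    # 3. Segregation of duties: any active account holding a conflicting pair.
    for acct in app.accounts:
        if not acct.active:
            continue
        for pair in SOD_CONFLICTS:
            if pair <= acct.roles:
                findings.append(("segregation_of_duties", "high",
                                 f"{acct.user}: holds conflicting roles {sorted(pair)}"))

    # 4. Audit logging / reporting: logs must exist and actually be reviewed.
    if not app.audit_logging:
        findings.append(("audit_logging", "high", "audit logging disabled"))
    elif not app.log_reviewed:
        findings.append(("audit_logging", "medium",
                         "audit logs are written but never reviewed"))
    return findings


# Constructed sample: one general-ledger application, assessed at quarter end.
AS_OF = date(2024, 3, 31)
SAMPLE_APP = Application(
    name="GL-ERP",
    accounts=[
        Account("alice", {"vendor_create", "payment_approve"}, True, True,
                last_login=date(2024, 3, 28)),
        Account("bob", {"journal_post"}, True, False, last_login=date(2024, 3, 30)),
        Account("carol", {"payment_approve"}, True, False,
                terminated_on=date(2024, 1, 15), last_login=date(2024, 1, 12)),
        Account("dave", {"report_view"}, True, False, last_login=date(2023, 11, 1)),
        Account("erin", {"user_admin"}, False, True),  # disabled: not assessed
    ],
    audit_logging=True,
    log_reviewed=False,
    password_min_length=8,
)

if __name__ == "__main__":
    for area, severity, text in assess(SAMPLE_APP, AS_OF):
        print(f"[{severity:6}] {area}: {text}")
```

Each finding maps to one checklist area, so the output can be pasted straight into the vulnerability checklist for Step 4 and re-run in Step 5 after remediation. The disabled account is deliberately skipped on every check: a disabled account that still holds conflicting roles is a hygiene issue, but it cannot execute a transaction.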

17
Step 6 Impact Analysis
  • The adverse impact of a threat is examined along
    five (5) axes
  • Confidentiality A loss in confidentiality is the
    unauthorized disclosure of information.
  • Integrity A loss of integrity is the
    unauthorized modification or destruction of
    information.
  • Availability A loss of availability is the
    disruption of access to or use of information or
    an information system.
  • Reputation A loss in reputation is the loss in
    the esteem and respect that the public and peer
    institutions have.
  • Compliance Noncompliance would have severe legal
    and financial implications.

18
Step 7, 8, 9 Likelihood Determination, Risk
Determination and Documentation
  • The concluding steps of the risk assessment follow
    the NIST 800-30 risk assessment methodology
    exactly, with one exception
  • Compliance specifications and deadlines will be
    factored in when formulating and prioritizing
    control recommendations.
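The scoring side of the modified model (Step 1 CIA-SOX scoping, the five impact axes of Step 6, likelihood and risk determination in Steps 7 and 8, and the compliance-first ordering of control recommendations in Step 9) is shown below as an added example, not as code from the presentation. The 1 to 3 ordinal scale, the extra weight on the SOX axis, the infrastructure categories, threats, controls and deadlines are all assumptions constructed for the example; NIST 800-30 itself uses different numeric values for likelihood and impact, but the ordering is the same.

```python
"""Added example (not from the presentation): the scoring side of the
modified NIST 800-30 model. Step 1 CIA-SOX scoping, Step 6 five-axis impact,
Step 8 risk level and Step 9 compliance-first control prioritization. The
1-3 ordinal scale, the SOX weight and the sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

LEVEL = {"low": 1, "medium": 2, "high": 3}   # assumed ordinal scale
AXES = ("confidentiality", "integrity", "availability", "reputation", "compliance")


def cia_sox_score(c: str, i: str, a: str, sox: str, sox_weight: int = 2) -> int:
    """Step 1: impact on C, I, A and SOX compliance if the category is
    compromised. The SOX axis is weighted heavier (assumption) because the
    model treats non-compliance as a threat in its own right."""
    return LEVEL[c] + LEVEL[i] + LEVEL[a] + sox_weight * LEVEL[sox]


def select_scope(categories: Dict[str, Tuple[str, str, str, str]], top_n: int = 3) -> List[str]:
    """Rank the (at most five) infrastructure categories by CIA-SOX score;
    the highest-ranked ones fall into scope."""
    ranked = sorted(categories, key=lambda name: cia_sox_score(*categories[name]), reverse=True)
    return ranked[:top_n]


@dataclass
class Threat:
    name: str
    likelihood: str          # low / medium / high (Step 7)
    impact: Dict[str, str]   # one level per axis in AXES (Step 6)
    noncompliance: bool      # True if this is a SOX non-compliance threat


@dataclass
class Control:
    name: str
    threat: Threat
    deadline: Optional[date] = None   # compliance deadline the control must meet


def impact_level(threat: Threat) -> int:
    """Step 6: overall impact is the worst of the five axes."""
    return max(LEVEL[threat.impact[axis]] for axis in AXES)


def risk_score(threat: Threat) -> int:
    """Step 8: likelihood x impact on the ordinal scale, 1..9
    (NIST 800-30 uses 0.1/0.5/1.0 x 10/50/100; same ordering)."""
    return LEVEL[threat.likelihood] * impact_level(threat)


def prioritize_controls(controls: List[Control]) -> List[Control]:
    """Step 9: a control that addresses a non-compliance threat outranks one
    that does not; then higher risk first; then the nearer deadline."""
    def key(c: Control):
        return (not c.threat.noncompliance, -risk_score(c.threat), c.deadline or date.max)
    return sorted(controls, key=key)


# Constructed sample data (category tuples are C, I, A, SOX impact levels).
CATEGORIES = {
    "ERP / general ledger":      ("high", "high", "high", "high"),
    "Workstations":              ("medium", "medium", "low", "low"),
    "Reporting / consolidation": ("medium", "high", "medium", "high"),
    "Identity / directory":      ("high", "high", "medium", "high"),
    "Public website":            ("low", "low", "medium", "low"),
}


def _impact(c, i, a, r, comp):
    return dict(zip(AXES, (c, i, a, r, comp)))


T_LEAVERS = Threat("Terminated users retain ERP access", "high",
                   _impact("high", "high", "low", "medium", "high"), True)
T_RANSOM = Threat("Ransomware on file servers", "medium",
                  _impact("medium", "high", "high", "high", "medium"), False)
T_LOGS = Threat("Privileged-access logs not reviewed", "high",
                _impact("low", "medium", "low", "low", "high"), True)
T_DDOS = Threat("DDoS against public website", "medium",
                _impact("low", "low", "high", "medium", "low"), False)

CONTROLS = [
    Control("Automate HR-driven de-provisioning", T_LEAVERS, date(2024, 6, 30)),
    Control("Offline backups and restore testing", T_RANSOM),
    Control("Weekly privileged-access log review", T_LOGS, date(2024, 4, 30)),
    Control("Upstream DDoS mitigation", T_DDOS),
]

if __name__ == "__main__":
    print("in scope:", select_scope(CATEGORIES))
    for c in prioritize_controls(CONTROLS):
        print(f"risk={risk_score(c.threat)} sox={c.threat.noncompliance} {c.name}")
```

With the sample data the two compliance-related controls come out ahead of the ransomware control even though the ransomware threat has the same impact level, which is exactly the ordering the model asks for; between the two compliance controls the nearer deadline wins. The weights are the part a practitioner should argue about: doubling the SOX axis in Step 1 is a modelling choice, not something the presentation prescribes.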

19
Benefits
  • Findings can be used when evaluating current
    level of SOX compliance.
  • It would reduce the costs associated with
    performing separate risk assessments as part of
    the organization's information security strategy.
  • It would bring information security related risks
    into the focus of the organization's leadership
    because of their association with SOX compliance.
  • It would lay the groundwork for developing a
    generalized compliance driven risk assessment
    model that could incorporate any set of
    regulations or specifications.
  • It could be the first step in developing a risk
    management program for organizations that have to
    be SOX compliant.