Tizor Systems, Inc. - Data Protection and Compliance Auditing Solutions
IT Controls for SOX

Frameworks for Data Integrity

The primary frameworks many companies are using to address SOX compliance, CobIT and ISO 17799 and 27001, arrived on the scene long before the legislation creating the Sarbanes-Oxley regulations ever reached the Congressional chambers. In hindsight, they seem prescient. All are intelligent reactions to the evolution of the role of information in business, from business by-product to the enterprise's most valuable asset.


A lofty introduction for an article on IT controls for compliance. But the fact is, it helps to step back and look at the larger picture: the underlying reasons why guidelines like CobIT and ISO have emerged, and why companies are scrambling to comply with regulations that could land their C-level executives in jail or ruin their hard-earned brand equity.


What's it all about? Information. It's all about electronic information and the fact that the nature of our critical assets, and how we use and protect them, has changed. Almost all of a company's most critical assets are now electronic data, from corporate intellectual property to sensitive customer information. Even companies that once saw physical inventory and manufacturing equipment as their core critical assets now realize that the computer models driving those systems are even more valuable. By the same token, information about a consumer's buying patterns is often more valuable than the purchase itself. The definition of critical assets has changed, and with it the way the world defines a company's value, as well as its risks and responsibilities.


Regulations like Sarbanes-Oxley are simply society's recognition of this shift in value from hard to soft goods, and of the fact that protecting these information assets is a fundamental responsibility for those entrusted with the data. It is this change that we are reacting to when we define the controls IT needs to put in place to meet the requirements of ever-expanding government and industry regulations. It is also this change that defines what we need to do as IT professionals to meet the requirements of our organizations as fiduciaries of the critical, and often sensitive, information assets that drive business opportunity and success today.


Unfortunately, while the goals and business drivers for compliance are clear, the path to accomplishing it is not. The issue of corporate integrity, and therefore of data integrity, came upon us rapidly in response to Enron, WorldCom and other corporate scandals, but it won't be resolved so quickly. As IT professionals, it is our responsibility to take stock of the challenges associated with ensuring data integrity, develop a rational and phased plan for overcoming them, and begin taking steps toward that goal.


The first step is relatively simple: ensure that your organization is paying close attention to what the critical data assets are, where they are and what is happening to them. After all, if you don't know what you have and where you have it, how can you protect and leverage it? Yet, surprisingly, most companies lack this very visibility into the existence and location of their data assets. This knowledge is the foundation for the control you need to fulfill the requirements of almost all regulations focused on data integrity, not to mention your company's own data protection and governance objectives. But in this age of seamless connectivity and virtual businesses, how do we define "control"?


Not too long ago, control over electronic assets was achieved by controlling access and privileges. Unfortunately, a growing trend of sophisticated data breaches (including many that involved insiders, or outsiders masquerading as insiders) clearly illustrates the limitations of these approaches to protecting data assets. Yet to do business today, you cannot keep your data under lock and key.


In the face of these realities, a new approach to control has emerged. This new approach focuses on behavior and on insight into that behavior: seeing exactly what is happening with information assets. Regulators demand that you have enough understanding of your information assets to know when information of interest is being accessed or changed. They expect you to know when something goes wrong and to have the ability to do something about it. Aside from regulatory compliance, your business demands that you take the steps necessary to protect your intellectual property and your customers' sensitive data against known threats. Because the landscape is constantly changing, you must have solutions flexible enough to deal with future threats, including those no one even knows about yet. This is where CobIT and ISO 17799 and 27001 can help.

Despite their arcane names, CobIT and ISO 17799/27001 are simply models and frameworks for thinking about the problems of information protection and data governance, with some guidelines for addressing them. Their prescience is that they were conceived at a time when most of us had not yet given the issue any thought. Since the first versions of these frameworks were forged in the early 1990s, they have evolved in a way that makes them extremely valuable to organizations looking to establish a solid information protection and data governance program. This evolution, which continues, is focused on better control mechanisms and processes. It addresses how we can take that first step towards protecting critical information, as well as where we should aspire to be.

The most recent versions of these documents, CobIT 4.1 and ISO 17799:2005, are well-written, well-structured models that can help every organization state its challenges clearly, develop goals appropriate to the larger needs of the business, and build and execute plans to accomplish those goals in a rational and measured way. In addition to these well-established frameworks, we are seeing a growth in corporate-sponsored organizations, such as the Data Governance Council formed by IBM, that develop further best practices and processes to create a common set of standards.


Taking advantage of the thinking behind these frameworks can play a fundamental role, not only in helping companies achieve and maintain regulatory compliance, but also in optimizing the value of their growing data assets. In doing so, these companies will build greater levels of trust with customers, partners and shareholders. And in the information economy, that's the real bottom line.