Sarbanes-Oxley Policy Compliance Solutions
Organizations can save thousands of dollars and hundreds of man-hours using our publications to help comply with Sarbanes-Oxley or other corporate governance laws. Organizations adopting the COBIT™ framework for internal audit and control can use our library of pre-written information security policies and job descriptions to build, document and maintain a culture of IT governance.
Information Security Policy Library
Information security policies are the documented control objectives that form the foundation of IT governance. Information Security Policies Made Easy provides a complete set of over 1300 information security policies and standards developed and organized around the ISO 17799 framework. Our COBIT 4.0™ policy map outlines how ISPME information security topics map to the COBIT 4.0 control domains. ISPME includes:
- Over 1300 pre-written information security policies with risk statements.
- Detailed policy implementation advice to create an effective control environment.
- Security policies targeted at different organizational roles (management, technical, end-user).
- Security policies organized for different risk environments, allowing easy customization based on organization risk assessments.
Define and Document Security Roles and Responsibilities
According to the PCAOB Auditing Standard, effective governance requires information security roles and responsibilities to be defined and documented.
Information Security Roles and Responsibilities Made Easy provides expert guidance and pre-written templates that can save your organization hundreds of hours of effort in developing your information security organization.
Information Security Roles and Responsibilities Made Easy contains:
- 40 pre-written job descriptions with detailed information security requirements for each job function.
- Pre-written organization charts that map security roles and reporting relationships.
- Security related mission statements for 20 different departments.
- Advice on proper staffing and budgeting for security roles.
- Standard practices that have been shown to be effective at over 125 organizations around the world.
Security Policies and Sarbanes-Oxley Controls
Information Shield publications are focused on the controls in Sarbanes-Oxley, Section 404. Information Security Policies Made Easy (ISPME) provides a comprehensive list of over 1300 security controls via detailed security policy and standard statements. Information Security Roles and Responsibilities Made Easy (ISRRME) provides expert advice on building a security organization that can effectively manage these security controls.
As both the COBIT and COSO frameworks define a proper control environment, both written information security policies and documented roles and responsibilities are critical to success. Policies and procedures with no defined security roles guarantee non-compliance. Security personnel without clear responsibilities and a tie to the overall compliance organization will be ineffective.
The following specific sections (marked with a **) of the COBIT Framework are addressed by specific controls in Information Shield publications:
PLAN and ORGANISE
1.0 Define a Strategic IT Plan
2.0 Define the Information Architecture **
3.0 Determine Technological Direction
4.0 Define the IT processes, organization and relationships **
5.0 Manage the IT Investment
6.0 Communicate Management Aims and Direction **
7.0 Manage IT Human Resources **
8.0 Manage Quality
9.0 Assess and Manage IT Risks **
10.0 Manage Projects
ACQUIRE and IMPLEMENT
1.0 Identify Automated Solutions
2.0 Acquire and Maintain Application Software **
3.0 Acquire and Maintain Technology Infrastructure **
4.0 Enable operation and use **
5.0 Procure IT resources
6.0 Manage Changes **
7.0 Install and Accredit Solutions and Changes **
DELIVER and SUPPORT
1.0 Define and Manage Service Levels
2.0 Manage Third-Party Services **
3.0 Manage Performance and Capacity **
4.0 Ensure Continuous Service **
5.0 Ensure Systems Security **
6.0 Identify and Allocate Costs
7.0 Educate and Train Users **
8.0 Manage Service Desk and Incidents **
9.0 Manage the Configuration
10.0 Manage Problems
11.0 Manage Data **
12.0 Manage the physical environment **
13.0 Manage Operations **
MONITOR and EVALUATE
1.0 Monitor and evaluate IT performance **
2.0 Monitor and evaluate Internal Control **
3.0 Ensure regulatory compliance **
4.0 Provide IT Governance **
Our publications provide the security thread that runs through the various controls requirements of COBIT. For example, in Install and Accredit Systems, ISPME provides detailed policies and standards for defining a secure baseline for new systems. ISRRME provides detailed job requirements for security personnel who are responsible for installing and accrediting systems.
For more information on using Information Shield solutions for your compliance efforts, please contact us.