SarbanesOxleyFocus.com

June 25, 2008

Connecting Compliance, Security and Business Goals

Filed under: article, sarbanes oxley, security — admin @ 11:09 pm

Did you know that the difficulty of scaling existing compliance programs such as Sarbanes-Oxley, HIPAA and PCI DSS, together with security management programs, to meet new requirements is creating a resource crisis within many organizations? As a result, large enterprises are seeking ways to streamline their compliance activities, to operationalize their security management programs, and to gain value from automating and integrating both.

By building scalability into your compliance efforts, you can reduce manual processes and gain efficiencies for future compliance work. By examining trends in compliance and security management along (more…)


Sarbanes Oxley Compliance for SAP R/3 Resources

Filed under: article, sarbanes oxley, security — admin @ 4:46 am

From a regulatory compliance perspective, IT teams have two responsibilities: support enterprise-wide compliance efforts and ensure that IT itself is compliant with internal and external regulations such as Sarbanes-Oxley (SOX), HIPAA, PCI DSS, FDA, etc. In other words, the IT and SAP teams support the compliance efforts across all departments in the company as well as ensure their own governance, risk, controls and systems are compliant.

This means IT is second only to the finance department when you assess the day-to-day impact of SOX. Most of the internal compliance effort is focused on the change management controls driven by Section 404, which makes management responsible for implementing and documenting internal controls over financial reporting, enforcing segregation of duties, assessing the effectiveness of those controls, and reporting on compliance with the documented process.

For SAP teams, this translates into several (more…)


June 24, 2008

Cost Avoidance versus Return on Investment, a SOX Security perspective

Filed under: article, sarbanes oxley, security — admin @ 8:51 pm

Security has been and will continue to be an overhead expense for all organizations, as are payroll and the other administrative tasks required to keep an organization running. The question that seems to pop up every few months in the security industry is: what is the value of all the security work that takes place within an organization? Organizations want to see the Return on Investment (ROI) for the security budget currently used or expected to be used in the future. Establishing an ROI is a very difficult task. After all, if the security team is doing its job, the organization will likely not see a measurable impact from security problems.

Although several projects are under way to determine what the ROI on security is, none of them has effectively or simply defined what the ROI is for security. You can find more information on this subject by performing a simple Internet search on “Security ROI.” The best approach is not trying to determine the ROI for security, but rather to determine the benefit of cost avoidance provided by the security work accomplished, and what ROI that can provide. (more…)


April 4, 2008

Who has access to system log?

Filed under: article, framework, security, software — admin @ 10:40 am

Every company that must comply with Sarbanes-Oxley needs to design its controls for system log management carefully. COBIT for SOX, published by ISACA, gives the control statement that applies here: “System event data are sufficiently retained to provide chronological information and logs to enable the review, examination and reconstruction of system and data processing.” The next question is: how much is sufficient?

Access to the system log should be read-only and limited to system administrators. Other users need neither read access nor, of course, write access. Default accounts that ship with an application and have access to the system log should be removed; for example, the default Oracle Database or Sun Solaris accounts with read/write access to the system log should be removed. In practice, removing all default user accounts is the easier path. Access to the system log should be very restricted. Some companies use write-once disks to maintain the integrity of the system log. This is considered very important, because if someone can change the system log, it can no longer be relied on as evidence.

Compensating control

In some cases removing access to the system log is too difficult, or the system administrator account is shared because the company is very large and needs more than one system administrator. The next step is then to implement compensating controls, which in this case are log activation review, log review, and administrator account log review. These compensating controls are also useful when enabling the system log raises performance concerns.

Do you have any other experience with system log management? In the future, application developers will provide better system log management features, so I hope this will no longer be a worry.
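Two of the controls above can be scripted so that a log review actually checks something. The following is an added example, not code from the original post: the first function audits a log file's owner and mode the way an auditor would verify "read-only, administrators only"; the second pair builds and verifies a hash chain over log records, a software analogue of the write-once disk that makes edits, deletions and reordering of earlier records detectable at review time. The syslog-style records, the hostname erp01, the account sapadm and the anchor string are all constructed for the example.

```python
"""Scriptable checks for log access and log integrity (constructed example)."""
import hashlib
import os
import stat
import tempfile

# Constructed sample syslog-style records; not real events.
SAMPLE_LOG = [
    "Apr  4 10:40:01 erp01 sshd[4711]: Accepted publickey for sapadm from 10.0.0.5",
    "Apr  4 10:40:07 erp01 sudo: sapadm : COMMAND=/usr/sbin/useradd tempuser",
    "Apr  4 10:41:15 erp01 sudo: sapadm : COMMAND=/bin/chmod 666 /var/log/messages",
    "Apr  4 10:42:30 erp01 sshd[4711]: session closed for user sapadm",
]


def audit_log_permissions(path, allowed_owner_uid=0):
    """Return findings for a log file; an empty list means the file is
    readable and writable only by its owner, and owned by allowed_owner_uid
    (root by default)."""
    st = os.stat(path)
    findings = []
    if st.st_uid != allowed_owner_uid:
        findings.append(f"owner uid {st.st_uid} is not expected uid {allowed_owner_uid}")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IRGRP:
        findings.append("group-readable")
    return findings


def demo_permissions(mode):
    """Create a throwaway file with the given mode and audit it against the
    current user, so the check can be exercised without touching real logs."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed log content\n")
    try:
        os.chmod(f.name, mode)
        return audit_log_permissions(f.name, allowed_owner_uid=os.getuid())
    finally:
        os.unlink(f.name)


def _link(prev_hash, record):
    # Each link covers the previous hash and the record text, so any change
    # to an earlier record changes every later hash.
    return hashlib.sha256(prev_hash.encode() + b"\n" + record.encode()).hexdigest()


def chain_log(records, anchor="genesis"):
    """Append a chain= field to every record. Returns (chained_records,
    final_hash); the final hash is what you store off the box."""
    prev = hashlib.sha256(anchor.encode()).hexdigest()
    out = []
    for rec in records:
        prev = _link(prev, rec)
        out.append(f"{rec} chain={prev}")
    return out, prev


def verify_chain(chained, anchor="genesis", expected_final=None):
    """Return the index of the first record whose link fails, or None if the
    chain is intact. Supplying the off-box final hash (expected_final) also
    catches truncation of the newest records, which the chain alone cannot
    detect; that index is reported as len(chained)."""
    prev = hashlib.sha256(anchor.encode()).hexdigest()
    for i, line in enumerate(chained):
        rec, sep, h = line.rpartition(" chain=")
        if not sep or _link(prev, rec) != h:
            return i
        prev = h
    if expected_final is not None and prev != expected_final:
        return len(chained)
    return None


if __name__ == "__main__":
    chained, final = chain_log(SAMPLE_LOG)
    print("intact chain:", verify_chain(chained, expected_final=final))
    # A shared admin account "tidies up" the chmod record: caught at index 2.
    tampered = list(chained)
    tampered[2] = tampered[2].replace("chmod 666", "chmod 640")
    print("tampered record index:", verify_chain(tampered))
    print("findings for mode 0644:", demo_permissions(0o644))
```

The hash chain only proves that nothing before the last retained record was altered; an attacker who can write the file can still delete the tail, which is why the final hash (or the whole chain) has to leave the host, for example to a write-once medium or a separate log collector, before it is trusted as evidence.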



Powered by WordPress