Infrastructure Acquisition and Maintenance in Sarbanes Oxley
What does SOX need to know about IT infrastructure? It doesn't have any relation with data integrity, does it?
One of my friends keeps asking me about IT infrastructure control in Sarbanes-Oxley compliance. He is confused about why a regulatory compliance requirement issued by the government should control IT infrastructure. "SOX is about financial reporting data integrity; what is its relationship with IT infrastructure?" he said.
Based on guidance released by ISACA, SOX does in fact require a review of the IT infrastructure. The control statement is:
"Controls provide reasonable assurance that technology infrastructure is acquired so that it provides the appropriate platforms to support financial reporting applications."
At a practical level, this means that every change or development in the infrastructure should be controlled: approved, monitored and tested, just as happens in the application development lifecycle.
So if your company has an SDLC (System Development Life Cycle) for application development, then it should also prepare an SDLC for IT infrastructure, in this case for operating systems and databases. IT infrastructure controls are usually available for capacity management, capacity planning and capacity growth.
So do you have any experience with infrastructure acquisition and maintenance? The common problems in implementing this control are usually:
- There is no standard process for infrastructure management; there is no infrastructure development lifecycle.
- Capacity management is performed at the executive level; there is no capacity development department.
- Planning for infrastructure management is performed only once a year, during IT strategic planning.
Any suggestions or stories?