Section 404 was designed to hold company executives responsible for the accuracy of their company’s financial reporting mechanisms. While the letter of the law spelled out the need to demonstrate the effectiveness of internal controls surrounding financial data and financial transactions, real-world compliance audits of IT groups quickly revealed how much farther IT organizations needed to go in their quest to demonstrate effectiveness of their control procedures.
Besides controls surrounding their company’s financial applications and financial systems, IT groups soon found other areas facing scrutiny by auditors.
These included effectiveness of system access and security procedures, change control processes, system upgrades, as well as procedures surrounding data protection, IT media and resource management, disaster recovery and data retention.
With the help of legal, risk and SOX compliance experts, and data storage management teams IT organizations began to translate SOX 404 requirements into actionable, repeatable steps for their data protection management processes.
A set of best practices across different companies began to emerge—many rooted in common quality control frameworks such as COSO, CoBIT, ITIL, ISO and Six Sigma.
Making the Grade
What follows is a summary of the eight A’s in IT controls compliance. We have come to call them the straight “A’s” of a SOX data protection report card.
These best practices are designed to be easy to remember. Applying each “A” in the framework helps IT groups score high marks in both internal and external audits:
Assess your own requirements first with legal and compliance staff. Agree on the goals and parameters of successful compliance for data protection management. Utilize outside help if necessary. Most of the major business and IT consulting firms have established basic compliance definitions and goals.
You can also utilize the documented IT management frameworks such as COSO and ITIL. More information can be found at www.isaca.org. CoBIT specifically lists controls and examples of control tests that could be performed to indicate effectiveness of data protection processes along with processes related to other IT domains.
Advise your staff and your end-user customers how you will ensure compliance. This step is typically performed by documenting the control steps you plan to follow with key IT processes. Documented steps should follow the typical reporter’s mantra of “Who, What, Where, When, and How”:
Who is responsible for performing the process, such as backing up or restoring key systems (systems administrator, DBA, etc.)?
What steps will be performed within the IT control process (such as ways that you ensure successful backup or recovery of systems and data, etc.)?
Where, in terms of applications involved, data center, servers, storage media, platform and work team, will the steps be performed?
When, or how often, must the process steps be executed?
How will you capture and document backup/recovery policies and SLAs for the business units, including notices of updates or inadvertent changes?
Act by putting the process in motion. Start with the basics and build from there. The key is to rely on action to sharpen focus and heighten awareness of process challenges surrounding common backup/restore procedures.
Automate whatever documented control steps you can, especially in the area of on-going testing, monitoring and communication of results. Compliance brings a heavy (manual) burden.
Audit how well your teams are following the documented process and resolving any issues that emerge. This should be performed on a frequent basis at the start to encourage adoption and standardization of the new workflows around the compliance process.
Analyze your performance against goals. Look for gaps in backup/restore workflow, especially resource and time-intensive tasks that create bottlenecks. Get the team’s input and conclusions on how best to improve on the effectiveness of the current process. Again, focus on the basics first. Do not try to optimize the entire process.
Adapt your actions and on-going activities in order to respond and correct any significant gaps or discrepancies you identified. Be sure to document actions taken to correct the discrepancy, including changes to existing backup or restore processes as well as new processes developed to minimize future problems.
Advance to step one. Reassess whether all requirements are being met, and what new ones must now enter the process.
Mark Silverman is president and CEO of Bocada, a data protection management software vendor.