INFORMATION TECHNOLOGY POLICY AND PROCEDURE FOR SMALL BUSINESS
DILIMA offers comprehensive IT policies and procedures for small businesses. Establishing new controls always presents a host of business challenges. There is often a disconnect between IT and auditors, with IT unclear about what controls are expected. Even when they know what to monitor, data centers are filled with a wide range of data stores and systems from multiple vendors, including legacy systems. Staffing, time and resources are tight.
Then there is the challenge posed by privileged users, including system administrators and database administrators (DBAs) responsible for key facility operations. To address compliance issues, some organizations have actually curtailed privileges for such users. Yet this is clearly counter-productive to a facility’s operational efficiency. Instead, organizations need strategies that allow them to demonstrate to auditors that data integrity is being protected, without hindering privileged users’ access to the data they need to do their jobs.
Overcoming these challenges can pay significant dividends. Implementing effective controls for ensuring the integrity of financial information, sensitive customer and employee information, and other critical corporate data can provide enormous business benefits, including better security, more consistent business processes and improved documentation. In short, compliance helps demonstrate to customers and business partners that your organization can be trusted. And in today’s corporate world, trust is the coin of the realm.
Two Important Roadmaps
COBIT 4.1
Control Objectives for Information and Related Technologies (COBIT) is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). The most recently published version, COBIT 4.1, emphasizes regulatory compliance as it relates to IT governance. ISACA describes COBIT as “an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks.”
COBIT provides a best practice framework for how to control, manage and measure 34 key IT processes. This framework includes high-level and detailed control objectives for each process, management guidelines (including process inputs and outputs, roles and responsibilities, and metrics), and process maturity models. A core emphasis of COBIT is aligning IT operations with strategic enterprise objectives and priorities to improve IT value delivery, resource management, business performance, efficiency and risk management.
ISO 17799:2005
The ISO 17799:2005 standard is the most recently published revision of ISO’s global security framework. It significantly improves upon the already well-respected and comprehensive “Code of Practice for Information Security Management.” ISO 17799:2005 provides principles and guidelines for initiating, implementing, maintaining, and improving information security management throughout the enterprise. This includes best practices, control objectives and controls for a range of IT functions related to protecting information.
The ISO 17799:2005 standard includes extensions that strengthen controls designed to protect the integrity of information—from asset management and access control, to human resources security, security incident management, and business continuity management. An important new requirement is an increased emphasis on the capability to validate the integrity of regulated information. It mandates validation through systematic auditing and monitoring of activity to prevent unauthorized access to sensitive corporate and customer information. Just as ISO 9000/9001 is used universally as a measure of production quality, ISO 17799:2005 is poised to play a similar role in the area of information integrity assurance.
IT Best Practices for Data Integrity
Both COBIT 4.1 and ISO 17799:2005 provide guidelines that are useful in helping companies determine how to think about the root requirements of compliance regulations and managing data risks. Developed specifically for IT organizations, they provide specific best practices for controls aimed at ensuring the integrity of information assets. What specific controls should IT managers focus on to achieve SOX compliance while moving toward data governance? While these vary depending on the business, the following IT controls, consistent with both COBIT and ISO 17799:2005, are important building blocks for protecting the integrity of critical data and documenting that protection.