Auerbach Publications

Compliance Frameworks

by Marlin Pohlman

Compliance frameworks are the connection between regulatory mandates and software practices. In the following chapter, we explore the nature of compliance frameworks and best practices in an attempt to direct the identity professional toward standards that enable auditable stewardship and governance of identity-related information.

Management should perceive the self-assessment phase provided by the use of these tools as an opportunity for business process reengineering. For the manager, a regular self-assessment of control operations should also reveal potential improvements in process. The exceptions found in detective, back-end controls can recommend more appropriate front-end controls to reduce error correction and rework. Often, these exceptions can point to refinements for system input screens that shift the control function from detective or manual to preventative or automated and result in a net increase in value for the company.

Compliance Framework Taxonomy

Identity management has the greatest impact on a company's ability to achieve regulatory compliance. Operational transparency and financial accountability derive from the enterprise's ability to assign access and authority to the right people. Accountability also derives from the ability to track users' identity as expressed in the role and responsibility assigned by the company. As a result, companies are discovering that their ability to win and perform on contracts is as subject to investigation of their identity management processes as it is of their company's balance sheets or stock value.

Accompanying a flock of identity-related compliance mandates are multiple frameworks and methodologies for managing operational risk in a way that can be verified. This can be good or bad depending on perspective. Either way, these frameworks should not be unfamiliar to the identity management professional. The number of frameworks against which companies' processes are evaluated continues to increase, and a company may need to consider a daunting number of them. The field truly is a quagmire in which compliance efforts can stall if an organization is not careful. The first step toward making sense of the regulatory quagmire is to categorize the frameworks by purpose and focus. In general, these frameworks define characteristics of good processes, but do not prescribe how they should be enacted.

Joint EU Framework

ISO/IEC 27001:2005, ITIL, and CobiT are the three most important best-practice IT-related frameworks. ISO/IEC 27001 is the international Code of Best Practice for Information Security from the International Organization for Standardization in Geneva. ITIL is the IT Infrastructure Library, created by the United Kingdom's Office of Government Commerce, and CobiT is Control Objectives for Information and Related Technology, from the IT Governance Institute in the United States. ISO 17799, ITIL, and COBIT are all best-practice IT approaches to regulatory and corporate governance compliance. The challenge is to craft an integrated framework that encompasses all three standards. The Joint Framework established by the IT Governance Institute and the British Office of Government Commerce forms one of the two most comprehensive frameworks.

Aligning COBIT, ITIL and ISO 17799 for Business Benefit was published in 2005 and serves to formalize the relationship between these three best-practice frameworks. The recommendation is that COBIT should be used to provide "an overall control framework based on the (generic) IT-process model" at the governance level.

  • ITIL describes how service management aspects should be handled.
  • ITIL and ISO 27001 are mapped to high-level COBIT process and control objectives.
  • ISO 27001 defines what must be done in terms of information security controls.
  • Appendix I maps CobiT controls to ITIL processes and ISO 27001 controls.
  • Appendix II maps ITIL processes to COBIT control objectives.
  • ITIL, COBIT, and ISO 27001 (17799) projects are enabled to be cross-linked/integrated.

Organizations that use the Joint Framework will have a single, integrated, compliance approach that delivers corporate governance general control objectives, meets the regulatory requirements of data and privacy-related regulation, and enables the organization to prepare for external certification to ISO 27001 and ISO 20000, both of which demonstrate compliance. The Joint Framework prepares the enterprise for emerging regulatory requirements, enabling compliance with multiple regulations and meeting complex compliance requirements.

The Joint Framework helps organizations improve business performance; it focuses on business processes, as opposed to controls, and builds controls into the business processes. The Joint Framework enables a broad-based shift from reactive to proactive compliance operations.

A benefit of increased standardization in compliance efforts is reduced costs, improved efficiency, and increased quality. Because the framework applies across the enterprise, it reduces vertical silos of expertise and practice, improving communication and business effectiveness. In practice, the framework can be deployed quickly and can reduce an organization's dependence on multitudes of experts and methodologies. Choosing to implement the Joint Framework not only leads an enterprise toward effective regulatory compliance but also helps improve the organization's competitiveness.

Control Mapping-Joint EU Framework
ISO/IEC 27001:2005, ITIL, and CobiT make up the Joint EU Framework, addressing the domain control requirements of

  • Trusted access
  • Change management
  • Business continuity and availability
  • Operational monitoring
  • Records management
  • Audit and risk management
  • Operational controls

The standard concedes as out of its scope the control areas of

  • Operational transparency
  • Segregation of duties

Control Objectives for Information and related Technology (CobiT)

The Control Objectives for Information and related Technology (CobiT), in its fourth edition, is widely adopted in North America and is increasingly being accepted in Europe. It is a broad principles-based framework that looks at the management of the IT organization and is aimed at board members, managers, and auditors. CobiT identifies 34 key information technology processes and a further 318 control objectives, each of which has an audit guideline. It maps to the specific requirements of the recommended internal control framework for Sarbanes-Oxley compliance and underpins the recommendations of the Turnbull Guidance.

This framework has four major domains, which follow the general systems development life cycle:

  • Planning and organization (PO, plan and organize): The planning and organization domain has 11 high-level control objectives that cover everything from strategic IT planning and the creation of a corporate information architecture to the management of specific projects.
  • Acquisition and implementation (AI, acquire and implement): Companies need to acquire and implement information systems. This domain has six high-level control objectives.
  • Delivery and support (DS, deliver and support): Most of the IT project life cycle takes place after implementation. The CobiT framework has 13 high-level control objectives for delivery and support.
  • Monitoring (M, monitor and evaluate): Firms must monitor processes, assess the adequacy of internal controls, obtain independent assurance, and provide for independent auditing.

Each process is described by using the following information:

  • High-level control objectives
  • Detailed control objectives
  • Information criteria affected by the process
  • IT resources used by the process
  • Typical characteristics depending on the maturity level
  • Critical success factors
  • Key performance indicators
  • Key goal indicators

Information Criteria
Information delivered to the core business processes has to fulfill certain criteria, categorized as follows:

Quality requirements

  • Effectiveness: The relevance and pertinence of information to the business process as well as the timely, correct, consistent, and usable delivery.
  • Efficiency: The provision of information through the optimum (most productive and economical) use of resources.

Security requirements

  • Confidentiality: The protection of sensitive information from unauthorized disclosure.
  • Integrity: The accuracy and completeness of information, as well as its validity, in accordance with business values and expectations.
  • Availability: Information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Fiduciary requirements

  • Compliance: Deals with following those laws, regulations, and contractual arrangements to which the business process is subject (i.e., externally imposed business criteria).
  • Reliability: Relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance-reporting responsibilities.

Control Mapping-COBIT
COBIT addresses the domain control requirements of

  • Trusted access
  • Business continuity and availability
  • Operational monitoring
  • Records management
  • Operational controls

The standard concedes as out of its scope the control areas of

  • Change management
  • Audit and risk management
  • Operational transparency
  • Segregation of duties

ISO 27001

This international standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's information security management system (ISMS). An organization needs to identify and manage many activities to function effectively. Any activity using resources and managed so as to enable the transformation of inputs into outputs can be considered to be a process. Often, the output from one process directly forms the input of the following process.

ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of international standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and nongovernmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC. This international standard adopts the "Plan-Do-Check-Act" (PDCA) process model, which is applied to structure all ISMS processes. This international standard is aligned with ISO 9001:2000 and ISO 14001:2004 to support consistent and integrated implementation and operation with related management standards.

The focus of ISO/IEC 17799:2005, the precursor to ISO 27001, is the assurance of the availability, confidentiality, and integrity of an organization's information. These principles are at the heart of all of today's information-related regulations. The standard's key controls all map to specific requirements of existing data protection legislation, and, through ISO/IEC 27001:2005 (the ISMS specification standard), it is recognized as a means of complying with EU regulations on data protection and privacy.

Control Mapping-ISO 27001
ISO/IEC 27001:2005 addresses the domain control requirements of

  • Trusted access
  • Business continuity and availability
  • Operational monitoring
  • Records management
  • Audit and risk management
  • Operational controls

The standard concedes as out of its scope the control areas of

  • Change management
  • Operational transparency
  • Segregation of duties

ITIL

The Information Technology Infrastructure Library (ITIL) is growing in popularity among financial institutions seeking to improve service quality and to align IT with larger business objectives. It is an IT management approach that bridges tools and standards with business processes. As one of the three compliance structures of the Joint EU Framework, ITIL will only increase in importance. It was developed in England in the 1980s for the Central Computer and Telecommunications Agency (CCTA), and is a set of documents focused on best-practice processes for IT service management. ITIL is technology neutral and focuses on processes. Unlike ISO 17799, ITIL security management describes "how" security measures can be implemented.

The ITIL book has five chapters along with annexes at the end of the book. The first two chapters consist of an introduction, a section on the fundamentals of information security, and a section on the links between information security and IT processes. The first two chapters primarily deal with basic security management information, including the importance of upper management commitment and the view of information security being a business enabler instead of a cost. These are important concepts worthy of being reviewed and discussed to help identity stewards look at information security from a business perspective as opposed to a technical product perspective.

The next three chapters discuss security management for a number of key security processes. In the third chapter, there is a discussion about determining the security-related service-level requirements for various business processes. The service-level requirements help determine key operational areas that must be in place before effective security management can take place. The operational areas include

  • Configuration and asset management
  • Incident control and help desk
  • Problem management
  • Change management
  • Release management

The final two chapters provide best-practice processes for some key information security areas, including

  • Asset classification
  • Personnel security
  • Communications and operations management
  • Access control
  • Auditing and evaluation

ITIL Process Description

  • Configuration management: Creation and maintenance of a database of all IT configuration items, their relationship with other items, and their proper state.
  • Incident management: Receiving, recording, and classifying user reports of malfunctions, primarily received through the help desk.
  • Problem management: Analysis of incidents to uncover patterns of repetition that might indicate a common root cause. Positive conclusion results in a request for change (RFC), and the cycle repeats.
  • Change management: Response to and action on requests for change. The process includes solution evaluation and design, risk analysis, prioritization, approvals, and feasibility testing.
  • Release management: Sequence of events for rolling out a change to the user environment in order to minimize disruption, prevent errors and loss of data, and maintain proper documentation.

Terms and Definitions Associated with ITIL

  • SLM (service-level management): The monitoring of required service levels.
  • SLA (service-level agreement): Specific targets identified by SLM for each unit within the IT organization.
  • SLC (service-level contract): Specific targets identified by SLM for each unit within an external IT supplier.
  • OLA (operation-level agreement): Specific targets for the service being supplied by internal service providers (network services, LAN services, and so on).
  • UC (underpinning contract): Specific targets for the service being supplied by an external service provider (such as GE Capital, Decision One).
  • Service catalogue: A collection of all the services being provided and the customers of each.
  • SLR (service-level requirements): SLM will ask each IT customer what his or her requirements are. These will be embedded into the SLA.
  • SIP (service improvement program): After the review of an SLA, service improvements may be necessary. A service improvement plan will be designed and acted on.
  • CI (configuration item): Anything within IT that is decided to be within scope and can be changed should be considered a CI. This could be hardware, software, an SLM, a job description, and so on.
  • CMDB (configuration management database): The CMDB holds all details, and relationship information, of all CIs associated with the IT infrastructure.
  • SCOPE (scope): The activities of configuration management include identification, control, status accounting, and auditing.

Control Mapping-ITIL
ITIL addresses the domain control requirements of

  • Change management
  • Business continuity and availability
  • Operational monitoring
  • Records management
  • Operational controls

The standard concedes as out of its scope the control areas of

  • Trusted access
  • Audit and risk management
  • Operational transparency
  • Segregation of duties

BSI IT-Grundschutz Methodology

The IT-Grundschutz methodology is a procedure for IT security management that can be adapted to the situation of a specific institution. It is described in BSI Standard 100-1 MSIS. This document describes the steps required by the IT-Grundschutz methodology. It represents a standard for establishing and maintaining the appropriate level of IT security in an institution. The method, which was introduced by BSI in 1994, provides a methodology for setting up an information security management system, establishing a comprehensive basis for assessing risk, monitoring the existing IT security level, and implementing appropriate IT security.

One of the most important objectives of IT-Grundschutz is to reduce the expense of the IT security process by providing established procedures to improve information security. The methodology describes an efficient management system for information security and how the IT-Grundschutz catalogues can be used for this task. Each of the BSI standards focuses on a different area:

  • The BSI Standard 100-1 MSIS describes the general methods for the initiation and management of information security in an institution.
  • The BSI Standard 100-2 provides a summary of the important steps in introducing an ISMS and the approach to producing an IT security concept.
  • The BSI Standard 100-3 describes how the fundamental phase in initiating the IT security process could look, and which organizational structures are appropriate for it. In addition, a systematic path is shown for setting up functional IT security management and for developing it further in ongoing operations.
  • The BSI Standard 100-4 describes the IT-Grundschutz methodology for producing an IT security concept. This first lists how the basic information on IT assets can be collected and simplified by forming groups.

The IT-Grundschutz catalogues describe how to produce and monitor IT security concepts on the basis of standard security measures. Modules of standard security measures are available for common IT processes, applications, and components. The modules are classified into five layers according to their focus:

  1. Layer 1 covers all the generic IT security issues.
  2. Layer 2 covers all the physical, technical issues.
  3. Layer 3 relates to individual IT systems.
  4. Layer 4 concerns the issues relating to networking IT systems.
  5. Layer 5 handles the actual IT applications.

Control Mapping-BSI IT-Grundschutz Methodology
The BSI IT-Grundschutz methodology addresses the domain control requirements of

  • Trusted access
  • Change management
  • Business continuity and availability
  • Operational monitoring
  • Records management
  • Audit and risk management
  • Operational transparency
  • Operational controls

The methodology concedes as out of its scope only the control area of

  • Segregation of duties

CMMI-SEI

Capability Maturity Model Integration (CMMI) is a process improvement approach that provides organizations with the essential elements of effective processes. It is used to guide process improvement across projects, divisions, and entire organizations. CMMI helps integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and afford a point of reference for appraising current processes. Although it is not a specific compliance methodology, its use in conjunction with other compliance methodologies in remediation efforts may serve as proof of intent to comply.

The Carnegie Mellon Software Engineering Institute (SEI) is a federally funded research and development center in the United States. Its core purpose is to help organizations improve their software engineering capabilities.

Control Mapping-CMMI-SEI
The CMMI methodology addresses the domain control requirements of

  • Trusted access
  • Change management
  • Business continuity and availability
  • Operational monitoring
  • Records management

The methodology concedes as out of its scope only the control areas of

  • Audit and risk management
  • Operational transparency
  • Segregation of duties
  • Operational controls

SoGP

In 1998, the Information Security Forum (ISF) developed a comprehensive list of best practices for information security, the Standard of Good Practice (SoGP). The ISF offers an assessment to identify benchmark environments and measure compliance with the SoGP. The SoGP provides a biannual review cycle during which existing sections are revised and new sections are added according to ISF member information and best-practices research.

The standard is developed from research based on practices of and incidents in major corporations. The standard is used as the default governing document for information security behavior by many major organizations, by itself or in conjunction with other standards such as ISO 17799 or COBIT.

The standard is divided into five aspects:

  1. Security management (SM): Aligns business risks associated with information with senior management.
  2. Systems development (SD): Builds security into every component from inception at each stage of the cycle. This approach proves more cost effective and efficient than grafting it on after development. SD encourages a coherent approach to systems development and sound discipline throughout the development cycle, ensuring that information security is addressed.
  3. Critical business applications (CB): By understanding the business impact surrounding a loss of confidentiality, integrity, or availability of information, it is possible to establish the level of criticality of an application. This provides a sound basis for identifying business risks and determining the level of protection required to keep risks within acceptable limits.
  4. Computer installations (CI): This aspect provides a common standard of good practice for information security that should be applied irrespective of where, or on what scale or type of computer, information is processed.
  5. Networks (NW): Secure network design is essential to network services. This aspect enforces sound discipline in running networks and managing security. This discipline applies equally to local and wide area networks, and to data and voice communications.

Control Mapping-ISF Standard of Good Practice (SoGP)
The ISF Standard of Good Practice (SoGP) addresses the control requirements of the domains of

  • Trusted access
  • Change management
  • Business continuity and availability
  • Operational monitoring
  • Audit and risk management

The standard concedes as out of its scope the control areas of

  • Records management
  • Operational transparency
  • Segregation of duties
  • Operational controls

GAIT and GAISP

GAIT stands for Guide to the Assessment of IT General Controls Scope Based on Risk. GAIT provides guidance in support of the IT-related internal control objectives of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), including operational and financial reporting. Although not a control framework, GAIT provides information to appropriately identify and link the COSO constructs of internal control assertions, risks, controls, and objectives. These principles define the relationship between IT and business objectives, how IT differs from company to company, and how to make assertions on IT processes, for example, how to reach an educated decision on which controls to include and exclude. GAIT also addresses the balance of manual and automated controls, entity and process- or activity-level controls, and the percentage of business automation supported or enabled by IT.

Related to GAIT is GAISP, the successor project to the Generally Accepted System Security Principles (GASSP). GAISP is organized in a three-level hierarchy, comprising

  1. Pervasive principles: Fundamental in nature, and rarely changing (target: governance)
  2. Broad functional principles: Subordinate to one or more of the pervasive principles; change only when reflecting major developments in technology or other affecting issues (target: operational management)
  3. Detailed principles: Subordinate to one or more of the broad functional principles; change frequently as technology and other affecting issues evolve (target: the information security practitioner)

Control Mapping-GAIT and GAISP
GAIT and GAISP address the domain control requirements of

  • Trusted access
  • Records management
  • Audit and risk management
  • Operational controls

Functionally, the standard concedes as out of its scope the control areas of

  • Change management
  • Business continuity and availability
  • Operational monitoring
  • Records management
  • Operational transparency
  • Segregation of duties

NIST 800 Series

NIST special publication 800-12 provides a broad overview of computer security and control areas. The standard highlights the importance of the security controls and details ways to implement them.

The first section establishes the basic elements of computer security, defines the associated roles and responsibilities, and exposes common threats. The second section on management controls defines the computer security policy and how to implement this in the computer security program management, computer security risk management, security and planning in the computer security life cycle, and the required assurance measures. The third section outlines the operational controls. These include personnel and user issues, how to prepare for disasters, computer security, incident handling, training and education, security considerations in computer support and operations, and physical and environmental security. The fourth section outlines the technical controls, defining identification and authentication controls, logical access controls, the necessary audit trails, and cryptography techniques.

The Management Controls section addresses security topics that can be characterized as managerial. They focus on the management of the computer security program and the management of risk within the organization. The Operational Controls section addresses security controls that focus on controls that are implemented and executed by people. These controls are put in place to improve the security of a particular system (or group of systems). The Technical Controls section addresses security controls that the computer system executes. These controls are dependent on the proper functioning of the system for their effectiveness.

NIST special publication 800-14 describes common security principles. The standard provides a high-level description of what should be incorporated within an information security policy. Eight principles and fourteen practices are described within this document. The eight principles are

  1. Computer security supports the mission of the organization.
  2. Computer security is an integral element of sound management.
  3. Computer security should be cost effective.
  4. Systems owners have security responsibilities outside their own organizations.
  5. Computer security responsibilities and accountability should be made explicit.
  6. Computer security requires a comprehensive and integrated approach.
  7. Computer security should be periodically reassessed.
  8. Computer security is constrained by societal factors.

NIST special publication 800-26 provides guidance on managing IT security. The standard emphasizes the importance of self-assessments as well as risk assessments.

The NIST self-assessment questionnaire defines specific control objectives and suggested techniques against which the security of a system can be measured. The questionnaire can be based primarily on an examination of relevant documentation and a rigorous examination and test of the controls. Most controls cross the boundaries between management, operational, and technical controls. Each chapter in the three sections provides a basic explanation of the control; approaches to implementing the control; some cost considerations in selecting, implementing, and using the control; and selected interdependencies that may exist with other controls.

Control Mapping-NIST 800 Series
NIST addresses the domain control requirements of

  • Records management
  • Operational monitoring
  • Operational transparency
  • Segregation of duties

Functionally, the standard concedes as out of its scope the control areas of

  • Trusted access
  • Change management
  • Business continuity and availability
  • Audit and risk management
  • Operational controls
  • Operational transparency

COSO and Turnbull Guidance

The COSO framework is a document called Internal Control, Internal Framework (COSO, 1994). The acronym COSO comes from the organization that created the document, the Committee of Sponsoring Organizations of the Treadway Commission (http://www.coso.org). In the COSO framework, there are three objectives:

  1. Operations: The firm wishes to operate effectively and efficiently. It is necessary for the firm to control its general internal operations to do this.
  2. Financial reporting: The firm must create accurate financial reports.
  3. Compliance: The firm wishes to be in compliance with external regulations.

Control Environment
The component at the base of the COSO framework is the corporation's control environment. This is the company's overall control culture. It includes the "tone at the top" set by top management, the company's commitment to training employees in the importance of control, the punishment of employees (including senior managers) who violate control rules, attention by the board of directors, and other broad matters. If the broad control environment is weak, other control elements are not likely to be effective.

Risk Assessment
A company needs to assess the risks that it faces. Without systematic risk analysis, it is impossible to know what level of control to apply to individual assets. Risk assessment must be an ongoing activity because the risk environment changes constantly.

Control Activities
An organization will spend most of its control effort on control activities that actually implement and maintain controls. This includes approvals and authorization, IT security, the separation of duties, and many other matters. Controls usually have two elements: One is a general policy, which says what must be done. The other is a set of procedures, which explains how to do it.

Monitoring
Having controls in place means nothing if organizations do not monitor and enforce them. Monitoring includes both human vigilance and audit trails in information technology. It is essential to have an independent monitoring function that is free to report on problems even if these problems deal with senior management.

Information and Communication
For the control environment, risk assessment, control activities, and monitoring to work well, the company needs to ensure that it has the required information and communication across all levels of the corporation. Page 49 of the COSO framework notes the existence of manual controls, computer controls, and management controls. On page 50, it lists the following types of control activity:

  • Top-level review: Comparing budgets with actual performance, tightly monitoring major initiatives.
  • Direct functional or activity management: Managers who run individual functions or activities review the performance reports appropriate to their level.
  • Information processing: Controls over the accuracy, completeness, and authorization of transactions, including the enforcement of manual procedures. These controls must focus on business processes, not merely on IT processes.
  • Physical controls: Securing and periodically counting physical assets such as cash and archival media, and reconciling the counts with control records.
  • Performance indicators: Relating different sets of data to each other for checking inconsistencies, noting deviations from normal performance (in either direction), unusual trends, and so forth.
  • Segregation of duties: Requiring sensitive processes to be completed by two or more people so that no single person can engage in improper activities without this becoming apparent.

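The last two items above describe a pair of controls that an identity management program implements directly: segregation of duties as a preventive control at role-assignment time, and the detective review of an audit trail that catches the same violation after the fact. The following is an added illustration, not code from the book or from any Oracle product; the role names, the conflict matrix, the users and the log lines are all constructed for the example.

```python
"""Segregation-of-duties (SoD) checks over an identity store and an audit trail.

Two controls side by side:
  * preventive: refuse a role grant that would give one identity a toxic
    combination of roles (runs before the entitlement exists);
  * detective:  scan a transaction log for transactions whose initiator and
    approver are the same identity (runs after the fact, feeds monitoring).
All role names, users and log lines are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Dict, FrozenSet, List, Set, Tuple

# Hypothetical conflict matrix: role pairs that no single identity may hold at once.
CONFLICTING_ROLES: Set[FrozenSet[str]] = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"po_create", "po_approve"}),
    frozenset({"user_provision", "access_review"}),
}


class SoDViolation(Exception):
    """Raised by the preventive control when a grant would create a conflict."""


class IdentityStore:
    """Minimal user -> roles mapping with an SoD-aware grant operation."""

    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}

    def conflicts_for(self, user: str, extra_role: str | None = None) -> Set[FrozenSet[str]]:
        """Conflicting pairs `user` holds now, or would hold after adding `extra_role`."""
        held = set(self.roles.get(user, set()))
        if extra_role is not None:
            held.add(extra_role)
        return {pair for pair in CONFLICTING_ROLES if pair <= held}

    def grant(self, user: str, role: str) -> None:
        """Preventive control: reject the grant instead of finding it in a later review."""
        clash = self.conflicts_for(user, role)
        if clash:
            pairs = ", ".join("+".join(sorted(p)) for p in sorted(clash, key=sorted))
            raise SoDViolation(f"{user}: granting {role!r} would create {pairs}")
        self.roles.setdefault(user, set()).add(role)

    def toxic_combinations(self) -> Dict[str, Set[FrozenSet[str]]]:
        """Periodic access review: users who already hold a conflicting pair."""
        return {u: c for u in self.roles if (c := self.conflicts_for(u))}


# Constructed audit-trail lines in a simple key=value format (one malformed line
# is included on purpose so the parser's tolerance is exercised).
SAMPLE_LOG = """\
2008-03-01T10:15:00Z txn=PO-1001 action=create user=alice amount=12000
2008-03-01T11:02:00Z txn=PO-1001 action=approve user=bob amount=12000
2008-03-02T09:40:00Z txn=PO-1002 action=create user=carol amount=48000
2008-03-02T09:41:00Z txn=PO-1002 action=approve user=carol amount=48000
2008-03-03T14:05:00Z txn=PO-1003 action=create user=dave amount=900
malformed line that the parser must skip
2008-03-03T14:06:00Z txn=PO-1003 action=approve user=dave amount=900
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) txn=(?P<txn>\S+) action=(?P<action>\S+) user=(?P<user>\S+)")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the key=value audit lines; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def find_self_approvals(text: str) -> List[Tuple[str, str]]:
    """Detective control: transactions created and approved by the same identity."""
    creators: Dict[str, str] = {}
    hits: List[Tuple[str, str]] = []
    for ev in parse_log(text):
        if ev["action"] == "create":
            creators[ev["txn"]] = ev["user"]
        elif ev["action"] == "approve" and creators.get(ev["txn"]) == ev["user"]:
            hits.append((ev["txn"], ev["user"]))
    return hits


def demo() -> Tuple[List[str], Dict[str, Set[FrozenSet[str]]], List[Tuple[str, str]]]:
    """Run both controls: returns (refused grants, review findings, log findings)."""
    store = IdentityStore()
    store.grant("alice", "po_create")
    store.grant("bob", "po_approve")
    store.roles["carol"] = {"po_create", "po_approve"}  # legacy grant that bypassed the check
    refused: List[str] = []
    try:
        store.grant("alice", "po_approve")  # would create po_create+po_approve
    except SoDViolation as exc:
        refused.append(str(exc))
    return refused, store.toxic_combinations(), find_self_approvals(SAMPLE_LOG)


if __name__ == "__main__":
    for section, result in zip(("refused", "review", "log"), demo()):
        print(section, result)
```

The point of running both checks from one conflict matrix is the one made in the chapter introduction: every exception the detective log review finds (carol approving her own order) is a case the preventive grant check would have refused at provisioning time, so the review output is a direct to-do list for tightening the front-end control.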
Controls for Information Systems
On pages 52-55, Internal Control - Integrated Framework specifically lists some controls over information systems. At a most basic level, the framework discusses the differences between application controls and general controls:

  • Application controls: Involve individual applications (accounting applications, spreadsheets, and so forth), including the manual operations performed in using them.
  • General controls: Cover the layers beneath the applications (data center operations, system software, access security, and application development and maintenance), together with the manual operations that support them.

Control Mapping-COSO and Turnbull Guidance
COSO and Turnbull Guidance address the domain control requirements of

  • Trusted access
  • Records management
  • Operational monitoring
  • Operational transparency
  • Segregation of duties
  • Audit and risk management
  • Operational controls

Functionally, the standard concedes as out of its scope the control areas of

  • Change management
  • Business continuity and availability

SAS 70

SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) and used internationally. More precisely, this standard is defined in the Statement on Auditing Standards (SAS) No. 70 (Service Organizations); hence, SAS 70. The results of an SAS 70 audit are presented in a service auditor's report (SAR). There are two versions of an SAR, known as Type I and Type II reports. A Type I report provides a description of a service organization's controls as of a point in time. A Type II report provides assurance over the operating effectiveness of controls for a period of time. Type II testing must cover a period of not less than six months; in practice, Type II reports cover a six-month or one-year period.

The report includes the following information:

  • Independent service auditor's opinion
  • Service organization's description of controls
  • Information provided by the independent service auditor, including description of the service auditor's tests of operating effectiveness and the results of those tests (Type II only)
  • Glossary

The report assesses four main indicators:

  1. Description of controls is presented fairly.
  2. Controls are designed effectively.
  3. Controls are placed in operation as of a specified date.
  4. Controls are operating effectively over a specified period of time (for Type II reports).

Control Mapping-SAS 70
SAS 70 addresses the domain control requirements of

  • Change management
  • Business continuity and availability
  • Operational monitoring
  • Operational transparency
  • Segregation of duties
  • Operational controls

Functionally, the standard concedes as out of its scope the control areas of

  • Trusted access
  • Records management
  • Audit and risk management

Summary

Table 1 illustrates the strength and scope of each framework cited. It is hoped this will assist in the framework selection process for the client's operational structure and audit requirements.

Table 1 Framework to Control Domain Mapping

Notes
X denotes the framework may be used to measure the control requirement.
* denotes the framework does not express a metric used to measure the control requirement.

About the Author

From Oracle Identity Management: Governance, Risk, and Compliance Architecture, Third Edition by Marlin B. Pohlman. New York: Auerbach Publications, 2008.

© Copyright 2008 Auerbach Publications