
Re: [ISN] Offsite security complicates compliance

Subject: Re: [ISN] Offsite security complicates compliance
Date: Wed, 23 Mar 2005 01:19:39 -0600 (CST)
Forwarded from: Mark Bernard <Mark.Bernard@TechSecure.ca>

Dear Associates,

Here in Canada the Chartered Accountants of Canada are in the process
of making our IT Audit standards, CICA 5900, compliant with SOX and
SAS 70. We are also anticipating newly crafted Financial Securities
legislation this year currently under review in Ontario also known as
Bill 198. It's very likely that each of the Canadian provinces will
adopt Bill 198 provisions since our stock exchange is located in
Toronto - Ontario. The current target release date for CICA 5900 is
July 1st, 2005.

The answer to complying with all of this new legislation is to
implement a best practice framework such as ISO17799 or ISACA's COBiT.
I would personally recommend ISACA's COBiT because it's a worldwide
standard that IT Auditors and Financial professionals recognize. A
hybrid strategy using both ISO 17799 and COBiT is that much better
since both IT professionals and Financial Professionals can relate to
each. Furthermore, it's very likely that your annual audits will be
conducted by IT Auditors with Financial backgrounds, so it's the only
logical approach.

Why should IT be concerned about the Finance Department? Well, if
you're an IT Professional and have been in business long enough then you
already know how important it is to work closely with Finance and
ensure that such projects and capital expenditures are clearly
understood. This way they'll have a chance to stay in the annual
budget and not get cut during the annual rollback on capital expenses.

Here's a link for more information about CICA 5900:
http://www.cica.ca/index.cfm/ci_id/19365/la_id/1.htm

Here's a link for COBiT:
http://www.isaca.org/Template.cfm?Section=COBIT_Online&Template=/ContentManagement/ContentDisplay.cfm&ContentID=15633

Best regards,
Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,

e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444


Leadership Quotes by John Quincy Adams: "If your actions inspire others to 
dream more, learn more, do more and become more, you are a leader."

[...snip]

http://www.nwfusion.com/news/2005/0318offsite.html

By Ann Bednarz
Network World Fusion
03/18/05

Offsite security conditions are always a factor to consider when a
company enters an outsourcing deal, but regulatory initiatives are
raising the stakes.

IT executives need to ensure service providers have proper system
controls in place before and after they enter into sourcing and
hosting arrangements, analysts say. It's not only a good business
practice, it's also increasingly required by law.

One law putting a spotlight on outsourcing deals is the Sarbanes-Oxley
(SOX) Act of 2002, which Congress passed in the wake of accounting
scandals at firms such as Enron and WorldCom.

SOX has IT and finance departments working closely to review and
modernize companies' financial reporting systems to comply with its
regulations. Of particular concern is Section 404 of the legislation,
which calls for company executives and third-party auditors to certify
the effectiveness of internal controls - technologies and processes
put in place to preserve the integrity of financial reports.

Doing due diligence to Section 404 means looking into conditions at
outsourcing and hosting providers' sites, where sensitive corporate
data might be accessible, processed or stored. That's where Statement
on Auditing Standards (SAS) 70 comes in.

[...]
