How can you ensure your IT infrastructure complies with SOX?

Primero hay que considerar lo que detonó la creación de la Ley SOX y fue el fraude de la empresa ENRON donde los directivos se "auto-autorizaban" prestamos a diestra y siniestra y por otra parte la información financiera fue falseada sin que nadie la validara hasta que los reporteros comenzaron a investigar. Mi sugerencia es que en la infraestructura exista al menos lo siguiente: - Asignación de perfiles limitados. - Una correcta segregación de funciones. - Una adecuada estrategia de liberación para las compras. - Un continuo monitoreo Lo anterior no va a prevenir que se cometa un fraude pero podrá identificarse inmediatamente porque dejará un rastro de quien o quienes fueron los responsables de las malversaciones.

- Identify and assess risks related to these assets, such as unauthorized access, malware, system failures, and data loss. - Implement IT controls to mitigate these risks, such as access controls, regular backups, penetration testing, and disaster recovery plans. - Document all changes made, including the reason for the change, the date, and approval. - Manage access and permissions. - Ensure data protection and privacy. - Monitor and log events. - Conduct security awareness and training.

Section 404 focuses on auditing a company’s internal controls, including the controls that govern its IT assets with access to financial data. SOX ITGC audits focus on four critical areas: ? Access controls like Segregation of Duties ? IT Security controls like password policies, security password policies across the enterprise, timely review and remediation of identities, device protection policies including encryption. ? Change management controls establish guidelines for updating systems and records with an audit trail of changes made. These include maintaining a log of changes to system configurations, patches, reports, workflows, interfaces and other programs that support your financial reporting. ? Backup controls

In addition to this some crucial areas are: - Business Continuity Plan - Incident Management - Review of Access rights - Change Management - Perimeter Security and Vulnerability Management - Configuration Management

Some additional points I would like to add: 1. Appoint a Compliance Officer: Designate a Compliance Officer or team responsible for overseeing and enforcing SOX compliance within your organization. This role is essential for coordinating efforts across different departments, including IT. 2. Secure Data: Protect sensitive financial data by implementing encryption, firewalls, intrusion detection systems, and other security measures. Regularly monitor and audit data access and security events. 3. Remediate Issues: Promptly address any identified issues or deficiencies in your IT controls. Document the remediation process and its effectiveness.

Use COBIT and ISO27K as a method to measure and audit IT control. COBIT, more specifically from version 5 onwards, helps in the execution of IT controls, both in risk assessment, in control activities, as well as in monitoring mechanisms. On the other hand, the ISO27k family, more specifically ISO27001, presents several security controls, thus covering controls related to organizational structure (physical and logical), human resources, information technology, supplier management, among others. Therefore, the recommendation is to use a combination of COBIT, ISO27K and COSO.