Compliance and Security Controls

Assessing ICFR in IT systems can be difficult. IT professionals have several different frameworks that they can use for reviewing IT controls, some of which you are already familiar with. Many of these frameworks help companies decide which controls to implement.

COBIT

In 1996, the Information Systems Audit and Control Association (ISACA) released the first version of “Control Objectives for Information and Related Technology” (COBIT). Several versions of COBIT have been released. Even though ISACA has moved away from use of the term control objective in its framework, it has kept the popular term COBIT for the name of the framework. The most recent version of COBIT was released in 2019.[39]

The COBIT 2019 framework aims to help organizations create value from their IT assets.[40] COBIT also provides a framework for the governance and management of those assets. It has six key principles:

  • Providing stakeholder value
  • Adopting a holistic approach
  • Understanding that governance is dynamic
  • Separating governance from management
  • Tailoring governance to the organization’s needs
  • Covering the whole organization

COBIT 2019 does not state specific actions that an organization must take to build an IT governance framework. Instead, it provides a list of processes and practices that an organization should review. It has 40 governance and management objectives. This list provides organizations with a method for making their own decisions about technology governance and management. It is technology neutral, and also general enough that any type of organization, profit or nonprofit, can use the framework.

Similar to earlier versions, COBIT 2019 refers to the COSO Framework. You can learn more about COBIT at http://www.isaca.org.

GAIT

The Institute of Internal Auditors (IIA) created the GAIT series in January 2007. The IIA first created the GAIT methodology to help auditors and companies comply with SOX Section 404 and to help identify the controls whose failure might cause an error in a financial statement. GAIT was most recently updated in 2009.

The GAIT methodology helps auditors and companies scope Section 404 reviews of IT controls. It recognizes that companies must implement ICFR in IT systems. Similar to the SEC and PCAOB, GAIT advocates a top-down, risk-based approach to reviewing IT controls. GAIT has four main principles:

  • A top-down approach should be used to review risks and IT controls.
  • The review of risks and IT controls should be limited to financially significant systems, applications, or data.
  • IT controls and risks exist at various layers in an IT system (application, database, operating system, and network infrastructure).
  • Risks in IT processes should be mitigated by achieving IT control objectives, not by individual controls.

FYI

The words framework and methodology are often used interchangeably. However, they are actually different things. A framework is a loose structure that guides an organization toward a particular goal. A framework is intended to be flexible. A methodology, by contrast, is a set of defined principles and practices that lead toward a particular goal. A methodology is intended to be inclusive of all tasks needed to accomplish a goal. A framework is flexible and can actually embed multiple practices and methodologies.

Similar to COBIT, GAIT does not recommend individual controls. Instead, it specifies a series of control objectives. Companies are free to choose the individual controls that meet the control objectives. Information security objectives are included in the GAIT guidance only to the extent that they apply to systems that affect a company’s financial reports. The IIA has also issued several practice guides that address current topics in IT and information security.

You can learn more about GAIT at https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GAIT-Methodology.aspx.

ISO/IEC Standards

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) have created two standards that companies can use to implement information security controls. The two standards work together: One sets the requirements for governing information security, whereas the other describes how to implement security controls. The standards are:

  • ISO/IEC 27001:2013, “Information Technology—Security Techniques—Information Security Management Systems—Requirements”
  • ISO/IEC 27002:2013, “Information Technology—Security Techniques—Code of Practice for Information Security Controls”

ISO/IEC 27001 provides a framework for creating an information security management system (ISMS). It uses a risk-based approach to review how information security is managed within an organization, and it specifies the processes that management must put in place to establish, operate, monitor, review, maintain, and improve the ISMS.

ISO/IEC 27002 lists information security safeguards. Unlike COBIT and GAIT, ISO/IEC 27002 does describe specific controls. The 2013 edition has 14 major sections, each covering a different category of information security controls, and for each control it explains why an organization should use it and how to implement it. (Both standards were revised in 2022, and ISO/IEC 27002:2022 regroups its controls under four themes; the 2013 structure is the one described here.) The 14 sections are:

  • Information security policy
  • Information security organization
  • Human resources security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • Information system acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

The ISO/IEC standards are specific to information security. Companies can use these standards to make sure that their information security practices provide reasonable assurance that ICFR are effective. See Table 7-1 for the relationship between SOX internal controls and information security goals.

NIST Computer Security Guidance

Finally, some organizations turn to the National Institute of Standards and Technology (NIST) for information security control guidance. NIST creates information security guidance for federal agencies. These agencies must comply with the Federal Information Security Management Act (FISMA).

NOTE

NIST is currently updating SP 800-53 (Rev. 4). As of the writing of this chapter, the final public draft of SP 800-53 (Rev. 5) had been released for final public comment. The update integrates both information security and privacy controls. It is intended to provide a comprehensive approach for safeguarding new technologies.

Many nongovernmental organizations also use NIST publications to guide their own information security programs. “NIST Special Publication 800-53 (Rev. 4), Security and Privacy Controls for Federal Information Systems and Organizations” provides a catalog of security and privacy controls, together with the low-, moderate-, and high-impact baselines that define the minimum set of controls an organization should use to create an effective information security program.

You can learn more about NIST computer security resources at http://csrc.nist.gov/. SOX does not provide public companies with specific advice on how to use IT controls. Many organizations use the frameworks reviewed in this chapter to guide their SOX Section 404 compliance activities.
