Re: [ISN] Offsite security complicates compliance

From: InfoSec News (isn@private)
Date: Tue Mar 22 2005 - 23:19:39 PST

Forwarded from: Mark Bernard <Mark.Bernard@private>

Dear Associates,

Here in Canada the Chartered Accountants of Canada are in the process
of making our IT Audit standards, CICA 5900, compliant with SOX and
SAS 70. We are also anticipating newly crafted Financial Securities
legislation this year currently under review in Ontario also known as
Bill 198. It's very likely that each of the Canadian provinces will
adopt Bill 198 provisions since our stock exchange is located in
Toronto - Ontario. The current target release date for CICA 5900 is
July 1st, 2005.

The answer to complying with all of this new legislation is to
implement a best practice framework such as ISO17799 or ISACA's COBiT.
I would personally recommend ISACA's COBiT because it's a worldwide
standard that IT Auditors and Financial professionals recognize. A
hybrid strategy using both ISO 17799 and COBiT is that much better
since both IT professionals and Financial Professionals can relate to
each. Furthermore, it's very likely that your annual audits will be
conducted by IT Auditors with Financial backgrounds, so it's the only
logical approach.

Why should IT be concerned about the Finance Department? Well, if
you're an IT Professional and have been in business long enough, then you
already know how important it is to work closely with Finance and
ensure that such projects and capital expenditures are clearly
understood. This way they'll have a chance to stay in the annual
budget and not get cut during the annual rollback on capital expenses.

Here's a link for more information about CICA 5900:

Here's a link for COBiT:

Best regards,

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,

e-mail: Mark.Bernard@private
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams: "If your actions inspire others to 
dream more, learn more, do more and become more, you are a leader."


> By Ann Bednarz
> Network World Fusion
> 03/18/05
> Offsite security conditions are always a factor to consider when a
> company enters an outsourcing deal, but regulatory initiatives are
> raising the stakes.
> IT executives need to ensure service providers have proper system
> controls in place before and after they enter into sourcing and
> hosting arrangements, analysts say. It's not only a good business
> practice, it's also increasingly required by law.
> One law putting a spotlight on outsourcing deals is the Sarbanes-Oxley
> (SOX) Act of 2002, which Congress passed in the wake of accounting
> scandals at firms such as Enron and WorldCom.
> SOX has IT and finance departments working closely to review and
> modernize companies' financial reporting systems to comply with its
> regulations. Of particular concern is Section 404 of the legislation,
> which calls for company executives and third-party auditors to certify
> the effectiveness of internal controls - technologies and processes
> put in place to preserve the integrity of financial reports.
> Doing due diligence to Section 404 means looking into conditions at
> outsourcing and hosting providers' sites, where sensitive corporate
> data might be accessible, processed or stored. That's where Statement
> on Auditing Standards (SAS) 70 comes in.


This archive was generated by hypermail 2.1.3 : Wed Mar 23 2005 - 00:00:46 PST