Re: [ISN] Offsite security complicates compliance

From: InfoSec News (isn@private)
Date: Tue Mar 22 2005 - 23:19:39 PST

Forwarded from: Mark Bernard <Mark.Bernard@private>

Dear Associates,

Here in Canada the Chartered Accountants of Canada are in the process
of making our IT Audit standards, CICA 5900, compliant with SOX and
SAS 70. We are also anticipating newly crafted Financial Securities
legislation this year currently under review in Ontario also known as
Bill 198. It's very likely that each of the Canadian provinces will
adopt Bill 198 provisions since our stock exchange is located in
Toronto - Ontario. The current target release date for CICA 5900 is
July 1st, 2005.

The answer to complying with all of this new legislation is to
implement a best practice framework such as ISO17799 or ISACA's COBiT.
I would personally recommend ISACA's COBiT because its a world wide
standard that IT Auditors and Financial professionals recognize. A
hybrid strategy using both ISO 17799 and COBiT is that much better
since both IT professionals and Financial Professionals can relate to
each. Furthermore, it's very likely that your annual audits will be
conducted by IT Auditors with Financial backgrounds, so its the only
logical approach.

Why should IT be concerned about the Finance Department? Well, if
you're an IT Professional and been in business long enough than you
already know how important it is to work closely with Finance and
ensure that such projects and capital expenditures are clearly
understood. This way they'll have a chance to stay in the annual
budget and not get cut during the annual rollback on capital expenses.

Here's a link for more information about CICA 5900;

Here's a link for COBiT;

Best regards,

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,

e-mail: Mark.Bernard@private
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams: "If your actions inspire others to 
dream more, learn more, do more and become more, you are a leader."


> By Ann Bednarz
> Network World Fusion
> 03/18/05
> Offsite security conditions are always a factor to consider when a
> company enters an outsourcing deal, but regulatory initiatives are
> raising the stakes.
> IT executives need to ensure service providers have proper system
> controls in place before and after they enter into sourcing and
> hosting arrangements, analysts say. It's not only a good business
> practice, it's also increasingly required by law.
> One law putting a spotlight on outsourcing deals is the Sarbanes-Oxley
> (SOX) Act of 2002, which Congress passed in the wake of accounting
> scandals at firms such as Enron and WorldCom.
> SOX has IT and finance departments working closely to review and
> modernize companies' financial reporting systems to comply with its
> regulations. Of particular concern is Section 404 of the legislation,
> which calls for company executives and third-party auditors to certify
> the effectiveness of internal controls - technologies and processes
> put in place to preserve the integrity of financial reports.
> Doing due diligence to Section 404 means looking into conditions at
> outsourcing and hosting providers' sites, where sensitive corporate
> data might be accessible, processed or stored. That's where Statement
> on Auditing Standards (SAS) 70 comes in.


Bellua Cyber Security Asia 2005 -

This archive was generated by hypermail 2.1.3 : Wed Mar 23 2005 - 00:00:46 PST