Sarbanes-Oxley Compliance and the RFI/RFP Process
In 2001, most of the world became familiar with Enron, an energy company from Houston, Texas. The company gained notoriety as the largest bankruptcy up to that point, caused by irregular accounting practices that bordered on fraud. Because of public outrage over this and several other accounting scandals, such as WorldCom, which followed shortly after Enron, the United States federal law “Sarbanes-Oxley Act of 2002”, commonly known as SOX, was enacted on July 30, 2002 (Addison-Hewitt Associates, 2006). The law introduced major changes to the way public companies conduct and report their business, and held upper management personally accountable for the information reported to investors.
The law consists of eleven titles, six of which concern compliance, namely sections 302, 401, 404, 409, 802, and 906. Sections 302, “Corporate Responsibility for Incident Report”, and 404, “Management Assessment of Internal Controls”, are very important to IT operations and are concerned with the accuracy, privacy, and security of financial records. Cannon and Byers (2006) state that verification is the essence of compliance and that it is simply a matter of ensuring that the company’s processes are executed as intended. Cannon and Byers (2006) recommend a four-step process for compliance: the first step in ensuring compliance within the organization is to perform a compliance assessment. The next step is to create a high-level corporate policy that individual departments can adapt to meet their needs. The third step is to use technology to automate compliance with the law. Finally, procedures should be evaluated through regular review and auditing. However, real-life compliance with the various applicable laws is not clear-cut.
Depending on the nature of the business, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) may need to be considered in addition to SOX. If the company does business in the European Union (EU), the organization may be required to comply with the European Union Data Protection Directive (EUDPD). All these laws and compliance requirements, on top of the previously required Generally Accepted Privacy Principles (GAAP), may force companies to seek alternatives.
Many organizations view Government Required Compliance (GRC) as an overwhelming task with little return and, as a result, may choose to outsource some or all of their compliance requirements to an outside provider. As an example, Capital Automotive REIT, a real estate investment trust, decided to outsource all of its IT operations to an outside company, Alteritech, which ensured SOX compliance for Capital Automotive REIT (Allbusiness, 2005).
When deciding to outsource some or all IT operations, public companies must be aware of GRC and should dedicate the required time to perform a needs analysis against the business plan. This ensures a clear understanding of what the organization is trying to achieve and why and, among other things, secures upper management’s buy-in. Once identified, the requirements should be briefly stated within a Request for Information (RFI), Request for Proposal (RFP), or Request for Quote (RFQ). Within the RFI, RFP, and RFQ, the client organization should specify its requirements for SOX compliance, such as an audit of the vendor’s internal information controls, oversight procedures, and problem resolution. Consequently, the outsourcing supplier should spell out its organization’s implementation of SOX compliance policies within the information package or proposal sent to the potential customer. As stated earlier, compliance requires validation; however, validating SOX compliance with a third-party provider requires greater effort because the company distances itself from IT operations through large-scale outsourcing (Hall and Liedtka, 2007).
When outsourcing large-scale IT operations, it is important to make sure that security and compliance with the various laws and regulations are considered. Organizations may decide to adopt and adapt internationally accepted standards in order to deal with their IT security management. Axelrod (2004) suggests following the CISSP body of knowledge, which defines ten security classifications. In addition, the newer ISO 17799 standard, ISO 27002, can be used as well. This standard deals broadly with security for electronic files, paper documents, all types of communication, and business continuity planning. Companies may also decide to use Control Objectives for Information and related Technology (COBIT), which provides a framework of generic management principles that an organization may adapt to its own unique needs.
CxT Group Michigan, 2415 E. Hammond Lake Drive, Ste. 219, Bloomfield Hills, MI 48302. Contact No: (248) 282-5599. Toll Free: (877) 439-2539
Axelrod (2004) combined CISSP and ISO 17799 into ten security considerations, namely:
• Security Management Practices covers various security management aspects, including, among other things, personnel physical and emotional security.
• Asset Management Practices discusses the importance of data classification and protection when considering IT outsourcing. Data theft, and identity theft in particular, has been a regular headline in recent times, with thieves stealing thousands of sensitive records. As an example, consider a 2005 case in which CardSystems Solutions, a third-party processor of credit cards and other payments for banks and merchants, had its network hacked and 40 million credit card accounts stolen and sold all over the world (CCRC, 2005).
• Application and System Development provides an overview of what happens during application and system development outsourcing. Currently, there is a movement towards educating software developers on security aspects in order to improve application security from the bottom up (North, North, and North, 2009).
• Operations Security and Operations Risk involves controlling processes and making sure that the third party to which the task is outsourced follows the set standards. Government laws and regulations are increasingly mandating these standards.
• Security Models and Architecture presents a solid foundation upon which the rest of the processes can be built, and includes an architecture framework and a set of industry-accepted design standards together with their implementation adaptations by the organization.
• Physical and Environmental Security is by far the strongest security measure for the organization, and current trends show companies integrating logical and physical security in order to provide complete environmental security (Axelrod, 2004).
• Telecommunications and Network Security describes various aspects of communication lines and network security, including such activities as wire-tapping and induction loops. Axelrod (2004) also describes the convergence of voice and data providers into a single carrier, and discusses the risks of relying on a single vendor.
• Cryptography provides an extra level of protection to messages sent and received, so that unintended eyes cannot read them. There are three types of cryptography algorithms, namely: (1) Secret Key Cryptography (SKC); (2) Public Key Cryptography (PKC); and (3) hash functions. By far the most popular is PKC, though not without problems.
• Disaster Recovery and Business Continuity: organizations big and small, private, public and government, must do everything in their power to avert and defend against disasters, whether man-made or acts of God. However, statistical probabilities dictate that some events cannot be prevented, and organizations need to be prepared to contain the damage and be able to proceed with business as usual. Hall and Liedtka (2007) describe the case of the Montreal Urban Community, which was not able to perform any business functions for two months while switching from one outsourcing vendor to another. The success of a Business Continuity Plan rests on a thorough and accurate security risk assessment. “Risk cannot be mitigated if not defined.” (Carlson, n.d., p. 13). ISO/IEC 17799 requires an organization to:
  ◦ identify and prioritize its business processes;
  ◦ identify and assess possible security risks that could threaten business operations;
  ◦ estimate the likelihood of the risk exposure; and
  ◦ analyze the impact that a risk can have on the business, including operational interruptions, slowdowns, or shutdowns.
• Legal Action: Axelrod (2004) suggests consulting a lawyer at the beginning of an outsourcing relationship in order to ensure proper contract negotiations. In addition, if problems do arise, legal advice will be necessary.
Since 2002, many companies, including Microsoft, have been creating compliance software applications aimed at helping companies manage their policies. Microsoft Operations Framework (MOF) is an IT control framework that allows companies to avoid overlapping efforts in addressing common IT control objectives (Microsoft, 2008). As stated earlier in the paper, SOX was created as the government’s response to a rising number of investor and government frauds committed by a few crooked corporate citizens. As a result, all public organizations must comply with the law in order to avoid investor losses and rebuild investor confidence. However, a company that is able to exhibit its full compliance with the various GRCs may gain a competitive advantage, as other compliant companies would prefer doing business with another GRC-compliant company. Organizations may also include their GRC compliance in marketing material.
References
Addison-Hewitt Associates. (2006). Sarbanes-Oxley Act 2002. Retrieved June 12, 2010, from www.soxlaw.com/
All Business. (2005, March 14). Capital Automotive REIT Outsources Information Technology Management to Alteritech. Retrieved June 13, 2010, from www.allbusiness.com/banking-finance/financial-markets-investing/5038651-1.html
Cannon, J. C., & Byers, M. (2006, September). Compliance Deconstructed. ACM Queue, 30-38.
Carlson, T. (n.d.). Information Security Management: Understanding ISO 17799. Lucent Technologies Worldwide Services.
CCRC Staff. (2005, July 08). Russia, Biggest Ever Credit Card Scam. Computer Crime Research Center. Retrieved June 14, 2010, from www.crime-research.org/news/08.07.2005/1349/
Hall, J. A., & Liedtka, S. L. (2007). The Sarbanes-Oxley Act: Implications for Large-Scale IT Outsourcing. Communications of the ACM, 50 (3), 95-100.
Microsoft. (2008). IT Compliance Management Guide. Redmond, WA: Microsoft.
North, M. M., North, S. M., & North, M. M. (2009, April). Security from the Bottom-up: Compliance Regulations and the Trend towards Design-Oriented Web Applications. CCSC: South Central Conference (pp. 65-71). Atlanta: ACM.

What Are The Drone Anti-jamming Systems Technology?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Sarbanes-Oxley Compliance and the RFI/RFP Process

In 2001, most of the world became familiar with Enron, an energy company from Houston, Texas. The company gained notoriety as the largest bankruptcy up to that point, due to irregular accounting practices that bordered on fraud. Because of public outrage over this and several other accounting scandals, such as WorldCom, which followed shortly after Enron, the United States federal law “Sarbanes-Oxley Act of 2002”, commonly known as SOX, was enacted on July 30, 2002 (Addison-Hewitt Associates, 2006). The law introduced major changes to the way public companies were to conduct and report their business, and held upper management personally accountable for the information reported to investors.

The law consists of eleven titles, six of which concern compliance, namely sections 302, 401, 404, 409, 802, and 906. Sections 302 “Corporate Responsibility for Incident Report” and 404 “Management Assessment of Internal Controls” are very important to IT operations and are concerned with the accuracy, privacy, and security of financial records. Cannon and Byers (2006) state that verification is the essence of compliance, and that it is simply a matter of ensuring that the company’s processes are executed as intended.

Cannon and Byers (2006) recommend a four-step process for compliance. The first step in ensuring compliance within the organization is to perform a compliance assessment. The next step is to create a high-level corporate policy that individual departments can adapt to meet their needs. The third step is to use technology to automate compliance with the law. Finally, procedures should be evaluated through regular review and auditing. However, real-life compliance with the various laws is not clear-cut.

Depending on the nature of the business, in addition to SOX, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) may need to be considered. If the company does business in the European Union (EU), the organization may be required to comply with the European Union Data Protection Directive (EUDPD). All of these laws and compliance requirements, on top of the previously required Generally Accepted Privacy Principles (GAAP), may force companies to seek alternatives. Many organizations view Government Required Compliance (GRC) as an overwhelming task with little return and, as a result, may choose to outsource some or all of their compliance requirements to an outside provider. As an example, Capital Automotive REIT, a real estate investment trust, decided to outsource all of its IT operations to an outside company, Alteritech, which ensured SOX compliance for Capital Automotive REIT (Allbusiness, 2005).

When deciding to outsource some or all IT operations, public companies must be aware of GRC and should dedicate the required time to perform a needs analysis against the business plan. This will ensure a clear understanding of what the organization is trying to achieve and why, and, among other things, upper management’s buy-in. Once identified, the requirements should be briefly stated within a Request for Information (RFI), Request for Proposal (RFP), or Request for Quote (RFQ). Within the RFI, RFP, and RFQ, the client organization should specify its requirements for SOX compliance, such as an audit of the vendor’s internal information controls, oversight procedures, and problem resolution. Consequently, the outsourcing supplier should spell out its organization’s implementation of SOX compliance policies within the information package or proposal sent to the potential customer. As stated earlier, compliance requires validation; however, validation of SOX compliance with a third-party provider requires greater effort, because the company distances itself from IT operations through large-scale outsourcing (Hall and Liedtka, 2007).

When outsourcing large-scale IT operations, it is important to make sure that security and compliance with the various laws and regulations are considered. Organizations may decide to adopt and adapt internationally accepted standards in order to deal with their IT security management. Axelrod (2004) suggests following the CISSP body of knowledge, which defines ten security classifications. In addition, the newer standard, ISO 17799 / ISO 27002, can be used as well. This standard deals broadly with security for electronic files, paper documents, all types of communication, and business continuity planning. Companies may also decide to use Control Objectives for Information and related Technology (COBIT), which provides a framework of generic management principles that an organization may adapt to its own unique needs.

Axelrod (2004) combined CISSP and ISO 17799 into ten security considerations, namely:

• Security Management Practices covers various security management aspects, including, among other things, personnel physical and emotional security.
• Asset Management Practices discusses the importance of data classification and protection when considering IT outsourcing. Data theft, and identity theft in particular, has been a regular headline in recent times, with thieves stealing thousands of sensitive records. As an example, consider a 2005 case in which CardSystems Solutions, a third-party processor of credit cards and other payments for banks and merchants, had its network hacked and 40 million credit card accounts stolen and sold all over the world (CCRC, 2005).
• Application and System Development provides an overview of what happens during application and system development outsourcing. Currently, there is a movement towards educating software developers on security aspects in order to improve application security from the bottom up (North, North, and North, 2009).
• Operations Security and Operations Risk involves controlling processes and making sure that the third party to which the task is outsourced follows the set standards. Government laws and regulations are increasingly mandating these standards.
• Security Models and Architecture presents a solid foundation upon which the rest of the processes can be built, and includes an architecture framework and a set of industry-accepted design standards and implementation adaptations by the organization.
• Physical and Environmental Security is by far the strongest security measure for the organization, and current trends show companies integrating logical and physical security in order to provide complete environmental security (Axelrod, 2004).
• Telecommunications and Network Security describes various aspects of communication lines and network security, including such activities as wire-tapping and induction loops. Axelrod (2004) also describes the convergence of voice and data providers into a single carrier, and discusses the risks of relying on a single vendor.
• Cryptography provides an extra level of protection to messages sent and received, without the wrong eyes viewing them. There are three types of cryptographic algorithms, namely: 1) Secret Key Cryptography (SKC); 2) Public Key Cryptography (PKC); and 3) hash functions. By far the most popular is PKC, though not without problems.
• Disaster Recovery and Business Continuity – Organizations big and small, private, public, and government must do everything in their power to avert and defend against disasters, manmade or acts of God. However, statistical probabilities dictate that some events cannot be prevented, and organizations need to be prepared to contain the damage and be able to proceed with business as usual. Hall and Liedtka (2007) describe a case of the Montreal Urban Community, which was not able to perform any business functions for two months as it was switching from one outsourcing vendor to another. The success of a Business Continuity Plan is based on a thorough and accurate security risk assessment. “Risk cannot be mitigated if not defined.” (Carlson, n.d., p. 13). ISO/IEC 17799 requires an organization to:
  ◦ identify and prioritize its business processes;
  ◦ identify and assess possible security risks that could threaten business operations;
  ◦ estimate the likelihood of the risk exposure; and
  ◦ analyze the impact that a risk can cause on the business, including operational interruptions, slowdown, or shutdown.
• Legal Action – Axelrod (2004) suggests consulting a lawyer at the beginning of an outsourcing relationship in order to ensure proper contract negotiations. In addition, if problems do arise, legal advice will be necessary.

Since 2002, many companies, including Microsoft, have been creating compliance software applications aimed at helping companies manage their policies. Microsoft Operations Framework (MOF) is an IT control framework that allows companies to avoid overlapping efforts in addressing common IT control objectives (Microsoft, 2008).

As stated earlier in the paper, SOX was created as the government’s response to a rising number of investor and government frauds by a few crooked corporate citizens. As a result, all public organizations must comply with the law in order to avoid investor losses and rebuild investor confidence. However, a company that is able to exhibit its full compliance with the various GRCs may gain a competitive advantage, as other compliant companies would prefer doing business with another GRC-compliant company. Organizations may also include their GRC in their marketing material.

References

Addison-Hewitt Associates. (2006). Sarbanes-Oxley Act 2002. Retrieved June 12, 2010, from www.soxlaw.com/
All Business. (2005, March 14). Capital Automotive REIT Outsources Information Technology Management to Alteritech. Retrieved June 13, 2010, from www.allbusiness.com/banking-finance/financial-markets-investing/5038651-1.html
Cannon, J. C., & Byers, M. (2006, September). Compliance Deconstructed. ACM Queue, 30-38.
Carlson, T. (n.d.). Information Security Management: Understanding ISO 17799. Lucent Technologies Worldwide Services.
CCRC Staff. (2005, July 08). Russia, Biggest Ever Credit Card Scam. Computer Crime Research Center. Retrieved June 14, 2010, from www.crime-research.org/news/08.07.2005/1349/
Hall, J. A., & Liedtka, S. L. (2007). The Sarbanes-Oxley Act: Implications for Large-Scale IT Outsourcing. Communications of the ACM, 50(3), 95-100.
Microsoft. (2008). IT Compliance Management Guide. Redmond, WA: Microsoft.
North, M. M., North, S. M., & North, M. M. (2009, April). Security from the Bottom-up: Compliance Regulations and the Trend Towards Design-Oriented Web Applications. CCSC: South Central Conference (pp. 65-71). Atlanta: ACM.

CxT Group Michigan, 2415 E. Hammond Lake Drive, Ste. 219, Bloomfield Hills, MI 48302. Contact No: (248) 282-5599. Toll Free: (877) 439-2539