IT Governance, Controls and Security: Supporting Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA Compliance. Jim Haggard, Inovis
Page 1

IT Governance, Controls and Security:

Supporting Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA Compliance

Jim Haggard

Inovis

Page 2

Topics

• Current State of Compliance
• Regulatory Requirements
• Security and Privacy Tenets
• Sarbanes-Oxley
• Sarbanes-Oxley Compliance Frameworks
• Solutions for Data/Document Security and Integrity

Page 3

Current State of Compliance

• Has your organization been working hard over the past year (or more) to comply with government compliance mandates?

• Do the terms Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, COSO and COBiT sound familiar?

• Are the IT controls currently in place within your company lacking in areas that raise serious questions?

Page 4

Current State of Compliance

• How many security gaps exist because of multiple systems with little to no integration and less than adequate data security?

• How many different technology solutions addressing the same purpose are implemented throughout your company?

• How many processes and systems may compromise the integrity of the data?

• How many possible points of failure may negatively impact the flow and integrity of data that will ultimately be used to produce financial reports?

• How many technology vendors are you dealing with?

Page 5

Regulatory Requirements

• Sarbanes-Oxley Act (SOX)
  – Holds senior executives (CEO and CFO) accountable
  – Includes implementation of controls and procedures
  – SOX applies directly to public companies
  – Public companies are scrutinizing private companies

• Gramm-Leach-Bliley (GLB)
  – “Financial Privacy Rule” and “Safeguards Rule”
  – Applies directly to financial organizations
  – GLB may impact companies in the extended Financial Services Value Chain (FSVC)

• HIPAA
  – Privacy of personal health information
  – Applies to all companies/organizations that maintain or exchange personal health information

Page 6

Key Security and Privacy Tenets

• Privacy – Message content privacy is provided via data encryption

• Authentication – Provided via the sender’s digital signature

• Integrity – Hash totals are enclosed in Message Disposition Notifications (MDNs)

• Non-repudiation – Provided via signed MDN receipt acknowledgment
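The tenets above describe the signed-document / signed-MDN exchange that AS2-style B2B gateways use. As an added example (not from the presentation or from Inovis' product), here is a minimal Go model of that exchange: the sender signs the document, the receiver verifies the signature and returns an MDN carrying the document's hash (MIC) under its own signature, and the sender checks both. The encryption layer (the privacy tenet) is left out for brevity; the Ed25519 keys, the wire layout, and the MDN struct are assumptions, and a real AS2 MDN is an S/MIME message rather than this struct.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// MDN is the receipt: SHA-256 MIC of the delivered document, signed by the receiver (assumed layout).
type MDN struct{ MIC, Sig []byte }
// Send signs the document (authentication tenet). Wire layout: 64-byte signature, then the document.
func Send(senderPriv ed25519.PrivateKey, doc []byte) []byte {
	return append(ed25519.Sign(senderPriv, doc), doc...)
}

// Receive verifies the sender's signature, then issues a signed MDN carrying the document's MIC.
func Receive(senderPub ed25519.PublicKey, recvPriv ed25519.PrivateKey, wire []byte) ([]byte, MDN, error) {
	if len(wire) < ed25519.SignatureSize {
		return nil, MDN{}, errors.New("truncated message")
	}
	sig, doc := wire[:ed25519.SignatureSize], wire[ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, doc, sig) {
		return nil, MDN{}, errors.New("sender signature invalid")
	}
	mic := sha256.Sum256(doc)
	return doc, MDN{MIC: mic[:], Sig: ed25519.Sign(recvPriv, mic[:])}, nil
}

// CheckMDN (sender side): the receiver's signature gives non-repudiation of receipt; MIC equality gives integrity.
func CheckMDN(recvPub ed25519.PublicKey, sent []byte, m MDN) error {
	if !ed25519.Verify(recvPub, m.MIC, m.Sig) {
		return errors.New("MDN signature invalid")
	}
	if want := sha256.Sum256(sent); string(want[:]) != string(m.MIC) {
		return errors.New("MIC mismatch: document altered in transit")
	}
	return nil
}

// Exchange runs one round trip with fresh keys for both parties and reports the outcome.
func Exchange(doc []byte) error {
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	rPub, rPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, mdn, err := Receive(sPub, rPriv, Send(sPriv, doc))
	if err != nil {
		return err
	}
	return CheckMDN(rPub, doc, mdn)
}
```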

Page 7

Key Infrastructure Security Fundamentals

• User login, authentication, password/access policy

• Connections to internal systems are NOT initiated from the DMZ

• Connections through the firewall MUST be managed from inside the firewall

• HTTP messages (data/documents) are NOT stored on the hard disk in the DMZ

• Messages (data/documents) MUST be pulled inside the firewall, NOT pushed in

Page 8

H.R. 3763: “Sarbanes-Oxley Act of 2002”

• Purpose: Executive accountability

• Why: Reaction to corporate scandals

• What: Requires high levels of accountability from companies and their senior executives

• Who: Publicly traded companies and near IPO companies, and specifically named CEO and CFO

Page 9

Sarbanes-Oxley Titles

• I - Public Company Accounting Oversight Board

• II - Auditor Independence

• III - Corporate Responsibility

• IV - Enhanced Financial Disclosures

• V - Analyst Conflicts of Interest

• VI - Commission Resources and Authority

• VII - Studies and Reports

• VIII - Corporate and Criminal Fraud Accountability

• IX - White Collar Crime Penalty Enhancements

• X - Corporate Tax Returns

• XI - Corporate Fraud Accountability

Page 10

SOX Title I: Public Company Accounting Oversight Board

Brief Description

• Establish an Oversight Board
• Audit quality, standards, investigation and disciplinary actions
• Accounting standards, foreign public accounting, funding

IT Issues

• Section 103: IT can contribute to the quality control and related security and systems needed to maintain source data that could be accessed and used for audit purposes

Page 11

SOX Title III: Corporate Responsibility

Brief Description

• CEO and CFO (signing officers) are required to sign and attest to the accuracy of financial reports
• The signing officers are responsible for internal controls and for disclosing any internal control shortcomings

IT Issues

• Section 302: Corporate Responsibility for Financial Reporting implies that the CEO and CFO will require IT to provide strong proof that internal controls are in place

Page 12

SOX Title IV: Enhanced Financial Disclosures

Brief Description

• Title IV establishes requirements for enhanced disclosures in financial reports and includes conflict-of-interest provisions
• Disclosure of transactions and management assessment of internal controls

IT Issues

• Section 404: The most important Sarbanes-Oxley provision as it applies to IT – control structures and procedures on the transport, exchange, processing, tracking, security and integrity of data/documents

Page 13

SOX Notes

• Will vary from industry to industry and on the ability of a company to address “internal controls” (plans and execution)

• Conservative and risk-averse interpretation:
  – Any internal control structure or procedure that may have an impact on financial reporting
  – Any internal control structure and procedure that may impact a company’s ability to operate
  – Applies to supporting IT infrastructure, data security, auditability

• Applies to mission-critical systems/apps such as:
  – Financial software applications
  – Applications that handle the data/file transfer of business documents and transactions (intra/inter-company)

Page 14

Compliance Frameworks

• COSO
  – Committee of Sponsoring Organizations of the Treadway Commission
  – Originally formed in 1985 to study and define practices to preserve accuracy in financial reporting
  – PCAOB (formed by the Sarbanes-Oxley Act) determined that COSO would be used as the primary set of guidelines and framework for SOX
  – For more information on COSO: the COSO website at www.coso.org

Page 15

Compliance Framework

• COBiT
  – Control Objectives for Information and Related Technology
  – An internationally accepted standard presented in non-technical language
  – COBiT has been cross-referenced directly to COSO
  – COBiT controls and procedures extend beyond COSO
  – For more information on COBiT: the IT Governance Institute website at www.itgi.org, and the Information Systems Audit and Control Association website at www.isaca.org/cobit

Page 16

Compliance Frameworks

[Chart] This chart is provided courtesy of the IT Governance Institute and the Information Systems Audit and Control Association.

Page 17

Compliance Framework

• SAS-70
  – Statement on Auditing Standards No. 70 (SAS 70)
  – Defined by the American Institute of Certified Public Accountants (AICPA)
  – For all entities that use a service company for conducting transactions and maintaining related accountability and/or for recording transactions and information processing
  – Provides guidelines to auditors engaged by service organizations to report on the internal control policies and procedures
  – For more information on SAS-70: the AICPA website at www.aicpa.org

Page 18

B2B Gateway - Business Integration

• A B2B gateway provides more than operational efficiency
• Backbone for the secure exchange of documents/data
• Internal and external integration
• Secure managed file transfer
• Audit trail of document flow and setup changes
• Will interact with a myriad of business processes
• Will handle all business integration
  – Application-to-application
  – Internal department-to-department
  – Business-to-business with external parties

Page 19

Benefits of a B2B Gateway

• Focus resources

• Streamline operations

• Real-time visibility into business activities

• Real-time event management & alerts

• Audit trail & dashboard

• Improve security and control

• IT Control for Sarbanes-Oxley

Page 20

[Architecture diagram] Components shown, top to bottom: Secure File and Data Transfer; Transaction Management; Community Management; Data Mapping and Transformation; Rules / Event Mgmt; Process Mgmt / Workflow; Analysis / BAM; Performance Mgmt; Dashboards; J2EE-compatible Service Oriented Architecture; Adaptive Layer; Internal Infrastructure and Systems; Perimeter Security Services; External Trading and Business Partners.

Page 21

Inovis BizManager

• Supports IT governance, controls and security needed for Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley
• Audit trail of all business data/documents exchanged
• Integrated business-to-business and secure file transfer
• Several secure managed file transfer options:
  – Secure transports that include AS2, AS3, FTP/s, HTTP/s, ebXML
  – Secure transaction mailbox (MailLink)
• Non-repudiation with proof of transmission and receipt
  – Message Disposition Notifications and mailbox acknowledgements
• Integrity of business data/documents
  – Signed and encrypted documents
  – Encrypted HTTP/s and FTP/s connections

Page 22

BizManager: Business Benefits

• Cut inefficiencies and reduce cycle times
• Minimize transaction-processing costs
• Decrease operational costs
• Address security and IT control issues related to Sarbanes-Oxley and other regulatory initiatives
• Perform real-time, any-to-any “secure” data/document exchange
• Consolidate systems, control and management
• Simplify business trading community management with integrated solutions
• Gain real-time visibility into business activity and performance
• Plan for future growth with a flexible, scalable solution for companies of any size

Page 23

Inovis Solution Set

BizManager

Page 24

IT Governance, Controls and Security:

Supporting Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA Compliance

Jim Haggard, Inovis