IT Security Policy Framework Essay Example | Topics and Well Written Essays - 1000 words

IT Security Policy Framework - Essay Example Recommended sound security controls practices (e.g., people, process, technology). A guide to help reconcile the framework to common and different aspects of generally adopted standards (e.g., COBIT, HIPAA, etc.). An analysis of risk or implications for each component of the framework. A guide of acceptable options or alternatives and criteria, to aid in tailoring to an organizations operating environment. A guide for implementation and monitoring. Toolset for organizations to test compliance against the framework (HITRUST). A complete security framework comes down to three well-known basic components: people, technology, and procedures. When these three elements are correctly assembles such as, the people, technology, and process fundamentals of information security program that works together in order to secure the environment and stay consistent with organization’s objectives. Diagram 1.1 shows the idea of people, process and technology. Figure 1.1 The policies and the prac tices in any organization is established by the Information Security framework. ... tics of The Sarbanes-Oxley Act are: Creation of the Public Company Accounting Oversight Board (PCAOB) It is a five member board that is established by The Sarbanes-Oxley Act for the purpose of controlling the auditing profession. The PCAOB locates and impose auditing, quality control, ethics, independence and other related audit reports. New rules for auditors Significant information to the organization’s audit committee must be provided by the auditors. This includes critical accounting policies and practices, alternative GAAP treatments and auditor-management disagreements. The CPA Auditors are forbidden from performing certain non-audit services for example book keeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services for audit customers. Services are not offered to the publicly held companies by the audit firms. New roles for audit committees Audit committee members must be listed on the organization’s board of directors and be independent of the company. However, At least one member of the audit committee must be a financial expert. The audit committee appoints, compensates, and supervises the auditors, who report directly to them. New internal control requirements Section 404 of SOX needs visibly held companies to issue a report associated with the financial statements that reveals management is responsibilities for establishing and maintaining an enough internal control structure and appropriate control procedures. The report must also enclose management’s assessment of internal controls. Question 3 The challenges are alarming for management in providing information security. In fact, information system assets are substantial even for small organizations including data