If you're like plenty of CIOs, compliance requirements have impacted your entire organization -- and your auditors have made surprising requests that cost you more than you anticipated.
With one year of Sarbanes-Oxley experience under their belts, IT executives have learned valuable lessons in preparing for audits, such as establishing comparative metrics before the auditors arrive.
One tip sheet for "increasing your audibility" is available in The Visible Ops Handbook, distributed by the Information Technology Process Institute.
To date, 17,000 copies of the $19.95 handbook have been sold, according to Kevin Behr, president and founder of the Information Technology Process Institute, a not-for-profit group focused on researching, benchmarking and developing best practices for IT executives. Here is a portion of one of its popular cheat sheets, excerpted from the handbook.
- Ask the auditors what they are looking for before an audit. Ask them for their audit objectives and any pre-audit checklists.
- Make sure to list your perceived risks. Sort them in descending order with the highest risks at the top, along with the controls you created to mitigate them.
- Document your preventative controls, and have detective controls in place to show they work. Document the change management process. For each authorized change, document the configuration changes from the detective controls to show that the changes made were within the scope of the work order. File the data collected about change requests and make it readily accessible. In some organizations, all of the above information lives in a physical three-ring binder.
- Use Change Advisory Board meeting minutes to show that meetings are being attended and used to manage change.
- Keep a current and accurate asset inventory of hardware and software.
- Document all internal audit procedures. For example, if your policies state that firewall logs are monitored by a system with exceptions reviewed, then you must have proof of following that policy through logs of one form or another.
- Document all outages and unscheduled downtime in the systems along with corrective actions taken.
- Keep current documentation of all exceptions to policies.
- List any security incidents along with corrective actions taken.
- Be able to produce previous audit findings, analysis of the findings and progress made against findings that warranted corrective action.
"More control doesn't equal more bureaucracy equals more work," Behr said. "It turns out, those with control can do more with less and do it more quickly and with better quality."