Understanding Change Management and SOX Compliance in 1 Minute

Change Management

Change and patch management is the set of processes, executed within the organization's IT department, that manage enhancements, updates, incremental fixes and patches to production systems.

These include:
  • Application code revisions
  • System upgrades (applications, operating systems, databases, etc.)
  • Infrastructure changes (servers, cabling, routers, firewalls, etc.)


Top Five Risk Indicators for Poor Change Management
  • Unauthorized changes (any number above zero is unacceptable)
  • Unplanned outages
  • Low change success rate
  • High number of emergency changes
  • Delayed project implementations


SOX Overview

SOX requires publicly held companies to implement internal controls over financial reporting (ICFR), to evaluate the strengths and weaknesses of these controls in official documents filed with the SEC, and to make regular disclosures about the effectiveness of these controls and about potential fraud or losses that may affect the company's financial position.
Because most companies' financial reporting and operations depend heavily on IT, and because many corporate assets now exist in the form of critical data, SOX has significant information security implications for companies governed by the law.


ITSOX Compliance - Ensure IT is in control


IT controls fall into two broad categories.

Preventive controls are intended to stop errors and unauthorized actions, whether intentional or inadvertent, before they happen. An example is segregation of duties in the IT department: one person approves a change, a second implements it, and a third verifies the implementation. In this way unauthorized or incorrect changes are prevented rather than merely found afterwards.

Detective controls are designed to identify errors and unauthorized changes that have already occurred. An example is a software product (such as ESM) that monitors changes to servers, databases, etc. and reports any change that was not expected.

An essential element of any compliance program is the testing of controls.

Summary:

All IT changes need to be auditable;
All IT changes need to be authorized;
All unauthorized IT changes must be investigated;

What does SOX mean to SA? - ALL CHANGES MUST HAVE APPROVED CHANGE TICKETS! NO TICKET, NO CHANGE.
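The detective control and the summary rules above (every change must be auditable, every change must map to an approved ticket, everything else gets investigated) reduce to a reconciliation: take the changes a monitor observed and check each one against the change-ticket register. The following is an added example, not code from the original page or from any product it mentions. The log line format, the host names, the paths and the ticket identifiers are all constructed for the example; a real deployment would read the change records from its own monitoring tool and the tickets from its own ticketing system.

```python
"""Detective control: reconcile observed production changes against approved change tickets.

A change counts as authorized only if it references a ticket that exists, is approved,
names the same host, and whose approved window covers the time of the change.
Everything else is an unauthorized change and must be investigated.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    host: str
    approved: bool
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class Change:
    timestamp: datetime
    host: str
    path: str
    ticket_ref: Optional[str]   # None when the change carries no ticket reference


# Constructed sample: one line per change detected by a hypothetical
# file-integrity monitor. The line format is invented for this example.
SAMPLE_LOG = """\
2024-03-05T02:14:00 host=db01 path=/etc/my.cnf ticket=CHG-1001
2024-03-05T03:40:00 host=db01 path=/etc/my.cnf ticket=CHG-1001
2024-03-05T02:20:00 host=web01 path=/etc/nginx/nginx.conf ticket=CHG-1002
2024-03-05T02:25:00 host=web01 path=/etc/sudoers ticket=CHG-1001
2024-03-06T11:02:00 host=web02 path=/etc/ssh/sshd_config
"""

# Constructed change-ticket register (hypothetical ticket ids and windows).
TICKETS: Dict[str, Ticket] = {
    "CHG-1001": Ticket("CHG-1001", "db01", True,
                       datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 3, 0)),
    "CHG-1002": Ticket("CHG-1002", "web01", False,
                       datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 3, 0)),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) path=(?P<path>\S+)(?: ticket=(?P<ticket>\S+))?$"
)


def parse_log(text: str) -> List[Change]:
    """Parse the constructed monitor output; refuse lines that do not match the format."""
    changes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable change record: {line!r}")
        changes.append(Change(datetime.fromisoformat(m["ts"]), m["host"], m["path"], m["ticket"]))
    return changes


def classify(change: Change, tickets: Dict[str, Ticket]) -> Tuple[str, str]:
    """Return ("authorized", ticket_id) or ("unauthorized", reason)."""
    if change.ticket_ref is None:
        return "unauthorized", "no ticket referenced"
    ticket = tickets.get(change.ticket_ref)
    if ticket is None:
        return "unauthorized", f"unknown ticket {change.ticket_ref}"
    if not ticket.approved:
        return "unauthorized", f"ticket {ticket.ticket_id} not approved"
    if ticket.host != change.host:
        return "unauthorized", f"ticket {ticket.ticket_id} is for {ticket.host}, not {change.host}"
    if not (ticket.window_start <= change.timestamp <= ticket.window_end):
        return "unauthorized", f"change at {change.timestamp.isoformat()} outside window of {ticket.ticket_id}"
    return "authorized", ticket.ticket_id


def reconcile(log_text: str, tickets: Dict[str, Ticket]) -> Dict[str, List[Tuple[Change, str]]]:
    """Split every observed change into authorized and unauthorized, keeping the reason."""
    report: Dict[str, List[Tuple[Change, str]]] = {"authorized": [], "unauthorized": []}
    for change in parse_log(log_text):
        verdict, detail = classify(change, tickets)
        report[verdict].append((change, detail))
    return report


def unauthorized_count(log_text: str, tickets: Dict[str, Ticket]) -> int:
    """The risk indicator from the list above: anything above zero needs investigation."""
    return len(reconcile(log_text, tickets)["unauthorized"])


if __name__ == "__main__":
    result = reconcile(SAMPLE_LOG, TICKETS)
    for change, detail in result["unauthorized"]:
        print(f"INVESTIGATE {change.host}:{change.path} at {change.timestamp:%Y-%m-%d %H:%M} -> {detail}")
    print(f"unauthorized changes: {len(result['unauthorized'])} (target is zero)")
```

On the constructed data only the first record is authorized; the other four fail for different reasons (change made after the approved window closed, ticket not approved, ticket approved for a different host, no ticket at all), which is exactly the set of cases a "no ticket, no change" rule has to catch. The host and time-window checks matter in practice: a ticket number pasted into an unrelated change is the commonest way an unauthorized change masquerades as an authorized one.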