Version 1.0
Copyright © 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is
your responsibility. By using or providing feedback on this documentation, you agree to the license agreement
below.
If you are using this documentation solely for non-commercial purposes internally within YOUR company or
organization, then this documentation is licensed to you under the Creative Commons Attribution-
NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or
send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".
Your use of the documentation cannot be understood as substituting for customized service and information
that might be developed by Microsoft Corporation for a particular user based upon that user’s particular
environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS
ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY
DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering
subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your
use of this document does not give you any license to these patents, trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-
mail addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Active Directory, Excel, SharePoint, SQL Server, Visual Studio, Windows, and Windows Server are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to
the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft,
without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You
also give to third parties, without charge, any patent rights needed for their products, technologies and
services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.
You will not give Feedback that is subject to a license that requires Microsoft to license its software or
documentation to third parties because we include your Feedback in them.
IT Compliance Management Guide iii
Contents
Overview
Grant Thornton LLP Statement
Guide Purpose
Guide Scope
How to Use This Guide
Business Drivers
Support and Feedback
Acknowledgments
Chapter 1: GRC Authority Documents
Chapter 2: Using Controls for Compliance Management
Chapter 3: Using an IT Framework for Compliance Management
Life Cycle Fundamentals
How Frameworks Benefit Organizations
Chapter 4: MOF and Compliance Management
A Framework for Your Organization
Mapping Authority Documents to MOF
IT Audit Process
Chapter 5: Microsoft Technology Solutions for Compliance Management
Technology Solutions for IT Control
Overview
The IT Compliance Management Guide is designed to help IT managers, business
managers, Microsoft customers, and the ecosystem of Microsoft partners plan for and
address specific IT compliance requirements that relate to applicable governance, risk,
and compliance (GRC) regulations, publications from standards bodies and industry
organizations, organizational policies, and agreements, all of which are collectively
referred to in this guidance as authority documents. The goal is to shift the effort of GRC
requirements enforcement and management to Microsoft products through the
configuration of existing features and functions.
The guide was created with extensive input from GRC auditors, GRC subject matter
experts, consultants, and those members of the technical community who work with
complex GRC requirements in their own organizations. The auditing firm Grant Thornton,
LLP reviewed this guide and associated workbook and provided a statement in the
"Grant Thornton LLP Statement" section.
The guide introduces an approach based on Microsoft® Operations Framework (MOF)
4.0. MOF provides an IT service life cycle process model that helps you address these
compliance requirements as well as organization-wide governance initiatives. Many
frameworks exist that specialize in IT governance, such as Control Objectives for
Information and related Technology (COBIT, for IT services) and ISO 27002 Code of
Practice for Information Security Management. The goal of MOF is to support these
industry-recognized frameworks with concise and meaningful guidance that integrates IT
processes with team accountabilities and defined outcomes. Because MOF uses
question-based guidance and document structure, it is easy to adapt MOF to your
organization or even integrate its identified best practices with your chosen framework.
The Microsoft Excel® workbook IT Compliance Management Resources that
accompanies this guide identifies Microsoft products and technology solutions that can
help you address compliance requirements when your organization is ready to deliver IT
GRC controls and compliant technical solutions.
Although the IT Compliance Management Resources workbook includes specific
technical and configuration guidance for the referenced products and solutions, it is not a
comprehensive GRC solution. Auditor opinions might differ on the sufficiency of a specific
control within your organization. Microsoft recommends that you consult your GRC
subject matter expert, legal counsel, or auditor for answers to specific compliance
questions in your organization, such as gap analysis between the provided configuration
guidance and your organization's GRC requirements. Only they are familiar with your
organization’s requirements to the degree that is required to make such a decision.
This Overview includes the following sections:
Grant Thornton LLP Statement. This section is a statement by Grant Thornton LLP, who was engaged by Microsoft to ensure that this guide aligns with general auditor expectations, terminology, concepts, and objectives that might be applicable to an organization managing GRC requirements.
Guide Purpose. This section provides a concise statement of the guide's purpose and includes an important "Caveats and Disclaimers" subsection.
Guide Scope. This section describes the guide's structure and provides information about the content of the guide's chapters.
How to Use This Guide. This section describes how the information in this guide can be used to craft and implement an effective compliance strategy based on MOF and specific Microsoft products and technology solutions.
Business Drivers. This section discusses business drivers for compliance, including opportunities to establish and improve processes, gain competitive advantage, and increase return on investment (ROI) for your organization through time and cost savings. It also includes information about the challenges of regulatory complexity, achieving and maintaining compliance, and the consequences of noncompliance.
Acknowledgments. This section provides a list of contributors to this guidance.
www.GrantThornton.com/IT-Compliance
Guide Purpose
The purpose of this guide is to help your organization identify and plan to implement
available software, tools, and technology solutions to address GRC requirements using
an IT framework.
The guide provides several benefits for your organization. It shows how you can apply a
control framework to both present and future authority documents, which helps to make
the process of interpreting authority document requirements easier and more efficient.
The guide also refers to solutions and software product configuration guidance that can
help you address GRC requirements through the completion of GRC control objectives
encountered for each service management function (SMF) within MOF.
Guide Scope
The IT Compliance Management Guide provides an overview of potentially applicable
authority documents for your organization that represent a wide range of GRC
requirements. Hundreds of other authority documents might also apply to your
organization. However, the authority documents referenced in this guide show specific
control types that will likely meet the requirements of other authority documents. Consult
your GRC subject matter expert when determining what existing IT GRC controls might
meet additional authority documents.
This guide also provides information about how to address compliance requirements
through control objectives in each function of an IT framework (MOF). In addition, it
provides guidance for applying the Manage layer of MOF and aligning the MOF life cycle
phases to address requirements that pertain to privacy and security controls of applicable
authority documents. The MOF guidance focuses on the tasks prescribed by the GRC
SMF to identify compliance needs and implement effective controls.
The guide consists of the following chapters:
Overview. This chapter introduces the guide, defines its audience, and provides business driver information. It also includes a "How to Use This Guide" section and a listing of contributors.
Chapter 1: GRC Authority Documents. This chapter provides a brief overview of the representative authority documents discussed in the guide.
Chapter 2: Using Controls for Compliance Management. This chapter provides information about different types of compliance management controls.
Chapter 3: Using an IT Framework for Compliance Management. This chapter discusses how IT frameworks address compliance objectives and the benefits that they provide.
Chapter 4: Using MOF for Compliance Management. This chapter provides information about using the MOF GRC SMF and other SMFs for compliance management as well as an overview of the IT audit process.
Chapter 5: Microsoft Technology Solutions for Compliance Management. This chapter includes content to explain how to review each MOF SMF to process GRC
Business Drivers
Many organizations view GRC activities as daunting tasks from which they receive little in
return. Although GRC efforts present significant challenges, they also offer corresponding
benefits. This section discusses business challenges and opportunities related to GRC
efforts.
Business Challenges
Compliance presents a number of challenges, which include managing a complex set of
GRC authority documents, addressing the difficulty of achieving, demonstrating and
maintaining compliance, and understanding the consequences of noncompliance.
After your organization completes its initial GRC efforts, the next challenge is to maintain
compliance in a cost-effective manner. The responsibility to maintain this ongoing effort
often remains dispersed and even unassigned. Unclear lines of responsibility can limit
your organization's ability to view compliance holistically and can increase the risk of
duplicating efforts. For example, if your organization experiences difficulty budgeting for
GRC requirements, consider a review of GRC assignments and authority.
Noncompliance Consequences
Many businesses are compelled to address GRC requirements to avoid the legal
consequences and risks of noncompliance. Consequences of noncompliance often
include references to financial, civil, and criminal penalties, but consider first the effect on
the organization’s reputation to its customers and shareholders and its ability to access
the resources it needs to succeed. In many ways, the financial and legal consequences
are not as compelling and are more remote than the real cost of diminished brand
reputation.
The consequences of noncompliance vary from one regulation to another, but they can
include:
Loss of reputation, customer and business partner trust
Loss of market share if competitors comply and your organization does not
Loss of focus from business goals and objectives
Significant fines (both personal and organizational)
Personal legal liability and even incarceration for extreme offenses
Litigation from shareholders and other parties
Limited access to capital markets and loss of listings in the stock markets
Diminished credit ratings
Limited ability to do business in specific jurisdictions
Increased regulatory oversight
The threat of these potential consequences provides significant motivation to
organizations and their executives to manage compliance effectively and proactively.
Business Opportunities
Compliance not only presents challenges to overcome, it also offers opportunities for
improvement within your organization. Such business opportunities include the chance to
improve processes, create competitive advantage, and further integrate IT into your
business to improve ROI.
Workflow automation for user access granting, modification, and termination that can be developed using Windows® SharePoint® Services.
Automated change control solutions such as Microsoft Visual Studio®.
Automated identity management provides a good example of how an automated process
improves efficiency. Many auditors have drawn attention to the lack of technical controls
around the user life cycle management process that involves user account and profile
creation, modification, and deletion. To address this deficiency, organizations have
implemented automated identity management tools such as Active Directory® Domain Services (AD DS). Although the
purpose of such tools is primarily to automate the technical controls around critical
business processes, implementing them also improves the efficiency of the user
management process.
Competitive Advantage
In many industries, strong or early adherence to industry-recognized GRC authority
documents and related GRC practices can create a competitive advantage for an
organization. Organizations that provide services to other businesses can benefit from
early and proven compliance with regulations, because other organizations are more
likely to do business with compliant organizations that are in a position to help them
address their own compliance requirements in a visible and proven manner. When the
competition might agree to contractual GRC requirements without a comprehensive
solution, your organization can tout a GRC solution that is a clear competitive edge.
IT outsourcing firms, service bureaus, information processing industries, and health
insurance administration firms are examples of organizations that stand to benefit from
this competitive advantage. Implementation of standards can also lead to better IT agility,
and allow an organization to deliver more quickly and completely on business needs, in a
compliant manner.
There are available examples or public statements such as press releases and Web site
endorsements that should be considered. Microsoft recommends that you consult with
your auditor and legal counsel when developing a public statement regarding compliance
because there are certain limitations.
Privacy is another significant concern for businesses and individuals today. Strong
compliance with privacy regulations also provides a competitive advantage for
organizations. Organizations can market their compliance with privacy regulations to
build trust and market share with consumers, and allay the prevalent concern over
privacy and identity theft among the public. In addition, because compliance with the
EUDPD is a prerequisite to doing business in some European countries/regions,
compliance with this regulation can open up new markets for an organization's products
and services.
As IT managers become partners with management, they can benefit from increased
management visibility and communications to develop IT initiatives that can achieve
efficiency gains and cost savings for the organization. For example, initiatives focused on
process automation and sound security principles such as authentication and data
retention can address compliance requirements while also delivering additional benefits
for the organization.
Acknowledgments
The Solution Accelerators – Security and Compliance (SA-SC) team would like to
acknowledge and thank the team that produced the IT Compliance Management Guide.
The following people were either directly responsible or made a substantial contribution
to the writing, development, and testing of this guidance.
Users designated with an asterisk * worked on the original version of the Regulatory Compliance
Planning Guide. Users designated with a cross † worked on the original version and on this
updated and enhanced version.
Authors
Ross Carter *
John Cobb Wadeware LLC †
Lana Earhart *
Anthony Noblett Socair Solutions †
Content Contributors
Accenture LLP, Technology Consulting – Security
Derick Campbell
John Cobb Wadeware LLC
Graham Hill KPMG
Karen Massie Genesa Tech
Don McGowan *
Colin Mitchell
David Mowers *
Sai Sireesh Pachava
Frank Simorjay
Product Manager
Frank Simorjay
Program Managers
Bill Canning *
Jeff Coon Volt Information Sciences *
Luis Martinez
Jeffrey Miller
Editors
John Cobb Wadeware LLC †
Jennifer Kerns Wadeware LLC *
Steve Wacker Wadeware LLC
Testers
Gaurav Singh Bora *
Release Managers
Karina Larson
Karl Seng Siemens Agency Services *
Shealagh Whittle Sakson & Taylor
Douglas Leland
Don Lemmex
Uri Lichtenfeld
Brendon Lynch *
Tod Manning
John Marshall
Alan Meeus
Noelle Mendez-Villamil
Giovanni Mezgec
Colin Mitchell
James Mizell
Betsy Norton-Middaugh
John Novak
Olav Opedal
Sai Sireesh Pachava
Barney Regen Gaylord Entertainment *
Thomas Rizzo
Miles Romello Wachovia *
Kim Sanchez
Peter Shablik Grant Thornton LLP
Mark Simon Eclipsecurity, LLC *
Ben Smith *
Nathan Snyder Electronic Evidence Discovery, Inc.
Diana Spickerman
Kaushal Toprani
John Traynor
Gary Verster
Ann Vu
Aaron Weller Protiviti
Jono Wells
Jeff Williams *
John Wylder *
Raymond Yamka, Jr. Grant Thornton LLP
Chapter 1: GRC Authority Documents
Increased government oversight in recent years has resulted in new regulations that
affect organizations in a wide range of international industries. In addition, GRC efforts
need to address authority documents that include publications from standards bodies and
industry organizations as well as organizational policies and agreements with clients,
vendors, and partners.
This chapter provides brief descriptions of the eight representative GRC authority
documents that this guide uses as authority documents that might apply to your
organization. If additional authority documents apply to your organization, it's likely that
they share requirements with these GRC authority documents. Consult your subject
matter expert(s) for further advice.
Sarbanes-Oxley Act (SOX)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
European Union Data Protection Directive (EUDPD)
Payment Card Industry Data Security Standard (PCI DSS)
ISO 27002 Code of Practice for Information Security Management (ISO 27002)
Control Objectives for Information and related Technology (COBIT) 4.1
American Institute of Certified Public Accountants (AICPA) Generally Accepted Privacy Principles (GAPP)
The following subsections describe these authority documents. Although this guide does
not specifically address other authority documents, the analysis in the guide might also
be used to help you address other compliance scenarios that apply to your organization,
such as newly devised data breach legislation or localized regulations. Consult your GRC
subject matter expert for gap and overlap analysis of any new GRC authority document.
COBIT
The Information Systems Audit and Control Association (ISACA) and IT Governance
Institute (ITGI) publish and maintain a single volume of IT practices labeled Control
Objectives for Information and related Technology (COBIT 4.1). COBIT provides a
structure to plan, organize, acquire, implement, deliver, support, monitor, and evaluate IT
infrastructure. COBIT provides generic management principles that can be applied
across a range of IT frameworks and compliance requirements. Therefore, it
complements other authority documents in this document. COBIT and MOF share IT
focus, and can leverage each other when managing and implementing GRC solutions
within an organization.
Chapter 2: Using Controls for Compliance Management
In this guide, controls are specific activities performed by people or systems designed to
minimize the risk of business and compliance objectives not being addressed.
Organizations use controls to regulate their business processes, which include
production, distribution, finance, and so on. Controls help organizations to ensure desired
behavior, and to reduce and prevent the spread of problems and errors.
Many regulations have the sole purpose of ensuring that organizations have proper
controls in place. For instance, HIPAA requires that proper controls over information
security and privacy are in place to protect patient records. The Securities and Exchange
Commission (SEC) and Public Company Accounting Oversight Board (PCAOB)
regulations associated with SOX require that publicly traded companies in the United
States implement controls to minimize the probability of a material misstatement in
financial statements.
Organizations implement controls for many reasons, including the following:
Reduce the risk of fraud
Protect organization and customer assets
Prevent disclosure of organization and customer secrets
Comply with regulations
Improve business awareness
Improve efficiency
Improve accuracy
The following figure illustrates how different types of controls relate to each other.
Administrative Controls
Although all controls are put in place to address risks to the business, administrative
controls and technical controls differ in how they are implemented. Administrative
controls regulate and guide the business processes of the organization. For example, the
requirement for management approval of purchase orders is a business control that is
designed to require specific authorization, prevent unnecessary expense, and other
business-related requirements. Administrative controls might exist for almost every
process in an organization, from hiring, to purchasing, to sales, to financial reporting.
Technical Controls
Technical controls regulate and guide the operation of IT in the organization, including all
of the processes, and systems within it. These controls focus on processes that concern
IT managers, including availability, change management, user provisioning, security, and
other processes. There are two broad IT control categories: general controls and
application controls.
General Controls
General controls apply to the entire IT infrastructure of the organization. Organizations
must have reasonable general controls in place before they can rely on their application
controls. Reasonableness is usually determined by the organization’s auditors and GRC
subject matter experts.
General controls focus on many areas of responsibility for IT managers and staff,
including:
IT organization
Policy creation and communication
System security
Operations
Change management
Incident handling
Monitoring
Service, system, and application performance
Application Controls
Application controls are unique to each application that your organization uses to run its
business. In this respect, application controls are the IT components that support
administrative controls. Application controls help to minimize mistakes and prevent or
detect unauthorized or improper actions, such as potential fraud. Because application
controls are so closely tied to the business processes their applications support, these
controls are often considered administrative controls implemented by information
technology.
Application controls focus on:
Data preparation procedures. These procedures help to minimize errors and omissions. For example, during data origination, error-handling procedures help to detect, report, and legitimately correct errors that are specific to the data while logging any findings and actions.
Accuracy, completeness, and authorization checks. These checks help to ensure change control and validation for input data as close to its point of origin as possible. Transaction data processing is subject to a variety of procedural controls to enforce these checks.
Data processing integrity. Such integrity helps to ensure separation of duties, which strengthens data integrity. A greater degree of data validity is achievable by including automated and logged checks and balances that separate duties and require the actions of one individual to be verified by another.
Output distribution. This distribution is enabled to ensure quality and consistency in data that is output from IT systems. For example, affected controls include those that define or communicate management policies and describe the proper procedures and format for distribution of data.
Sensitive information transmission protection. These procedures help ensure that adequate protective measures are in place to prevent unauthorized access to and tampering with sensitive information during electronic transmission and transport.
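As an added illustration (not code from the guide), the following Python sketch shows two of the application controls above in working form: accuracy and completeness checks applied to transaction data at its point of origin, and a logged separation-of-duties check that requires a transaction entered by one person to be approved by a different person. The Transaction and ControlLog types, the field names, and the rule that account numbers are exactly eight digits are assumptions made for this example.

```python
# Added example (not from the guide): application controls on transaction data.
# Assumed for this example: the Transaction/ControlLog types, the field names,
# and the rule that account numbers are exactly 8 digits.
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import List, Optional


@dataclass
class Transaction:
    tx_id: str
    amount: str            # raw value as entered; validated before use
    account: str
    entered_by: str        # person who originated the data
    approved_by: Optional[str] = None


@dataclass
class ControlLog:
    """Records every control check and its outcome, so findings are auditable."""
    entries: List[dict] = field(default_factory=list)

    def record(self, tx_id: str, control: str, outcome: str, detail: str = "") -> None:
        self.entries.append({"tx": tx_id, "control": control,
                             "outcome": outcome, "detail": detail})


def validate_input(tx: Transaction, log: ControlLog) -> List[str]:
    """Accuracy and completeness checks at the point of origin.
    Returns the findings (empty when the data is acceptable) and logs each one."""
    findings = []
    try:
        if Decimal(tx.amount) <= 0:
            findings.append("amount must be positive")
    except InvalidOperation:
        findings.append("amount is not numeric")
    if not (tx.account.isdigit() and len(tx.account) == 8):
        findings.append("account must be exactly 8 digits")
    if not tx.entered_by:
        findings.append("entered_by is missing")
    for f in findings:
        log.record(tx.tx_id, "input-validation", "rejected", f)
    if not findings:
        log.record(tx.tx_id, "input-validation", "passed")
    return findings


def approve(tx: Transaction, approver: str, log: ControlLog) -> bool:
    """Authorization check with separation of duties: the approver must be a
    different person from the one who entered the transaction."""
    if validate_input(tx, log):
        return False                      # never approve data that failed validation
    if approver == tx.entered_by:
        log.record(tx.tx_id, "separation-of-duties", "rejected",
                   f"{approver} may not approve an entry they originated")
        return False
    tx.approved_by = approver
    log.record(tx.tx_id, "separation-of-duties", "passed", f"approved by {approver}")
    return True


if __name__ == "__main__":
    log = ControlLog()
    t = Transaction("T1", "2500.00", "12345678", "alice")
    print(approve(t, "alice", log))   # False: same person entered and approved
    print(approve(t, "bob", log))     # True
    for e in log.entries:
        print(e)
```

The log entries, not the return values, are what an auditor would sample: every rejection carries the finding that caused it, so a reviewer can see both that the control exists and that it was applied consistently.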
Cumulative Controls
Sometimes a single control is not sufficient to address an organization’s needs. In this
case, more than one control might be necessary to reach the level of control that is
required. When several controls combine to achieve a specific control objective, they
become cumulative controls, sometimes referred to as redundant controls.
Organizations often use cumulative controls when they must rely on manual controls, or
when the risk that the organization faces is large in scope. For example, if a policy or
manual preventive control is the only way to enforce a password length requirement, it
also would be advisable to implement a manual or automated detective control to monitor
the level of compliance.
Cumulative controls could also be helpful when your organization must address a
significant risk. For example, running critical business functions on an obsolete operating
system is generally considered a large security risk. However, if your organization has no
other choice, you can implement other controls to compensate for this risk. In this case,
you might not allow the vulnerable system to connect to the network. In addition, the use
of removable media on computers could be prohibited to reduce the risk of malicious
software infection. Any one of these controls might not be enough to address this
problem. However, they can be effective when you combine them.
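The password-length scenario above, as an added example that is not part of the guide: a preventive control rejects short passwords at the point where they are set, and a separate detective control reads password-change log lines and reports accounts whose current password still falls short of policy, together with which sources produced the violations. The log format, the 12-character minimum, the account names and the source names are constructed for this example.

```python
# Added example (not from the guide): a preventive control plus a detective
# control acting as cumulative controls for one password-length requirement.
# Assumed for this example: the 12-character minimum, the log line format,
# and the account/source names in the constructed sample log.
import re
from collections import Counter

MIN_LENGTH = 12  # hypothetical policy value


def preventive_check(password: str) -> bool:
    """Preventive control: refuse to set a password shorter than the policy minimum."""
    return len(password) >= MIN_LENGTH


# Constructed sample log (not real data). Each line records a password change
# and the resulting length; "legacy-admin-tool" stands for a path that does
# not run the preventive control.
SAMPLE_LOG = """\
2008-05-01T09:12:03Z pwchange user=jdoe length=14 source=selfservice
2008-05-01T09:40:19Z pwchange user=asmith length=8 source=legacy-admin-tool
2008-05-01T10:02:44Z pwchange user=bchen length=12 source=selfservice
2008-05-01T11:15:00Z pwchange user=asmith length=16 source=selfservice
2008-05-02T08:30:21Z pwchange user=rkhan length=6 source=legacy-admin-tool
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pwchange user=(?P<user>\S+) length=(?P<len>\d+) source=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse the constructed log format; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "user": m["user"],
                           "length": int(m["len"]), "source": m["src"]})
    return events


def detective_audit(text: str) -> dict:
    """Detective control: report accounts whose latest password violates policy,
    and count violations by the source that set them (shows which paths bypass
    the preventive control)."""
    latest = {}
    violations_by_source = Counter()
    # ISO 8601 timestamps sort lexicographically, so the last event per user wins.
    for ev in sorted(parse_log(text), key=lambda e: e["ts"]):
        latest[ev["user"]] = ev
        if ev["length"] < MIN_LENGTH:
            violations_by_source[ev["source"]] += 1
    noncompliant = sorted(u for u, ev in latest.items() if ev["length"] < MIN_LENGTH)
    return {"noncompliant_users": noncompliant,
            "violations_by_source": dict(violations_by_source)}


if __name__ == "__main__":
    print(preventive_check("short"))            # False
    print(detective_audit(SAMPLE_LOG))
```

The detective control is what makes the pair cumulative: the preventive check only covers the paths that call it, while the audit over the change log catches passwords set through any path and shows the compliance level the text refers to (here, one account still out of policy and two violations attributable to the legacy path).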
Compensating Controls
Sometimes a control or a set of controls achieves the same desired outcome of a GRC
requirement, but does not do so with the same level of precision as the primary control.
When individual controls or sets of controls combine to achieve the same outcome as a
GRC requirement, they become compensating controls.
For example, a legacy system might not be able to comply with current data encryption
guidelines. However, additional tools can be used to compensate and provide the
appropriate encryption. Another example might be organizations that rely on periodic
evaluations of authorized users to compensate for potential deficiencies with the user
account maintenance controls.
holistic approach that examines how they relate to each other and develop common
controls that meet current and future GRC demands.
The following figure illustrates how you can use technical controls simultaneously to help
address many primary authority documents.
The next chapter describes how you can use MOF to achieve all of these compliance
benefits for your organization.
Chapter 4: MOF and Compliance Management
This chapter of the IT Compliance Management Guide focuses on mapping regulations to
technology solutions and their prescribed configurations. It introduces and defines the
process that was developed to translate relatively nonprescriptive regulations to specific
technologies that can help address compliance and privacy assurance objectives.
This chapter uses tables to depict GRC authority document relationships within MOF
Service Management Functions (SMFs). Each intersection in the tables indicates
coverage of GRC authority document concepts and requirements within the indicated
rows.
This chapter includes the following sections:
A Framework for Your Organization. This section explains why Microsoft
recommends using Microsoft® Operations Framework (MOF) 4.0 as the foundation
for managing compliance efforts in an organization.
Mapping Authority Documents to MOF. This section presents an overview of how
the example authority documents map to specific MOF SMFs.
IT Audit Process. This section provides step-by-step guidance for how to properly
prepare for a compliance audit, and how to remediate compliance issues identified
during an audit.
Table 4.1. Major Authority Documents Map to MOF Service Management Functions
X's represent where control categories intersect with the GRC authority documents. The first two columns give the MOF Phase and the MOF Service Management Function; the remaining eight columns are one per authority document: SOX, GLBA, HIPAA, EUDPD, PCI DSS, ISO 27002, COBIT, and GAPP. The column headings are printed vertically in the source table, and the X's in each row are reproduced as they appear there.
MOF Phase | MOF Service Management Function   | Authority documents
Manage    | GRC                               | X X X X X X
Manage    | Change & Configuration Management | X X
Manage    | Team                              | X X X X X X X X
Plan      | Business / IT Alignment           | X X X
Plan      | Reliability                       | X X X X X X X
Plan      | Policy                            | X X X X X X X X
Plan      | Financial Management              | X X X X X X X X
Deliver   | Envision                          | X X X X X X X X
Deliver   | Project Planning                  | X
Deliver   | Build                             | X X
Deliver   | Stabilize                         | X X X X X X X X
Deliver   | Deploy                            | X X X X X X X X
Operate   | Operations                        | X X X X X X X
Operate   | Service Monitoring                | X X X X X X X X
Operate   | Customer Service                  | X X X X X X X
Operate   | Problem Management                | X X X X
IT Audit Process
30 IT Compliance Management Guide
Audits are a critical component of the compliance process. In general, it is the auditors
who will determine whether your organization sufficiently complies with the authority
documents that it must address. For example, with regard to SOX, external auditors will
often determine the sufficiency of internal controls within your organization as part of the
audit in relation to quarterly financial reporting. Understanding how the audit process
works and how auditors operate is important because it informs IT managers how to
establish an environment that is compliant and easy to audit. This section focuses on
how auditors generally conduct an IT audit. Consult your GRC subject matter expert for
specific details of audits that apply to your organization.
It is important to understand what auditors look for during a GRC-related audit. During the
audit, the auditors seek to verify the following conditions:
The organization has designed reasonable and effective controls as part of a control
program to address applicable GRC requirements and there are no design
deficiencies.
The control documentation or related assertions provided by the organization fairly
represent the control environment.
The controls were placed into operation at a specific date and time.
The organization consistently applies the controls it has designed, and there are
no operational deficiencies.
Exceptions that the organization experiences are addressed in an authoritative,
timely and productive manner while being clearly documented.
If the auditors determine that an effective control environment does not exist or that the
organization does not adhere to the control environment, they note these deficiencies in
their final audit report and might issue a corrective action, which is an auditor demand
that a control or incident be managed within a certain timeframe. This audit report is
generally provided to the organization’s audit committee so that identified issues are
appropriately exposed to management. Obviously, it is preferable that no deficiencies are
noted in this report and no corrective actions issued.
The following process describes the general activities that auditors conduct during an
audit. Your auditor might conduct the audit using a slightly different approach, and the
audit frequency could be affected by how often internal audits are conducted. If internal
audits are conducted quarterly, an external audit will likely occur semi-annually or
annually, as prescribed by the applicable GRC authority documents:
Step 1: Plan the audit (auditor)
Step 2: Hold audit kickoff meeting (auditor/organization)
Step 3: Gather data and test technical controls (auditor/organization)
Step 4*: Remediate identified deficiencies (organization)
Step 5*: Test remediated risks and risk assessment (auditor/organization)
Step 6: Analyze and report findings (auditor)
Step 7: Respond to findings (organization)
Step 8: Issue final report (auditor) and repeat these steps from Step 1
conduct depend on the type of controls that they test, in addition to the criticality of the
system that the technical controls address.
For example, an IT administrator might demonstrate to the auditor how users complete
and submit a form to create access for themselves to the system. The auditor verifies that
the information requested of the user addresses both regulatory and operational
requirements. For manual controls related to this process, the auditor examines the
validity and thoroughness of policy documentation for the organization and observes the
operation of corresponding controls in the same manner. The auditor will also verify that
appropriate approvals are obtained.
Figure 4.4. Gathering data and testing technical controls for the IT audit process
Figure 4.6. Retesting controls that remediate risks identified in the IT audit process
approach will help you to more effectively address a variety of regulations with a
single set of controls.
MOF can provide you with planning options to realize IT control efficiencies for your
organization. A framework links business requirements to IT activities through a
consistent model. You can use this model to identify the IT resources you need to define
and achieve your organization's IT control objectives.
Figure 4.10. MOF life cycle phases (Plan, Deliver, and Operate) and the Manage layer
Chapter 5: Microsoft Technology Solutions for Compliance Management
This section presents the technology solution categories that are relevant to GRC. So far,
this guide has focused on how requirements from authority documents can drive specific
IT control requirements. Now the focus shifts to the technology solutions that can help
address those requirements.
A list of technology solutions, together with the categories of those solutions that are
relevant to compliance, was created and validated against ISO 27002, National Institute
of Standards and Technology (NIST SP 800) recommendations, and other frameworks.
Based on this process, the following 19 technology solution categories were derived:
Document Management. Document management solutions combine software and
processes to help you manage unstructured information in your organization. This
information might exist in many digital forms, including documents, engineering
drawings, XML files, images, and audio and video files.
Business Process Management. Business process management (BPM)
applications help provide end-to-end visibility and control over all segments of
complex, multistep information requests or transactions that involve multiple
applications and people in one or more organizations.
Project Management. Project management solutions apply knowledge, skills, tools,
and techniques to a broad range of activities to help meet the requirements of a
particular project. Project management knowledge and practices are best described
in terms of component processes. These processes divide into five process groups:
envision, plan, develop, stabilize, and deploy.
Risk Assessment. This category can have several meanings. The information
security community defines it as a systematic method to identify the assets of an
information-processing system, the threats to those assets, and the vulnerability of
the system to those threats. In the context of regulatory compliance, risk assessment
is the process of assessing the level of compliance and compliance inadequacies
within an organization.
Change Management. Change management systems are process structures that
cause IT managers to review proposed changes for technical and business readiness
in a consistent manner. The IT managers can then relax or strengthen the changes to
adjust to business needs and experiences.
For example, an organization could use a database to help personnel make better
decisions about future changes based on historical data that indicates the success or
failure of similar changes it has tried in the past. Change management is also a
structured process that communicates the status and existence of changes to all
affected parties. The process can yield an inventory system that indicates what
actions were taken and when, and how those actions affected the status of key
resources, which helps in diagnosing problems and in managing resources.
Network Security. Network security solutions constitute a broad solution category
designed to address the security of all aspects of the network for the organization,
including firewalls, servers, clients, routers, switches, and access points.
Host Control. Host control solutions control the operating systems in servers and
workstations. Their functions also include implementing security best practices at all
levels of the operating system in each host, maintaining the most current updates
and hotfixes, and using secure methods for daily operations.
from beginning to end. The actual system functionality closely matches the Customer
Relationship Management (CRM) business application category.
The next section illustrates how each of the Microsoft Operations Framework (MOF) 4.0
life cycle phases maps to specific technology solutions. You can use these mappings to
help determine the types of controls that you want to implement for your organization.