Sarbanes Oxley Information Technology and ISO 17799

December 27, 2004 (PRLEAP.COM) Business News
Millions of dollars are being wasted by information technology departments trying to comply with an ever-changing interpretation of Sarbanes Oxley requirements on IT from accounting firms. Some accounting firms are simply reusing their Y2K (2000) efforts with some additions; others are adding requirements with each audit. The least-cost solution for most information technology departments is to conform to the relevant technology standards of ISO 9000 and ISO 17799.

Sarbanes Oxley specifically points to financial and information technology systems and raises awareness of their criticality by making executives attest to the accuracy of their company's reported financial information. ISO 17799 is a standard for managing data security, comprised of a series of security best practices approved in 2000. Sarbanes Oxley focuses on financial reporting and disclosure, and on the data integrity behind those efforts; it does not require compliance with 17799. However, being compliant with 17799 meets the expectations of Sarbanes Oxley. Computer security resources for Sarbanes Oxley Information Technology are listed at http://www.4terrorism.com/computersecurity.htm (www.4terrorism.com).


In implementing any policy action designed to tighten security against hacking, spyware, and terrorism, a company or agency should consider the potential consequences as well as the costs of the action. Security issues, both physical and cyber, are only one element of what affects an entity's operations. Sarbanes-Oxley's primary concern is the financial systems and where information and finances meet. A listing of Sarbanes Oxley Information Technology resources is at http://www.projectbailout.com/PM/Sarbanes-Oxley-IT.htm or at www.projectbailout.com .

Security systems are much talked about, but many remain uncertain about what they entail and how to build and maintain one. An important step in establishing a system is to have an external audit of what a company now does to defend against a security violation. It is also important for those businesses and agencies that already have a security system to have it periodically checked by an outside audit. The object of an audit is not to try to find vulnerabilities but to assess the overall effect of any vulnerability on effective operations. Simply finding vulnerabilities can often lead to misrepresenting the efforts of internal staff, unnecessary expenditures for internal remediation, possible negative impact on production systems, as well as increased risk by providing a road map to hackers. The best and most valuable security audit not only details vulnerability, but also gives an overall assessment. The report highlights the overall level of risk to the business and indicates what executive-level decisions should be made to improve and to maintain a consistent information security program: http://www.4terrorism.com/securityaudits.htm


ISO 17799 is actually "a comprehensive set of controls comprising best practices in information security". In essence it is, at least in part, an extended and internationally recognized generic information security standard: http://www.iso-17799.com/

Compliance Utilizing ISO 17799 Best Security Practices Matrix: http://documents.iss.net/marketsolutions/SOXISO17799Brochure.pdf

The best and most valuable security audit not only details vulnerability, but also gives an overall assessment: http://www.4terrorism.com/securityaudits.htm