IT Compliance and Controls

IT Compliance and Controls offers a structured architectural approach, a 'blueprint in effect,' for new and seasoned executives and business professionals alike to understand the world of compliance?from the perspective of what the problems are, where they come from, and how to position your company to deal with them today and into the future.

Preface ix

Acknowledgments xiii

Part One: Coming of Age

Chapter 1 Operating in an Interconnected Universe 3

Chapter 2 How Technology Enables the World Market 19

Chapter 3 Importance of IT Controls 29

Part Two: Influence and Effects

Chapter 4 Death of Siloed IT Strategy 37

Chapter 5 A Regulated Environment 45

Chapter 6 The World is Your Oyster of Resources and Guidance 61

Chapter 7 Reality and Risks to IT Controls Being Effective 71

Part Three: Implementation

Chapter 8 Enterprise Risk Analysis 83

Chapter 9 Principle 1: Technology Strategy Orchestration 113

Chapter 10 Principle 2: Life Cycle Management 139

Chapter 11 Principle 3: Access and Authorization 167

Chapter 12 Principle 4: Sustain Operations 187

Chapter 13 Principle 5: Security and Assurance 201

Part Four: Looking Forward

Chapter 14 This is Not the End 239

Chapter 15 Building a System of IT Compliance and Controls 249

Supportive Publications 263

List of Acronyms 269

Index 271

JAMES J. DELUCCIA IV, CIA, CISA, CISSP, enables organizations to leverage information, technology, and control environments to create competitive advantage and optimize business performance. A recognized expert on risk management, security, and compliance, he provides assurance and advisory services to companies worldwide. DeLuccia, an architect and contributor for international standards and frameworks, provides regular contributions to the PCI and compliance body of knowledge. He holds dual bachelor degrees in information systems and risk management, and an MBA in finance.

IT Compliance and Controls
Best Practices for Implementation

A considerable degree of attention has been placed on organizations to improve and disclose the state of Information Technology (IT) internal controls within the United States as a result of several regulations, most prominently, the Sarbanes-Oxley Act of 2002, Section 404. Whether the result of a newly induced government mandate, a recent court ruling, industry trade groups, or from concerned stakeholders in the organization, these regulations have the ability to disrupt business. But no matter what the source, organizations are being strongly encouraged to have IT internal controls and to disclose these to the requesting parties. Dispensing invaluable insight into the complex world of interweaving government and industry mandates from around the world, IT Compliance and Controls provides a road map to effectively answer the question, "How much is enough?"

Providing CIOs, CTOs, IT auditors, audit managers, and IT managers with an in-depth analysis of the leading influencers, the regulations, and the available frameworks and guidance documents, IT Compliance and Controls begins with a discussion of the challenges enterprises face in adopting internal controls—including how to sell an IT control framework to upper management and how to identify the appropriate controls for the organization—and offers tips and techniques to manage these controls. The book also presents the most important and effective controls being relied upon in the United States and abroad, and validated by auditor tests.

Author James DeLuccia takes a practical approach to evaluating the organization's IT internal control needs and merges these with the regulated mandates as he develops a plan for achieving a balance of business and assurance. The book includes a thorough breakdown of a core set of principles, showing readers how to implement these best practices successfully within their own organizations. It concludes with a discussion of the future of IT internal controls, the challenges that lay ahead, and the technology being employed to enhance the quality and contribution of these control environments.

Written to enlighten those with senior responsibilities on the impact of the technological relationships being established around the world, IT Compliance and Controls provides readers with an in-depth understanding of the business drivers as well as a guided approach to presenting and communicating IT control needs to those at the executive level and board of directors.