
Sarbanes Oxley Compliance Kit

The SOX kit contains all of the tools needed to comply with the Sarbanes-Oxley legislation. This tool kit has been used successfully by over 500 publicly traded companies.

 

Sarbanes-Oxley Section 404 requires that:

  • Enterprises have an enterprise wide security policy;

  • Enterprises have enterprise wide classification of data for security, risk, and business impact;

  • Enterprises have security related standards and procedures;

  • Enterprises have formal security based documentation, auditing, and testing in place;

  • Enterprises enforce separation of duties; and

  • Enterprises have policies and procedures in place for Change Management, Help Desk, Service Requests, and changes to applications, policies, and procedures.

To meet these needs the Sarbanes Oxley Kit, which comes in four editions (Standard, Silver, Gold, and Platinum), contains:

  • Security Policies (all editions);

  • Threat & Vulnerability Assessment Tool (all editions);

  • Business & IT Impact Questionnaire Risk Assessment Tool (all editions);

  • Safety Program Template (all editions);

  • Disaster Recovery Template (all editions);

  • Outsourcing guide, updated to reflect what your vendors need to do (all editions);

  • Software tool to monitor key data files (all editions);

  • Internet and IT Job Descriptions (Silver, Gold, and Platinum Editions); and

  • IT Service Management Template (Platinum Edition).


Sarbanes Oxley News

07/22/2008
Compliance Management a High Cost Process

Prudent business practices demand the securing of key digital assets and the ability to audit the exchange of those assets both within the company and externally. Increasingly, regulations demand the same thing—and more. Examples abound.

 


The Sarbanes-Oxley Act (SOX) requires trading partner certification, data center validation and information transparency auditing. The Health Insurance Portability and Accountability Act (HIPAA) insists on the stringent protection of health information privacy. And Gramm-Leach-Bliley (GLM) dictates that the privacy of individuals’ financial information must be protected. Add to that the PCI-DSS standard and you have an issue that increases the cost of IT. This in turn drives the need to be able to transfer files to a secure location via a Managed File Transfer facility.

 

An optimal centralized Managed File Transfer facility should offer the following:

  • Security: The Managed File Transfer facility should secure data within the organization and in transit, protect the privacy and integrity of consumer data, provide multiple levels of encryption, and support all common security protocols.
  • Central Point of Control: A single solution, with a single point of control, should manage all file transfer processes for the entire enterprise.
  • Compliance: The Managed File Transfer facility should provide the auditing and control facilities necessary to meet the requirements of Sarbanes-Oxley 404, internal auditing standards and the organization’s contractual and regulatory obligations. It does this by providing: identity management; process workflow automation; an audit trail for all transactions, including a record of who accessed which documents, when they were accessed, and where they were accessed; and archives and journals that are readily available whenever needed to respond to legal issues.
  • Visibility, Control and Access: The Managed File Transfer facility should make all relevant information - structured and unstructured - easily visible to everyone who needs it, but only to those who need it.
  • Reliability: The Managed File Transfer facility should provide checkpoint/restart functionality so that transmissions can be restarted - preferably automatically - should they be interrupted as a result of an operator error or a hardware, software or network failure.
  • Scalability: Your centralized Managed File Transfer facility must be capable of growing with your business. This includes supporting all future growth in the number and variety of trading partners, file sizes, file types and traffic volumes.
  • Support: Once a Managed File Transfer solution is adopted, many of your business processes will succeed or fail based on its success. The Managed File Transfer facility should, therefore, be a proven solution that is fully supported and maintained. It must also be upgraded regularly to provide new features and to support new protocols as they become available.


07/19/2008
Disaster Recovery and Business Continuity Back-up Requirements Defined by Janco

Disaster Recovery and Business Continuity require data consistency, achieved through synchronous replication of data over long distances and/or journal replication, to protect against local and wide-area disasters. This technology provides other benefits, including:

Maintaining more efficient data currency. Using synchronous replication over a short distance in a campus or metropolitan area cluster provides the highest level of data currency without undue impact to application performance.

Permitting swift recovery. A campus/metropolitan cluster implementation allows for fast automated failovers after a local area disaster with minimal to no transaction loss.

Permitting recovery even when a disaster exceeds traditional regional boundaries. A wide-area disaster could disable both data centers 1 and 2, but with some manual interaction, operations can be shifted to data center 3 and continue after the disaster.

Shifting to staffing outside the disaster area. A wide-area disaster also affects people located within the disaster area, both professionally and personally. By moving operations out of the region to a remotely located recovery data center, operational responsibilities shift to people not directly affected by the disaster.

Janco has defined a template containing a Backup and Backup Retention policy, a complete policy that can be implemented immediately.

The document is provided in both Word 2003 and Word 2007 format and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template.

Below is a table from the policy.

| Type of Data                                          | Minimal Backup Policy                          | Backup Retention Policy                                            |
|-------------------------------------------------------|------------------------------------------------|--------------------------------------------------------------------|
| System software                                       | Latest version plus patches; at least weekly   | Annual (verified) backup; monthly generations; weekly generations  |
| Application software                                  | Latest version plus patches; at least weekly   | Annual (verified) backup; monthly generations; weekly generations  |
| System data                                           | Daily                                          | Annual (verified) backup; monthly, weekly and daily generations    |
| Application data                                      | Daily, with real-time transaction files        | Annual (verified) backup; monthly, weekly and daily generations    |
| Software licenses, encryption keys, and protocol data | Weekly                                         | Annual (verified) backup; monthly generations; weekly generations  |
 



07/18/2008
PCI Compliance Is A Top Issue For Many

The PCI standard -- which merges requirements from the Visa Cardholder Information Security Program (CISP), the MasterCard Site Data Protection (SDP) program, and other payment vendors -- targets merchants and service providers that store, process, or transmit cardholder data. Besides stipulations related to network security, access control, third-party assessment, and vulnerability management, the PCI Standard requires companies to protect cardholder data and other sensitive information that they store or transmit across public networks.

 


If your company accepts a high volume of credit cards, chances are that you have already felt the sting of PCI requirements. Although you can't entirely avoid card-related risk and compliance issues, you can lessen their impact by limiting storage of credit card numbers and reducing the overall scope of the PCI Standard on your organization.



07/12/2008
Metrics Are A Key To Remote Support

  • Remote desktop control. Agents can access the customer’s equipment via a secure web connection and take control, performing functions as if they were sitting in front of the machine.


  • Web chat. Agents may chat with a customer using a Web chat dialog during the remote control session, freeing the customer to take a call or perform other work, with the agent prompting them through the chat dialog when additional information is required.
  • Electronic Collaboration. Leading platforms offer varying degrees of Web collaboration, ranging from allowing other agents to join the remote control session to provide assistance to full online meeting and webcast capabilities.
  • Sharing. With screen sharing, the agent can view the customer’s desktop, with an option to allow the customer to view the agent’s desktop as well. This allows agents to walk customers through procedures they may be struggling to attempt on their own. Other features may include joint form fill and page push.
  • Monitoring. A new feature now available with some platforms: supervisors can select a remote control session currently in progress to see how the agent is handling the situation. Useful for quality control monitoring, to keep tabs on new agents, or to gauge proficiency with the remote support technology.
  • Log files. Different platforms offer various diagnostics that can be used to pull complete log files of a customer system for real-time or historical analysis. Log files typically are sent to the agent as a text file at the end of the session and attached to the incident in the case management system.


© 1999 - 2008 Janco Associates, Inc. - ALL RIGHTS RESERVED  --  Revised: 07/02/08.