3ami - computer monitoring

IT Security Solution Specialists

Compliance

Compliance summary

    As important as doing the right thing, compliance/governance requires that you are able to demonstrate that you have done the right thing. 3ami MAS comes pre-configured with various reports and roles and is able to get you and your organisation off to a quick start, helping you to demonstrate to all stakeholders (Board/Auditors/Regulators/Shareholders) that compliance is firmly on your agenda, driving both the systems and the people culture within your organisation.


The US Sarbanes-Oxley Act 2002 (SOX)

    Please also see http://www.s-ox.com

    In response to high-profile corporate governance failures, the US enacted this legislation to protect its own brand (i.e. as a good country to do business in and with), as well as shareholders, employees and the general public, from fraudulent practice and compounded errors in accounting practice.

    It is administered by the Securities and Exchange Commission (SEC), who publish rules and required timescales. Although principally aimed at financial integrity, it has become a requirement that affects the IT department in a big way.

    So what does it say?

    SOX states that all business records must be saved for not less than five years. This includes all electronic records and messages (N.B. not just email).

    It states that if you do not comply, fines, imprisonment or both may be applied. Given this imperative, companies have tasked IT departments with creating and maintaining corporate records, intact, for five years in a cost-effective fashion that satisfies their auditors.

    Next level of detail

    There are three principal rules for managing electronic records:

      Rule I

      Sec.802(a) deals with the destruction, alteration and falsification of records.

      “Whoever knowingly alters, destroys, mutilates, conceals, covers up, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or in contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”

      3ami MAS is a product that stores a complete record of your business*, combining a low-friction interface with database intelligence to provide a cost-effective answer to storage and, importantly, a quick turnaround in information retrieval. Either on site or locked down in third-party storage, 3ami will help you demonstrate compliance.

      Rule II

      Sec.802(a)(1) deals with the retention period.

      “Any accountant who conducts an audit of an issuer of securities to which section 10(a) of the Securities Exchange Act of 1934 (15 USC 78j-1(a)) applies, shall maintain all audit or review workpapers for a period of five years from the end of the fiscal period in which the audit or review was concluded.”

      At 3ami we think we understand the consequences of this retention requirement and have reflected that in our grant of software licence. 3ami MAS can be deployed in real time: in days, not weeks or months!

      Rule III

      Sec.802(a)(2) deals with the types of records that need to be maintained, including electronic communications:

      “… such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent or received in connection with an audit or review and contain conclusions, analyses, or financial data relating to such an audit or review.”

      Being safe means keeping everything out of reach, intact, safe and accessible. Where anomalies in information are identified, a solution is required that can identify the trail that information creates within an organisation: a forensic tool that can build the picture as part of its inbuilt intelligence function. 3ami MAS is such a tool, and indeed does all of these things.

      In the final analysis, compliance must be about culture and not software fixes. 3ami MAS can demonstrate who copied which files onto a memory stick, took work home, made a genuine mistake and then introduced false data into the organisation, and in doing so keep your Finance Director out of jail; it cannot instil diligence in the individual. That is a job for business leaders.

      Knowing 3ami MAS is running in the background will give those business leaders a very solid platform from which to drive cultural change.



The New Basel Capital Accord (Basel II)

    Often referred to as Basel II, this Bank for International Settlements accord deals with the correct capitalisation and, to some extent, the liquidity of financial institutions. One of the biggest changes, and certainly of interest to the Operations and IT departments, is the inclusion of Operational Risk: “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. Thus it could include failure to comply with SOX if active in US jurisdiction, fraud, technology failure, systems failure, legal uncertainty, political uncertainty, etc.

    3ami MAS, as an agent for cultural change, reveals the organisation, its people and its transactions within a 3D matrix that intuitively demonstrates transparency of actions. Staff, management and other stakeholders feel reassured that their actions are capable of interrogation not only at the point of action but throughout the process change.

    “The deployment of 3ami MAS will deter the internal threat, providing an assurance for all stakeholders.” Tim Ellsmore, CEO, 3ami


Freedom of Information Act and FOI Act (Scotland)

    Executive Summary.

    Similar legislation exists in the EU (European Union) and NAFTA (North American Free Trade Agreement); these two British Acts were driven by EU legislation.

    • Under the Act, public sector bodies must:
      • Adopt and make public a “publication scheme”:
        • Detailing the information they will make available.
        • Stating any associated charges.
      • Comply with all valid requests for information:
        • Confirming receipt of the request for information.
        • Stating the expected turnaround.
      • Bill and collect charges.
      • Apply disclosure exemptions in a consistent manner.
      • Record performance.
      • Make records available for audit.
      • Cooperate with other public sector organisations.
    • The Act should enhance public bodies' adoption of sensible information strategies.
    • It will increase understanding of the Data Protection Acts.
    • It will focus attention on storage and search costs, and hence on the return on investment of any software tools.



ISO 17799 (formerly BS 7799)

    ISO 17799 was adapted from the Department of Trade and Industry (UK) publication, which became BS 7799.

    ISO 17799 is a range of controls needed for information systems within an organisation. It requires that an organisation adopt a security strategy that varies the controls applied, so that the organisation's risk appetite is comfortable with the level of security associated with each risk.

    An operational risk audit (the Basel II definition of Operational Risk being “… the risk of direct or indirect losses due to failure of Systems, Processes, People and External factors”) reveals threats/opportunities, vulnerabilities, control systems, escalation procedures etc. This audit then forms the baseline for future security information and event management (SIEM).

    Compliance with this ISO standard requires a system that can monitor access to all systems, or accept feeds from those systems it cannot monitor. It must be able to store, and provide search facilities for, all system logs. (SOX requires only that financial records/logs are kept; ISO 17799 should keep a company one step ahead of auditors, who can require audit trails through all systems as part of a SOX investigation or audit.)

    ISO 17799 can also ensure HIPAA compliance.


(Visa) Payment Card Industry (PCI) Data Security Standard

    Mastercard and Visa require all merchants, banks and service providers to comply with the PCI Data Security Standard. This requires network monitoring and testing procedures for identity verification, file integrity synchronisation and the storage of all logs associated with the systems and network.



FFIEC

    The FFIEC comprises the Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and the Office of Thrift Supervision (OTS).

    This US standard requires financial institutions to collect, store and audit/review logs and audit trails at critical control points such as User Access Rights Admin (URAA) identification and validation, firewall policy, remote access and non-standard port access.

    Also requiring the retention of activity logs is:



DCID 6/3

    The Director of Central Intelligence Directive 6/3 (USA) requires that any and all systems containing intelligence data adhere to the standards laid down in the manual associated with the directive.

    Requirements include log retention for five years, log monitoring, auditing and a standard reporting methodology.

    This covers activity on all IP nodes in the network: hosts, servers, routers, databases and applications. IP phones have yet to be specified but could be construed as falling within the remit of the directive.



CobiT

    CobiT is a framework and vehicle for the IT Governance Institute to continuously evolve and improve international technical standards, codes of conduct, professional standards and industry best practice.

    Now in its 4th edition, CobiT has increased its focus on IT management, with an increased stakeholder base in building proactive assurance, governance treated as a board-level issue, integration of the three main stakeholders (IT, Management and Auditors), and a focus on the general standards (ISO 17799 and ITIL) to ensure they remain a credible focus for best practice capable of absorbing increased levels of legislation.



ITIL

    The IT Infrastructure Library was set up in the UK to catalogue and promote best practice in IT Service Management. Aimed principally at IT service providers, IT directors and CIOs, it sets out to improve IT services, reduce costs, and educate and illuminate standards, whilst providing guidance and educating the workforce.

    As ever, the plethora of compliance standards won't let up: ITIL sees delivery and best practice in service delivery coming with the implementation of ISO 15000.



Project Management

    PRINCE2 and the Project Management Body of Knowledge (PMBOK) offer consistent methodologies for project delivery that can help keep a project on track, within budget and subject to later audit.



Human Resources (HR) & Human Resources Management (HRM)

    Human Resource Management, HR Optimisation, Human Asset Management, call it what you will: are you letting your HRM team get the most out of your employees?

    The legal monitoring of employees, when conducted within the framework of a rigorously defined internal ICT policy document and aligned to individuals' development plans and the organisation's goals, will significantly improve productivity in the workplace.

    Salary.com estimates that 2 hours a day may be lost if management practice is ineffective.

    3ami MAS, a monitoring and audit tool, may be used to proactively demonstrate best-practice cycles within the working day. By setting guidelines for certain activities and monitoring all team members for exceptions, MAS provides a path towards greater productivity that is transparent to all team members.

    The product has been described as Telemetry for Business: all-seeing and all-knowing, it is a dynamic tool for enhancing all forms of workplace productivity.

    If you are a human resource professional interested in productivity monitoring and audit products, please contact, in the first instance, sales@3ami.com.

MAS: Putting you in control of your business

Tel: +44(0)1695 738003

Email: sales@3ami.com