Friday, December 25, 2009

Section 5.9.  Summary

In this chapter, we discussed the difference between SOX and COBIT. We also discussed a basic process for developing IT strategic plans in an effort to comply with the Planning and Organization domain. Finally, we looked at some real-world examples of forms and processes used to comply with the Sarbanes-Oxley Act. In summarizing this chapter, there are three fundamental things you should take away with you:

  • Let your unique organizational structure drive the applicable domain items.

  • When developing processes, ensure that they follow a good quality methodology, such as PDCA (Plan, Do, Check, and Act).

  • Above all, if you have existing processes that are sound and already ingrained within the organization, customize and modify them to work within COBIT rather than replacing them.

We also explored the definition and approval routing of your IT business policies, which form the core of your IT strategy and are the basis from which all procedures grow. Several policies are outlined as a representative set of items you will need to consider for SOX compliance. You can define or modify your own policies; we give you the details on how to accomplish this. You can also define or modify the policy approval workflow process if it does not suit your needs.

We also looked at the first concrete examples on the Live CD in the context of planning and organization. Once you have identified your controls as an organization, it is important to state them in a policy; the solutions implemented later in the book can then be applied to fulfill the requirements of those policies. In addition, we introduced the "approval" type of workflow, the first of many workflow categories we will explore in the remaining chapters. The approval workflow in this example demonstrates the ability to route specific versions of your policies through a chain of approvers.