Tuesday, January 19, 2010

Section 3.9.  Frequently Asked Questions












The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.


Q: Are there any other repercussions if a company fails to comply with the Sarbanes-Oxley Act?


A: Yes. In addition to possible litigation and negative publicity, a company could possibly be de-listed if it fails to comply with the Sarbanes-Oxley Act.


Q: Are open source tools really effective for complying with the Sarbanes-Oxley Act?


A: If done properly, yes. Keep in mind that applications and tools are merely one piece of the puzzle in your efforts to comply with the Sarbanes-Oxley Act. Just as important will be your ability to customize the COBIT guidelines to your environment, select the best application or tool for your environment, and configure them correctly.


Q: Are the applications and tools listed in this chapter the only ones available?


A: Absolutely not. Many sites on the Internet offer open source tools for free, and proprietary tools for a very low cost. A few good places to start are:


  • Shareware downloads www.download.com/

  • Open source downloads http://freshmeat.net

  • Open source projects http://sourceforge.net/


Q: How important is it to customize the COBIT guidelines to our environment?


A: Very important, for two reasons. This process has the potential to reduce the number of activities you will need to undertake, and will provide requirements for the type of applications and tools you may want to deploy.


Q: How important is change management?


A: Very important. You can have the best policies, applications, tools, and controls in place; however, you will never be able to completely eliminate the "Human Factor." Therefore, if you fail to address the area of change management, you may fail Sarbanes-Oxley compliance regardless of your other efforts.


Q: Can I really use some of my existing policies?


A: Yes. You may have to make some slight modifications, but as long as they are documented and support a control, they can be used.











