Monday, January 4, 2010

Section 6.7. Summary


In this chapter, we discussed automation and why it should be a key component of any small to medium-sized company's Sarbanes-Oxley compliance activities. We also developed guidelines by which you can assess your in-house expertise as it relates to the skill sets that will be necessary to use open source tools, and we provided actions and alternatives for acquiring those skills if they do not currently exist within your organization.


Additionally, we looked at the various control objectives of the Acquisition and Implementation domain, and identified those that relate specifically to Sarbanes-Oxley compliance, using our fictitious company as an example. In summarizing this chapter, there are three fundamental things you should take away with you:


  • Let your unique organizational structure drive the applicable domain items.

  • Automation will be critical, but resist the urge to over-implement.

  • Use of good project management methodologies will better position your compliance effort for success.


The remainder of the chapter shows examples of automation, project planning, and tracking for the sample companies. BuiltRight construction has decided to redeploy a Web application to improve availability and security. The project consists of migrating an IIS Web server using ASP scripting and an Access database to an Apache server using PHP and a MySQL database. NuStuff Electronics has opted to augment its security infrastructure with an IDS. Snort has been selected as the network-based detection system, since it is the leading open source solution and there is copious documentation, including several books, covering its deployment. To leverage the hard work of the open source community, the NST Live Security CD will be deployed, since it contains both the Snort IDS and a testing framework. These project examples are then put through the COBIT framework for approval, planning, and implementation, using the example workflow, project management, and documentation modules on the Live CD. The chapter closes with a discussion of additional example change management workflows where there might be special considerations: the need for additional activities at one end of the spectrum, and the desire to simplify the generic change management workflow at the other. Together these demonstrate the flexibility of the system.