Sarbanes-Oxley Act

gnbbsyf

Computer Science

Security Compliance

Colorado Technical University

Description

The management team needs to better understand the Sarbanes-Oxley Act of 2002. They would like you to create a report summarizing the Sarbanes-Oxley Act.

Using the Online Library, the Internet, and all course materials, complete the following:

  • Include a report on at least 3 incidents that are considered contributing factors to the enactment of this regulation, specific to the chosen company's infrastructure.
  • Be sure to include what the act specifically means for the IT organization.
  • What does it specify needs to be done?
  • What does the regulation mean for public, private, and government organizations, and especially for the company the student has chosen?

Add the discussion of Sarbanes-Oxley and the incidents that led to the enactment of the regulation to the section titled: Sarbanes-Oxley Act

Name the document CSS441__IP2.doc

Unformatted Attachment Preview

Running head: GOODWILL SECURITY

Goodwill Security
Student
Institutional Affiliation

Section 1 – Company Overview

Goodwill of North Georgia operates stores, donation centers and career centers, and offers diverse employment and job-training services across North Georgia. It also has another organization, Goodwill Industries of North Georgia, which specializes in managing facilities and protective services. Goodwill of North Georgia seeks to provide employability services to the unemployed who are struggling to find work, people who want a change of career, and those who seek to start out in entrepreneurship. With its support, people are empowered to face the employment challenges that come as a result of physical, emotional and developmental limitations, among other challenges. Goodwill takes donated household goods, clothes and even books to stores across North Georgia, and the proceeds are used to support its mission of employing people.

Goodwill has an integrated security infrastructure that consists of video cameras, monitored alarms, access control systems, endpoint protection (including mobile devices), web filtering, email protection, remote access solutions and end-user security awareness training.

  • Video cameras (CCTV) are installed in every corner of each room and all around the outside of the premises. They stream live feeds to the security team's smartphones, desktops or tablets to help them keep track of everyone's activities, including any suspicious activity in any part of the company.
  • The monitored alarms are used to detect and identify the specific areas of the organization that have been breached. They do this by emitting audible alerts that can be heard by anyone in the organization, especially the security personnel.
  • The access control systems are used to restrict entry to special areas of the organization. The company uses photo identification systems and access cards depending on the areas or sections being accessed.

The security team ensures that these systems are well placed and working so that employees and clients are protected from such tragedies.

Section 2 – Federal and State Regulations, Directives, and Acts on Security Compliance

Federal laws and regulations give industry guidelines on matters with significant security and privacy impact.

The Sarbanes-Oxley Act

The act requires companies to maintain financial records for seven years. It was enacted in 2002, after the Enron and WorldCom scandals, as a preventive law. The Sarbanes-Oxley Act protects investors and the public by increasing the reliability and accuracy of corporate disclosures. The Securities and Exchange Commission is mandated to implement it by defining which records and audits businesses should keep and for how long. The act affects the boards and management of U.S. public companies and public accounting firms, which Goodwill falls under. The act is organized into 11 key titles: Public Company Accounting Oversight, Auditor Independence, Corporate Responsibility, Enhanced Financial Disclosures, Analyst Conflicts of Interest, Commission Resources and Authority, Studies and Reports, Corporate and Criminal Fraud Accountability, White-Collar Crime Penalty Enhancements, Corporate Tax Returns, and Corporate Fraud Accountability.

The Gramm-Leach-Bliley Act (GLBA) of 1999

Also known as the Financial Modernization Act of 1999, this act sets guidelines protecting the personal financial information that financial entities hold on users. It has three basic parts: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions. The act covers financial institutions and organizations that provide financial services and products to consumers, such as financial advice or settlement services, as Goodwill does. Goodwill handles job seekers, advises entrepreneurs on the best way forward and provides financial advice to its clients; therefore, knowledge of this act is critical to its operations.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS covers the requirements needed to enhance the security of customer account data. It was developed to facilitate the consistent global adoption of data security measures. Its founders, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, form the PCI Security Standards Council. It focuses on security management policies, procedures in software design, and network architecture. Its requirements are geared towards reducing fraud and protecting consumer credit card information. It is quite appropriate for retailers and other companies that handle credit card data, such as credit card companies. The company sells clothes to its customers through thrift shops and other avenues, and customers may use credit cards to purchase these clothes.

The Electronic Fund Transfer Act, Regulation E

This was implemented in 1978 to protect any consumer who engages in electronic fund transfers against fraud or errors. It helps establish the rights, responsibilities and liabilities of consumers and of the financial institutions that use and offer EFT services. These transfers include ATM services, direct deposits and point-of-sale transfers, among others. The use of electronic funds transfer is inevitable for shoppers at Goodwill; therefore, due diligence is required to ensure the organization protects their data.

The Children's Online Privacy Protection Act

This act addresses the online collection of data on children under the age of thirteen. The Federal Trade Commission (FTC) monitors this act and dictates the limits on the collection and disclosure of children's data. It therefore determines the contents of a website's privacy policy, the process for obtaining consent from parents, and the operator's responsibilities. Goodwill's services also include settlement services that may need information on children; thus it must be careful to ensure this act is not broken.

Identify and describe 2 State Regulations

Massachusetts 201 CMR 17 (aka Mass Data Protection Law)

This law, implemented in 2010, seeks to protect Massachusetts residents against fraud and identity theft. It requires that any institution storing personally identifiable information about any of the state's residents have a written, regularly audited plan to protect that information. Its main aim is to mitigate any risk to the security of the information. Businesses such as Goodwill that use information from Massachusetts residents for the purpose of providing services, products or employment are affected.

Nevada Personal Information Data Privacy Encryption Law, NRS 603A

This law was passed to ensure the security of any stored consumer personal information through encryption. Goodwill may sell its services to a Nevada resident and may need that resident's personal data; therefore, it should adhere to this law.

Section 3 – Compliance Plan

For the Goodwill Company, the compliance plan seeks to explain the roles and responsibilities of different personnel in IT infrastructure security, information classification, marking and handling, security categorization of the information systems, security control requirements, and contingency planning, among others.

Describe Policies, Standards, Processes, and Guidelines

The Chief Information Officer of Goodwill is responsible for the development and maintenance of the company's information security program and works with the systems security officer, who ensures that the operational security posture is maintained for all information systems and programs.

Discuss the relationship between Controls and Audits

Controls refer to all the planning an organization does to safeguard its assets while ensuring that information is reliable and consistent, so as to enable efficient and effective operation and compliance with the set rules and regulations. Audits help ensure that controls are executed by assessing and evaluating all the activities in a company or organization.

Section 4 – Acceptable Use Policy

The Goodwill Acceptable Use Policy (AUP) addresses the issues of safeguarding users' access to its services. It describes prohibited activities, responsibility for systems security, enforcement of the AUP, changes to it, and the reporting of any breaches of the AUP.

The Goodwill company uses Safe Harbor principles that ensure customers are notified of the purposes for which their data is collected and used. The company also discloses to the client whether the data it takes will be disclosed to a third party, and whether the purposes will be the same or incompatible. Clients are given the choice, especially when their data is collected for employability purposes, of opting out of the agreement if they do not wish their data to be used by third parties. Goodwill also ensures that the third party adheres to the same terms of use. In the case of data breaches, the company already has mechanisms to counter them.

Acceptable Use Policy and Enforcement Ethics

Goodwill of North Georgia cannot guarantee that no data breach will occur. It does, however, believe in two basic principles: privacy and protection of client data. It is therefore unethical and illegal for any of its employees to cause breaches of this data.

Section 5 – Certification and Accreditation

DIACAP

Goodwill of North Georgia looks forward to complying with the Department of Defense (DoD) certification process, to ensure it applies risk management to its information systems, through the DoD Information Assurance Certification and Accreditation Process (DIACAP). The company has already begun the process of obtaining this certification and is currently at the third phase of the process, which is the decision-making process of certification determination and accreditation.

ISO 27002

Goodwill has the ISO 27002 certification and has a clear guideline for its information security as an organization. This includes guidelines for the selection, implementation and management of controls based on its information security risk environment. The organization has already implemented commonly accepted information security controls. It has also developed its own information security management guidelines.

Section 6 – Preparing for Certification

The organization has already implemented commonly accepted information security controls. It has also developed its own information security management guidelines in preparation for its certification.

References

Acceptable use policy. (n.d.). Retrieved from https://www.sans.org/security-resources/policies/general/pdf/acceptable-usepolicy

DoD Information Assurance Certification and Accreditation Process (DIACAP). (n.d.). Retrieved from http://acqnotes.com/acqnote/careerfields/dod-information-assurancecertification-and-accreditation-process-diacap

Information security compliance: Which regulations relate to me? (2018, January 18). Retrieved from https://www.tcdi.com/information-security-compliance-whichregulations/

ISO/IEC 27002:2013 -- Information technology -- Security techniques -- Code of practice for information security controls. (n.d.). Retrieved from https://www.iso.org/standard/54533.html

Staff, C. (2012, December 19). The security laws, regulations and guidelines directory. Retrieved from https://www.csoonline.com/article/2126072/compliance/compliance-thesecurity-laws-regulations-and-guidelines-directory.html#Childrens-Online-Privacy

Suyono, E., & Hariyanto, E. (2012). Relationship between internal control, internal audit, and organization commitment with good governance: Indonesian case. China-USA Business Review, 11(9), 1237-1245. doi:10.17265/1537-1514/2012.09.006