More on the effect of SOX on information security
Sections 302 and 404 indirectly bring information security controls under scrutiny, because the integrity of financial reporting depends on the IT systems and access controls that process the underlying data.
Section 302 requires the CEO and CFO to personally certify each periodic report, including that they have evaluated the effectiveness of the company's internal controls over financial reporting and have presented their conclusions in the report.
Section 404 requires management to include in the annual report an assessment of the effectiveness of the company's internal control over financial reporting, and requires the external auditor to attest to that assessment.
The wording of both sections is broad: neither names specific controls, and neither mentions IT or information security explicitly, so companies must look to a recognized control framework to decide which controls to assess.
Using COSO and COBIT to derive a specific set of IT control objectives for SOX:
To provide the missing internal control guidance, the SEC and the PCAOB point to the framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a suitable basis for management's assessment. COSO describes internal control in terms of five components: control environment, risk assessment, control activities, information and communication, and monitoring. COSO is not IT-specific, so more detailed guidance on IT controls (for example access control, change management and audit logging) is commonly taken from Control Objectives for Information and related Technology (COBIT), published by ISACA.
The two frameworks complement each other and are often used in tandem to demonstrate compliance with SOX sections 302 and 404: COSO defines what an effective control system must achieve, and COBIT maps those objectives onto concrete IT control objectives. IS Decisions solutions address certain requirements of both frameworks.
COBIT® is a trademark of ISACA registered in the U.S. and other countries.
COBIT Framework is not contained within IS Decisions products.