PO4.5:
PO 4.5 IT Organizational Structure
Control Objective:
Establish an internal and external IT organizational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organizational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circumstances.
Applicability:
- Sarbanes-Oxley
- HIPAA
- GLBA
- PCI
- FISMA
- NIST SP 800-66
- Ditscap
- Control Exception
- User Defined
Risk Association Control Activities:
- 1. Risk: Development and maintenance of system with potential impact to financial reporting bypass processes for identifying business requirements, risks, and for designing needed controls.
- a. SOX.1.14 Controls provide reasonable assurance that systems with potential impact to financial reporting are developed and maintained in a controlled manner through the use of a development methodology.
- a. SOX.1.14 Controls provide reasonable assurance that systems with potential impact to financial reporting are developed and maintained in a controlled manner through the use of a development methodology.
- 1. Risk: Development and maintenance of system with potential impact to financial reporting bypass processes for identifying business requirements, risks, and for designing needed controls.
- 2. Risk: IT function does not meet the organizational needs.
- a. SOX.2.0.1 Organizational policies and management procedures are in place to ensure the IT function is controlled properly.
- a. SOX.2.0.1 Organizational policies and management procedures are in place to ensure the IT function is controlled properly.
- 2. Risk: IT function does not meet the organizational needs.
- 3. Risk: Financial systems fail due to a lack of operational procedures being executed.
- a. SOX.2.0.2 Controls provide reasonable assurance that IT daily operation procedures are executed.
- a. SOX.2.0.2 Controls provide reasonable assurance that IT daily operation procedures are executed.
- 3. Risk: Financial systems fail due to a lack of operational procedures being executed.
- 4. Risk: Business needs may not be met by IT operations.
- a. SOX.2.7.1 The IT department and functions are aligned with end-user business needs and end-user computing policies and practices are in place to ensure the integrity of data through security and end user development methodology.
- a. SOX.2.7.1 The IT department and functions are aligned with end-user business needs and end-user computing policies and practices are in place to ensure the integrity of data through security and end user development methodology.
- 4. Risk: Business needs may not be met by IT operations.
- 5. Risk: IT security measures are not aligned with business requirements.
- a. SOX.2.7.2 Controls provide reasonable assurance that IT security measures are aligned with business requirements.
- a. SOX.2.7.2 Controls provide reasonable assurance that IT security measures are aligned with business requirements.
- 5. Risk: IT security measures are not aligned with business requirements.
- 6. Risk: In-House and/or Package applications may not meet all business and application control requirements.
- a. SOX.4.3.1 The organization acquires / develops systems software in accordance with its acquisition, development and planning process.
- a. SOX.4.3.1 The organization acquires / develops systems software in accordance with its acquisition, development and planning process.
- 6. Risk: In-House and/or Package applications may not meet all business and application control requirements.
- 7. Risk: Users may have inappropriate access to the application system.
- a. SOX.5.1 Access to the application system is appropriately restricted to prevent unauthorized activity.
- a. SOX.5.1 Access to the application system is appropriately restricted to prevent unauthorized activity.
- 7. Risk: Users may have inappropriate access to the application system.
Implementation Guide:
Process Narrative
Insert a description of the process narration that is applicable to the existing control statement this narrative refers to.
Process Illustration
Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.
File:Someimage.jpg
Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.
Control Exception Commentary
Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.
Evidence Archive Location
Insert Evidence Description Here.
Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.
File:Redlock.jpg
Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.
Supplemental Information:
ITIL The Business Perspective, Roles, Responsibilities and Interfaces.
ITIL 8.1 Overall IS role and the interactions.
Implementation guidance
Insert guidance in this section if it helps to elaborate upon the subject matter. Examples of evidence that would help guide the end user is desirable.