8/18/2019 JMSOXNYC
Marimba Product Line
Sarbanes-Oxley Act: Automate Compliance Processes Throughout System Lifecycle
Jeanne Morain
S-O and IT Controls
Information technology plays a crucial role in supporting the integrity of financial information.
The PCAOB audit standards highlighted the importance of auditing key IT controls.
PCAOB requires “transaction walkthroughs” of financially significant transactions and assessment of related controls - including IT controls.
Transaction Walkthroughs PCAOB p./-012
For each significant general ledger financial account the auditor must:
› Trace transactions from origination through the company's information systems until reflected in the company's financial reports.
› Include the entire process of initiating, authorizing, recording, processing, and reporting individual transactions … including controls intended to address the risk of fraud.
Finance Systems Interfaces
Procurement System Flow
IT General Controls
Poor controls in any of the IT infrastructure areas will adversely affect reliability of application controls.
› Physical security
› Logical security (access controls)
› Database security
› Operating system security
› Network security
› Program change management
IT Application Controls
Application controls help ensure the completeness, accuracy, security of information.
› Logical security (access controls)
› Program change management
› Input controls
› Processing controls
› Output controls
Control Documentation
A significant task. Work involved depends on company's starting point on control documentation.
Many companies don't have good control documentation.
Control Documentation
Minimum Requirements for Control Documentation
› Description of the process
› Associated risks
› Control activities
› Control testing - evaluation
› Control gaps
› Plans to the gaps
Control Framework
S-O 404 requires management to assess controls against an established control framework.
COSO is a recommended control framework.
COBIT (Control Objectives for IT) is being used for IT control assessments.
COBIT consists of 34 specific IT control objectives.
COBIT
[Diagram: Business Objectives; Planning and Organization; Acquisition and Implementation; Deliver and Support; Monitoring]
Information
› effectiveness
› efficiency
› confidentiality
› integrity
› availability
› compliance
› reliability
IT Resources
› data
› application systems
› technology
› facilities
› people
COBIT Control Objectives
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service (Data Mgt)
DS5 Ensure Systems Security
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS13 Manage Operations
M1 Monitor the Processes
S-O/404 Compliance
The control evaluation, documentation and testing are major tasks involving significant allocations of resources - primarily people and software.
Implementation of systems based control software should result in process / control consistency and a reduced investment of “people resources” for the control evaluation efforts.
How prepared are you for an audit?
Reduce Business Impact of Compliance
Automate manual processes
› Inventory, Software Distribution
Secure Apps, Code, Records
› Patch, SSL, Code Signing
› Access, Systems, Schedules
Audit Reports across Enterprise
› Access, Inventory, Health
› Disparate Systems
Reduce Impact
› Resources, Productivity, Business
› Total Cost of Compliance
Compliance Automation throughout System Lifecycle
Sarbanes Audit Overview
Automated Business Processes throughout Client Lifecycle
[Diagram labels: End Users Inside/Outside The Firewall; Regulatory Controls; Network Operations; Help Desk; Call Center; Compliance Automation; Data Center; Partners/Customers Outside The Firewall; Procurement; Provisioning]
How does CCM Automate Compliance?
Control Objective / Marimba Automates By:
› AI2 - Acquire and Maintain Application Software
› AI3 - Develop and Maintain Technology Infrastructure
› AI4 - Develop and Maintain Procedures
› AI5 - Install and Accredit Systems
› AI6 - Manage Changes
Centralized Infrastructure & Admin Interface:
› Policy Based Targeting - WHO/WHAT
› Orchestration - Global TASs
› Patch Remediation - System Integrity
› Deploy OS, Apps, Content - Test,
› Self Service - Failover, Repair, Verify
› Inventory - Identify, Address Risks
› DS 2 - Manage 3rd Party Services
› DS 3 - Manage Performance Capacity
› DS 4 - Ensure Continuous Service (Data)
› Reporting - Scheduled, Email,
› Software Distribution - Take Action
› Content Replication - Failover,
› Patch Remediation/Software Metering
› Secure Transport - SSL, Code
Compliance Automation: Marimba Remedy
The Marimba Integration for Remedy combines Marimba automation and facility with Remedy applications (Asset / Configuration) and workflow
Remedy Solutions / Marimba Solution
Remedy Asset Management
Marimba Inventory Discovery
Populates Remedy asset repositories with software/hardware inventory scans providing current, accurate asset data
Marimba Desktop/Mobile/Server Management Solution
Automatic online servicing, or “taking action” on software assets that are not in compliance with corporate policies
Remedy Asset Management
License Management - leverage Marimba Inventory & Software Usage information to validate procured vs deployed assets
Remedy Change Management
Leverage Remedy change process with Marimba policy based configuration management
Head Start: CCM
Marimba Integration for Remedy is a jointly developed, fully-documented productized integration that features:
› Leverage Vendor Forms OR Enterprise Integration Engine (EIE)-based inventory mapping from Marimba inventory scanner to Remedy asset repositories
› Access Marimba consoles and administration from Remedy applications;
› Automatically open Remedy trouble tickets when Marimba server is o