In this blog, I describe how you can use Oracle CCG to comply with the COSO and CobiT 4.1 Control Objectives including:
Manage the Configuration
Oracle Configuration Controls Governor (CCG) 5.5.1 provides you with the functionality you need to “Manage the Configuration” to comply with:
- COSO IT Control Objectives (for Sarbanes-Oxley)
- CobiT 4.1
- Using CCG 5.5.1 to Manage the Configuration
COSO IT Control Objective – Manage the Configuration
Controls provide reasonable assurance that IT components, as they relate to security and processing, are well protected, would prevent any unauthorized changes, and assist in the verification and recording of the current configuration
Rationale
Configuration management includes procedures such that security and processing integrity controls are set up in the system and maintained through its life cycle. Insufficient configuration controls can lead to security exposures that may permit unauthorized access to systems and data and impact financial reporting. An additional potential risk is corruption to data integrity caused by poor control of the configuration when making system changes or by the introduction of unauthorized system components.
CobiT 4.1 Control Objective – Manage the Configuration
Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimizes production issues and resolves issues more quickly.
DS9.1 Configuration Repository and Baseline
Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
DS9.2 Identification and Maintenance of Configuration Items
Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.
DS9.3 Configuration Integrity Review
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
Using Oracle CCG 5.5.1 to Manage the Configuration
You can use Oracle CCG 5.5.1 to take snapshot definitions of your approved “baseline” application configuration for each Oracle application. Similarly, you can generate snapshot definitions of your Oracle applications and compare them with your “baseline” snapshots to ensure that the current configuration is consistent with your “baseline” configuration.
Manage Changes
Oracle Configuration Controls Governor (CCG) 5.5.1 provides you with the functionality you need to Manage Changes to comply with:
COSO IT Control Objective – Manage Changes
Controls provide reasonable assurance that system changes of financial reporting significance are authorized and appropriately tested before being moved to production.
Rationale
Managing changes addresses how an organization modifies system functionality to help the business meet its financial reporting objectives. Deficiencies in this area could significantly impact financial reporting. For instance, changes to the programs that allocate financial data to accounts require appropriate approvals and testing prior to the change so that proper classification and reporting integrity is maintained.
CobiT 4.1 Control Objective – Manage Changes
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
AI6.2 Impact Assessment, Prioritization and Authorization
Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorized, prioritized and authorized.
AI6.3 Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes that do not follow the established change process.
AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly
Using Oracle CCG 5.5.1 to Manage Changes
You can use the Change Tracking Details reports in Oracle CCG 5.5.1 to identify all changes made to the Oracle application configuration parameters. Similarly, you can use these reports to ensure that each change has been processed properly through the Change Management Process.
“Manage Changes” is one of the COSO and CobiT 4.1 Control Objectives. The Control Objectives for Manage Changes are described in the CobiT process A16 Manage Changes. You can use Oracle CCG 5.5.1 to facilitate compliance with this CobiT Control Objective.
Once you “Deploy” the Change Tracking Definitions, Oracle CCG 5.5.1 tracks EVERY change that a user makes to any object included in the definition. You can review the complete detailed history of changes online and/or generate reports in HTML, PDF and CSV formats. Moreover, you can review the history of changes from the date and time that you first deploy the Change Tracking Definitions through the date and time that you purge Change Tracking Data.
