This policy provides guidance to ensure that the company's use of blogging and online dialogue reflects responsible engagement in this new, rapidly growing space for relationships, learning and collaboration.
1. Know and follow the Company Code of Conduct.
2. Blogs are not corporate communications but individual interactions. Identify yourself, but protect your privacy.
3. Use a disclaimer when posting about work or about subjects associated with the Company.
4. Respect copyright, fair use and financial disclosure laws.
5. Don't provide confidential or other proprietary information.
6. Don't cite or reference clients, partners or suppliers without their approval.
7. Respect your audience, and show proper consideration for others on topics that can be inflammatory, such as politics and religion.
8. Find out who else is blogging on the topic and cite them.
PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major payment card brands as a set of requirements to help organizations that process card payments prevent card fraud, system compromise and other security threats. A company that processes, stores or transmits payment card data must be PCI DSS compliant or risk losing its ability to accept card payments, being audited and/or being fined.
The six control objectives, each of which groups specific requirements, are:
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
For the last two years I have been working with Sarbanes-Oxley section 404, especially on IT general controls, both designing Risk Control Matrices (RCM) and testing the controls. After hundreds of hours of discussion with auditees and hundreds of days of never-ending meetings and document checks, I have come to the conclusion that implementing SOX is very, very difficult and sometimes not effective. Here is the reason:
1. Statements open to multiple interpretations
IT Auditee: "Your significance level is different from mine."
SOX Auditor: "My interpretation of this matter is more specific than yours."
IT Auditee: "I understand, but here this process cannot be performed."
SOX RCM guidance is open to multiple interpretations. If you hire a person from ABC audit firm to help you design the RCM, and then a year later hire someone from DEF audit firm, I am sure the result will be different. Does that mean the person from ABC audit firm is smarter? No; the guidance simply allows more than one interpretation.
Just look at one item: the list of significant applications. The rule is simple: every application that impacts the financial statements. But how is that spelled out in more detail? Are firewalls and routers significant applications? Is a gateway application that passes data through without changing any parameter included? Or, a simpler one, is a big integrated module one application or several? What if the vendors who developed the module are different from the core vendor?
I am sure many questions like these arise when designing a SOX RCM; trust me, statements open to multiple interpretations are the major source of never-ending meetings.
Many friends of mine keep asking me what should be implemented first to improve their information systems management: COBIT, ITIL or ISO 27001. The next question is usually which one is easiest to implement in their company.
To answer this, let me give the definitions of these three major standards, which differ somewhat in their basic concepts.
COBIT stands for Control Objectives for Information and Related Technology. It is issued by ISACA (Information Systems Audit and Control Association), a non-profit organization for IT governance. COBIT's main function is to help a company map its IT processes to ISACA's best-practice standard. COBIT is usually chosen by companies that perform information systems audits, whether as part of a financial audit or a general IT audit.
ITIL stands for Information Technology Infrastructure Library. Issued by the OGC (the UK Office of Government Commerce), it is a framework for managing IT service delivery. Although ITIL is similar to COBIT in many ways, the basic difference is that COBIT sets its standard from a process- and risk-based view, whereas ITIL sets its standard from the perspective of the IT services themselves.
ISO 27001 is quite different from both COBIT and ITIL: it is a security standard, so it has a smaller but deeper domain than COBIT or ITIL.
Val IT is a suite of documents that provide a framework for the governance of IT investments, produced by the IT Governance Institute (ITGI). It is a formal statement of principles and processes for IT portfolio management.
Val IT helps business managers get business value from IT investments by providing a governance framework that consists of
* a set of guiding principles, and
* a number of processes conforming to those principles that are further defined as a set of key management practices.
The major processes are:
* Value Governance (VG prefix)
* Portfolio Management (PM prefix)
* Investment Management (IM prefix)
I was very surprised to hear the report from the TSA (Transportation Security Administration) of the US Government saying that Bali Airport does not meet the security standards of the International Civil Aviation Administration. And I was even more surprised to read this on Wikipedia, a website read by millions of people and sometimes used as a primary source of information.
Bali is certainly more famous than Indonesia itself: the beautiful paradise island, with its beaches and sea. Many tourists visit Bali every day for its beautiful views and friendly people. Knowing that its airport doesn't meet the international standard makes me sad. I think the Indonesian government should become more serious about repairing Indonesia's image in the world.
ISO/IEC 27001, part of the growing 'ISO/IEC 27000 series' of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements, but it is commonly known as "ISO 27001".
It is intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls. Organizations that implement an ISMS in accordance with the best practice advice in ISO/IEC 27002 are likely simultaneously to meet the requirements of ISO/IEC 27001 but certification is entirely optional (unless mandated by the organization's stakeholders).
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). Development began in 1992, and the first edition was released in 1996. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to help them maximize the benefits derived from information technology and develop appropriate IT governance and control in a company.
Its mission is "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors." Managers, auditors and users benefit from COBIT because it helps them understand their IT systems and decide the level of security and control necessary to protect their companies' assets through the development of an IT governance model.