The RSCA approach is used to evaluate the current state of Security and Compliance activities for SOx remediation within a business. RSCA is a three-step methodology designed to manage and provide oversight for business risk and compliance. But keep in mind that neither SOx nor RSCA are designed to eliminate all risk. They are designed to ensure risks are known and either corrected or accepted.
To that end, RSCA addresses your companies governance through:
Planning and Data Collection
Risk and Security Assessment
Tracking and Reporting
These steps have been implemented at many large corporations facing large remediation initiatives. But it’s a method that can be easily scaled to any size business. These steps help to ensure both your business and IT processes are being adhered to, identifies gaps or risks that need to be resolved, tracks those resolution efforts and provides a method of reporting through each chain of command necessary for Governance, Risk Management and Compliance (GRC) Assessments.
See my IT Governance section for more information about IT Audit, and Governance, Risk Management & Compliance (GRC) and Risk, Security & Compliance Assessments (RSCA).
Segregation of Duties (SOD) is one of the biggest issues to hit IT organizations. Especially for those that have been in business for 40 years or more. Companies typically start out with open environments that relied on developers to implement new code straight into production. Many organizations have no change management or change control tools to help strengthen and secure their development, testing, implementation into production and subsequent maintenance changes and emergency fix processes.
Compliance initiatives have done away with the same ole procedures and now require organizations to maintain stronger and more restrictive control over their IT environments. Those that don’t make efforts for control, end up with significant deficiencies called out by their auditors. Continue reading →