Sarbanes Oxley Compliance Journal: Technology: Thought Leader

SOX and ITIL: There Is No Dotted-Line Relationship!


By Ross Armstrong, Senior Research Analyst, Info-Tech

Info-Tech Research Group sees strong interest among IT decision makers in the relationship between Sarbanes-Oxley (SOX) compliance and the IT Infrastructure Library (ITIL) framework. There is, however, no straightforward connection between the two: adopting ITIL does not make an enterprise SOX compliant, even though certain ITIL processes can support a SOX compliance effort.

The Issue
Designing secure internal controls for financial reporting and establishing auditability for IT systems are important steps in meeting the requirements of SOX and similar legislation. ITIL, however, does not address governance in a comprehensive way and cannot be used on its own to achieve SOX compliance. This is largely because ITIL is focused on the service desk and on "IT as a service," not on control objectives or on the evidence an auditor needs to test them.

Despite ITIL's shortcomings for governance, many IT professionals assume that because ITIL is a framework, it must be suitable for compliance as well. Vendor claims of "ITIL compliance" for service-management products (Altiris, Axios, BMC, CA, HP and others) make matters worse by giving the impression that ITIL is a standard. It is not. ITIL is a set of best practices that an organization can implement as it sees fit. In the strictest sense there is no such thing as compliance with ITIL, and an ITIL implementation certainly does not amount to compliance with SOX.

Where ITIL Does (and Doesn’t) Work for Compliance
Granted, there is a small handful of ITIL processes that can be used as part of a SOX compliance strategy. Most cannot. For example, ITIL's Financial Management process provides a plan that ensures the financial resources are in place to operate IT according to business requirements. This includes budgeting for IT, comparing real against projected costs, and performance monitoring. But the Financial Management process does not provide for a financial audit of IT, so it has no direct correspondence with SOX.

ITIL can provide some supplemental assistance in SOX-affected areas. The table below also provides a quick glance at ITIL's relevance to SOX overall. The SOX-pertinent ITIL processes include:
• Change management and control: incident, change, and release management, including for in-house software development, which gives an auditor a documented trail of who changed what and when.
• Software configuration: pushing out licensing compliance, permission changes, patch management, and similar controlled changes.
• Asset management: guidance for creating a configuration management database (CMDB) and configuration items (CIs), accounting for and monitoring IT assets and the processes for managing them.
• Security management: describes how information security should be fitted into the management organization. (Note: ITIL's Security Management module is based on ISO/IEC 17799. ISO has moved to the 27000 series, in which 17799 was renumbered ISO/IEC 27002 and ISO/IEC 27001 specifies the certifiable management system; the 27000 series is stronger in software/application security and logical security than the ITIL approach.)

The COBIT Connection
Many enterprises will have run into Control Objectives for Information and Related Technology (COBIT) before considering ITIL. If SOX compliance is on the agenda, COBIT is in practice not an option but the expected starting point. COBIT was published, and is maintained, by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). Like ITIL, COBIT is publicly available.
COBIT puts emphasis on the factors that matter most for risk management, security, integrity of data, and cost control. To this end, COBIT establishes 34 high-level control objectives (one per IT process), each linked to a number of detailed control objectives and activities. These are tied together by a common control framework, supported by numerous management guidelines.

Recommendations
1. For SOX compliance only, go with COBIT. The Securities and Exchange Commission (SEC) considers COBIT an acceptable control framework for governance, security, and internal control best practices. While COBIT adoption is not mandatory for SOX compliance, it is the de facto framework against which IT controls for SOX are mapped. The COBIT processes most commonly mapped to SOX are:

• Acquire and maintain application software.
• Acquire and maintain technology infrastructure.
• Develop and maintain policies and procedures.
• Install and accredit systems and technology infrastructure.
• Manage changes.
• Define and manage service levels.
• Manage third-party services.
• Ensure systems security.
• Manage the configuration.
• Manage problems and incidents.
• Manage data.
• Manage operations.

2. IT shops with fewer than 10 employees should look at COBIT Quickstart. Info-Tech strongly advises the use of COBIT Quickstart (currently being reworked by ISACA and available in August 2007) to help small and mid-sized enterprises (SMEs) meet compliance goals. COBIT Quickstart is a baseline for SMEs for whom IT is not mission-critical. Quickstart is a subset of the larger COBIT publication and contains only the most critical control objectives. These objectives were chosen because they retain COBIT's fundamental principles but can be implemented quickly.

3. For compliance and service management, use COBIT and ITIL concurrently. ITIL maps well onto COBIT, the de facto North American governance framework: ITIL describes how to run the processes, and COBIT defines the control objectives those processes must satisfy. COBIT is commonly used alongside ITIL to formalize the accountability links between the various aspects of IT and the financial governance structure of an enterprise.

4. For IT security-centric shops, adopt the ISO 27001 standard. ISO 27001 provides the framework and certification process by which an enterprise designs, implements, manages, maintains, and enforces security processes and controls. Like other ISO certifications, ISO 27001 certification lets the world know that the enterprise is committed to high standards of quality, including information security. For more information on security, refer to the McLean Report research note, "New ISO Certification Validates Security Processes."

  • ISO 27001 certification is entirely voluntary. Privately-owned enterprises can use the certification to demonstrate SOX-comparable IT security controls when dealing with publicly-traded entities.
  • Other benefits commonly associated with ISO certification include marketing potential to encourage new business opportunities as well as improved relations with existing business partners.

Bottom Line
Beneficial though ITIL may be for improving service management, compliance is not its core function. Explore the potential of more suitable frameworks such as COBIT or ISO 27001.


For more information go to www.infotech.com

© 2019 Simplex Knowledge Company. All Rights Reserved.