Information security and sarbanes-oxley compliance: An exploratory study

Journal of Information Systems

Volumn 25, Issue 1, 2011, Pages 185-211

  Wallace, Linda ^a   Lin, Hui ^b   Cefaratti, Meghann Abell ^c  

^a VIRGINIA POLYTECHNIC INSTITUTE AND STATE UNIVERSITY   (United States)

^b DEPAUL UNIVERSITY   (United States)

^c NORTHERN ILLINOIS UNIVERSITY   (United States)

Author keywords

Information security; Internal control; ISO 17799; Sarbanes oxley

Indexed keywords

EID: 79961156940     PISSN: 08887985     EISSN: 15587959     Source Type: Journal    
DOI: 10.2308/jis.2011.25.1.185     Document Type: Article

References (38)

1. Anand, S. 2008. Information security implications of Sarbanes-Oxley. Information Security Journal: A Global Perspective 17 (2): 75-70.
2. Armstrong, J. S., and T. S. Overton. 1977. Estimating nonresponse bias in mail surveys. JMR, Journal of Marketing Research 14 (3): 396-403.
3. Baker, W., and L. Wallace. 2007. Is information security under control? Investigating quality in information security management. IEEE Security and Privacy 5 (1): 36-44.
4. Bowen, P. L., M.-Y. D. Cheung, and F. H. Rohde. 2007. Enhancing IT governance practices: A model and case study of an organization's efforts. International Journal of Accounting Information Systems 8 (3): 191-221.
5. Brown, W., and F. Nasuti. 2002. Sarbanes-Oxley and enterprise security: IT governance-What it takes to get the job done. Security Management Practices 14 (5): 15-28.
6. Calder, A., and S. Watkins. 2002. IT Governance Data Security & BS 7799/ISO 17799: A Manager's Guide to Effective Information Security. London, U.K.: Kogan Page.
7. Carlson, T. 2008. Understanding ISO 27002. Bay Area, CA: Orange Parachute. Available at: http://www.orangeparachute.com/documents/Understanding(ISO)27001.pdf.
8. CIOInsight. 2004. EXP Research: Sarbanes-Oxley 2004: Are You Ready to Comply? New York, NY: CIOInsight. Available at: http://www.cioinsight.com/c/a/Research/Research-SarbanesOxley-Are-You-Ready-to-Comply/.
9. Curtis, M. B., J. G. Jenkins, J. C. Bedard, and D. R. Deis. 2009. Auditors' training and proficiency in information systems: A research synthesis. Journal of Information Systems 23 (1): 79-96.
10. Damianides, M. 2004. How does SOX change IT? Journal of Corporate Accounting & Finance 15 (6): 35-41.
11. Damianides, M. 2005. Sarbanes-Oxley and IT governance: New guidance on IT control and compliance. Information Systems Management 22 (1): 77-85.
12. Da Veiga, A., and J. Eloff. 2007. An information security governance framework. Information Systems Management 24 (4): 361-372.
13. Engel, E., R. Hayes, and X. Wang. 2007. The Sarbanes-Oxley Act and firms' going-private decisions. Journal of Accounting and Economics 44: 116-145.
14. Ford, M. 2009. Size, structure and change implementation: An empirical comparison of small and large organizations. Management Research News 32 (4): 303-320.
15. Garcia, V. 2004. Seven points financial institutions should know about IT spending for compliance. Journal of Financial Regulation and Compliance 12 (4): 330-339.
16. Greenfield, D. 2007. IT by the book. InformationWeek 35-38.
17. Harris, S. 2006. Alphabet soup: Understanding standards for risk management and compliance. Information Security Magazine (June 2).
18. Haworth, D. A., and L. R. Pietron. 2006. Sarbanes-Oxley: Achieving compliance by starting with ISO 17799. Information Systems Management 23 (1): 73-87.
19. Information Systems Audit and Control Association (ISACA(. 2005. COBIT Mapping: Mapping ISO/IEC 17799: 2000 with COBIT. Rolling Meadows, IL: ISACA. Available at: http://www.isaca-oregon.org/docs/Mapping%20Cobit%20to%20ISO%2017799.pdf.
20. International Organization for Standardization (ISO). 2005. Information Technology-Security Techniques-Code of Practice for Information Security Management. Geneva, Switzerland: ISO. Available at: http://www.iso.org/iso/iso(catalogue/catalogue)tc/catalogue(detail.htm?csnumber)39612.
21. IT Governance Institute (ITGI). 2006. IT Control Objectives for Sarbanes-Oxley. Available at: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables?Pages/IT-Control-Objectives-for-Sarbanes-Oxley-2nd-Edition.aspx.
22. Kaarst-Brown, M., and S. Kelly. 2005. IT Governance and Sarbanes-Oxley: The Latest Sales Pitch or Real Challenges for the IT Function? Paper read at Proceedings of the 38th Hawaii International Conference on Systems Sciences, at IEEE.
23. Klamm, B., and M. Weidenmier-Watson. 2009. SOX 404 reported internal control weaknesses: A test of COSO framework components and information technology. Journal of Information Systems (Fall): 1-23.
24. Lazarides, T. 2007. Comply! Resistance is futile. Information Management & Computer Security 15 (5): 339-349.
25. Leskela, L., and D. Logan. 2003. Sarbanes-Oxley Compliance Demands IS Involvement. Stamford, CT: Gartner. Available at: http://www.gartner.com/resources/117800/117873/117873.pdf.
26. Linkous, J. 2008. Puzzle pieces: The relationship between SOX, COSO, and COBIT. Available at: http://eiqviews.wordpress.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/.
27. Ma, Q., A. Johnston, and M. Pearson. 2008. Information security management objectives and practices: A parsimonious framework. Information Management & Computer Security 16 (3): 251-270.
28. McCuaig, B. 2006. The ABCs of reporting on controls. Internal Auditor (October): 35-39.
29. Mock, T. J., L. Sun, R. Srivastava, and M. Vasarhelyl. 2009. An evidential reasoning approach to Sarbanes-Oxley mandated internal control risk assessment. International Journal of Accounting Information Systems 10 (2): 65-78.
30. National Institute of Standards and Technology. 2007. Criteria for Performance Excellence. Gaithersburg, MD: National Institute of Standards and Technology.
31. Praxiom Research Group Limited. 2008. ISO IEC 27002 2005 Introduction. Edmonton, Canada: Praxiom Research Group Limited. Available at: http://www.praxiom.com/iso-17799-intro.htm.
32. Richardson, R. 2008. 2008 CSI Computer Crime & Security Survey. New York, NY: Computer Security Institute. http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf.
33. Tang, J. 2008. The implementation of Deming's System Model to improve security management: A case study. International Journal of Management 25 (1): 54-68.
34. United States Code. 2008. Public Printing and Documents: Definitions. Title 44, Section 3552. Washington, D.C.: United States Code.
35. U.S. House of Representatives, Committee on Financial Services. 2002. Sarbanes-Oxley Act of 2002. Public Law No. 107-204. Washington, D.C.: Government Printing Office.
36. U.S. Small Business Administration. 2006. Table of Small Business Size Standards. Washington, D.C.: U.S. Small Business Administration.
37. von Solms, B. 2005. Information security governance: COBIT or ISO 17799 or both? Computers & Security 24: 99-104.
38. Weidenmier, M., and S. Ramamoorti. 2006. Research opportunities in information technology and internal auditing. Journal of Information Systems 20 (1): 205-219.