While I was preparing a speech about the influence of national and international laws on the content and design of GRC tools, I did some research and tried to find all the laws and regulations that you need to follow when you run your business.
I started with SOX section 404 (we all know it well), moved on to J-SOX and EuroSOX, and then to the national laws of Germany such as the Abgabenordnung (AO), which is part of the Handelsgesetzbuch (HGB)… it was quite interesting to read all those modern sections detailing the traditional laws. Well, I continued and looked into the German data protection law, the “Bundesdatenschutzgesetz”, followed by some research on the German corporate governance law KonTraG (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich).
If you then start to look into specific regulations for industrial sectors, you will find many, many more – a very prominent one is Basel II for the banking sector, which regulates which risks a bank should take and which ones are too dangerous because they would burn the substance (equity quotes).
After browsing through the German BSI IT-Grundschutz (equivalent to ISO 27001), I thought it could be pretty simple… I had three letters in my mind – guess which ones they could be?
Nothing changed over all the years in which those laws were published and evolved. It is all about handling the complexity of more and more information and data that is handled in your IT systems.
In the end, the essence of all those laws is about establishing transparency by building up an Internal Control System. And here the Segregation of Duties concept pops in – a control system means that you need to establish SoD checks, and no one should be able to have power over a full business process. It is all about SoD – nothing more, nothing less…