IT departments have long followed frameworks provided by NIST, SANS and ISO. Boards and CFOs, at least at public companies, are now mindful of the COSO framework to assess internal controls – a cornerstone of Sarbanes-Oxley – that was changed in 2013 to put an emphasis on technology controls. CFOs, controllers, internal and external auditors, risk managers, and even a Board's audit committee members are now obliged to ensure that companies achieve a substantially higher standard of housekeeping when it comes to the management of technology. For example, when an organization gets hit with a security breach, what does that say about the controls it had over data, arguably its most important asset? Considering the liabilities CEOs and CFOs face each time they sign their Section 404/302 certifications, the stakes for compliance have never been higher.