For systems of record that track money or other vital assets, established IT governance and service-management frameworks such as COBIT or ITIL are likely to provide a good control model.
SOX does not itself mandate any particular cybersecurity framework; the internal-control requirements of Section 404 are in practice audited against IT control frameworks such as COBIT (ITIL being a service-management framework rather than a security one), yet public companies still suffer a steady stream of successful breaches.
Although every major security framework, from COBIT to ITIL to ISO/IEC 27001, calls for vulnerability scanning, and PCI DSS explicitly requires it, most organizations still scan on an ad-hoc basis, if at all.
For example, there are 189 ISO standards for information security, the National Institute of Standards and Technology (NIST) has produced a full set of world-class materials on information security, and the Information Systems Audit and Control Association (ISACA) has developed its own best-practice framework, the Control Objectives for Information and Related Technology (COBIT).