For systems of record that track money or other vital assets, it is likely that established management methods such as ITIL or COBIT provide a good model.
The only section of SOX that touches on cybersecurity mandates the use of a cybersecurity framework such as ITIL or COBIT, yet public companies are still suffering constant successful breaches.
Although every security framework from COBIT to ITIL to ISO calls for vulnerability scanning, and PCI DSS explicitly requires it, most organizations still perform it on an ad hoc basis, if at all.