Home
News
E-mail Newsletters
Blogs
Tech Dispenser
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Print Subscriptions

Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Sarbanes-Oxley trumps IM at some firms

Concerns about security, archiving prompt companies to unplug instant messaging systems
Thomas Hoffman   Today’s Top Stories    or  Other Legislation/Regulation Stories  
 

Sign up to receive Security Resource Alerts

August 08, 2005 (Computerworld) -- In another case of fallout from the passage of the Sarbanes-Oxley Act, some companies are disabling their instant messaging systems because of concerns that the technology's security and archival controls aren't strong enough to comply with the law, according to IT executives, lawyers and auditors interviewed last week.
Section 302 of Sarbanes-Oxley requires CEOs and chief financial officers to certify that their companies have established internal controls and are regularly evaluating the effectiveness of the control measures. Although vendors such as FaceTime Communications Inc. and IMlogic Inc. offer tools for storing messaging traffic and protecting against malware, users like Jefferson Wells International Inc. are erring on the side of caution by simply unplugging their IM systems.
Jefferson Wells disconnected its MSN Messenger system because of concerns that the company wouldn't be able to detect software viruses embedded in messages, said Scott Robertson, manager of corporate IT operations at the Brookfield, Wis.-based provider of technology risk management and other professional services.
"We never had the comfort level that we could scan instant messages appropriately," Robertson said. Another factor that contributed to the decision to disable the IM system last year is that many of the company's employees work at client locations, he added. Executives from Jefferson Wells didn't want to run the risk of having a virus or worm infect a customer's network.
Jefferson Wells is a subsidiary of Manpower Inc. The decision to unplug IM was made as part of the unit's evaluation of whether its IT controls met the provisions of Sarbanes-Oxley, said John Rostern, New York-based director of technology risk management at Jefferson Wells.
Since the system was disabled, the company's IT staff hasn't bothered to evaluate the available IM security tools because it isn't being pushed by workers to re-establish IM, Robertson said.
Steve Ross, a director at Deloitte & Touche LLP in New York and a past president of the Information Systems Audit and Control Association, said he knows of two Deloitte clients that have disabled their IM systems because of Sarbanes-Oxley concerns. Ross declined to identify the companies, saying only that one is a services company in the southern U.S. and the other is a large New York-based insurer.
Other corporate users are taking steps to strengthen the data security and archiving capabilities of their IM systems in order to satisfy Sarbanes-Oxley's requirements.
For example, Chevron Corp. is moving to block outside connections to an IM system used within one of its operating units, said Jay White, global information protection architect at the San Ramon, Calif.-based energy company. The expanded effort follows the adoption in June 2003 of controls for maintaining audit records and reducing security risks on the IM system.
"We manage our own IM system internally on our WAN, but the external connections have presented security [issues]," added White, who declined to identify the business unit involved.
Some observers contended that companies are overreacting to Sarbanes-Oxley by disabling IM. "You can't control a phone call, so I don't see what the difference is between IM and a phone call," said Diana McKenzie, chairwoman of the IT group at Chicago-based law firm Neal Gerber Eisenberg LLP. "To me, it's not logical."
Greg Hedges, managing director of technology risk at Protiviti Inc., a Menlo Park, Calif.-based company that provides internal auditing and business-risk consulting services, said some companies have disconnected IM systems under the pretense of complying with Sarbanes-Oxley instead of justifying those actions for business purposes.
"Sarbanes-Oxley is a wonderful vehicle for taking things out of people's hands," said Hedges, who added that some companies have applied the same rationale for disconnecting wireless systems.
But Ross said that viruses embedded in instant messages could cripple networks. "Given that [corporate] management feels the necessary controls haven't been implemented or can't be," he said, "unplugging instant messaging wouldn't be overkill."




Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story

Blogs

"Let's face it, the energy IT can save through green technology for society is modest. But that doesn't mean it..." Read more...
"Earthlink partnership with Philly crashes and burns, defeated by mocha lattes and Big Macs..." Read more...
Read more Government & Regulation posts or See all Blogs

HP confirms XP SP3 endless reboot snafu, promises patch
Microsoft pulls Windows Home Server backup feature
Yahoo tells Icahn that its own board knows best
More top stories...
Tools circulate that crack Debian, Ubuntu keys
Elgan: Hyperconnectivity: Friend or foe?
Former Microsoft manager offers free fix for XP SP3 'endless reboot'

Shuttle Columbia's hard drive data recovered from crash site
Specialists have retrieved about 99% of the data on a disk drive on board the crashed space shuttle Columbia. Don't miss the photographs of the recovered drive.
The top 15 vaporware products of all time
These big ideas were supposed to revolutionize technology, but they never actually appeared. In a few cases, you'll be glad they didn't.
Opinion: Malware vs. anti-malware, 20 years into the fray
Nearly 20 years after the first Internet worm, Steven J. Vaughan-Nichols takes stock of the malware/anti-malware landscape and spotlights how the two sides are approaching the battle.
Leopard at six months: Does it live up to the early hype?
Though some thought it was released too soon, Mac OS X 10.5 has matured into a solid operating system, says reviewer Michael DeAgonia.

FROM THE BLOGOSPHERE

Windows Vista A to Z
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
IT Careers 2010
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Enterprise-Class Security Zone
Enterprise Solutions Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
The Data Center Management Zone


Ads by TechWords

See your link here
Computerworld Report: Storage Gets Strategic
Download this Computerworld Report, free, compliments of HP.
(Source: Computerworld) Data Storage has emerged from the back room to become a key part of regulatory compliance, disaster recovery and strategic tecnhology plans. Learn more in this new this Computerworld report, a $49.95 value, available free for a limited time, compliments of HP.
Download this executive briefing download
Long Tail Supplier Collaboration - What's In It For You?
Long Tail Supplier Collaboration - What's In It For You?
Download this webcast, free, compliments of Sterling Commerce
Go to the webcast 
Developing FIPS 140-validated Solutions for the Federal Government Using RSA BSAFE Software
Get this white paper!
(Source: RSA) The U.S. House of Representatives' Committee on Government Reform recently released the 2005 edition of its Federal Information Security Management Act (FISMA) report card. Unfortunately, the news was not good. The 25 major government agencies reported 15% of the IT systems remained uncertified/unaccredited while 6 agencies lacked effective corrective action plans, illustrating little improvement in the level of information security for government agencies compared to previous reports. Government agencies at all levels are entrusted with sensitive information about citizens, military personnel and others. As is the case with private industry, breaches of that information can create a public relations debacle and end up costing dearly-not just monetarily, but in public trust. Defense, security and diplomatic agencies are entrusted with even more sensitive information, which, in the wrong hands, could threaten national and international security.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Extended Validation SSL Certificates
Securing your Online Data Transfer with SSL
Discover the Secret to Secure Remote Access: GoToMyPC Corporate Security White Paper
View more whitepapers 

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDG Connect IDG World Expo Infoworld
The Industry Standard ITworld JavaWorld LinuxWorld MacUser Macworld Network World PC World Playlist
Copyright © 2008 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.