The intersection of Sarbanes-Oxley and insider threats

Computerworld - Sarbanes-Oxley Act compliance should not be a distraction to security where the focus is on writing mountains of policies and procedures.

It should, however, be used as a business differentiator, as an enabler for risk management and as a mechanism to use frameworks and certifications to better align business goals and process with security best practices. Nowhere is this more evident than issues surrounding insider threats.

There is a growing trend for information security budgets to be shared between traditional security projects and compliance-related agendas. This makes sense because the consequences of an insider threat, for example, parallel many of the concerns around Sarbanes-Oxley: loss of confidential or intellectual property, exposed sensitive information, damaged or destroyed assets, and severed communications. This can result in legal fees, fines, diminished reputation, loss of customers and of shareholder faith and financial harm. While the focus of this article is specifically on Sarbanes-Oxley, it can also be applied to the European Union's Eighth Directive and Basel II.

A primer on the insider threat

These are threats from within, perpetrated by trusted employees, consultants, partners and temps. Theses individuals may act out of pure malice or for financial gain, and they may commit their crimes in concert with outsiders such as competitors, identity thieves, criminals or organized crime groups. In some organizations, there may even be potential ties to terrorism and nation-state threats; however, in most cases, criminal activity for profit will be the most prevalent motive.

Since these insiders already have access beyond many or all of an organization's safeguards, they can be harder to detect. As an example, it doesn't take a skilled hacker or a great deal of time to plug in an MP3 player and download 25MB of customer data from an organization's intranet.

How to address Sarbanes-Oxley and insider threat simultaneously

This approach will exclusively consider Sarbanes-Oxley and not supporting frameworks. It should be noted that it would be possible to evaluate these strategies within potential frameworks, such as COSO, Cobit, ITIL and ISO/IEC 17799:2005. There are three primary sections within Sarbanes-Oxley that are most relevant; each will be explored individually.

1. Section 302: Corporate responsibility for financial reports

The threat is that these reports may be modified by an unauthorized user. Access to this type of information may be a prime target for an insider with malicious intent. There are several ways to protect this information, including strong authentication, access controls, encryption and file-integrity systems.

However, if you thought your intrusion-prevention system and firewall was chatty, wait until you start pulling operating system, database, application and access-control logs. It can be an absolute flood of data. IT departments need to use all the information produced by these systems by constantly monitoring the various log types. This enables IT departments to filter out false positives and aggregate, correlate and prioritize information so the results can be quickly acted upon and understood. This understanding typically takes the form of graphical dashboards, reports, automated trouble tickets, alerts and real-time remediation tools.