Why network security should go further than Sarbanes-Oxley

Computerworld - There is one good thing about the Sarbanes-Oxley Act: It's a step in the right direction toward getting companies to close the gap between actual behavior and corporate policy. While this ambitious initiative is intended to restore the public's confidence in corporate governance, there is little guidance that is useful to CIOs and their staffs. This initiative is subject to such broad interpretation as to make its implementation and enforcement in the IT world a nightmare.
For IT executives, the most significant section of Sarbanes-Oxley compliance projects, as well as one of its weakest links, is Section 404, regarding certification of internal controls. Section 404 requires companies to perform a self-assessment of risks for business processes that affect financial reporting. Because these processes and internal controls are implemented principally in IT systems, Section 404 audits involve a detailed assessment of these systems. As a CEO of an information security software company, I find this section particularly relevant to my business, since process changes to meet compliance must be documented and implemented by an organization's information security department.
In other words, CEOs and chief financial officers who are signing off on the validity of data must be sure that the systems maintaining that data are secure. If their systems aren't secure, then their internal controls are questionable and those executives could face criminal penalties if a breach is detected. Perhaps this presents another good thing about the Sarbanes-Oxley Act: Security technology is no longer just an IT matter; it's an organizational and an integrity issue to be reckoned with at the executive level.
Ensuring network integrity
Because most organizations rely extensively on the use of technology for financial and other kinds of reporting and because they are increasingly dependent on the open IP network to do business with suppliers, customers and partners, an entirely new category of accountability and best practices is necessary to address Sarbanes-Oxley specifically and the growing concern over network security in general. If enterprises are to be held accountable, they need to ensure the integrity of their use of the open IP network, which is significantly vulnerable today. Slammer and SoBig are proof of that.
Ensuring network integrity requires much more than reports and assessments, which is as far as the Sarbanes-Oxley Act goes. It requires an infrastructure that supports enforceable policies and best practices to ensure compliance, an infrastructure with much deeper guidelines and better, clearer definitions of best practices for specific industries such as banking and insurance.
How do you measure risk in a company's IT system?
The challenge is that while Sarbanes-Oxley tries to put policies and mechanisms in place to capture and quantify the risk of organizations' internal operations, no one has managed to capture the risk of his company's internal IT system. For example, the insurance industry has actuaries who compute insurance risks and premiums based on vast quantities of data relating to weather patterns, health, age and many more factors that help them capture how much risk they're taking on with each insurance premium. The financial and accounting industries also have a litany of controls, definitions and guidelines for conducting business according to best practices, which have evolved over many years.
Comparatively speaking, our use of an open IP network and the guidelines built around it is in an embryonic state today. It's therefore absolutely critical that we get the evolution of this system on the fast track. Companies need to have mechanisms in place that enforce safe user behavior and verify that people are doing the right things on the network. From a security perspective, I'm particularly concerned with addressing and enforcing a specific set of conditions associated with policy and compliance -- required fundamentals that will provide the necessary infrastructure for Sarbanes-Oxley to have meaning.
For example, even after a user is authenticated and control mechanisms are put in place for that user's permitted access, what about the integrity of the device itself? When a new device, such as a server, a notebook or a PC, joins your network, is there a way, in real time, to check the integrity of that endpoint before it's given unfettered access to your network resources? Is antivirus software on and up to date? Is a personal firewall installed and configured according to corporate policy? Are all patches installed and up to date? Are network-access security policies based on user location (for example, home or kiosk)? These are the sorts of tangible controls that build an infrastructure for ensuring network integrity and prevent corruption by SoBig, Blaster or the next worm and are necessary on an IT level to make Sarbanes-Oxley effective.
Compliance with company security policies

1 2 3 Next » Recommend Digg Twitter ShareThis Email Print Send Feedback Reprints Jump to comments Security Additional Resources Xerox Win a color printer! By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer! Microsoft Upgrade to Internet Explorer 8 today. Save time and mitigate security risk. Deploy it now. Sybase NEXT-GENERATION MOBILITY PLATFORMS In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions. Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase. White Papers & Webcasts Share our Strength Download Now   Lower the Cost and Complexity of a Mobile Workforce through Automation Download This Resource Now! Top 10 Things to Know about Data Protection Download Now   Managing Mobility: Improve Data Security, Compliance and Manageability Download This Resource Now! Top 10 Actions a CIO Can Take to Prepare for a Hurricane Download Now   Managing Secure File Transfer to Save Time, Money and IT Resources Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with... Ponemon Study: The Business Risk of a Lost Laptop Download Now   Security Convergence Equals Network Security Cost Savings Listen to IBM Internet Security Systems' take on network security convergence. Airport Insecurity: The Case of Lost Laptops Download Now   Disaster Recovery 2008: Reduced Costs and Improved Performance How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this... All White Papers | All Webcasts Computerworld Reports 8 Questions To Ask About Your Intrusion-Security Solution Computerworld Technology Briefings IT Service Management Computerworld Briefing - Analytics: The Art and Science of Better All Computerworld Reports Sign up to receive updates on the latest Security resources   White Papers Share our Strength Top 10 Actions a CIO Can Take to Prepare for a Hurricane Airport Insecurity: The Case of Lost Laptops Optimizing Information Insight: How to Make Fast, Reliable Decisions Based on Consolidated Information Encompassing All Your Data Retooling IT for a Mobile Workforce: The Importance of Automation The Forrester Wave™: Web Filtering, Q2 2009 PCI DSS Compliance in the UNIX/Linux Datacenter Environment A Process-based Approach to Protecting Privileged Accounts & Meeting Regulatory Compliance From Trust to Process: Closing the Risk Gap in Privileged Access Control Can Heuristic Technology Help Your Company Fight Viruses? Top 10 Things to Know about Data Protection Ponemon Study: The Business Risk of a Lost Laptop Mitigating Litigation Risk with Email Management Tools Solving On-premise Email Challenges with On-demand Services Leverage the full power of VMware The Forrester Wave™: Email Filtering, Q2 2009 Privileged Access Lifecycle Management: How PALM Enables Security, Compliance, and Efficiency for Enterprise IT Preventing Data Breaches in Privileged Accounts Using Access Control The State of PCI DSS Compliance at Organizations Today Why Email Must Operate 24/7 and How to Make This Happen Sponsored Links Play NetApp's New Data Defense Game. Return on Information: Google Enterprise Search pays you back. Get the facts. How Do You Rank as an Innovation Leader? Download Recent Study. See how AT&T can help protect your network. 3 Innovations. 3 Free Downloads. Free trials of Windows 7, Windows Server 2008 R2 and Exchange Server 2010. Citrix NetScaler with nCore Outperforms F5 BIG-IP - Learn More 64-page prescriptive guide to security, compliance, and IT operations. Streamline IT Costs. Boost Performance with WAN Optimization Enterprise Network & Server Monitoring Software. Cross over to Traverse... Increase UPS efficiency without sacrificing protection Crystal Reports Server: Single server access to reports & dashboards Create new opportunities. See business making progress now ESET NOD32 with ThreatSense(R) - Get your free trial now! Looking to add Unix/Linux functionality to Windows? Join the conversation about the hottest IT trends with Computerworld on Twitter. ITwhitepapers.com - Access thousands of white papers on 300+ technical topics. Leverage Your Cisco infrastructure for Superior Application Performance Learn about the AMD Virtual Experience Introducing: Project Icebreaker Stay informed with custom newsletters from Tech Dispenser New DW Options and Price Points. View Teradata Platform Family Data Sheet. To get a better view of your entire data center, you need a better vantage point. Improve your vision with Hitachi IT Operations Analyzer - Free 30 day trial Play NetApp's New Data Defense Game. Take the Netezza TwinFin TestDrive! NetScaler VPX : Harness the Power of Virtualized Web App Delivery Get more enterprise mobility value for up to 25% less. Unified Communications: Thoughts, Strategies and Predictions. Join the discussion. NYUs M.S. in Management and Systems. Offered Online and On-site. Crystal Reports Server: More options. Not more money. Parallelism is not just for HPC. Create rich apps from desktop to device. Get the eval. Tolly Performance Report  "Citrix NetScaler with nCore Outperforms F5 BIG-IP" Save up to 61% plus Free Cheesecake Find IT jobs in the Healthcare industry on Dice.com With the NEW KODAK i700 Series Scanners get full speed at 300dpi! Not All QSAs Are Created Equal: What You Should Know Before You Buy The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability The AMD Virtual Experience Virtual Trade Show About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.