Computerworld - There is one good thing about the Sarbanes-Oxley Act: It's a step in the right direction toward getting companies to close the gap between actual behavior and corporate policy. While this ambitious initiative is intended to restore the public's confidence in corporate governance, there is little guidance that is useful to CIOs and their staffs. This initiative is subject to such broad interpretation as to make its implementation and enforcement in the IT world a nightmare.
For IT executives, the most significant section of Sarbanes-Oxley compliance projects, as well as one of its weakest links, is Section 404, regarding certification of internal controls. Section 404 requires companies to perform a self-assessment of risks for business processes that affect financial reporting. Because these processes and internal controls are implemented principally in IT systems, Section 404 audits involve a detailed assessment of these systems. As a CEO of an information security software company, I find this section particularly relevant to my business, since process changes to meet compliance must be documented and implemented by an organization's information security department.
In other words, CEOs and chief financial officers who are signing off on the validity of data must be sure that the systems maintaining that data are secure. If their systems aren't secure, then their internal controls are questionable and those executives could face criminal penalties if a breach is detected. Perhaps this presents another good thing about the Sarbanes-Oxley Act: Security technology is no longer just an IT matter; it's an organizational and an integrity issue to be reckoned with at the executive level.
Ensuring network integrity
Because most organizations rely extensively on the use of technology for financial and other kinds of reporting and because they are increasingly dependent on the open IP network to do business with suppliers, customers and partners, an entirely new category of accountability and best practices is necessary to address Sarbanes-Oxley specifically and the growing concern over network security in general. If enterprises are to be held accountable, they need to ensure the integrity of their use of the open IP network, which is significantly vulnerable today. Slammer and SoBig are proof of that.
Ensuring network integrity requires much more than reports and assessments, which is as far as the Sarbanes-Oxley Act goes. It requires an infrastructure that supports enforceable policies and best practices to ensure compliance, an infrastructure with much deeper guidelines and better, clearer definitions of best practices for specific industries such as banking and insurance.
How do you measure risk in a company's IT system?
The challenge is that while Sarbanes-Oxley tries to put policies and mechanisms in place to capture and quantify the risk of organizations' internal operations, no one has managed to capture the risk of his company's internal IT system. For example, the insurance industry has actuaries who compute insurance risks and premiums based on vast quantities of data relating to weather patterns, health, age and many more factors that help them capture how much risk they're taking on with each insurance premium. The financial and accounting industries also have a litany of controls, definitions and guidelines for conducting business according to best practices, which have evolved over many years.
Comparatively speaking, our use of an open IP network and the guidelines built around it is in an embryonic state today. It's therefore absolutely critical that we get the evolution of this system on the fast track. Companies need to have mechanisms in place that enforce safe user behavior and verify that people are doing the right things on the network. From a security perspective, I'm particularly concerned with addressing and enforcing a specific set of conditions associated with policy and compliance -- required fundamentals that will provide the necessary infrastructure for Sarbanes-Oxley to have meaning.
For example, even after a user is authenticated and control mechanisms are put in place for that user's permitted access, what about the integrity of the device itself? When a new device, such as a server, a notebook or a PC, joins your network, is there a way, in real time, to check the integrity of that endpoint before it's given unfettered access to your network resources? Is antivirus software on and up to date? Is a personal firewall installed and configured according to corporate policy? Are all patches installed and up to date? Are network-access security policies based on user location (for example, home or kiosk)? These are the sorts of tangible controls that build an infrastructure for ensuring network integrity and prevent corruption by SoBig, Blaster or the next worm and are necessary on an IT level to make Sarbanes-Oxley effective.
Compliance with company security policies
Free Insider Guide