Computerworld - We're just finishing up the integration of an acquisition's poorly secured IT infrastructure into our information systems. We've disabled almost all external access to its network, except for two services.
The first is a virtual private network tunnel to allow employees to continue accessing the acquired firm's software development environment. The other service is the firm's file transfer protocol server, which we'll keep until we can migrate its content to our own FTP server. By the end of the week, my team and I hope to have all critical information and services migrated so we can shut down the other company's offices.
Now I can turn my attention back to our ongoing Sarbanes-Oxley Act compliance audit. Meeting this law's financial accounting and reporting requirements is the No. 1 priority of our executive staff -- and that's a great enforcement mechanism. Nobody wants to be responsible for the audit's failure, so people usually bend over backward to accommodate my requests once I say the magic words: "This is for the upcoming Sarbanes-Oxley audit."
I've completed a security standards document and am now assigning ownership of the 90 or so standards it contains to the appropriate functional units in the company.
For example, I developed several standards for data backup. Now I must ensure that the data center manager, who is responsible for our backup infrastructure, can prove that we comply with those standards.
The compliance-checking process is too time-consuming for me to accomplish alone, so I plan to assign compliance efforts to others in my department. There are many areas in which we don't meet requirements, but that's OK because the standards document can help us expedite compliance.
I've started regular meetings with our IT auditor, who has been concentrating on identifying what he calls "key controls." Sarbanes-Oxley requires us to create a "credible body of evidence" that attests to what we say we're doing. That evidence includes statements and documentation demonstrating that we're in compliance with our identified controls.
For example, if you process credit card information as we do and your policy states that you store credit card data in an encrypted field in an Oracle database, showing the auditor a copy of that policy isn't enough. You might need to run a script on the Oracle database that prints out the database fields with associated security controls. If you run this script on a daily or weekly basis and can show that the database administrator is regularly reviewing the reports, that's an acceptable control.
In a large company
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
