Security Manager's Journal: End of year brings SOX, deadlines and layoffs
A busy year ends even busier as our manager works with the outside SOX auditors and tackles security reviews for several projects
Computerworld - The end of the year was busy for me and my team. Already swamped with Sarbanes-Oxley audit activities and end-of-year project deadlines, we had even more security work come our way after a new round of layoffs.
Over the last couple of months of the year, I had to spend almost all my time with our third-party SOX auditors, poring over the year's records on various security-related things we're supposed to be doing. For the most part, we have been pretty good about keeping up with our SOX obligations, despite numerous challenges and competing priorities that I've written about over the course of this year.
But I have to ask myself what value our shareholders really get out of SOX. The controls don't seem to have much to do with protecting the accuracy of our financial reports, which is what SOX is supposed to be all about. A huge amount of work is generated by the nitpicky SOX process, which sucks up resources needed by both me and my organization, and those outside auditors sure aren't cheap. So, what's the return? Based on our experience, I have to imagine that SOX is costing American companies millions (or maybe billions) of dollars that could be going into more productive endeavors. My colleagues at other companies seem to think the same thing. Some go so far as to say that SOX is a waste of time. Personally, I think there is some value in having oversight into security processes, but I can't help wondering what the return on investment is.
OK, rant over.
While most of my time was being taken up by SOX matters, other business projects didn't seem to slow down at all. I've been working long hours just trying to keep the backlog down, but new projects keep cropping up. It's the end of the year, and it seems as if everybody is rushing to meet deadlines. Some of these projects are pretty big too, and they need serious security review. In some cases, we're signing up with outside services and websites for software-as-a-service applications, and some of those applications would handle financial or other confidential information. In every case, I want to do a thorough review of the vendor's security posture. And I try to drive all applications to our Active Directory for user authentication, which can be a challenge. So I have a professional stake in staying ahead of these projects. But my staff has become practically nonexistent, so it's nearly impossible to keep up.
The layoffs that hit us during this time not only decimated our staff resources, but also highlighted some security holes to add to my to-do list. For example, it turns out that if employees set up an Exchange email forwarding rule, it continues to function even after their account is disabled. That means their email continues to get forwarded to their personal webmail account after they're no longer here. And my Exchange administrator tells me there's no way to find and shut down those rules without opening each mailbox individually, by hand. On top of that, our Windows desktops and laptops all have a built-in administrator account that gives full access, and the password hasn't been changed in years. I got our desktop team to take care of that by setting a group policy to change the password. I found several other holes as well, but staying on top of that while doing everything else seems impossible. And after the layoffs, there's not going to be any budget for hiring additional staff in 2012.
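The Exchange Management Shell exposes each mailbox's rules through Get-InboxRule, so the sweep for leftover forwarding rules can be scripted rather than done mailbox by mailbox. The script below is an added example written for this page, not code from the column or from Microsoft. It assumes a shell already connected to Exchange (on-premises EMS or a remote session) with rights to read mailboxes and inbox rules, and it treats the hypothetical $InternalDomains list as your accepted domains; everything else is flagged as external. It reports only unless -Disable is given.

```powershell
# Added example, not code from the column. Lists inbox rules and mailbox-level
# forwarding on disabled accounts, so mail of departed users stops leaving.
# Assumes an Exchange Management Shell (or remote PowerShell session) with
# rights to run Get-Mailbox, Get-User, Get-InboxRule and Disable-InboxRule.
# $InternalDomains is an assumption: replace it with your accepted domains.
param(
    [string[]] $InternalDomains = @('example.com'),
    [switch]   $Disable   # report only unless -Disable is given
)

function Get-AddressDomain {
    param([string] $Recipient)
    # Recipients render as "Display Name [SMTP:user@domain]", "smtp:user@domain"
    # or a bare address; pull out the address part and return its domain.
    $addr = if ($Recipient -match '(?i)SMTP:([^\]\s]+)') { $Matches[1] } else { $Recipient }
    return ($addr -split '@')[-1].ToLowerInvariant()
}

function Test-ExternalRecipient {
    param([string[]] $Recipients)
    foreach ($r in $Recipients) {
        if ($InternalDomains -notcontains (Get-AddressDomain $r)) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Only disabled accounts are in scope here; drop this test to audit everyone.
    $user = Get-User -Identity $mbx.Identity
    if (-not $user.AccountDisabled) { continue }

    # Forwarding configured on the mailbox itself (admin-set or via OWA options).
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $smtpFwd = "$($mbx.ForwardingSmtpAddress)"
        $findings.Add([pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Kind     = 'MailboxForwarding'
            Rule     = '-'
            Enabled  = $true
            External = ($smtpFwd -ne '') -and (Test-ExternalRecipient @($smtpFwd))
            Targets  = (@($smtpFwd, "$($mbx.ForwardingAddress)") -ne '') -join ' '
        })
    }

    # User-created inbox rules: forward, forward-as-attachment and redirect.
    foreach ($rule in @(Get-InboxRule -Mailbox $mbx.Identity)) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                     Where-Object { $_ } | ForEach-Object { "$_" })
        if ($targets.Count -eq 0) { continue }   # rule does not forward anywhere
        $findings.Add([pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Kind     = 'InboxRule'
            Rule     = $rule.Name
            Enabled  = $rule.Enabled
            External = Test-ExternalRecipient $targets
            Targets  = $targets -join ' '
        })
        if ($Disable -and $rule.Enabled) {
            Disable-InboxRule -Mailbox $mbx.Identity -Identity $rule.Identity -Confirm:$false
        }
    }
}

# External forwards on disabled accounts come first in the listing.
$findings | Sort-Object External, Mailbox -Descending | Format-Table -AutoSize
```

Run it as a script, for example `.\Find-DepartedForwarding.ps1 -InternalDomains corp.example`, review the table, then rerun with -Disable once the findings are understood. Two related checks: the same sweep with the AccountDisabled test removed shows forwarding on active accounts, which is how mailbox exfiltration after a credential compromise usually looks; and `Set-RemoteDomain Default -AutoForwardEnabled $false` blocks automatic forwarding to external domains at the transport layer regardless of any rule, at the cost of breaking legitimate external auto-forwards for everyone. On the built-in Administrator password: if the group policy mentioned above sets it through Group Policy Preferences, the password sits in SYSVOL encrypted with a key Microsoft published, and MS14-025 removed that capability; LAPS is the supported way to give each machine its own randomized local administrator password.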
I generally like to end the year on a positive note. But that just seems to keep getting more difficult every year.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.