Security Manager's Journal: End of year brings SOX, deadlines and layoffs
A busy year ends even busier as our manager works with the outside SOX auditors and tackles security reviews for several projects
Computerworld - The end of the year was busy for me and my team. Already swamped with Sarbanes-Oxley audit activities and end-of-year project deadlines, we found even more security work coming our way after a new round of layoffs.
Over the last couple of months of the year, I had to spend almost all my time with our third-party SOX auditors, poring over the year's records on various security-related things we're supposed to be doing. For the most part, we have been pretty good about keeping up with our SOX obligations, despite numerous challenges and competing priorities that I've written about over the course of this year.
But I have to ask myself what value our shareholders really get out of SOX. The controls don't seem to have much to do with protecting the accuracy of our financial reports, which is what SOX is supposed to be all about. A huge amount of work is generated by the nitpicky SOX process, which sucks up resources needed by both me and my organization, and those outside auditors sure aren't cheap. So, what's the return? Based on our experience, I have to imagine that SOX is costing American companies millions (or maybe billions) of dollars that could be going into more productive endeavors. My colleagues at other companies seem to think the same thing. Some go so far as to say that SOX is a waste of time. Personally, I think there is some value in having oversight into security processes, but I can't help wondering what the return on investment is.
OK, rant over.
While most of my time was being taken up by SOX matters, other business projects didn't seem to slow down at all. I've been working long hours just trying to keep the backlog down, but new projects keep cropping up. It's the end of the year, and it seems as if everybody is rushing to meet deadlines. Some of these projects are pretty big too, and they need serious security review. In some cases, we're signing up with outside services and websites for software-as-a-service applications, and some of those applications would handle financial or other confidential information. In every case, I want to do a thorough review of the vendor's security posture. And I try to drive all applications to our Active Directory for user authentication, which can be a challenge. So I have a professional stake in staying ahead of these projects. But my staff has become practically nonexistent, so it's nearly impossible to keep up.
The layoffs that hit us during this time not only decimated our staff resources, but also highlighted some security holes to add to my to-do list. For example, it turns out that if employees set up an Exchange email forwarding rule, it continues to function even after their account is disabled. That means their email continues to get forwarded to their personal webmail account after they're no longer here. And my Exchange administrator tells me there's no way to find and shut down those rules without opening each mailbox individually, by hand. On top of that, our Windows desktops and laptops all have a built-in administrator account that gives full access, and the password hasn't been changed in years. I got our desktop team to take care of that by setting a group policy to change the password. I found several other holes as well, but staying on top of that while doing everything else seems impossible. And after the layoffs, there's not going to be any budget for hiring additional staff in 2012.
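One way to inventory forwarding across every mailbox from the Exchange Management Shell, without opening each one by hand. This is an added example, not code from the column or its author; it assumes Exchange 2010 or later (where Get-Mailbox and Get-InboxRule exist), an account permitted to read other users' inbox rules, and uses example.com as a placeholder for the internal domain.

```powershell
# Added example: report inbox rules and mailbox properties that forward or redirect
# mail, across all mailboxes (including those whose AD account has been disabled,
# since a disabled account does not remove the mailbox or its rules).
# Assumes an Exchange Management Shell session (Exchange 2010+) and suitable RBAC rights.
$InternalDomain = 'example.com'   # placeholder: replace with your accepted domain

# Matches an SMTP target whose domain is not ours, e.g. "John [SMTP:john@webmail.test]"
$externalPattern = 'SMTP:[^\]\s]*@(?!' + [regex]::Escape($InternalDomain) + ')'

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # Mailbox-level forwarding set as a property rather than as a rule
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $t = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Source   = 'MailboxProperty'
            RuleName = $null
            Targets  = $t
            Enabled  = $true
            External = ($t -match $externalPattern)
        }
    }

    # User-created inbox rules with a forward, forward-as-attachment or redirect action
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @( (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
                      Where-Object { $_ } )
        if ($targets.Count -gt 0) {
            $t = ($targets -join '; ')
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = 'InboxRule'
                RuleName = $rule.Name
                Targets  = $t
                Enabled  = $rule.Enabled
                External = ($t -match $externalPattern)
            }
        }
    }
}

# Rules pointing outside the organization are the case described above; review these first
$report | Where-Object { $_.External } | Sort-Object Mailbox | Format-Table -AutoSize
$report | Export-Csv -Path .\forwarding-inventory.csv -NoTypeInformation
```

Once a rule on a departed employee's mailbox is confirmed, Disable-InboxRule or Remove-InboxRule with the same -Mailbox and the rule's Identity shuts it down without logging into the mailbox.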
I generally like to end the year on a positive note. But that just seems to keep getting more difficult every year.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.