Security Manager's Journal: End of year brings SOX, deadlines and layoffs
A busy year ends even busier as our manager works with the outside SOX auditors and tackles security reviews for several projects
Computerworld - The end of the year was busy for me and my team. Already swamped with Sarbanes-Oxley audit activities and end-of-year project deadlines, we had even more security work come our way after a new round of layoffs.
Over the last couple of months of the year, I had to spend almost all my time with our third-party SOX auditors, poring over the year's records on various security-related things we're supposed to be doing. For the most part, we have been pretty good about keeping up with our SOX obligations, despite numerous challenges and competing priorities that I've written about over the course of this year.
But I have to ask myself what value our shareholders really get out of SOX. The controls don't seem to have much to do with protecting the accuracy of our financial reports, which is what SOX is supposed to be all about. A huge amount of work is generated by the nitpicky SOX process, which sucks up resources needed by both me and my organization, and those outside auditors sure aren't cheap. So, what's the return? Based on our experience, I have to imagine that SOX is costing American companies millions (or maybe billions) of dollars that could be going into more productive endeavors. My colleagues at other companies seem to think the same thing. Some go so far as to say that SOX is a waste of time. Personally, I think there is some value in having oversight into security processes, but I can't help wondering what the return on investment is.
OK, rant over.
While most of my time was being taken up by SOX matters, other business projects didn't seem to slow down at all. I've been working long hours just trying to keep the backlog down, but new projects keep cropping up. It's the end of the year, and it seems as if everybody is rushing to meet deadlines. Some of these projects are pretty big too, and they need serious security review. In some cases, we're signing up with outside services and websites for software-as-a-service applications, and some of those applications would handle financial or other confidential information. In every case, I want to do a thorough review of the vendor's security posture. And I try to drive all applications to our Active Directory for user authentication, which can be a challenge. So I have a professional stake in staying ahead of these projects. But my staff has become practically nonexistent, so it's nearly impossible to keep up.
The layoffs that hit us during this time not only decimated our staff resources, but also highlighted some security holes to add to my to-do list. For example, it turns out that if employees set up an Exchange email forwarding rule, it continues to function even after their account is disabled. That means their email continues to get forwarded to their personal webmail account after they're no longer here. And my Exchange administrator tells me there's no way to find and shut down those rules without opening each mailbox individually, by hand. On top of that, our Windows desktops and laptops all have a built-in administrator account that gives full access, and the password hasn't been changed in years. I got our desktop team to take care of that by setting a group policy to change the password. I found several other holes as well, but staying on top of that while doing everything else seems impossible. And after the layoffs, there's not going to be any budget for hiring additional staff in 2012.
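One way an Exchange administrator can inventory forwarding and redirect rules across every mailbox without opening each one by hand, and optionally disable them, is shown here as an added example; it is not code from the column or its author. It assumes an on-premises Exchange Management Shell session with rights to read all mailboxes (the Get-Mailbox, Get-InboxRule, Get-User and Disable-InboxRule cmdlets), and the mail domain example.com is a placeholder for your own.

```powershell
# Added example (not from the column): list Inbox rules that forward or redirect
# mail, for every mailbox, flagging disabled accounts and external targets.
# Assumes an on-premises Exchange Management Shell with rights to all mailboxes.
param(
    [string]$InternalDomain = 'example.com',   # placeholder: your own mail domain
    [switch]$OnlyDisabledAccounts,             # report only disabled AD accounts
    [switch]$Remediate                         # disable every forwarding rule found
)

$findings = @()
foreach ($mb in Get-Mailbox -ResultSize Unlimited) {
    # The AD account state is exposed through Get-User's UserAccountControl value
    $user = Get-User -Identity $mb.Identity
    $accountDisabled = ($user.UserAccountControl -match 'AccountDisabled')
    if ($OnlyDisabledAccounts -and -not $accountDisabled) { continue }

    # Mailbox-level forwarding (set by an admin) is separate from user Inbox rules
    if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mb.PrimarySmtpAddress; Disabled = $accountDisabled
            Rule = '(mailbox forwarding)'
            Target = "$($mb.ForwardingSmtpAddress)$($mb.ForwardingAddress)"; External = $false
        }
    }

    foreach ($rule in Get-InboxRule -Mailbox $mb.Identity) {
        $targets = @((@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
            Where-Object { $_ })
        if (-not $targets) { continue }
        # External recipients render as 'addr [SMTP:addr]'; internal ones carry an EX: legacy DN
        $external = ($targets -join ';') -match "SMTP:[^\]]+@(?!$([regex]::Escape($InternalDomain)))"
        $findings += [pscustomobject]@{
            Mailbox = $mb.PrimarySmtpAddress; Disabled = $accountDisabled
            Rule = $rule.Name; Target = ($targets -join ';'); External = $external
        }
        if ($Remediate -and $rule.Enabled) {
            # Disabling rather than deleting keeps the rule available as evidence
            Disable-InboxRule -Identity $rule.Identity -Mailbox $mb.Identity -Confirm:$false
        }
    }
}

# Disabled accounts and external targets float to the top of the report
$findings | Sort-Object Disabled, External -Descending | Format-Table -AutoSize
```

Run it first without -Remediate to review the report; disabling rules on mailboxes of current employees should be a decision made with them, not a blanket action.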
I generally like to end the year on a positive note. But that just seems to keep getting more difficult every year.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.