Skip the navigation

Security Manager's Journal: SOX is out of control

Complying with the act is consuming more and more time and detracting from real security work

By J.F. Rice
May 9, 2012 12:27 PM ET

Computerworld - In my last column, I talked about how time-consuming SOX compliance is for companies like mine. Unfortunately, it's about to get worse.

For various reasons I won't go into here, the number of Sarbanes-Oxley Act controls we must deal with and the amount of evidence we need to gather is increasing by about 30%, starting this quarter. On top of that, I'm spending a lot of time in meetings reviewing each control, both old and new.

I'm all for anything that improves security, and regulations like SOX seem to be very effective at forcing companies to do the right things. But regulations are a double-edged sword. We've definitely crossed the line of diminishing returns -- we're spending more time documenting our control activities for the benefit of the auditors, and spending more time with the internal and external auditors themselves, than we spend on performing security-enhancing activities like user account review, checking and certifying the security settings of servers, and validating backups. In fact, I would say we're spending at least twice as much time on the audits than we spend on the activities. Our internal audit department has four times the number of people that I have -- and our external auditors resemble a small army. That seems unbalanced, and inefficient. And I'm only dealing with the security-related SOX controls, which are only a fraction of all the SOX controls in my company.

There's got to be a better way. It's reaching the point where SOX compliance is almost all I'll be able to spend my time on -- displacing other, important security activities and the expansion and improvement of our security posture. As I said, I'm in favor of regulations that improve security. They can be effective in getting security the focus and priority it should have. But I'm starting to think SOX is harming us at the same time, because it's overblown and expensive, and it's consuming resources better spent elsewhere.

Part of the problem is that SOX activities tend to be very manual. There's a lot of human effort involved in performing controls, collecting evidence, inputting data into a system of record, reviewing script results and settings (and creating new scripts when new controls are added). And after all that work is done, we spend even more time sitting with the auditors going through it all. Twice. Once with the internal auditors, and again with the external auditors.

I would like to automate some of the work, to cut down on the manual effort. The production of SOX-related data has already been automated (so people don't have to run reports or pull data from systems), but it's hard to see how the rest of the work can be automated. Human review is part of the process, and so is the audit work. I don't know how we can reduce that work effort.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!