Security Manager's Journal: SOX is out of control
Complying with the act is consuming more and more time and detracting from real security work
Computerworld - In my last column, I talked about how time-consuming SOX compliance is for companies like mine. Unfortunately, it's about to get worse.
For various reasons I won't go into here, the number of Sarbanes-Oxley Act controls we must deal with and the amount of evidence we need to gather is increasing by about 30%, starting this quarter. On top of that, I'm spending a lot of time in meetings reviewing each control, both old and new.
I'm all for anything that improves security, and regulations like SOX seem to be very effective at forcing companies to do the right things. But regulations are a double-edged sword. We've definitely crossed the line of diminishing returns -- we're spending more time documenting our control activities for the benefit of the auditors, and spending more time with the internal and external auditors themselves, than we spend on performing security-enhancing activities like user account review, checking and certifying the security settings of servers, and validating backups. In fact, I would say we're spending at least twice as much time on the audits as we spend on the activities. Our internal audit department has four times the number of people that I have -- and our external auditors resemble a small army. That seems unbalanced, and inefficient. And I'm only dealing with the security-related SOX controls, which are only a fraction of all the SOX controls in my company.
There's got to be a better way. It's reaching the point where SOX compliance is almost all I'll be able to spend my time on -- displacing other, important security activities and the expansion and improvement of our security posture. As I said, I'm in favor of regulations that improve security. They can be effective in getting security the focus and priority it should have. But I'm starting to think SOX is harming us at the same time, because it's overblown and expensive, and it's consuming resources better spent elsewhere.
Part of the problem is that SOX activities tend to be very manual. There's a lot of human effort involved in performing controls, collecting evidence, inputting data into a system of record, reviewing script results and settings (and creating new scripts when new controls are added). And after all that work is done, we spend even more time sitting with the auditors going through it all. Twice. Once with the internal auditors, and again with the external auditors.
I would like to automate some of the work, to cut down on the manual effort. The production of SOX-related data has already been automated (so people don't have to run reports or pull data from systems), but it's hard to see how the rest of the work can be automated. Human review is part of the process, and so is the audit work. I don't know how we can reduce that work effort.