Security Manager's Journal: SOX is out of control
Complying with the act is consuming more and more time and detracting from real security work
Computerworld - In my last column, I talked about how time-consuming SOX compliance is for companies like mine. Unfortunately, it's about to get worse.
For various reasons I won't go into here, the number of Sarbanes-Oxley Act controls we must deal with and the amount of evidence we need to gather is increasing by about 30%, starting this quarter. On top of that, I'm spending a lot of time in meetings reviewing each control, both old and new.
I'm all for anything that improves security, and regulations like SOX seem to be very effective at forcing companies to do the right things. But regulations are a double-edged sword. We've definitely crossed the line of diminishing returns -- we're spending more time documenting our control activities for the benefit of the auditors, and spending more time with the internal and external auditors themselves, than we spend on performing security-enhancing activities like user account review, checking and certifying the security settings of servers, and validating backups. In fact, I would say we're spending at least twice as much time on the audits than we spend on the activities. Our internal audit department has four times the number of people that I have -- and our external auditors resemble a small army. That seems unbalanced, and inefficient. And I'm only dealing with the security-related SOX controls, which are only a fraction of all the SOX controls in my company.
There's got to be a better way. It's reaching the point where SOX compliance is almost all I'll be able to spend my time on -- displacing other, important security activities and the expansion and improvement of our security posture. As I said, I'm in favor of regulations that improve security. They can be effective in getting security the focus and priority it should have. But I'm starting to think SOX is harming us at the same time, because it's overblown and expensive, and it's consuming resources better spent elsewhere.
Part of the problem is that SOX activities tend to be very manual. There's a lot of human effort involved in performing controls, collecting evidence, inputting data into a system of record, reviewing script results and settings (and creating new scripts when new controls are added). And after all that work is done, we spend even more time sitting with the auditors going through it all. Twice. Once with the internal auditors, and again with the external auditors.
I would like to automate some of the work, to cut down on the manual effort. The production of SOX-related data has already been automated (so people don't have to run reports or pull data from systems), but it's hard to see how the rest of the work can be automated. Human review is part of the process, and so is the audit work. I don't know how we can reduce that work effort.
More by J.F. Rice
- Security Manager's Journal: Trapped: Building access controls go kablooey
- Security Manager's Journal: We manage our threats, but what about our vendors?
- Security Manager's Journal: With Heartbleed, suddenly the world is paying attention to security
- Security Manager's Journal: A rush to XP's end of life
- Security Manager's Journal: Security flaw shakes faith in Apple mobile devices
- Security Manager's Journal: Cyberattacks just got personal
- Security Manager's Journal: Target breach unleashes fresh scams
- Security Manager's Journal: Giving thanks for SIEM
- Security Manager's Journal: Hashing out secure applications
- Security Manager's Journal: Why the shutdown is like the cloud
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!