Why network security should go further than Sarbanes-Oxley

Zero Data Loss- Disaster Recovery Live Webinar Computerworld presents a 100% free and online security event today! Why SaaS is Vital to Email and Web Security Certify your Software Integrity with thawte Code Signing Certificates Extended Validation SSL Certificates Securing your Online Data Transfer with SSL Fixing Security Blind Spots Sign up to receive Security Resource Alerts

December 04, 2003 (Computerworld) -- There is one good thing about the Sarbanes-Oxley Act: It's a step in the right direction toward getting companies to close the gap between actual behavior and corporate policy. While this ambitious initiative is intended to restore the public's confidence in corporate governance, there is little guidance that is useful to CIOs and their staffs. This initiative is subject to such broad interpretation as to make its implementation and enforcement in the IT world a nightmare.
For IT executives, the most significant section of Sarbanes-Oxley compliance projects, as well as one of its weakest links, is Section 404, regarding certification of internal controls. Section 404 requires companies to perform a self-assessment of risks for business processes that affect financial reporting. Because these processes and internal controls are implemented principally in IT systems, Section 404 audits involve a detailed assessment of these systems. As a CEO of an information security software company, I find this section particularly relevant to my business, since process changes to meet compliance must be documented and implemented by an organization's information security department.
In other words, CEOs and chief financial officers who are signing off on the validity of data must be sure that the systems maintaining that data are secure. If their systems aren't secure, then their internal controls are questionable and those executives could face criminal penalties if a breach is detected. Perhaps this presents another good thing about the Sarbanes-Oxley Act: Security technology is no longer just an IT matter; it's an organizational and an integrity issue to be reckoned with at the executive level.
Ensuring network integrity
Because most organizations rely extensively on the use of technology for financial and other kinds of reporting and because they are increasingly dependent on the open IP network to do business with suppliers, customers and partners, an entirely new category of accountability and best practices is necessary to address Sarbanes-Oxley specifically and the growing concern over network security in general. If enterprises are to be held accountable, they need to ensure the integrity of their use of the open IP network, which is significantly vulnerable today. Slammer and SoBig are proof of that.
Ensuring network integrity requires much more than reports and assessments, which is as far as the Sarbanes-Oxley Act goes. It requires an infrastructure that supports enforceable policies and best practices to ensure compliance, an infrastructure with much deeper guidelines and better, clearer definitions of best practices for specific industries such as banking and insurance.
How do you measure risk in a company's IT system?
The challenge is that while Sarbanes-Oxley tries to put policies and mechanisms in place to capture and quantify the risk of organizations' internal operations, no one has managed to capture the risk of his company's internal IT system. For example, the insurance industry has actuaries who compute insurance risks and premiums based on vast quantities of data relating to weather patterns, health, age and many more factors that help them capture how much risk they're taking on with each insurance premium. The financial and accounting industries also have a litany of controls, definitions and guidelines for conducting business according to best practices, which have evolved over many years.
Comparatively speaking, our use of an open IP network and the guidelines built around it is in an embryonic state today. It's therefore absolutely critical that we get the evolution of this system on the fast track. Companies need to have mechanisms in place that enforce safe user behavior and verify that people are doing the right things on the network. From a security perspective, I'm particularly concerned with addressing and enforcing a specific set of conditions associated with policy and compliance -- required fundamentals that will provide the necessary infrastructure for Sarbanes-Oxley to have meaning.
For example, even after a user is authenticated and control mechanisms are put in place for that user's permitted access, what about the integrity of the device itself? When a new device, such as a server, a notebook or a PC, joins your network, is there a way, in real time, to check the integrity of that endpoint before it's given unfettered access to your network resources? Is antivirus software on and up to date? Is a personal firewall installed and configured according to corporate policy? Are all patches installed and up to date? Are network-access security policies based on user location (for example, home or kiosk)? These are the sorts of tangible controls that build an infrastructure for ensuring network integrity and prevent corruption by SoBig, Blaster or the next worm and are necessary on an IT level to make Sarbanes-Oxley effective.
Compliance with company security policies

	John De Santis is CEO of Fremont, Calif.-based Sygate Technologies Inc., a provider of enterprise endpoint security solutions.

One question I always ask in the course of doing business is, "Does your IT department know if there is 100% compliance with your security policies?" Eighty percent? Fifty percent? Chances are, IT has no knowledge, representing a dangerous gap between policy and actual practice that must be closed, or organizations will risk the dire consequences of an unsafe network and all that entails, as well as the punitive measures stipulated by Sarbanes-Oxley (huge fines and even jail).
Sarbanes-Oxley is all about reporting, but reporting by itself has little value. You can go down a lot of ratholes and invest a significant amount of time and money on getting vulnerability assessments and event-correlation reports and doing forensic analysis -- great work for those academically inclined and who have the resources. I personally find the application of technology to discover events after the fact, such as an intrusion or misuse of company assets, to be too little, too late. Think of the nation-building that goes on all over the world today. If we start with building a terrific police force -- complete with interrogation rooms and forensic laboratories -- without having built and reinforced the societal and cultural norms necessary to develop a safe environment in which we can be productive and prosper, we are indeed taking a much more difficult, and possibly even disastrous, path.
We need to get closer to the root of the problem and build a culture around enterprise network integrity. We must establish guidelines and implement mechanisms that prevent the opportunity for security breaches by automatically and proactively enforcing best practices. The key is to automate enforcement and remediation. Much like parents do with children, in order to create useful and productive members of society, we must first gently nudge, then forcefully remind and eventually enforce and crack down on our users to do the right thing -- and frankly, we don't have time to do this through our help desks or to wait for a whole generation of savvy users to be fully educated.
We need solutions that work today to accelerate this cultural and behavioral evolution. Only then will organizations be able to achieve the compliance necessary to ensure that their internal controls and systems are secure. Such compliance provides the foundation for network integrity and ensures the accuracy of reporting and assessments required by Sarbanes-Oxley. Such automated enforcement of compliance allows the CIO to truly say: "We are in compliance with corporate policy, and I can prove it!"

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"A video is making the rounds showing how Vista SP1 has significantly improved Vista's immensely annoying User Account Control (UAC)...." Read more... "So are you getting excited about a nice, long weekend for Memorial Day? Well, before you start cooking hot dogs..." Read more... Read more Security posts or See all Blogs

Mozilla launches Firefox 3.0 RC1 early Microsoft: Don't misunderstand UAC, other Vista features HP confirms XP SP3 endless reboot snafu, promises patch More top stories...

Microsoft pulls Windows Home Server backup feature Yahoo tells Icahn that its own board knows best Tools circulate that crack Debian, Ubuntu keys

Shuttle Columbia's hard drive data recovered from crash site Specialists have retrieved about 99% of the data on a disk drive on board the crashed space shuttle Columbia. Don't miss the photographs of the recovered drive. The top 15 vaporware products of all time These big ideas were supposed to revolutionize technology, but they never actually appeared. In a few cases, you'll be glad they didn't. Opinion: Malware vs. anti-malware, 20 years into the fray Nearly 20 years after the first Internet worm, Steven J. Vaughan-Nichols takes stock of the malware/anti-malware landscape and spotlights how the two sides are approaching the battle. Leopard at six months: Does it live up to the early hype? Though some thought it was released too soon, Mac OS X 10.5 has matured into a solid operating system, says reviewer Michael DeAgonia. Windows Vista A to Z Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS. More Continuing Coverage After 9/11: Homeland SecurityAsk a Premier 100 IT LeaderBlackBerry Legal BattleData Security BreachesElectronic VotingFirefoxH-1B VisasHP's Boardroom ScandalHandheld DevicesHurricane Katrina AftermathMicrosoft Legal IssuesMicrosoft's VistaOpen SourceRFID TechnologySCO's Linux FightSarbanes-Oxley ActSpamVoice Over IPWi-FiWindows Meta File VulnerabilityWindows XP Service Pack 2 IT Careers 2010 Four years from now, the IT field will be a vastly different place. Will you be ready? More Special Reports Premier 100 IT Leaders 2007 Best in Class2006 Computerworld Horizon Awards2006 Premier 100 IT Leaders2006 Salary Survey2007 Best Places to Work in IT2007 IT Forecast2007 Premier 100 IT Leaders40 Years of ComputerworldASPs, Take TwoBest Places to Work in IT 2003Best Places to Work in IT 2004Best Places to Work in IT 2005Best Places to Work in IT 2006Business Intelligence Home RunsBusiness Intelligence: Smarter BIBusiness Intelligence: The Future of BICRM Goes VerticalCRM: Sober CRMCareer Planning Guide 2005Careers: IT Profession 2010Computerworld Horizon Awards 2005Data Management: Mining for GemsData Management: Taming Data ChaosDevelopment: Hard-Workin' Web SitesDevelopment: New Tools New ChoicesDevelopment: The New World of Application DevelopmentDevelopment: The Web Services TsunamiDevelopment: Web Services HurdlesDisaster Recovery: Preparing for the WorstE-commerce Grows UpE-mail/Groupware: Big DecisionsFaces of Mobile ITForecast 2006Global MobileHardware: Multiple Cores, Multiple ChallengesHardware: On-Demand Un-HypedHardware: The Shape of Things to ComeHorizon Awards: 10 Cool Cutting Edge TechnologiesIT Management: Guide to Managing VendorsIT Management: Navigating Global ITIT Management: Recovery AheadIT Management: The Future of ITIT Management: The Resourceful Project ManagerInnovative Technology Awards 2004Management: Reinventing ITMicrosoft in TransitionMobile/Wireless Leaders and LaggardsMobile/Wireless: The Untethered WorkerMobile/Wireless: Tiny Gadgets, Huge CostsNetwork Management: Taking ControlNetworking: Turbulence Ahead!Networking: VoIP Goes MainstreamOperating Systems: In the Slow LaneOperating Systems: Linux Goes GlobalOperating Systems: Should You Nix Unix?Outsourcing: Offshore Buyer's GuideOutsourcing: Outsourcing DangersPremier 100 IT Leaders 2004 Best in ClassPremier 100 IT Leaders 2005 Best in ClassROI: Do the Math!Salary Survey 2003Salary Survey 2004Salary Survey 2005Security Action PlanSecurity: Compliance HeadachesSecurity: Proactive SecuritySecurity: Risk and RewardSecurity: Tips From Security ProsSouped-up SecurityStorage: Battling ComplexityStorage: Cheap & Secure Data StoresStorage: Stretching Your Storage DollarsStorage: The Lean Storage MachineStorage: The New Rules of StorageStorage: The Ultimate Backup GuideSupply Chain: Missing LinksSupply Chain: RFID Reality CheckThe Business of SecurityWeb 2.0 SecurityWireless: Wireless At Work All Zones Application Performance Zone Enterprise-Class Security Zone Enterprise Solutions Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone The Data Center Management Zone See your link here

Why SaaS is Vital to Email and Web Security Why SaaS is Vital to Email and Web Security Download this webcast, free, compilments of Webroot Software Go to the webcast  Computerworld Executive Bulletin: Building a Robust Antivirus Defense Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs. (Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more. Download this executive briefing  Eliminate SPAM, Gain Productivity Get this white paper now! (Source: MessageLabs) Learn all about the dangers and the costs of spam in all its forms - from stock-touting to spreadsheet. Also, understand the drawbacks of traditional hardware- and software-based defenses - and the unique benefits of MessageLabs multi-layered, managed Anti-Spam solution; as illustrated by a real-world case study where MessageLabs stopped spam cold. Download this white paper  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. Securing Financial Services Beyond the Perimeter Intercept Spam & Viruses With MessageLabs Meeting PCI Compliance with SonicWALL Global Management System View more whitepapers

• Mozilla launches Firefox 3.0 RC1 early
• Microsoft: Don't misunderstand UAC, other Vista features
• HP confirms XP SP3 endless reboot snafu, promises patch
• More top stories 

Security Management Zone Security management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones



Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day. New baits



"Security Directions" virtual trade show 2008's Code-Red Security Issues for Protecting the Enterprise Webcasts, white papers, demos, and more. Presented in a unique 3-d environment. Enter our show right now! Click here to enter



In Security There's plenty of talk about how to behave during a Customs search of your computer and gear, but Jon Espenschied's got tips for securing your data (and privacy) before you reach the border. Click here to read the latest column by Jon Espenschied