Why network security should go further than Sarbanes-Oxley
Computerworld -
There is one good thing about the Sarbanes-Oxley Act: It's a step in the right direction toward getting companies to close the gap between actual behavior and corporate policy. While this ambitious initiative is intended to restore the public's confidence in corporate governance, there is little guidance that is useful to CIOs and their staffs. This initiative is subject to such broad interpretation as to make its implementation and enforcement in the IT world a nightmare.
For IT executives, the most significant section of Sarbanes-Oxley compliance projects, as well as one of its weakest links, is Section 404, regarding certification of internal controls. Section 404 requires companies to perform a self-assessment of risks for business processes that affect financial reporting. Because these processes and internal controls are implemented principally in IT systems, Section 404 audits involve a detailed assessment of these systems. As a CEO of an information security software company, I find this section particularly relevant to my business, since process changes to meet compliance must be documented and implemented by an organization's information security department.
In other words, CEOs and chief financial officers who are signing off on the validity of data must be sure that the systems maintaining that data are secure. If their systems aren't secure, then their internal controls are questionable and those executives could face criminal penalties if a breach is detected. Perhaps this presents another good thing about the Sarbanes-Oxley Act: Security technology is no longer just an IT matter; it's an organizational and an integrity issue to be reckoned with at the executive level.
Ensuring network integrity
Because most organizations rely extensively on the use of technology for financial and other kinds of reporting and because they are increasingly dependent on the open IP network to do business with suppliers, customers and partners, an entirely new category of accountability and best practices is necessary to address Sarbanes-Oxley specifically and the growing concern over network security in general. If enterprises are to be held accountable, they need to ensure the integrity of their use of the open IP network, which is significantly vulnerable today. Slammer and SoBig are proof of that.
Ensuring network integrity requires much more than reports and assessments, which is as far as the Sarbanes-Oxley Act goes. It requires an infrastructure that supports enforceable policies and best practices to ensure compliance, an infrastructure with much deeper guidelines and better, clearer definitions of best practices for specific industries such as banking and insurance.
How do you measure risk in a company's IT system?
The challenge is that while Sarbanes-Oxley tries to put policies and mechanisms in place to capture and quantify the risk of organizations' internal operations, no one has yet managed to quantify the risk inherent in a company's internal IT systems. For example, the insurance industry has actuaries who compute insurance risks and premiums based on vast quantities of data relating to weather patterns, health, age and many more factors that help them capture how much risk they're taking on with each insurance premium. The financial and accounting industries also have a litany of controls, definitions and guidelines for conducting business according to best practices, which have evolved over many years.
Comparatively speaking, our use of an open IP network and the guidelines built around it is in an embryonic state today. It's therefore absolutely critical that we get the evolution of this system on the fast track. Companies need to have mechanisms in place that enforce safe user behavior and verify that people are doing the right things on the network. From a security perspective, I'm particularly concerned with addressing and enforcing a specific set of conditions associated with policy and compliance -- required fundamentals that will provide the necessary infrastructure for Sarbanes-Oxley to have meaning.
For example, even after a user is authenticated and control mechanisms are put in place for that user's permitted access, what about the integrity of the device itself? When a new device, such as a server, a notebook or a PC, joins your network, is there a way, in real time, to check the integrity of that endpoint before it's given unfettered access to your network resources? Is antivirus software on and up to date? Is a personal firewall installed and configured according to corporate policy? Are all patches installed and up to date? Are network-access security policies based on user location (for example, home or kiosk)? These are the sorts of tangible controls that build an infrastructure for ensuring network integrity and prevent corruption by SoBig, Blaster or the next worm and are necessary on an IT level to make Sarbanes-Oxley effective.
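The endpoint-integrity questions above (antivirus, personal firewall, patches, user location) amount to an admission policy that can be evaluated when a device joins the network. The following Python posture evaluator is an added example, not code from the article; its field names, thresholds, trusted locations and sample device reports are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Endpoint posture check modelled on the questions in the text. The thresholds,
# field names and sample reports below are constructed for this example.
MAX_SIGNATURE_AGE_DAYS = 3
TRUSTED_LOCATIONS = {"office", "vpn"}   # "home" and "kiosk" get restricted access
TODAY = date(2004, 3, 2)                # constructed "current" date for the sample run

@dataclass
class EndpointReport:
    host: str
    location: str
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool
    firewall_default_inbound: str        # "deny" or "allow"
    missing_critical_patches: int

def evaluate_posture(r: EndpointReport, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'full', 'restricted' or 'quarantine'."""
    failures = []
    if not r.av_running:
        failures.append("antivirus not running")
    elif (today - r.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures out of date")
    if not r.firewall_enabled:
        failures.append("personal firewall disabled")
    elif r.firewall_default_inbound != "deny":
        failures.append("firewall does not deny inbound by default")
    if r.missing_critical_patches > 0:
        failures.append(f"{r.missing_critical_patches} critical patch(es) missing")
    if failures:
        # Any failed control: hold the device in a remediation network, not the LAN.
        return "quarantine", failures
    if r.location not in TRUSTED_LOCATIONS:
        # Healthy device from an untrusted location: grant limited access only.
        return "restricted", [f"untrusted location: {r.location}"]
    return "full", []

# Constructed sample reports for three devices joining the network.
SAMPLE_REPORTS = [
    EndpointReport("laptop-01", "office", True, date(2004, 3, 1), True, "deny", 0),
    EndpointReport("laptop-02", "home", True, date(2004, 3, 1), True, "deny", 0),
    EndpointReport("kiosk-pc", "kiosk", True, date(2004, 2, 1), False, "allow", 2),
]

def admission_decisions(reports, today):
    """Map each host to its admission decision, e.g. for an audit log."""
    return {r.host: evaluate_posture(r, today)[0] for r in reports}
```

Recording the decision and its reasons per device gives the auditable control evidence that a Section 404 assessment of network access would look for.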
Compliance with company security policies