Why network security should go further than Sarbanes-Oxley

John De Santis, Sygate Technologies

December 04, 2003 (Computerworld) -- There is one good thing about the Sarbanes-Oxley Act: It's a step in the right direction toward getting companies to close the gap between actual behavior and corporate policy. While this ambitious initiative is intended to restore the public's confidence in corporate governance, there is little guidance that is useful to CIOs and their staffs. This initiative is subject to such broad interpretation as to make its implementation and enforcement in the IT world a nightmare.
For IT executives, the most significant section of Sarbanes-Oxley compliance projects, as well as one of its weakest links, is Section 404, regarding certification of internal controls. Section 404 requires companies to perform a self-assessment of risks for business processes that affect financial reporting. Because these processes and internal controls are implemented principally in IT systems, Section 404 audits involve a detailed assessment of these systems. As a CEO of an information security software company, I find this section particularly relevant to my business, since process changes to meet compliance must be documented and implemented by an organization's information security department.
In other words, CEOs and chief financial officers who are signing off on the validity of data must be sure that the systems maintaining that data are secure. If their systems aren't secure, then their internal controls are questionable and those executives could face criminal penalties if a breach is detected. Perhaps this presents another good thing about the Sarbanes-Oxley Act: Security technology is no longer just an IT matter; it's an organizational and an integrity issue to be reckoned with at the executive level.
Ensuring network integrity
Because most organizations rely extensively on the use of technology for financial and other kinds of reporting and because they are increasingly dependent on the open IP network to do business with suppliers, customers and partners, an entirely new category of accountability and best practices is necessary to address Sarbanes-Oxley specifically and the growing concern over network security in general. If enterprises are to be held accountable, they need to ensure the integrity of their use of the open IP network, which is significantly vulnerable today. Slammer and SoBig are proof of that.
Ensuring network integrity requires much more than reports and assessments, which is as far as the Sarbanes-Oxley Act goes. It requires an infrastructure that supports enforceable policies and best practices to ensure compliance, an infrastructure with much deeper guidelines and better, clearer definitions of best practices for specific industries such as banking and insurance.
How do you measure risk in a company's IT system?
The challenge is that while Sarbanes-Oxley tries to put policies and mechanisms in place to capture and quantify the risk of organizations' internal operations, no one has managed to capture the risk of his company's internal IT system. For example, the insurance industry has actuaries who compute insurance risks and premiums based on vast quantities of data relating to weather patterns, health, age and many more factors that help them capture how much risk they're taking on with each insurance premium. The financial and accounting industries also have a litany of controls, definitions and guidelines for conducting business according to best practices, which have evolved over many years.
Comparatively speaking, our use of an open IP network and the guidelines built around it is in an embryonic state today. It's therefore absolutely critical that we get the evolution of this system on the fast track. Companies need to have mechanisms in place that enforce safe user behavior and verify that people are doing the right things on the network. From a security perspective, I'm particularly concerned with addressing and enforcing a specific set of conditions associated with policy and compliance -- required fundamentals that will provide the necessary infrastructure for Sarbanes-Oxley to have meaning.
For example, even after a user is authenticated and control mechanisms are put in place for that user's permitted access, what about the integrity of the device itself? When a new device, such as a server, a notebook or a PC, joins your network, is there a way, in real time, to check the integrity of that endpoint before it's given unfettered access to your network resources? Is antivirus software on and up to date? Is a personal firewall installed and configured according to corporate policy? Are all patches installed and up to date? Are network-access security policies based on user location (for example, home or kiosk)? These are the sorts of tangible controls that build an infrastructure for ensuring network integrity and prevent corruption by SoBig, Blaster or the next worm and are necessary on an IT level to make Sarbanes-Oxley effective.
Compliance with company security policies
One question I always ask in the course of doing business is, "Does your IT department know if there is 100% compliance with your security policies?" Eighty percent? Fifty percent? Chances are, IT has no knowledge, representing a dangerous gap between policy and actual practice that must be closed, or organizations will risk the dire consequences of an unsafe network and all that entails, as well as the punitive measures stipulated by Sarbanes-Oxley (huge fines and even jail).
Sarbanes-Oxley is all about reporting, but reporting by itself has little value. You can go down a lot of ratholes and invest a significant amount of time and money on getting vulnerability assessments and event-correlation reports and doing forensic analysis -- great work for those who are academically inclined and have the resources. I personally find the application of technology to discover events after the fact, such as an intrusion or misuse of company assets, to be too little, too late. Think of the nation-building that goes on all over the world today. If we start with building a terrific police force -- complete with interrogation rooms and forensic laboratories -- without having built and reinforced the societal and cultural norms necessary to develop a safe environment in which we can be productive and prosper, we are indeed taking a much more difficult, and possibly even disastrous, path.
We need to get closer to the root of the problem and build a culture around enterprise network integrity. We must establish guidelines and implement mechanisms that prevent the opportunity for security breaches by automatically and proactively enforcing best practices. The key is to automate enforcement and remediation. Much like parents do with children, in order to create useful and productive members of society, we must first gently nudge, then forcefully remind and eventually enforce and crack down on our users to do the right thing -- and frankly, we don't have time to do this through our help desks or to wait for a whole generation of savvy users to be fully educated.
We need solutions that work today to accelerate this cultural and behavioral evolution. Only then will organizations be able to achieve the compliance necessary to ensure that their internal controls and systems are secure. Such compliance provides the foundation for network integrity and ensures the accuracy of reporting and assessments required by Sarbanes-Oxley. Such automated enforcement of compliance allows the CIO to truly say: "We are in compliance with corporate policy, and I can prove it!"
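The pre-admission endpoint checks listed earlier (antivirus on and current, personal firewall configured to corporate policy, patches current, location-aware access rules) and the "what percentage of endpoints is actually compliant?" question can both be made concrete in code. The following is an added example, not code from the column or from Sygate's products: it evaluates constructed endpoint posture reports against a hypothetical policy, returns an admission verdict with the remediation items each machine needs, and computes the fleet compliance rate. The thresholds, profile names, hostnames and dates are all assumptions made for the example.

```python
"""Endpoint posture check before network admission, plus a fleet compliance rate.

Added example (not from the article or from Sygate). Models the checks the
column lists: antivirus running and current, personal firewall on and using the
corporate profile, patches current, and a policy that depends on the user's
location. Every endpoint report below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical corporate policy values (assumptions for this example).
MAX_AV_SIGNATURE_AGE_DAYS = 3
MAX_PATCH_AGE_DAYS = 14
CORPORATE_FIREWALL_PROFILE = "corporate"
TODAY = date(2003, 12, 4)  # fixed so the example is deterministic


@dataclass
class EndpointReport:
    host: str
    location: str              # "office", "home" or "kiosk"
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool
    firewall_profile: str      # name of the firewall policy profile in use
    last_patch_date: date


@dataclass
class Decision:
    host: str
    verdict: str               # "allow", "quarantine" or "deny"
    failures: list = field(default_factory=list)  # remediation items


def evaluate(report: EndpointReport) -> Decision:
    """Check one endpoint against policy and return the admission decision."""
    failures = []
    if not report.av_running:
        failures.append("antivirus not running")
    elif (TODAY - report.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures out of date")
    if not report.firewall_enabled:
        failures.append("personal firewall disabled")
    elif report.firewall_profile != CORPORATE_FIREWALL_PROFILE:
        failures.append(f"firewall profile '{report.firewall_profile}' is not corporate")
    if (TODAY - report.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches out of date")

    # Location-aware rule (assumed policy): kiosks never get past the
    # quarantine segment; office and home machines must be fully compliant.
    if report.location == "kiosk":
        return Decision(report.host, "deny", failures + ["kiosk location not permitted"])
    if failures:
        return Decision(report.host, "quarantine", failures)
    return Decision(report.host, "allow")


def compliance_rate(decisions) -> float:
    """Fraction of endpoints admitted with no remediation needed: the number
    the column says most IT departments cannot produce."""
    if not decisions:
        return 0.0
    return sum(1 for d in decisions if d.verdict == "allow") / len(decisions)


# Constructed sample posture reports for four endpoints.
SAMPLE_REPORTS = [
    EndpointReport("fin-ws-01", "office", True, date(2003, 12, 3), True, "corporate", date(2003, 11, 28)),
    EndpointReport("fin-lt-02", "home", True, date(2003, 11, 20), True, "corporate", date(2003, 11, 25)),
    EndpointReport("ctr-kiosk-07", "kiosk", True, date(2003, 12, 3), True, "corporate", date(2003, 11, 30)),
    EndpointReport("fin-ws-03", "office", True, date(2003, 12, 2), False, "none", date(2003, 10, 30)),
]


def run_sample():
    """Evaluate every sample endpoint and return the list of decisions."""
    return [evaluate(r) for r in SAMPLE_REPORTS]


if __name__ == "__main__":
    decisions = run_sample()
    for d in decisions:
        items = "; ".join(d.failures) or "no remediation needed"
        print(f"{d.host:14} {d.verdict:10} {items}")
    print(f"fleet compliance: {compliance_rate(decisions):.0%}")
```

The design point is that the check runs before the endpoint is granted network access and produces a remediation list rather than just a log entry, which is the difference the column draws between enforcement and after-the-fact reporting; the compliance rate falls out of the same data at no extra cost.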