The Connection Between SOX and Security
Section 404 of the Sarbanes-Oxley Act mandates that all publicly-traded organizations demonstrate due diligence in the disclosure of financial information. They must also implement internal controls and procedures to communicate, store and protect that data. They must protect these controls from internal and external threats and unauthorized access, including those that could occur through online systems and networks. Why might this be hard?
- Budget constraints
- Security best practices are not well defined
- Security expertise can be in short demand
- Difficulties in deploying and managing required technology
- The need to maintain security during ever-changing technical environments
What should SOX implementers do?
- Keep an eye on the prize - security for its own sake. Compliance efforts should complement ongoing security efforts - not overshadow them. They should be designed to address specific risks that are documented as part of your organization’s risk plan.
- Recognize that your company may face multiple security-related regulations. What’s needed is an enterprise security policy and plan that addresses common demoninators as well as specific needs.
- Ensure that SOX personnel - even those who are not technical specialists - understand risks and the implications of security measures. They need to be able to articulate how levels of security build upon each other (e.g., how application security builds on database security, which builds upon operating system security).
- Ensure that the appropriate level of security testing is included in SOX 404 compliance efforts. Consider fast, scalable risk assessments performed on a regular basis. Bring in outside expertise if needed.
- Ensure that key security controls are defined, documented, and proved, and that they demonstrate accountability and transparency. Map them to COSO, COBIT, and/or ISO frameworks.
Many companies are using the ISO security standard ISO-17799 as a framework for implementing an information security program. The ISO framework defines security controls and outlines a risk management approach. It does not, however, specify a particular implementation approach. The standard can be purchased from ISO.
Here are links to examples of security policies and guidance:
- 10 Golden Security Rules
- The NIST Computer Security Resource Center
- dmoz Open Directory Project Policy Samples
- How to Write an Information Security Policy
The Institute of Internal Auditors has published a presentation, Audit & Security Controls That Work.
The United States Government Accountability Office has a wide variety of recent reports regarding IT Security.
- Analysis: The Vendor-Neutral Security Certification Landscape
- Guide To Vendor-Specific Security Certs
- SearchSecurity.com Guide to Infosec Certifications