Are You Ready For A SOX Audit?


By Marv Goldschmitt
VP Business Development
Tizor Systems

In 2004, public companies hired consultants by the gross to help them understand how to take a general, one hundred and eighty word directive (Section 404 of the Sarbanes-Oxley Act) and turn it into actionable and manageable processes. SOX was rushed “to market” in the wake of corporate scandals that called into question the trust that served as the foundation of the investment community. It came with requirements, but no directions for implementation. Under penalty of law, corporate management was required to attest to both the history and quality of financially and operationally sensitive data. Virtually every department in the corporation was impacted and the IT department was in the center of the storm.

But the metrics that public corporations would be measured by were unclear. They needed a framework that would help them both understand the challenges and define the steps to be taken. Enter COBIT (Control Objectives for Information and Related Technologies) and the consultants. COBIT was the core of the common law for data responsibility. In the world of COBIT the consultants were the interpreters and the auditors and the SEC were the judges. The IT professionals, tasked with the job of implementing the controls, became the defendants.

COBIT was a tool ready for deployment. The result of early work at the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), COBIT provided a comprehensive set of high level goals, metrics and steps to help organizations gain control of their most critical corporate asset: information. The problem was that COBIT was not a perfect fit for SOX. It needed to be modified or retrofitted for the purpose of SOX compliance. This became the province of the consultant. Using COBIT as the model, they generated long lists of specific controls and metrics, with the emphasis on the word control.

From an IT perspective, the first wave of requirements focused on making sure that the gold in the corporate vaults, critical data, was protected. The well trodden paths of network and information security were now in the spotlight. Are firewalls in place? Is anti-virus software up to date? Is there a model for segregation of duties to restrict who has access to what information? Is the model supported by the existence of identity and access management systems (IAM) to enforce those rules? Are applications designed and tested to ensure that they aren’t vulnerable to attacks? In short, do you know for a fact that the people working with your data are the people you want working with it?

“Control, control, control” became the chant of the IT professionals who had to deal with SOX. It was hard to criticize this as a goal, because without control of your environment you haven’t passed the first test as a fiduciary of sensitive data.

Creating controls in a world of changing technologies, insufficient budgets and permeable perimeters is not an easy task, but it is an understandable goal, reasonably imposed by a society that has just been taken for a ride by greedy corporate executives. So, the first job in preparing for the inevitable SOX audit is to understand that the control requirements are a necessity. From there the process becomes collaborative. IT security and compliance budgets are beginning to approach and pass the 10% of total IT spend level, indicating that senior management understands the strategic value and importance of data control. The challenge is to maximize the IT investment that these growing budgets enable and meet corporate goals of external representation and internal advantage.

To put this challenge in context, you are being asked to help your corporation take a leap into a world where information is king. This reality may not be well stated but it is not hard to discern. Essentially, a SOX audit is a guidepost towards a greater goal: developing a comprehensive data governance process. SOX is only one example of a new focus on corporate responsibility towards data. Gramm-Leach-Bliley in the banking realm, HIPAA in healthcare, the Payment Card Industry Data Security Standard (PCI), all ask the same question: “Do you know what’s happening to the sensitive data in your care?”

Companies that can answer “yes” to this question for one requirement have a good chance of answering “yes” to most or even all data compliance requirements. But what constitutes a “yes”? Is control all that matters? The answer is “no”.

Simply controlling data doesn’t mean that it is under control. The idea is for its greatest value to be realized. Real control means using the data to the maximum advantage of all stakeholders while keeping that data safe. So the real question is, “How can we use data as a corporate asset and still be responsible to all stakeholders, including society?” And, how does providing this capability relate to SOX?

The answer to the first question is to know what is actually happening to the data wherever and however it is used in the organization. This goes significantly beyond control to knowledge.

Know where your sensitive data is, who is touching it, what they are doing with the data and when the data isn’t being used the way you want. Having this knowledge is the basis of any data governance process. If you know these basic things about the data under your care, you can decide what data, activities and users need deeper and constant scrutiny. This will allow you to report with confidence on your role as a fiduciary of information and, generically, satisfy a broad range of external compliance requirements.

An added bonus for you and your firm is not just compliance and security but also insight. Having your finger on the pulse of how data is used in your organization has the potential to provide your organization with a unique view that can translate into business advantage. As with any other significant corporate asset, understanding how data is used, where it is going and how it carries value allows your company to incrementally optimize that value. And companies that learn to optimize assets end up as winners. Gaining this insight may sound daunting, but a new class of technologies, data auditing and protection products and database activity monitoring products, has recently become available to simplify and automate the task. But while it is certainly strategically compelling to develop this comprehensive data usage view, is there a SOX justification for doing it? Will your auditors expect this of you when they come knocking at your door? Once again, the answer is “yes”.

When the first wave of SOX controls was deployed, the auditors and consultants realized that another problem existed. There is a class of users you can’t control: privileged users. If you place constraints on them, you stop them from doing their jobs. Of course, the problem deepens when you realize that these trusted users, DBAs and other professionals with unlimited access to systems and applications, are not just the users with the greatest potential to help a company run efficiently but also the users with the greatest potential to create havoc. This is no small conundrum. Control doesn’t work for the user you most need to control.

This realization caused a re-think in the SOX compliance world that resulted in the acceptance of monitoring as a viable alternative to control. If you demonstrate that you know, in as much detail as possible, what a privileged user is doing within the sensitive data systems in real time, and can identify and act on behavior that is suspicious or violates policy, then you have the proxy for control which will satisfy your auditors.

But intelligent monitoring of users, including privileged users, provides something else: the equivalent of an angiogram of how information flows through your company. Extended beyond privileged user monitoring, you now have the rudiments in place to attest to the integrity of the data mandated by SOX and its interpreters. You also have the means to identify anomalies and provide significant business intelligence into how your data is used. Identifying anomalies as they occur helps protect your company against very public data breaches and satisfies regulations far beyond SOX. The business intelligence that is the byproduct of doing the right thing is as valuable as (if not more valuable than) meeting compliance requirements.

Getting ready for your SOX audit, while clearly dominated by satisfying specific requirements and implementing specific controls, is also about attitude and orientation. This is an opportunity for you and your company to show leadership. You are in a unique position to help your company go beyond information security to value.
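The monitoring-as-proxy-for-control idea above (know who touches sensitive data, what they do with it, and when it departs from policy) can be sketched as a small policy engine over database audit records. This is an added illustration, not code from the article or from Tizor; the audit record shape, the sensitive object names, the role names and the policy thresholds are all constructed assumptions.

```python
"""Privileged-user activity monitoring over constructed database audit records."""
from collections import namedtuple

# Hypothetical audit record shape: timestamp, account, role, SQL verb,
# object touched, rows affected, change ticket reference (empty if none).
AuditEvent = namedtuple("AuditEvent", "ts user role action obj rows ticket")

# Constructed sample records (not from any real system).
SAMPLE_EVENTS = [
    AuditEvent("2024-03-01T09:15:00", "dba_alice", "dba", "SELECT", "gl.journal_entries", 20, "CHG-1042"),
    AuditEvent("2024-03-01T09:20:00", "dba_alice", "dba", "UPDATE", "gl.journal_entries", 3, ""),
    AuditEvent("2024-03-01T22:05:00", "dba_bob", "dba", "SELECT", "hr.payroll", 50000, ""),
    AuditEvent("2024-03-01T10:00:00", "app_erp", "app", "INSERT", "gl.journal_entries", 1, ""),
    AuditEvent("2024-03-01T11:30:00", "dba_alice", "dba", "ALTER", "gl.journal_entries", 0, "CHG-1043"),
]

# Policy (assumed): financially sensitive objects, which roles count as
# privileged, which verbs change data or schema, and what counts as a bulk read.
SENSITIVE_OBJECTS = {"gl.journal_entries", "hr.payroll"}
PRIVILEGED_ROLES = {"dba"}
CHANGE_ACTIONS = {"INSERT", "UPDATE", "DELETE", "ALTER"}
BULK_ROWS = 10000
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time


def evaluate(event):
    """Return the list of policy violation codes raised by one audit event.

    Only privileged-role activity against sensitive objects is policed here;
    application accounts are governed by the ordinary access controls instead.
    """
    findings = []
    if event.role not in PRIVILEGED_ROLES or event.obj not in SENSITIVE_OBJECTS:
        return findings
    if event.action in CHANGE_ACTIONS and not event.ticket:
        findings.append("UNTICKETED_WRITE")   # change to financial data with no approved ticket
    if event.action == "SELECT" and event.rows >= BULK_ROWS:
        findings.append("BULK_READ")          # mass extraction of a sensitive table
    if int(event.ts[11:13]) not in BUSINESS_HOURS:
        findings.append("OFF_HOURS")          # privileged access outside the working window
    return findings


def monitor(events):
    """Return (timestamp, user, action, object, findings) for events that violate policy."""
    report = []
    for e in events:
        findings = evaluate(e)
        if findings:
            report.append((e.ts, e.user, e.action, e.obj, findings))
    return report
```

Run over the sample, two of the five records are flagged: the unticketed UPDATE by a DBA and the 50,000-row after-hours read of payroll; the ticketed ALTER and the application account's INSERT pass.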

By taking the right steps, choosing the right technologies and promulgating the right vision, you can help your company build trust and advantage in an environment shaped by fear-driven regulations and myopia.

So, practically speaking, what do you need to do? While, no doubt, the list from your auditors will be long and exhausting, a few basic pointers may help simplify your world.

•    Familiarize yourself with COBIT. You won’t need or be able to accomplish everything that is detailed in it but it’s very helpful to know how your consultants and auditors are thinking.
•    Recognize that the audit isn’t aimed at you but at a larger societal problem. There are no easy answers, and whatever metrics evolve will do so through a collaborative and iterative process.
•    Solve problems in a manner that gives you the ability to answer the questions and satisfy the requirements that have either not yet been formed or have not yet hit your desk. GLBA, HIPAA, PCI and the myriad of other regulations that may impact you in the future should not spawn new, expensive and time-consuming projects, just new reports from solutions already in place.
•    Deploy technologies that allow you to truly understand how people interact with your data. This won’t just give you the baseline for compliance but the knowledge necessary to help you and your company truly understand and benefit from an incredible and growing asset.
