
COBIT + DLP = SOX Compliance


By Gil Sever, CEO, Safend

IT best practices are no longer just a good idea for public corporations; they are requirements mandated by legislation such as the Sarbanes-Oxley Act, commonly called SOX. The law, signed on July 30, 2002, was a reaction to widely publicized corporate accounting scandals such as Enron and WorldCom that left thousands of people without jobs or retirement funds. Its eleven titles dictate tighter standards for all U.S. public company boards, management and public accounting firms. The Act also requires senior executives to personally certify the accuracy of their financial reports and the effectiveness of the internal controls behind them.

The regulation is generally referred to by its nickname, SOX, after the Act's principal sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael Oxley (R-OH). The law contains many titles and provisions, but the one of most concern to information security is Section 404, Management Assessment of Internal Controls.

IT's role in SOX compliance
At first glance, SOX appears to matter primarily to corporate accounting and financial departments. However, most financial reporting processes are directly tied to an organization's IT systems, and most of the information involved is stored electronically. Consequently, the methods used to store and transfer financial information must also be assessed. SOX does not specify how an IT department must implement security controls. The body it established, the Public Company Accounting Oversight Board (PCAOB), sets the auditing standards, and those standards direct management and auditors to an accepted internal-control framework, in practice the one published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Because COSO says little about IT specifically, auditors have also encouraged the use of Control Objectives for Information and related Technology (COBIT), currently the most widely used framework for the IT side of SOX assessments.
While most companies have been able to meet compliance requirements, evolving data storage technologies and the disappearance of the network perimeter brought on by wireless connectivity present an ongoing challenge for the CIOs charged with assessing and certifying their organizations' information security controls. Recent data losses and attacks at the endpoint have highlighted the need for protection at all levels of the network, including the endpoints themselves. Securing the endpoints within a network is one of the issues every organization seeking to meet SOX requirements must address.

Staying Ahead of the Technology Curve
Keeping up with technology does not have to be a futile or exhausting race. With built-in security policies designed specifically for SOX compliance, administrators can meet regulatory requirements while still addressing business goals and preserving overall system functionality. Understanding COBIT's four domains, combined with the deployment of an appropriate data leakage prevention (DLP) solution on corporate endpoints (PCs and laptops), can significantly ease the burden of maintaining SOX compliance in an atmosphere of rapidly advancing technology.

Step 1: Plan and Organize
One of the first COBIT requirements is an assessment of the existing infrastructure to determine its strengths and weaknesses. A software solution that satisfies this requirement should allow system administrators to collect information from endpoints and deliver an inventory of the devices, ports and connections available for use on each of them. As plans are developed, user roles and their corresponding access levels must be defined and maintained for the organization, and once established, those access levels must be distributed throughout the system. Any solution deployed should integrate with the existing infrastructure, allow user access rights to be modified, and be capable of identifying violations of the access policy.

Step 2: Acquire and Implement
Once a plan is developed, the next step is implementation through the acquisition and deployment of technology. Any DLP solution chosen must meet the demands of the plan and should include: preventive controls that prohibit unauthorized access to information at the endpoint; detective controls that audit information access; corrective controls that alert management to unauthorized access attempts; and the ability to disable restricted devices.

Step 3: Deliver and Support
The Deliver and Support domain depends on the security features of the DLP solution a company chooses. Ideally, the solution should protect the confidentiality, integrity and availability of sensitive information by managing user privileges and restricting the transfer of information to unauthorized users and devices.
DLP solutions that support SOX compliance should also monitor the flow of information through corporate endpoints, creating an audit trail and providing a timeline for any violation of the established access policies.
Given the increased mobility of today's workers, device encryption is a key component of any solution that effectively assists in maintaining regulatory compliance. Data on mobile or removable storage devices should be stored in encrypted form, with policies that control who may change the encryption configuration.

Step 4: Monitor and Evaluate
The final COBIT domain focuses on the ability to continuously measure the performance of an organization's established IT controls. DLP solutions can assist by maintaining a client log of user activity such as device connections or tampering attempts, file logs that record the transfer of files to removable storage devices or media, and a record of management-server and administrative actions such as policy changes and backup processes.
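The four steps above describe capabilities rather than a mechanism. The following is an added worked example, not code from the article or from Safend's product, that models those capabilities in a small endpoint device-control policy engine: role-based access levels and a device inventory (Plan and Organize), preventive, detective and corrective controls (Acquire and Implement), an encryption requirement for writes to removable media (Deliver and Support), and a hash-chained audit trail that an auditor can verify has not been edited (Monitor and Evaluate). The roles, rule names, event schema and sample events are all constructed for illustration.

```python
"""Toy endpoint device-control policy mapped to the four COBIT domains in the article.
Illustrative only, not Safend's or any vendor's product; roles, rule names, event
schema and all sample events are constructed.
  Plan and Organize     -> ROLE_POLICY access levels, inventory() of seen devices
  Acquire and Implement -> evaluate()/enforce(): preventive (block), detective (log),
                           corrective (alert) controls
  Deliver and Support   -> "encrypted_only": writes to removable media need encryption
  Monitor and Evaluate  -> AuditTrail: hash-chained log of every decision
"""
import hashlib
import json
from dataclasses import asdict, dataclass

# Access level per role and device type (constructed). Unknown roles/devices are denied.
ROLE_POLICY = {
    "finance":  {"usb_storage": "encrypted_only", "bluetooth": "deny", "cd_dvd": "read_only"},
    "it_admin": {"usb_storage": "allow", "bluetooth": "allow", "cd_dvd": "allow"},
    "guest":    {"usb_storage": "deny", "bluetooth": "deny", "cd_dvd": "deny"},
}

@dataclass(frozen=True)
class Event:
    """One endpoint agent event (constructed schema)."""
    ts: str
    host: str
    user: str
    role: str
    device_type: str
    device_id: str
    action: str            # "connect", "read", "write" or "tamper"
    encrypted: bool = False

class AuditTrail:
    """Append-only log; each record carries the SHA-256 of the previous record, so
    editing or deleting an earlier record makes verify() fail."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record: dict) -> dict:
        rec = dict(record, prev=self._prev)
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        self._prev = rec["hash"]
        return rec

    def verify(self) -> bool:
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def inventory(events) -> set:
    """Plan and Organize: which devices have shown up on which endpoints."""
    return {(e.host, e.device_type, e.device_id) for e in events if e.action != "tamper"}

def evaluate(ev: Event, policy=ROLE_POLICY) -> str:
    """Preventive control: 'allow' or 'block' for one event. Default deny."""
    if ev.action == "tamper":
        return "block"
    rule = policy.get(ev.role, {}).get(ev.device_type, "deny")
    if rule == "allow":
        return "allow"
    if rule == "read_only":
        return "allow" if ev.action in ("connect", "read") else "block"
    if rule == "encrypted_only":   # Deliver and Support: data leaves only encrypted
        return "allow" if ev.action != "write" or ev.encrypted else "block"
    return "block"

def enforce(events, trail: AuditTrail, policy=ROLE_POLICY) -> list:
    """Detective control: every decision goes to the trail. Corrective control:
    return the alerts management should see (blocked writes and tampering)."""
    alerts = []
    for ev in events:
        decision = evaluate(ev, policy)
        alert = ev.action == "tamper" or (decision == "block" and ev.action == "write")
        if alert:
            alerts.append(f"{ev.ts} {ev.host} {ev.user}: {ev.action} {ev.device_type} {ev.device_id} blocked")
        trail.append(dict(asdict(ev), decision=decision, alert=alert))
    return alerts

# Constructed sample events, not real agent output.
SAMPLE_EVENTS = [
    Event("2008-10-01T09:00:00", "fin-lt-07", "jdoe", "finance", "usb_storage", "VID_0781", "connect"),
    Event("2008-10-01T09:00:12", "fin-lt-07", "jdoe", "finance", "usb_storage", "VID_0781", "write"),
    Event("2008-10-01T09:03:40", "fin-lt-07", "jdoe", "finance", "usb_storage", "VID_0781", "write", encrypted=True),
    Event("2008-10-01T10:15:02", "lobby-pc", "guest", "guest", "bluetooth", "BT-3A2F", "connect"),
    Event("2008-10-01T11:30:55", "it-ws-02", "admin1", "it_admin", "usb_storage", "VID_0951", "write"),
    Event("2008-10-01T12:01:09", "fin-lt-07", "jdoe", "finance", "agent", "", "tamper"),
    Event("2008-10-01T13:45:31", "fin-lt-09", "temp2", "contractor", "usb_storage", "VID_13FE", "write"),
]

if __name__ == "__main__":
    trail = AuditTrail()
    for line in enforce(SAMPLE_EVENTS, trail):
        print("ALERT", line)
    print("devices seen:", sorted(inventory(SAMPLE_EVENTS)))
    print("audit trail intact:", trail.verify())
```

Two design points carry over to a real deployment. First, the policy is default deny: a role or device type nobody planned for (the "contractor" writing to a USB stick) is blocked and alerted rather than silently allowed, which is what an auditor expects from a Plan and Organize step that defines every access level up front. Second, the audit trail is only useful as a timeline if it cannot be quietly edited after the fact; chaining each record to the hash of the previous one is the simplest way to make later tampering detectable, and a production system would also ship the records off the endpoint to a management server the local user cannot reach.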

Disappearing Boundaries
The traditional model of building a secure perimeter around an organization's information assets is no longer realistic. Today's mobile workforce demands that data be portable and instantly accessible from anywhere, and in doing so removes the physical barriers that were designed to keep information secure. This tension between productivity and security makes compliance a daunting obstacle for companies struggling to stay competitive.

The demand for a more mobile workforce exposes corporate networks to a host of new threats and increases the risk of data leakage. Fortunately, software solutions exist that allow management to adopt productivity-enhancing technology without sacrificing control over how information is accessed. Analyzing the organization's compliance requirements and matching them with DLP solutions that support COBIT controls can yield a cost-effective strategy for attaining and maintaining an IT infrastructure that supports SOX compliance. The technical controls can also be integrated easily into existing policies and procedures, so they can be deployed quickly and at low cost. Without this type of security countermeasure, organizations leave serious gaps in any infrastructure designed to be SOX compliant.

In today's volatile economy, where incidents like Enron and WorldCom, and now Fannie Mae and Lehman Brothers, are tragically becoming commonplace, it is more important than ever for organizations to safeguard their proprietary electronic data. Legislation like SOX was developed to ensure that this happens. Implementing effective data leakage prevention technology within a sound data security strategy not only helps organizations meet the requirements of SOX but, more importantly, takes the steps necessary to uphold the integrity of confidential corporate data.
© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY