
Enforcing Network Integrity


Compliance Strategies in the Age of Material Weaknesses

By John De Santis
CEO, President and Chairman of the Board
TriCipher

John De Santis, CEO of Sygate Technologies, says the Sarbanes-Oxley Act raises an important issue for corporate leaders: Information security isn't just an IT matter, but it's also an organizational and integrity issue to be reckoned with at the executive level. He calls for putting new measures to gauge network security on the fast track.

There is one good thing about the Sarbanes-Oxley Act: It's a step in the right direction toward getting companies to close the gap between actual behavior and corporate policy. While this ambitious initiative is intended to restore the public's confidence in corporate governance, there is little guidance in it that is useful to CIOs and their staffs. The initiative is subject to such broad interpretation as to make its implementation and enforcement in the IT world a nightmare. And, as companies are now faced with either signing off on the integrity of their internal controls or inviting SEC scrutiny by claiming material weaknesses, the need for a strong IT compliance strategy is more important than ever.

For IT executives, the most significant section of Sarbanes-Oxley compliance projects, as well as one of its weakest links, is Section 404, regarding certification of internal controls. Section 404 requires companies to perform a self-assessment of risks for business processes that affect financial reporting. Because these processes and internal controls are implemented principally in IT systems, Section 404 audits involve a detailed assessment of those systems. As the CEO of an information security software company, I find this section particularly relevant to my business, because the process changes needed to meet compliance must be documented and implemented by an organization's information security department.

In other words, CEOs and chief financial officers who are signing off on the validity of data must be sure that the systems maintaining that data are secure. If their systems aren't secure, then their internal controls are questionable and those executives could face criminal penalties if a breach is detected. Perhaps this presents another good thing about the Sarbanes-Oxley Act: Security technology is no longer just an IT matter; it's an organizational and an integrity issue to be reckoned with at the executive level.

Ensuring network integrity
Because most organizations rely extensively on the use of technology for financial and other kinds of reporting, and because they are increasingly dependent on the open IP network to do business with suppliers, customers and partners, an entirely new category of accountability and best practices is necessary to address Sarbanes-Oxley specifically and the growing concern over network security in general. If enterprises are to be held accountable, they need to ensure the integrity of their use of the open IP network, which is significantly vulnerable today. Slammer and SoBig are proof of that.

Ensuring network integrity requires much more than reports and assessments, which is as far as the Sarbanes-Oxley Act goes. It requires an infrastructure that supports enforceable policies and best practices to ensure compliance, an infrastructure with much deeper guidelines and better, clearer definitions of best practices for specific industries such as banking and insurance.

How do you measure risk in a company's IT system? The challenge is that while Sarbanes-Oxley tries to put policies and mechanisms in place to capture and quantify the risk of organizations' internal operations, no one has managed to capture the risk of his company's internal IT system. For example, the insurance industry has actuaries who compute insurance risks and premiums based on vast quantities of data relating to weather patterns, health, age and many more factors that help them capture how much risk they're taking on with each insurance premium. The financial and accounting industries also have a litany of controls, definitions and guidelines for conducting business according to best practices, which have evolved over many years.

Comparatively speaking, our use of an open IP network and the guidelines built around it is in an embryonic state today, and it's therefore absolutely critical that we get the evolution of this system on the fast track. Companies need to have mechanisms in place that enforce safe user behavior and verify that people are doing the right things on the network. From a security perspective, I'm particularly concerned with addressing and enforcing a specific set of conditions associated with policy and compliance -- required fundamentals that will provide the necessary infrastructure for Sarbanes-Oxley to have meaning.

For example, even after a user is authenticated and control mechanisms are put in place for that user's permitted access, what about the integrity of the device itself? When a new device, such as a server, a notebook or a PC, joins your network, is there a way, in real time, to check the integrity of that endpoint before it's given unfettered access to your network resources? Is antivirus software on and up to date? Is a personal firewall installed and configured according to corporate policy? Are all patches installed and up to date? Are network-access security policies based on user location (for example, home or kiosk)? These are the sorts of tangible controls that build an infrastructure for ensuring network integrity and prevent corruption by SoBig, Blaster or the next worm and are necessary on an IT level to make Sarbanes-Oxley effective.

Compliance with company security policies
One question I always ask in the course of doing business is, "Does your IT department know if there is 100% compliance with your security policies?" Eighty percent? Fifty percent? Chances are, IT has no knowledge, representing a dangerous gap between policy and actual practice that must be closed, or organizations will risk the dire consequences of an unsafe network and all that entails, as well as the punitive measures stipulated by Sarbanes-Oxley.
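The endpoint checks listed above (antivirus on and current, personal firewall configured per policy, patches current, access tied to where the device connects from) and the compliance percentage that IT is asked to know can be put into one policy evaluation. The following is an added example written for this page, not code from the author or from any product mentioned in the article: the policy thresholds, the access-by-location table, the check names and the sample fleet are all constructed assumptions for illustration.

```python
"""
Added example (not from the original article): evaluating endpoint
posture against a corporate policy, mapping the result to a network
access decision by location, and measuring fleet-wide compliance.
All endpoint records below are constructed; the policy values and
check names are assumptions chosen for illustration only.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed corporate policy; every value here is a stand-in.
POLICY = {
    "max_av_signature_age_days": 3,
    "max_patch_age_days": 30,
    "required_firewall_profile": "corp-standard",
    # Access granted for each posture state, keyed by connection location.
    "access_by_location": {
        "office": {"compliant": "full", "non_compliant": "quarantine"},
        "home":   {"compliant": "full", "non_compliant": "quarantine"},
        "kiosk":  {"compliant": "web-only", "non_compliant": "deny"},
    },
}

@dataclass
class Endpoint:
    name: str
    location: str                 # office | home | kiosk | anything else
    av_enabled: bool
    av_signature_date: date
    firewall_enabled: bool
    firewall_profile: str
    last_patch_date: date

@dataclass
class PostureResult:
    name: str
    failures: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.failures

def evaluate(ep: Endpoint, policy: dict, today: date) -> PostureResult:
    """Run each check from the article's list, collecting every failure
    rather than stopping at the first so remediation can be complete."""
    r = PostureResult(ep.name)
    if not ep.av_enabled:
        r.failures.append("antivirus disabled")
    elif (today - ep.av_signature_date).days > policy["max_av_signature_age_days"]:
        r.failures.append("antivirus signatures stale")
    if not ep.firewall_enabled:
        r.failures.append("personal firewall disabled")
    elif ep.firewall_profile != policy["required_firewall_profile"]:
        r.failures.append("firewall profile not per policy")
    if (today - ep.last_patch_date).days > policy["max_patch_age_days"]:
        r.failures.append("patches out of date")
    return r

def access_decision(ep: Endpoint, result: PostureResult, policy: dict) -> str:
    """Map posture plus connection location to an access level. A location
    the policy does not know is treated as the most restrictive case."""
    fallback = {"compliant": "deny", "non_compliant": "deny"}
    table = policy["access_by_location"].get(ep.location, fallback)
    return table["compliant" if result.compliant else "non_compliant"]

def compliance_rate(results) -> float:
    """The figure the article asks IT to know: share of endpoints passing."""
    results = list(results)
    if not results:
        return 0.0
    return sum(r.compliant for r in results) / len(results)

# Constructed sample fleet, evaluated against a fixed "today".
TODAY = date(2024, 1, 15)
FLEET = [
    Endpoint("hq-desktop-01", "office", True, TODAY - timedelta(days=1), True, "corp-standard", TODAY - timedelta(days=10)),
    Endpoint("laptop-cfo", "home", True, TODAY - timedelta(days=9), True, "corp-standard", TODAY - timedelta(days=5)),
    Endpoint("laptop-sales-07", "home", False, TODAY - timedelta(days=40), True, "corp-standard", TODAY - timedelta(days=45)),
    Endpoint("lobby-kiosk", "kiosk", True, TODAY, True, "corp-standard", TODAY - timedelta(days=2)),
    Endpoint("contractor-pc", "unknown", True, TODAY, False, "", TODAY),
]

def run(fleet=FLEET, policy=POLICY, today=TODAY):
    """Evaluate a fleet; returns (results by name, decisions by name, rate)."""
    results = {ep.name: evaluate(ep, policy, today) for ep in fleet}
    decisions = {ep.name: access_decision(ep, results[ep.name], policy) for ep in fleet}
    return results, decisions, compliance_rate(results.values())

if __name__ == "__main__":
    results, decisions, rate = run()
    for name, r in results.items():
        print(f"{name:16} {decisions[name]:10} {', '.join(r.failures) or 'compliant'}")
    print(f"fleet compliance: {rate:.0%}")
```

With the constructed fleet, two of five endpoints pass, so the answer to the article's question is 40%, and each failing device carries the full list of what must be fixed before it regains access. The unknown connection location is deliberately mapped to deny rather than to an office default; an evaluator that falls open for unrecognized input is exactly the gap between policy and practice the article warns about.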

Sarbanes-Oxley is all about reporting, but reporting by itself has little value. You can go down a lot of rat holes and invest a significant amount of time and money on getting vulnerability assessments and event-correlation reports and doing forensic analysis -- great work for those academically inclined and who have the resources. I personally find the application of technology to discover events after the fact, such as an intrusion or misuse of company assets, to be too little, too late. Think of the nation-building that goes on all over the world today. If we start with building a terrific police force -- complete with interrogation rooms and forensic laboratories -- without having built and reinforced the societal and cultural norms necessary to develop a safe environment in which we can be productive and prosper, we are indeed taking a much more difficult, and possibly even disastrous, path.

We need to get closer to the root of the problem and build a culture around enterprise network integrity. We must establish guidelines and implement mechanisms that prevent the opportunity for security breaches by automatically and proactively enforcing best practices. The key is to automate enforcement and remediation. Much like parents do with children, in order to create useful and productive members of society, we must first gently nudge, then forcefully remind and eventually enforce and crack down on our users to do the right thing -- and frankly, we don't have time to do this through our help desks or to wait for a whole generation of savvy users to be fully educated.

We need solutions that work today to accelerate this cultural and behavioral evolution. Only then will organizations be able to achieve the compliance necessary to ensure that their internal controls and systems are secure. Such compliance provides the foundation for network integrity and ensures the accuracy of reporting and assessments required by Sarbanes-Oxley. Such automated enforcement of compliance allows the CIO to truly say: "We are in compliance with corporate policy, and I can prove it!"








© 2019 Simplex Knowledge Company. All Rights Reserved.