SOX, Lies and Security Matters
by Nick Lowe - Check Point - Monday, 8 September 2008.
When it comes to compliance, it's fairly easy to find out what companies need to do to achieve it. But it's much harder for companies to find out how they should go about it. The Sarbanes-Oxley Act of 2002 (SOX) is detailed and prescriptive in terms of what controls are needed, especially in section 404 of the act, "Management Assessment of Internal Controls." This requires that a corporation annually report the following:
  • Management's responsibility to establish and maintain adequate internal control over financial reporting.
  • The framework used as criteria for evaluating the effectiveness of the company's internal control over financial reporting.
  • Management's assessment of the effectiveness of internal company control over financial reporting, and disclosure of any material weaknesses.
Section 404 also requires that external auditors certify the accuracy of these statements, which have been signed by the CEO and CFO of the company.

How to comply

While IT security systems play a vital part in establishing many of these internal controls to meet requirements, SOX doesn't provide any insight into how a company should go about it, or what types of solutions help deliver those controls. What methods and frameworks can help with this? The Control Objectives for IT (COBIT) is an IT governance model that provides both company-level and activity-level objectives along with associated controls. Using COBIT, an organization can design a system of security applications and controls to comply with SOX. Here's a guide to how companies can interpret SOX demands and ensure they meet regulatory compliance using COBIT objectives, by deploying the right security solutions in the right areas.

Identity management

COBIT suggests that all users should be uniquely identifiable. User identities and access rights should be maintained in a central repository, and cost-effective technical and procedural measures should be deployed and kept current to establish user identification, to implement authentication and to enforce access rights. It's important that an IT solution includes access control. It should also allow for the creation of granular access and authorization rules, and enforce access policies at the perimeter and on the internal network. This also helps companies make their systems resistant to tampering.

User account management

A set of user account management procedures is advised to address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges, as well as to perform regular management reviews of all accounts and related privileges. Certain management tools allow administrators to create policies, including the mapping and assignment of groups (of users and endpoints) to resources. Solutions can also be configured to provide inline, real-time password policy validation for password length or alphanumeric requirements.
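The two sections above (identity management and user account management) describe the same set of controls from two angles: a central repository of unique identities, group-to-resource authorization rules that are enforced by default-deny, an account lifecycle (request, establish, suspend, modify, close) and periodic management review, plus inline password policy checks. The following is an added illustration written for this article, not code from Check Point or from any COBIT material; the class and function names, the 12-character minimum, the 90-day review interval and the sample accounts are all assumptions chosen for the example.

```python
"""Toy central identity repository (added example, not the article's code).

Demonstrates: unique user IDs, group-to-resource access rules, an
account lifecycle (create, suspend, modify, close), a management review
of stale accounts, and password policy validation. Policy values and
sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

MIN_PASSWORD_LENGTH = 12              # assumed policy value
REVIEW_INTERVAL = timedelta(days=90)  # assumed management review cadence


@dataclass
class Account:
    user_id: str
    owner: str                 # named person accountable for the account
    groups: set
    status: str = "active"     # active | suspended | closed
    last_reviewed: date = date.min


class IdentityRepository:
    """Single source of truth for identities, groups and access rules."""

    def __init__(self):
        self._accounts = {}    # user_id -> Account
        self._rules = {}       # (group, resource) -> set of allowed actions

    def create(self, user_id, owner, groups, today):
        if user_id in self._accounts:
            # Uniqueness is the first control: never duplicate or reuse an ID.
            raise ValueError(f"user id already exists: {user_id}")
        acct = Account(user_id, owner, set(groups), last_reviewed=today)
        self._accounts[user_id] = acct
        return acct

    def suspend(self, user_id):
        self._accounts[user_id].status = "suspended"

    def close(self, user_id):
        acct = self._accounts[user_id]
        acct.status = "closed"
        acct.groups.clear()    # closing an account also strips its privileges

    def set_groups(self, user_id, groups, today):
        acct = self._accounts[user_id]
        acct.groups = set(groups)
        acct.last_reviewed = today  # a privilege change counts as a review

    def grant(self, group, resource, actions):
        self._rules.setdefault((group, resource), set()).update(actions)

    def authorize(self, user_id, resource, action):
        """Deny by default; only active accounts with a matching rule pass."""
        acct = self._accounts.get(user_id)
        if acct is None or acct.status != "active":
            return False
        return any(action in self._rules.get((g, resource), set())
                   for g in acct.groups)

    def accounts_due_for_review(self, today):
        """Non-closed accounts whose last review is older than the interval."""
        return sorted(uid for uid, a in self._accounts.items()
                      if a.status != "closed"
                      and today - a.last_reviewed > REVIEW_INTERVAL)


def password_violations(password):
    """Return the policy rules a candidate password breaks (empty = OK)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("length")
    if not any(c.isalpha() for c in password):
        problems.append("letter")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    return problems


if __name__ == "__main__":
    repo = IdentityRepository()
    today = date(2008, 9, 8)
    repo.create("jdoe", "Jane Doe", {"finance"}, today)
    repo.grant("finance", "general-ledger", {"read"})
    print(repo.authorize("jdoe", "general-ledger", "read"))   # True
    print(repo.authorize("jdoe", "general-ledger", "write"))  # False
    print(password_violations("short1"))                      # ['length']
```

The point of the design is that every decision passes through one repository: an auditor can ask it who may do what, which accounts have not been reviewed, and whether a closed account still carries privileges (it cannot, because `close` empties the group set).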

Security testing, surveillance and monitoring

Proactively testing and monitoring the IT security implementation is considered very important by COBIT. A logging and monitoring function will enable early prevention or detection, and subsequent timely reporting, of unusual or abnormal activities that may need to be addressed. Any solution should update, monitor and report on system events and activity, enabling enterprises to gain a holistic view of their security and network activity trends. The consistent presentation of data across the enterprise enables more effective data collection, analysis and response.
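To make the monitoring requirement concrete, here is an added example (not code from the article or from Check Point) of a small monitor that reads log lines in a constructed key=value format and flags two kinds of abnormal activity the paragraph alludes to: a burst of failed logins for one user, and a successful privileged action outside business hours. The log format, the thresholds (5 failures in 10 minutes, business hours 08:00 to 17:59), the event names and the sample records are all assumptions made for this example.

```python
"""Minimal log monitor (added example, not the article's code).

Parses constructed log lines of the form
  <ISO timestamp> host=<h> user=<u> event=<e> result=<r> src=<ip>
and reports abnormal activity in a consistent (type, user, time) shape
so that findings from many sources can be collected and compared."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                    # assumed: 5 failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within 10 minutes
BUSINESS_HOURS = range(8, 18)                 # assumed: 08:00-17:59 local
PRIVILEGED_EVENTS = {"policy_change", "admin_login"}  # assumed names

# Constructed sample log; hosts, users and addresses are invented.
SAMPLE_LOG = """\
2008-09-08T02:13:05 host=fw1 user=asmith event=policy_change result=success src=10.0.0.9
2008-09-08T09:02:11 host=fw1 user=jdoe event=login result=fail src=10.0.0.5
2008-09-08T09:03:40 host=fw1 user=jdoe event=login result=fail src=10.0.0.5
2008-09-08T09:04:02 host=fw1 user=jdoe event=login result=fail src=10.0.0.5
2008-09-08T09:05:19 host=fw1 user=jdoe event=login result=fail src=10.0.0.5
2008-09-08T09:06:55 host=fw1 user=jdoe event=login result=fail src=10.0.0.5
2008-09-08T09:07:30 host=fw1 user=jdoe event=login result=success src=10.0.0.5
2008-09-08T10:00:00 host=fw1 user=root-admin event=admin_login result=success src=10.0.0.2
this line is not a log record
"""


def parse_line(line):
    """Turn one 'ts k=v k=v ...' line into a dict; None if it does not fit."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    rec = {"ts": ts}
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        rec[key] = value
    return rec


def detect(lines):
    """Return findings as (type, user, timestamp) tuples in log order."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # malformed lines are skipped, not trusted
        user = rec.get("user", "?")
        ts = rec["ts"]
        if rec.get("event") == "login" and rec.get("result") == "fail":
            window = failures[user]
            window.append(ts)
            # Drop failures that have aged out of the sliding window.
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            if len(window) == FAILED_LOGIN_THRESHOLD:
                findings.append(("failed_login_burst", user, ts))
        if (rec.get("event") in PRIVILEGED_EVENTS
                and rec.get("result") == "success"
                and ts.hour not in BUSINESS_HOURS):
            findings.append(("after_hours_privileged", user, ts))
    return findings


def summarize(findings):
    """Count findings by type: the uniform view a reporting dashboard wants."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind} user={user}")
    print(summarize(detect(SAMPLE_LOG.splitlines())))
```

Two details matter for a control like this: the sliding window means a slow trickle of failures spread over hours does not trip the rule (tune the window to the risk), and the after-hours rule only fires on successful privileged events, so the finding is about something that actually changed rather than an attempt that was already blocked.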
