Security professionals may soon find themselves fielding calls from their companies' upper management concerning
the Sarbanes-Oxley Act.
Sarbanes-Oxley, named for the two Congressmen who sponsored it, on the surface doesn't have much to do with IT security. The law was passed to restore the public's confidence in corporate governance by making chief executives of publicly traded companies personally validate financial statements and other information.
President Bush signed on the law on July 30, 2002. Initially, companies had to be in compliance this fall, but extensions were granted. Large corporations now have until June 15, 2004, to meet the requirements of Sarbanes-Oxley. Smaller companies have to comply by April 15, 2005.
Congress passed the law in quick response to accounting scandals surrounding Enron and other companies. Sarbanes-Oxley deals with many corporate governance issues, including executive compensation and the use of independent directors. "When it was initially adopted, the last thing on their minds was security. The law was passed to address things such as off-book transactions," said Gary Saidman, an attorney specializing in information security matters with Atlanta-based law firm Kilpatrick Stockton.
Yet in the law there is a provision mandating that CEOs and CFOs attest to their companies' having proper "internal controls." It's hard to sign off on the validity of data if the systems maintaining it aren't secure. "It's the IT systems that keep the books," Saidman said. "If systems aren't secure, then internal controls are not going to be too good."
Sarbanes-Oxley doesn't mandate specific internal controls such as strong authentication or the use of encryption. "But if someone can easily get in your system because you have a four-character password, for me, that is a no-brainer [as a sign of noncompliance]," Saidman said.
What the law will likely do is open a dialogue between upper-level management and their security staff on what is needed to ensure that proper and auditable security measures are in place. The executives who have to sign off on the internal controls have a lot to lose if things aren't kosher; they could face criminal penalties if a breach is detected.
"Some companies spend more on coffee than on security. I think [Sarbanes-Oxley] will do a lot to change that," Saidman said.
Security product vendors smell potential sales, so they are using Sarbanes-Oxley compliance as a major marketing angle, much like they have done with HIPAA (the Health Insurance Portability and Accountability Act).
A company, however, can't buy a specific product that will guarantee compliance with the act. In fact, compliance goes much deeper. An important factor in creating internal controls is making sure homegrown applications are secure, said Mark Doll, director of Ernst & Young's security and technology solutions practice for the Americas. Most companies have perimeter defenses, intrusion-detection systems and antivirus protection, "but they don't have proper controls in their Web-based applications," he said.
Teaching developers to code more securely and then properly testing their creations for security is a relatively low-cost project, but one that would pay dividends for Sarbanes-Oxley compliance, Doll said. Yet instituting such controls can't be done overnight -- it must be phased in. "Given the long life-cycle times, IT has to be way ahead of the curve on this," he said.
Education doesn't need to take place just at the developer level. Sarbanes-Oxley will likely accelerate upper management's understanding of security matters as well, Doll said. A company may lose $50,000 on an instance of fraud. "The world is not going to stop, but what it does show is a break down of control structures," he said. "It could have been $500 million."
FOR MORE INFORMATION:
FEEDBACK: Has Sarbanes-Oxley opened a channel of communication between the CSO and upper management at your enterprise?
Send your feedback to the SearchSecurity.com news team.