Sarbanes-Oxley Act (SOA) sections 302 and 404 require CEOs and CFOs to ensure that business processes are under control, which in turn requires the IT systems supporting the processes to be in control. Without robust IT security processes and technology, complying with the mandates is impossible.
The Bottom Line: Companies concerned with SOA compliance should review existing security processes and upgrade internal security technologies to ensure that internal systems remain in control.
What It Means:
- Internal users pose risk--Internal users misusing company systems are still responsible for a number of security problems that can cause a loss of control. According to the latest Computer Security Institute (CSI) and FBI survey on IT security, 30% of companies report that internal systems were the point of attack during security breaches, and 77% say disgruntled employees were responsible for security breaches within their companies. The Takeaway: While most companies concentrate on preventing external, Internet-borne attacks, companies cannot ignore security threats from internal users and systems.
- Use SOA to improve security--CIOs should use the SOA requirement as a catalyst for upgrading internal security policies and the technologies used to enforce the policies. Companies must treat security as an ongoing process that comprises three tasks: setting security policies, enforcing policies, and auditing results. Companies also need to define roles and responsibilities for security and establish a formal security policy to guard against security breaches. Every employee must understand their role in maintaining security: The CEO must actively demonstrate commitment and provide the necessary financial support, IT management must staff and lead the security projects, and the rank and file must learn about the policies and commit themselves to enforcing them. Companies that base their security processes on the ISO 17799 specification have had success. The Takeaway: SOA compliance requires employee-wide commitment to enforcing updated security policies.
- Simplify IT--Companies should start by simplifying their IT environment and then deploy security technology to guard against security breaches. Since simplified IT environments are easier to secure than complex ones, server and application consolidation are excellent starting points for upgrading internal security. The Takeaway: IT simplification results in an easier-to-secure environment.
- Put existing security technology to better use--No security product can produce a 100% secure infrastructure. However, companies should supplement the access control and auditing capabilities already built into their applications and databases with vulnerability testing products and intrusion detection and prevention products from vendors such as Check Point, Cisco, Internet Security Systems, nCircle, Network Associates, and Symantec. Deploy the security products to monitor for and protect against anomalous behavior that could indicate security problems. The Takeaway: Companies must take advantage of their applications' built-in security and auditing capabilities as well as deploy security point products to ensure that systems remain in control.
- Audit for compliance with security policies--Security policies alone are insufficient. To be SOA-compliant, companies must demonstrate that the policies have been enforced. The National Institute of Standards and Technology (NIST) 800-series publications are a useful starting point for developing metrics to measure the effectiveness of a security policy. The Takeaway: Periodic security audits are necessary for companies to demonstrate that the systems that support their business processes are in control in accordance with the provisions of the SOA.
Unfortunately, no broad security strategy is completely impregnable, and determined and ingenious adversaries can defeat any security system. What SOA requires is that a company’s security policies be sufficient to ensure that systems are under control. A well-constructed policy coupled with a simplified IT environment and carefully managed security technology will help most companies satisfy these requirements.
AMR Research originally published this article on 20 October 2003.