Today, most enterprises and service providers alike are beginning to evaluate and transform their IT infrastructures and supporting processes to comply with legislation such as the Sarbanes-Oxley Act. Designed to address corporate accounting problems and enforce the speed and accuracy of financial information and reporting, Sarbanes-Oxley sets requirements for new standards with regard to corporate accountability.
Sarbanes-Oxley not only places responsibility on CEOs and CFOs to validate and assure the accuracy of the financial data provided to the SEC, it also significantly impacts organisations in terms of internal controls and processes, which may prompt an evaluation of information technology and IT security policies.
Although Sarbanes-Oxley is not enforced locally, its guidelines provide the foundation for good corporate governance in the South African market.
For many IT executives, the most important section of Sarbanes-Oxley compliance is Section 404, titled "Management Assessment of Internal Controls". This section essentially requires companies to assess any risk associated with information technology or internal processes that may impact the accurate and timely reporting of financial information. Under section 404, organisations are required to institute and maintain controls and procedures that will support the accuracy and validity of the organisation`s financial reports. Many CIOs and CISOs are focused on Section 404 because all underlying security infrastructure and information technology resources must be evaluated to support the new processes and controls required for Sarbanes-Oxley compliance.
The Sarbanes-Oxley Act highlights the higher demands for improved IT security policies and integrity and CIOs are now challenged with re-evaluating the means by which they manage and secure their networks and business systems. In addition, IP networks are becoming increasingly vulnerable through the accommodation of new technologies such as IP telephony and a growing mobile workforce. For many international IT organisations, compliance with Sarbanes-Oxley will depend upon their ability to enforce internal controls and ensure the security of IT systems, which helps in turn to protect the validity and integrity of financial information.
To help meet these demands, many of these international organisations have implemented the International Security Standard ISO 17799 framework as a template for defining controls and policies across information systems and network infrastructure security. The ISO 17799 framework essentially offers best practices for the implementation of security policies and provides organisations with a defined set of controls for information security. Comprised of two parts, the ISO 17799 serves as a reference point to help organisations understand the range of controls required to implement effective IT security.
However, regardless of which blueprint or standard an organisation puts in place, all enterprises and service providers will rely upon an array of distributed networks, systems and applications that work in concert to store, report and transfer highly sensitive and confidential financial information. It is increasingly critical for IT organisations to ensure the systems and databases storing this information are completely secure. They are typically protected by a wide range of IT security tools, from firewalls and intrusion detection systems to authentication and physical surveillance systems - all of which play a critical role in the security of the data. An understanding of the assets that store critical financial information and the vulnerabilities associated with each technology is pivotal to ensuring the requirements of Sarbanes-Oxley are met.
Many organisations have deployed a wide range of security tools to protect their networks, including firewalls, intrusion detection and authentication controls together with encryption, identity management and IP-enabled physical surveillance systems. However, the introduction and deployment of these security systems can introduce a new set of challenges to the IT organisation. Often following the deployment of security tools, IT operations teams find themselves grappling with large volumes of heterogeneous network and security data. Each product collects security data in a different way and has its own means of sending alerts for potential breaches, resulting in a massive number of daily events that must be addressed.
Consolidation of these event flows is at the heart of assessing abnormal behaviour. Some organisations seek to manage their network and security operations separately and some want to consolidate the information into a single management point. However, all organisations need to understand the relationship between business assets, events, threats, network interruptions and service or SLA disruption, quickly identifying and implementing any remedial activities. How can companies get ahead of the curve and proactively manage their corporate security risk? The validity and integrity of information is the cornerstone of Sarbanes-Oxley compliance and organisations must ensure their networks and critical systems are adequately protected.
Many enterprises and service providers are turning to security information management (SIM) as a means to simplify security operations and help staff effectively identify security threats. By monitoring and correlating disparate IT security data from multiple security tools, SIM solutions can reduce large event volumes and help IT staff prioritise their response to events.
These IT and security domains span resources like firewalls, intrusion detection systems (IDS) and access control systems but also operating system logs, application and operating system monitoring solutions, network devices monitoring and a wealth of SNMP data. By consolidating data to a single management point, organisations can more effectively identify abnormal behaviour and isolate real problems.
An effective security management solution provides a solid foundation for organisations to help ensure accurate reporting of financial information required by Sarbanes-Oxley. A security management solution should offer a natural complement to an organisation`s security framework, providing real-time monitoring and management for increased protection of critical business systems. It will ensure IT organisations are well equipped to prevent or negate the impact of viruses, hackers and other threats that can cause corruption of networks and systems, thus resulting in the high network and data integrity required.
Share