
What is the single most challenging Sarbanes-Oxley issue today?

Rajeev Khanolkar

Sarbanes-Oxley has fundamentally changed the business and regulatory environment. Its focus is on strengthening internal checks and balances and, ultimately, assigning corporate accountability. The key area of focus for IT practitioners, section 404, is two-part. First, establishing and maintaining an adequate internal control structure; second, assessing and reporting its ongoing effectiveness. This distinction is significant and bridging the two has created the biggest challenge for business and IT managers alike.

Most IT departments have focused on the obvious business problem of creating full transparency for audit purposes. However, the focus on data accuracy and integrity that Sarbanes-Oxley mandates has limited compliance efforts to financial accounting process automation, and has failed to make changes to the information security landscape needed to protect the information in accounting and reporting systems.

For those in the thick of the compliance process, it has become clear that IT plays a significant role in internal control. Infrastructure, systems and data are critical to the financial reporting process formalized through the SEC and the Public Company Accounting Oversight Board (PCAOB). To this end, the challenge for CIOs is to become extremely well versed in what it takes to be in compliance. They need to enhance their knowledge of internal control, understand the overall corporate plan for Sarbanes-Oxley, develop specific IT controls in alignment with that plan and bridge the results to audit and corporate management.

Just like accounting processes, information security is a business process that has its own set of policies and controls. In order to ensure the reliability of financial reporting data and demonstrate the organization's security posture in the event of an audit, organizations must implement a security infrastructure that effectively manages the large number of events, pinpoints threats, and empowers the security team to take corrective action with a high level of process support before financial data integrity is compromised.

Fortunately, this does not mean reinventing the wheel. Most public company IT departments have had internal controls in place for years, albeit not necessarily formalized or documented. This is especially true for security. Many organizations therefore need to organize and document the collected control information (gathered from logs generated by firewalls, intrusion protection and network access systems, for example) and tailor the existing processes to comply with the Act's requirements.

To effect this is not difficult, but the technology hype assuring compliance solutions has proliferated and muddied the waters. Rather than piecing together solutions based on vendors' definitions of security and compliance, with a Security Information Management solution companies can integrate information security control data across all existing point solutions, automate the process to evaluate that data, bridge the information to remediation resources and provide the repository to report and measure the effectiveness of the overall security infrastructure.

netForensics is the leader in Security Information Management (SIM). SIM strategies use real-time aggregation and correlation capabilities to sift through mountains of security activity data on a constant basis, correlating data, and flagging and rating the potential seriousness of all attacks, compromises and vulnerabilities. Further, through the embedded incident handling system and knowledge library, limited security and IT staff are given the ability to dramatically shorten the gap between incidents and an appropriate response, and to report assessments and conclusions to audit and management.
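The aggregation, correlation and severity-rating loop described above, reduced to a small runnable pipeline, is shown below as an added example. It is not netForensics code and not part of the original article: the log lines are constructed for the example in a simplified key=value format, and the per-event weights, the five-minute correlation window and the severity thresholds are assumptions chosen for illustration. The point it makes that the prose does not is how events from separate point solutions (firewall, intrusion detection, network access control) get normalized into one schema, tied together by source address, and turned into a ranked, reportable incident record.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three hypothetical devices (not real product output).
SAMPLE_LOGS = [
    '2024-03-01T09:00:01Z firewall DENY src=203.0.113.7 dst=10.0.5.20 dport=1433',
    '2024-03-01T09:00:04Z firewall DENY src=203.0.113.7 dst=10.0.5.20 dport=1434',
    '2024-03-01T09:00:09Z ids ALERT sig="SQL Server probe" src=203.0.113.7 dst=10.0.5.20',
    '2024-03-01T09:00:30Z nac AUTH_FAIL user=jdoe src=203.0.113.7',
    '2024-03-01T09:05:00Z firewall DENY src=198.51.100.9 dst=10.0.5.21 dport=22',
    '2024-03-01T10:00:00Z nac AUTH_OK user=asmith src=192.0.2.15',
    'this line is deliberately malformed and must be skipped, not crash the pipeline',
]

# Assumed weights per (device, action). Anything unlisted is informational (weight 0):
# it stays in the log record but is not correlated into an incident.
EVENT_WEIGHT = {
    ("firewall", "DENY"): 1,
    ("ids", "ALERT"): 5,
    ("nac", "AUTH_FAIL"): 3,
}

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Normalize one raw line into a common schema; returns None for lines that cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, action, rest = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {
        "ts": when, "device": device, "action": action,
        "src": fields.get("src"), "fields": fields,
        "weight": EVENT_WEIGHT.get((device, action), 0),
    }


def rate_incident(src, evs):
    """Score an incident by summing event weights; breadth across devices also raises severity."""
    score = sum(e["weight"] for e in evs)
    devices = sorted({e["device"] for e in evs})
    if score >= 8 or len(devices) >= 3:
        severity = "high"
    elif score >= 3:
        severity = "medium"
    else:
        severity = "low"
    return {
        "src": src, "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
        "event_count": len(evs), "devices": devices, "score": score, "severity": severity,
    }


def correlate(events, window=timedelta(minutes=5)):
    """Group security-relevant events by source address into incidents.

    Events are processed in time order; a new incident for the same source starts
    when an event falls outside `window` of the current incident's first event."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["weight"] == 0 or not ev["src"]:
            continue  # informational or unattributable: logged, but not an incident
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - current[0]["ts"] > window:
                incidents.append(rate_incident(src, current))
                current = [ev]
            else:
                current.append(ev)
        incidents.append(rate_incident(src, current))
    return incidents


def summarize(lines):
    """Full pipeline: normalize, correlate, rate, and rank incidents for a management report."""
    events = [e for e in map(parse_event, lines) if e is not None]
    return sorted(correlate(events), key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in summarize(SAMPLE_LOGS):
        print(f'{inc["severity"]:6} score={inc["score"]:2} src={inc["src"]:14} '
              f'events={inc["event_count"]} devices={",".join(inc["devices"])}')
```

The ranked output is the kind of artifact that can be handed to audit: each incident carries its time span, the devices that contributed evidence, and a reproducible score, so the same input always yields the same assessment. Unparseable lines are dropped rather than allowed to abort the run, which matters for a process that has to be sustainable across noisy, heterogeneous sources.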

The key Sarbanes-Oxley challenge is to identify, assess and report material weaknesses using sustainable processes. Extending security information management capabilities through all phases of the security lifecycle strengthens the enterprise security posture and connects security processes with business objectives. This end-to-end framework is the basis for netForensics' nFX Open Security Platform and helps:

• Connect knowledge about events to containment and remediation efforts

• Connect SIM data to improvements in security policy, security architecture, and technology configurations

• Facilitate development of guidelines and processes for handling alerts and security incidents across the enterprise

• Establish repeatable processes so that results can be quantified, progress can be measured, and impact on overall business imperatives can be analyzed

Just as organizations require accounting systems that create transparency and auditability while eliminating error-prone manual processes, they must create similar environments to automate information security.

Rajeev Khanolkar launched netForensics after developing the concept of security data correlation, normalization and reporting. While his strong background in management, engineering and mathematics has been used to provide strategic direction to the company, his entrepreneurial spirit has positioned netForensics as one of the premier security management providers in the industry.

He brings over 20 years of experience in technology and IT management to his role as netForensics Chief Executive Officer and co-founder.

Born in Bombay, Mr. Khanolkar left India in 1978 to pursue higher education in Great Britain. Raised in a family of successful civil engineers that had designed hospitals, government buildings and cricket stadiums, Mr. Khanolkar spent his early career developing his business acumen and engineering skills at several large UK-based organizations. In 1988, he and netForensics co-founder Niten Ved evolved NetCom Systems, a 100-person professional services company. Focused on the expert integration of enterprise system and network management software from Computer Associates and Hewlett Packard, NetCom Systems achieved major recognition from the top-tier Wall Street firms, including developing award-winning software that provided the basis for its spin-off, netForensics.

Prior to NetCom Systems, Mr. Khanolkar held a number of senior management, IT and consulting positions at Xecute Information Systems, Teachers Insurance and Annuity Association and General Electric Corporation Turbine Generators. He holds a Master of Science in Thermodynamics from the University of Birmingham, Great Britain and a Bachelor of Science degree in Mechanical Engineering from the Indian Institute of Technology, Bombay, India. Khanolkar is also a Chartered Engineer and Member of the Institute of Engineering, UK.

© 2019 Simplex Knowledge Company. All Rights Reserved.