What is the single most challenging Sarbanes-Oxley issue today?
Most IT departments have focused on the obvious business problem of creating full transparency for audit purposes. However, the focus on data accuracy and integrity that Sarbanes-Oxley mandates has largely confined compliance efforts to automating financial accounting processes, and has not driven the changes to the information security landscape needed to protect the data held in accounting and reporting systems.
For those in the thick of the compliance process, it has become clear that IT plays a significant role in internal control. Infrastructure, systems and data are critical to the financial reporting process formalized through the SEC and the Public Company Accounting Oversight Board (PCAOB). The challenge to CIOs is therefore to become extremely well versed in what it takes to be in compliance: they need to deepen their knowledge of internal control, understand the overall corporate plan for Sarbanes-Oxley, develop specific IT controls in alignment with that plan and bridge the results to audit and corporate management.
Just like accounting processes, information security is a business process with its own set of policies and controls. To ensure the reliability of financial reporting data and demonstrate the organization's security posture in the event of an audit, organizations must implement a security infrastructure that effectively manages the large volume of security events, pinpoints threats, and empowers the security team to take corrective action, with a high level of process support, before the integrity of financial data is compromised.
Fortunately, this does not mean reinventing the wheel. Most public company IT departments have had internal controls in place for years, albeit not necessarily formalized or documented. This is especially true for security. Many organizations therefore need to organize and document the control information they already collect (from the logs generated by firewalls, intrusion prevention and network access systems, for example) and tailor their existing processes to the Act's requirements.
Effecting this is not difficult, but the hype around technology that promises compliance has muddied the waters. Rather than piece together solutions based on vendors' definitions of security and compliance, companies can use a Security Information Management solution to integrate information security control data across all existing point solutions, automate the evaluation of that data, bridge the information to remediation resources and provide the repository from which to report on and measure the effectiveness of the overall security infrastructure.
netForensics is the leader in Security Information Management (SIM). SIM strategies use real-time aggregation and correlation capabilities to sift through mountains of security activity data on a constant basis, correlating data and flagging and rating the potential seriousness of all attacks, compromises and vulnerabilities. Further, through the embedded incident handling system and knowledge library, limited security and IT staff are given the ability to dramatically shorten the gap between an incident and an appropriate response, and to report assessments and conclusions to audit and management.
The key Sarbanes-Oxley challenge is to identify, assess and report material weaknesses using sustainable processes. Extending security information management capabilities through all phases of the security lifecycle strengthens the enterprise security posture and connects security processes with business objectives. This end-to-end framework is the basis for netForensics' nFX Open Security Platform and helps:
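To make the aggregation, correlation and rating steps described above concrete, here is an added illustration written for this edit. It is not netForensics code and does not reflect how nFX works internally; the log line formats, the correlation rules (a port-scan threshold and a "scan followed by IDS alert" pattern), the asset criticality table and the severity thresholds are all constructed assumptions for the example. It normalizes firewall and IDS lines into one event schema, correlates per source address inside a sliding time window, rates each incident by pattern and by the criticality of the targeted host, and produces the per-severity counts a status report to audit would carry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in simplified, assumed formats (not real vendor output).
FIREWALL_LOG = """\
2004-06-01T10:00:01 fw1 DENY src=10.1.1.5 dst=192.168.50.10 dport=22
2004-06-01T10:00:02 fw1 DENY src=10.1.1.5 dst=192.168.50.10 dport=23
2004-06-01T10:00:03 fw1 DENY src=10.1.1.5 dst=192.168.50.10 dport=445
2004-06-01T10:00:04 fw1 DENY src=10.1.1.5 dst=192.168.50.10 dport=1433
2004-06-01T10:00:05 fw1 DENY src=10.1.1.5 dst=192.168.50.10 dport=3389
2004-06-01T10:00:06 fw1 DENY src=10.1.1.5 dst=192.168.50.10 dport=8080
2004-06-01T10:01:10 fw1 DENY src=10.9.9.9 dst=192.168.50.10 dport=22
"""
IDS_LOG = """\
2004-06-01T10:00:09 ids1 ALERT sig="MS-SQL overflow attempt" src=10.1.1.5 dst=192.168.50.10 dport=1433
2004-06-01T10:45:00 ids1 ALERT sig="ICMP ping sweep" src=10.9.9.9 dst=192.168.50.11 dport=0
"""

# Assumed asset inventory: the host holding financial reporting data is weighted highest.
ASSET_CRITICALITY = {"192.168.50.10": 3, "192.168.50.11": 1}
BASE_SCORE = {"port scan": 1, "ids alert": 2, "targeted attack": 4}  # assumed weights

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>DENY|PERMIT) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r'^(?P<ts>\S+) (?P<sensor>\S+) ALERT sig="(?P<sig>[^"]+)" '
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def normalize(fw_text, ids_text):
    """Aggregation: parse both sources into one common event schema, ordered by time."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"ts": datetime.fromisoformat(d["ts"]), "sensor": d["sensor"],
                           "kind": d["action"].lower(), "src": d["src"], "dst": d["dst"],
                           "dport": int(d["dport"]), "detail": ""})
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"ts": datetime.fromisoformat(d["ts"]), "sensor": d["sensor"],
                           "kind": "ids_alert", "src": d["src"], "dst": d["dst"],
                           "dport": int(d["dport"]), "detail": d["sig"]})
    return sorted(events, key=lambda e: e["ts"])


def rate(category, dst):
    """Rating: base score for the pattern, weighted by the criticality of the target host."""
    score = BASE_SCORE[category] * ASSET_CRITICALITY.get(dst, 1)
    label = "critical" if score >= 10 else "high" if score >= 5 else "medium" if score >= 3 else "low"
    return score, label


def make_incident(category, src, last_event, evidence):
    score, label = rate(category, last_event["dst"])
    return {"category": category, "src": src, "dst": last_event["dst"],
            "ts": last_event["ts"].isoformat(), "score": score, "severity": label,
            "evidence": evidence}


def correlate(events, window=timedelta(minutes=5), scan_threshold=5):
    """Correlation: per source IP, a sliding time window over the normalized events.

    Assumed rules: >= scan_threshold distinct denied ports in the window -> "port scan";
    an IDS alert while the window already shows a scan -> "targeted attack";
    any other IDS alert -> "ids alert". Incidents are returned highest score first.
    """
    incidents = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        recent, scan_reported = [], False
        for e in evs:
            recent.append(e)
            recent = [r for r in recent if e["ts"] - r["ts"] <= window]  # drop stale events
            denied_ports = {r["dport"] for r in recent if r["kind"] == "deny"}
            scanning = len(denied_ports) >= scan_threshold
            if e["kind"] == "deny" and scanning and not scan_reported:
                scan_reported = True  # report the scan once, not on every further deny
                incidents.append(make_incident("port scan", src, e, sorted(denied_ports)))
            elif e["kind"] == "ids_alert":
                category = "targeted attack" if scanning else "ids alert"
                incidents.append(make_incident(category, src, e, e["detail"]))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def summarize(incidents):
    """Reporting: incident counts per severity level."""
    counts = defaultdict(int)
    for i in incidents:
        counts[i["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = correlate(normalize(FIREWALL_LOG, IDS_LOG))
    for i in found:
        print(f"{i['severity']:>8}  {i['category']:<16} {i['src']} -> {i['dst']}  {i['evidence']}")
    print(summarize(found))
```

On the constructed input, the six denied ports from 10.1.1.5 become a single "port scan" incident, and the IDS alert that follows from the same address against the same host is escalated to a critical "targeted attack" rather than being reported as one more alert; the isolated ping sweep from 10.9.9.9 against a low-value host stays low. The point of the weighting table is that the same IDS signature rates differently depending on whether it touches a system that holds financial reporting data, which is the link between security events and the controls an auditor asks about.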
• Connect knowledge about events to containment and remediation efforts
• Connect SIM data to improvements in security policy, security architecture, and technology configurations
• Facilitate development of guidelines and processes for handling alerts and security incidents across the enterprise
• Establish repeatable processes so that results can be quantified, progress can be measured, and impact on overall business imperatives can be analyzed
Just as organizations require accounting systems that create transparency and auditability while eliminating error-prone manual processes, they must create similar environments to automate information security.