
What is the single most challenging Sarbanes-Oxley issue today?

Rajat Bhargava

I see two primary challenges. The first is extracting technical requirements from non-technical regulation and the second is synchronization of departments.

Some companies have tried to address the first challenge, extracting technical requirements from a broad, non-technical regulation, by mapping corporate policy to an industry standard such as BS7799/ISO17799. This is a good first step but it leaves open a huge gap between "soft" policy requirements and the procedures required to mitigate an organization's identified risk. Policies are not testable, but procedures and standards are. "Is it testable?" has quickly become the rallying cry of auditors and Internal Audit teams (IA) who are responsible for tracking an organization's progress with regulatory compliance.

The second major challenge relates to organizational structure. There needs to be synchronization between the creator of the policy (HR or Legal), the creator of the standard (Information Security), the creator of the procedure (Engineering and Operations), and the IA team (who often undergoes reorganization during the compliance process). A decentralized network security group only adds another layer of communication challenges to the mix. The majority of organizations still maintain decentralized network security, as evidenced by a recent StillSecure survey which found that only 34 percent of respondents have a centralized, dedicated security group. 66 percent of respondents still have some form of decentralized security.

Both of these challenges address "gaps" in regulatory implementation: gaps between policy and procedure, and gaps in communication. The first step in addressing these gaps is to institute an executive project sponsor (VP-level or above) to prioritize/enforce policies and procedures, and ensure consistent communication across the enterprise. Sarbanes-Oxley is a unique case because the lack of details means each organization has the ability to customize policies and procedures before committing to them. Because of this, it's best to appoint an executive with a security background who is armed to understand the security limitations of disparate systems. The CEO/CFO should not be the project sponsor, but he/she needs to keep in mind that ongoing regulatory compliance efforts are a significant drain on resources throughout the organization. The CEO/CFO needs to empower the sponsor, and step back during project implementation.

Rajat Bhargava is responsible for defining StillSecure's vision and strategy as well as executing on that vision. He is also Chairman and co-founder of Quova, a provider of Internet infrastructure intelligence services.

Prior to Quova, Mr. Bhargava was co-founder of Interliant, a provider of managed application hosting, messaging, Web hosting, enhanced Internet and professional consulting services. Mr. Bhargava was also co-founder and a board member of Service Metrics, a provider of applications and services that accurately monitor and measure mission-critical Internet operations to empower customers to make informed Web-site decisions. Service Metrics was acquired by Exodus Communications in November 1999.

Mr. Bhargava was also co-founder, Chairman, President and CEO of NetGenesis (NASDAQ: SPSS), which provides enterprises the clearest possible picture of online customers, revealing behavior patterns critical to e-business success.

Mr. Bhargava is a graduate of MIT, with a degree in Electrical Engineering and Computer Science.


© 2019 Simplex Knowledge Company. All Rights Reserved.