August 01, 2004
—
CSO
—
Q: I am a security executive with a security vendor. When I asked customers if they routinely perform vulnerability scans, they mentioned that the reports were too long and not effective. The "ignorance is bliss" attitude seems to pervade security management. I tell customers that Sarbanes-Oxley makes them liable for vulnerabilities, but they do not believe it, or do not seem to care. Can you offer me any advice?

A: I would suggest that you work with your customers to understand their overall control approaches and which key controls they are relying on to mitigate their security risks. If a customer is required to comply with Sarbanes-Oxley, it should have started this process, and will have documented and tested its controls. The company's auditors will then review and test the adequacy of the controls. You may be able to help the company automate its controls, using your tools to assist with better risk mitigation.

Q: What is the extent to which information security risk assessment (as opposed to compliance testing) needs to be incorporated into controls evaluation as a part of Sarbanes-Oxley certification? Is it sufficient if an organization identifies appropriate controls and frequency of testing, and conducts controls assessment in order to ensure their adequacy? Or is an organization required to perform a risk assessment, taking into consideration impact due to adverse events and the likelihood of such events taking place? Are there any guidelines on the granularity of assessments and methodologies (qualitative versus quantitative), depending on factors such as inherent risk?

A: The Sarbanes-Oxley Act requires that companies perform a risk assessment on their internal controls over financial reporting. To the extent that it is necessary to protect the integrity of financial information, a risk assessment on information security should be performed. Numerous factors such as inherent risk should be considered, and you should involve your auditor in these discussions to ensure that you are performing the appropriate amount of work.

Q: Do you have to retain electronic records such as e-mail, voicemail and call detail records? If so, for how long?

A: Record retention is a hot topic because of Sarbanes-Oxley, but there have always been laws and regulations regarding retention of e-mails and other communications. A recent study by Osterman Research indicated that fewer than 50 percent of companies kept critical e-mails. You should speak with your attorneys to understand how to apply the laws to your specific situation.

Q: Are there