How to Learn to Love Sarbanes-Oxley

Embracing new Sarbanes-Oxley requirements can provide benefits to your security program and your business.

By David Bowser, Information Systems Security Manager, Kennametal

December 01, 2005 | CSO

Like most of you, I approached Sarbanes-Oxley compliance last year with a certain trepidation. Within many companies, there's always resistance to change and fear of the unknown, and SOX fits both bills. Even in my own department, employees were a little apprehensive of what they perceived would be extra paperwork, more time required for approval, just more time to do everything. Outside the company, we worried about the auditors. Not because we worried we'd done something wrong; we simply didn't know what they were looking for.

Despite our concerns, we survived year one of SOX compliance relatively unscathed. And here's the best news: Contrary to popular opinion (that the addition of controls will inevitably slow you down), I see a strong correlation between efficiency and good controls. That's right, for all the fretting over regulation, SOX compliance could be a good thing for information security.

Anyway, now it's year two, and we're applying what we've learned from the first go-round to make this year less stressful and more productive. Here's what we've learned.

1. Refine your documentation.

The biggest lesson we learned from year one was that documenting controls that are not crucial leads to an unnecessarily arduous audit process. To paraphrase a line from the movie Field of Dreams: "If you document it, they will audit it." Don't try to impress the auditors with how many controls you have. They don't want to see that. They want to focus in depth on critical controls rather than in breadth on every single control. Don't get academic and try to match up point-for-point with one of the IT control reference frameworks. You'll kill yourself trying to document all those controls, and the auditors will be forced to consider all those controls as key to your business (and audit all of them).

Let's be clear: I'm not saying you should arbitrarily reduce the number of controls; that's not smart. And I'm not saying to discount those control frameworks. A lot of experience went into their development, and if you ignore the critical parts of those frameworks, the auditors will know. All I'm saying is to focus your documentation on the controls that are critical to your business, and then the auditors will follow your lead and zero in on what's important.

Figuring out which controls are key, I admit, is a learning process. We went to independent third-party auditors for advice. I also happen to be an auditor, so I understand control environments. That helped. Tap people with experience from inside and outside your organization to determine the key controls.
