In Depth

How to Learn to Love Sarbanes-Oxley

Embracing new Sarbanes-Oxley requirements can provide benefits to your security program and your business.

By David Bowser, Information Systems Security Manager, Kennametal

December 01, 2005, CSO

Like most of you, I approached Sarbanes-Oxley compliance last year with a certain trepidation. Within many companies, there's always resistance to change and fear of the unknown, and SOX fits both bills. Even in my own department, employees were a little apprehensive of what they perceived would be extra paperwork, more time required for approval, just more time to do everything. Outside the company, we worried about the auditors. Not because we worried we'd done something wrong; we simply didn't know what they were looking for.

Despite our concerns, we survived year one of SOX compliance relatively unscathed. And here's the best news: Contrary to popular opinion (that the addition of controls will inevitably slow you down), I see a strong correlation between efficiency and good controls. That's right, for all the fretting over regulation, SOX compliance could be a good thing for information security.

Anyway, now it's year two, and we're applying what we've learned from the first go-round to make this year less stressful and more productive. Here's what we've learned.

1 Refine your documentation.

The biggest lesson we learned from year one was that documenting controls that are not crucial leads to an unnecessarily arduous audit process. To paraphrase a line from the movie Field of Dreams, "If you document it, they will audit it." Don't try to impress the auditors with how many controls you have. They don't want to see that. They want to focus in depth on critical controls rather than in breadth on every single control. Don't get academic and try to match up point-for-point with one of the IT control reference frameworks. You'll kill yourself trying to document all those controls, and the auditors will be forced to consider all those controls as key to your business (and audit all of them).

Let's be clear: I'm not saying you should arbitrarily reduce the number of controls; that's not smart. And I'm not saying to discount those control frameworks. A lot of experience went into their development, and if you ignore the critical parts of those frameworks, the auditors will know. All I'm saying is to focus your documentation on the controls that are critical to your business, and then the auditors will follow your lead and zero in on what's important.

Figuring out which controls are key, I admit, is a learning process. We went to independent third-party auditors for advice. I also happen to be an auditor, so I understand control environments. That helped. Tap people with experience from inside and outside your organization to determine the key controls.
