In Depth

How to Learn to Love Sarbanes-Oxley

Embracing new Sarbanes-Oxley requirements can provide benefits to your security program and your business.

By David Bowser, Information Systems Security Manager, Kennametal

2 Centralization is simplification.

A smart thing we did was to centralize security administration. Say you have six business systems in six places, and a control on each of those business systems is user ID and password administration. If you haven't centralized security administration, then that's six different controls for the auditors to check. Centralize administration, document the control once, and it applies everywhere, as long as it's processed in a single way by a single set of people (we found that this was especially important to the auditors). Suddenly, you've made your audit less painful and you've drastically reduced your total number of controls, thereby creating business efficiency. In year two, we'll extend this by simply applying centralized administration to any new business systems that enter our scope.

3 To deal with acquisitions, bring down the hammer.

Audits take a snapshot, but your business is a motion picture. It continues to change even after the auditors give you the thumbs up. So just when you thought you had everything in place, you realize that the scope of compliance has changed. Like many companies, we have grown by acquisition during the past year. In our case, the acquired companies had been privately held and had no previous experience with SOX. To deal with this, our approach is to extend our SOX model to the acquired company.

Be firm and consistent, and it will work. They've got very little reason to dislike it and we've got plenty of reasons to do it, number one being keeping our controls centralized and streamlined so audits go more smoothly. For example, one company had a business system that supported complex passwords—one of our controls—but in their system it wasn't turned on. We persisted in having it turned on, and in the end we have a better overall control because of it.

4 Tie SOX success to paychecks.

We use a performance planning and management process here, wherein we set performance objectives for each employee and meet throughout the year to check progress on them. How employees are doing can contribute to their paychecks. So it was relatively easy for me to include SOX-related activities in performance objectives. For example, I have an analyst in my department, and one of her duties is to perform certain periodic SOX analyses as documented in our IT general controls. Now those duties are part of her performance plan. So if those analyses don't happen, or they're late, incomplete or inaccurate, she knows it's part of her job evaluation throughout the year.
