In Depth
How to Learn to Love Sarbanes-Oxley
Embracing new Sarbanes-Oxley requirements can provide benefits to your security program and your business.
By David Bowser, Information Systems Security Manager, Kennametal
By doing this, you not only keep your staff compliance-motivated but you'll also avoid questions from the auditors, who would frown upon late or incomplete documentation. The first thing they'd say is, "You committed to semiannual analysis, but we see no evidence to support that you did that."
5. Keep in touch with auditors and peers.
Yes, we're starting year two of SOX compliance, but in a way the process is ongoing. We've tried to keep the relationship with the auditors going. If they're in town, we'll go to lunch and tell them about our progress. We ask them what they're seeing out in the field and what trends we should be aware of. I also like to pick the brains of other people. I'll ask peers about their experiences. It doesn't take long to do, and you can learn really useful things by just asking.
6. Accept and absorb the up-front costs.
Looking at it now, I think the cost of SOX compliance is front-loaded. A huge amount had to happen in year one, and it required a significant investment. But the opinion here, especially within risk management, audit and security, is that if we discount any dollars spent, we really believe SOX has improved the way we handle important issues like change control, security and operations.
But what about the expense, right? Even if it improved the company, was it worth it? I think that over time we'll find it was well worth it. Some companies are trying to spend less up front, just making sure they're compliant; they try to spread the expense out over time. Others are willing to make the required commitments sooner rather than later. We were the latter. We really wanted to be outstanding, so we made the investment in year one. And I think, going into year two, the cost curve will be dramatically different for managing IT controls.
7. Enjoy the efficiencies you create.
In fact, I believe the efficiencies SOX helps us create will easily justify the cost we've put into SOX compliance. I see a strong correlation between efficiencies and SOX. It's helping us run lean. It's forcing us to review our processes and take out the waste. So, will we be SOX compliant? Yes, we believe so. We'll also be far more efficient and effective, and, while technically that's an ancillary benefit to SOX compliance, it's the kind of benefit that I want to put front and center with our management.