How to Learn to Love Sarbanes-Oxley
Embracing new Sarbanes-Oxley requirements can provide benefits to your security program and your business.
By David Bowser, Information Systems Security Manager, Kennametal
December 01, 2005 — CSO —
Like most of you, I approached Sarbanes-Oxley compliance last year with a certain trepidation. Within many companies there is always resistance to change and fear of the unknown, and SOX fit both bills. Even in my own department, employees were a little apprehensive about what they perceived would be extra paperwork, more time required for approvals, more time to do everything. Outside the company, we worried about the auditors: not because we thought we had done something wrong, but because we simply didn't know what they were looking for.
Despite our concerns, we survived year one of SOX compliance relatively unscathed. And here's the best news: Contrary to popular opinion—that the addition of controls will inevitably slow you down—I see a strong correlation between efficiency and good controls. That's right, for all the fretting over regulation, SOX compliance could be a good thing for information security.
Anyway, now it's year two, and we're applying what we've learned from the first go-round to make this year less stressful and more productive. Here's what we've learned.
1 Refine your documentation.
The biggest lesson we learned from year one was that documenting controls that are not crucial leads to an unnecessarily arduous audit process. To paraphrase a line from the movie Field of Dreams: "If you document it, they will audit it." Don't try to impress the auditors with how many controls you have. They don't want to see that. They want to focus in depth on critical controls rather than in breadth on every single control. Don't get academic and try to match up point for point with one of the IT control reference frameworks. You'll kill yourself trying to document all those controls, and the auditors will be forced to treat every one of them as key to your business (and audit all of them).
Let's be clear: I'm not saying you should arbitrarily reduce the number of controls—that's not smart. And I'm not saying to discount those control frameworks. A lot of experience went into their development, and if you ignore the critical parts of those frameworks, the auditors will know. All I'm saying is to focus your documentation on the controls that are critical to your business, and then the auditors will follow your lead and zero in on what's important.
Figuring out which controls are key, I admit, is a learning process. We went to independent third-party auditors for advice. I also happen to be an auditor, so I understand control environments. That helped. Tap people with experience from inside and outside your organization to determine the key controls.