Like it or not, compliance has become a key concern for IT managers, not only because it influences business processes as a whole, but also because of added pressure from the executive board. After all, it’s at board level where the imperative is felt most strongly. Increasingly, regulations are being established that require companies to provide evidence that they can protect the privacy, and ensure the secure access and integrity, of their confidential information resources.
Compliance is not just about process management and documentation of financial operations but also about demanding action in terms of implementing solutions. IT security has become an important part of meeting these new demands placed on businesses, and significant time and money is being spent on security technology, tools, and resources to ensure compliance.
But how do companies find an IT security solution that offers the most proven, unified security architecture, both for protecting information and complying with these increasing regulations?
Unravelling SOX
The regulation that has caught the most attention in current years is the Sarbanes-Oxley Act of 2002 (SOX). SOX was enacted to protect shareholders and the public in the face of several high-profile financial scandals. The act mandated a number of reforms to enhance corporate responsibility, improve the integrity of financial disclosures, and combat corporate and accounting fraud.
SOX consists of several sections designed to improve the quality and integrity of financial reporting. The section that most closely affects IT functions is section 404 of the act, “Management Assessment of Internal Controls.” This requires that a corporation annually report the following:
- Management’s responsibility to establish and maintain adequate internal control over financial reporting
- The framework used as criteria for evaluating the effectiveness of the company’s internal control over financial reporting
- Management’s assessment of the effectiveness of internal company control over financial reporting and disclosure of any material weaknesses
Section 404 also requires that external auditors certify the accuracy of these statements, which have been signed by the CEO and CFO of the company.
About internal controls
An internal control for SOX is a process that provides reasonable assurance that financial reporting, and preparation of financial statements for external processes are in accordance with Generally Accepted Accounting Principles (GAAP). Controls include recording of transactions, maintenance of transaction records, and acquisition, use, or disposition of assets that could be considered “material” to reporting.
Specific controls directly affect these actions. General or “pervasive” controls impose generic rules applicable to all actions. Pervasive controls include controls over IT security—general functions and controls that are not specific to financial reporting but act as a control to ensure the integrity of information.
COSO framework
The United States Securities and Exchange Commission (SEC) states that a suitable and recognized framework, having been established through public due process, must be used to evaluate internal controls. It points out that COSO Internal Control—Integrated Framework is one framework that meets the criteria.
COSO, a voluntary private sector organization that aims to improve quality of financial reporting through effective corporate governance, identifies five essential components of effective internal control. It has been argued that an organization should have IT control competency in all COSO components.
- Control Environment creates the foundation for effective internal control, establishes the “tone at the top,” and represents the apex of the corporate governance structure. The issues raised in the control environment component apply throughout an organization.
- Risk Assessment involves the identification and analysis by management of relevant risks to achieving predetermined objectives, which form the basis for determining control activities.
- Control Activities are the policies, procedures, and practices that ensure business objectives are achieved and risk mitigation strategies are carried out. Control activities are developed to specifically address each control objective to mitigate the risks identified.
- Information and Communication is needed at all levels of an organization to run the business and achieve its control objectives.
- Monitoring assesses the quality of the internal control performance over time. It covers the oversight of internal control by management through continuous and point-in-time assessment.
IT and IT Security play a vital part in establishing internal controls to meet SOX requirements. However, neither SOX nor COSO provide any insight into how a company should establish internal controls with IT security.
The Control Objectives for IT (COBIT) is one framework that is used in conjunction with COSO. COBIT is an IT governance model that provides both company and activity-level objectives along with associated controls. Using COBIT, an organization can design a system of IT controls to comply with SOX. But, as none of the frameworks or documents discussed offer guaranteed methodologies toward SOX compliance, how can you be sure you’re working toward the right goal?
Here is a how-to guide companies can use to interpret demands and ensure they meet regulatory compliance using the COBIT Objectives. This can be achieved by deploying the right security solutions in the right areas.
Identity Management—COBIT suggests that all users should be uniquely identifiable. User identities and access rights should be maintained in a central repository.
Cost-effective technical and procedural measures should be deployed and kept current to establish user identification, to implement authentication, and to enforce access rights.
Therefore, it is important that an IT solution includes access control. It should also allow for the creation of granular access and authorization rules, and enforce access policies at the perimeter and on the internal network. This also ensures that companies make security-related technology resistant to tampering.
User Account Management—A set of user account management procedures are advised to address requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges, as well as performing regular management reviews of all accounts and related privileges.
Certain management tools allow administrators to create policies, including the mapping and assignment of groups (of users and endpoints) to resources. Solutions can also be configured to provide inline, real-time password policy validations for password length or alphanumeric requirements.
Security Testing, Surveillance and Monitoring—Proactively testing and monitoring the IT security implementation is considered to be very important according to COBIT. A logging and monitoring function will enable the early prevention or detection and subsequent timely reporting of unusual or abnormal activities that may need to be addressed.
Any solution should update, monitor, and report system events and activity, enabling enterprises to gain a holistic view of their security and network activity trends. The consistent presentation of data across the enterprise enables more effective data collection, analysis, and response.
Security Incident Definition—It is advised that companies should clearly define and communicate the characteristics of potential security incidents so that they can be properly classified and treated by the incident and problem management process.
It is important to choose a solution that provides comprehensive support for the identification, handling, and reporting of security incidents. It is possible to analyze log data in real time to identify significant threats across the network, as well as preset software to generate alerts to take appropriate action to mitigate the detected threat.
Malicious Software Prevention, Detection, and Correction—COBIT argues that putting preventive, detection, and corrective measures in place (especially up-to-date security patches and virus control) across the organization protects information systems and technology from malware.
Finding a solution that includes integrated, high-performance anti-virus technology to detect and eliminate viruses and other related malware from endpoint PCs will help to combat this. Virus detection is based on a combination of signatures, behaviour blockers, and heuristic analysis that together enable your network environment to attain one of the industry’s highest detection rates.
Network Security—Security techniques and related management procedures are suggested, e.g. firewalls, security appliances, network segmentation or intrusion detection, to authorize access and control information flow to and from networks.
Companies should attempt to find a solution that administrators can centrally manage, approve, view network topology, and verify all external network connections and changes to the firewall configuration.
Exchange of Sensitive Data—It is vital to only exchange sensitive data over a trusted path or medium with controls to provide authenticity of context, proof of submission, proof of receipt, and non-repudiation of origin.
Solutions that deliver a high level of data security by providing strong, full-disk encryption for PCs and laptops as well as access control are certainly the best for this objective. They are able to ensure the secure exchange of sensitive data by ensuring the integrity and authenticity of data.
Certain sensors also offer inline detection and alerting on defined data structures such as personal identification numbers, personal health information or files marked as confidential.
Performance Assessment—It is advised by COBIT to periodically review performance against targets, to analyze the cause of any deviations, and initiate remedial action to address the underlying causes. COBIT also suggests that companies should develop senior management reports on IT’s contribution to the business and solicit feedback from management reviews. Following these steps, organizations can identify and initiate remedial actions based on performance monitoring, assessment, and reporting.
It is wise to find a solution to help with this so the company can get a holistic view of their security and network-activity trends. The consistent presentation of data across the enterprise enables more effective data collection, analysis, and response.
Time to comply
SOX section 404 provides a turning point for most IT organizations in their efforts to develop and document the IT security controls and processes needed to support financial reporting. Protecting the integrity of information and controlling access to resources are not only essential elements for the preservation of a company but are also requirements for compliance.
The right security solutions can be leveraged to help fulfil many specific COBIT Control Objectives that will form the foundation for compliance with requirements set forth in SOX Section 404. And with these solutions in place, you and your executive board can rest a little easier, assured that you have a compliant, robust infrastructure, from the perimeter to the endpoint.