This article can also be found in the Premium Editorial Download "Information Security magazine: Closing the gap: How to decide when (and if) to patch vulnerabilities."
Download it now to read this article plus other related content.
It's widely held that the Sarbanes-Oxley Act will be the two-by-four that gets upper management to pay serious attention to infosecurity. It requires that chief executives of publicly traded companies personally attest to the validity of their financials. As a security manager, you will likely be charged with figuring out the details of how to assure compliance.
Although Sarbanes-Oxley doesn't specifically address security, SOX Section 404 of the law does imply the need for strong security. It requires companies to certify their internal controls of financial data in an annual report to the Securities and Exchange Commission.
"Now, C-level executives are certifying their internal controls, which in part relates to security," says Gary Saidman, an attorney specializing in infosecurity matters at Atlanta-based law firm Kilpatrick Stockton.
It would be hard for your CEO to say the books are accurate unless the systems holding the financial information are secure. In other words, your company needs security mechanisms to prevent an attacker from covertly breaking into a database containing sales figures and changing numbers.
A CEO who signs off on his company's internal controls can find himself in hot water, for example, if it's subsequently revealed that corporate systems were accessed by a former employee whose user account still works.
The goal of Sarbanes-Oxley is ensuring that companies' accounting is correct. Any security incidents will be viewed in the light of how they affect the integrity of the books.
"Executives would be wrong if they think Sarbanes-Oxley is like any other regulation," says Saidman. "The potential penalties range from a hand slap to a fine to jail time if criminal intent can be proved."
So, the CEO wants you to figure out what the company needs to protect its financial assets. Your best source of information is probably the accounting firm that does your audits, says Saidman. That's because those accountants, along with the CEO, are required to certify a company's filings.
In addition to working closely with your auditors, Saidman says, a thorough security review of all systems that house financial data is essential. Strong authentication, authorization and access controls are critical, he adds.
It's not enough to look at servers. You should also examine the security of the network connections going in and out of them, including measures like encrypting transmissions.
"There are times from a legal prospective, it's important to look like you are doing something but it's not the case here," Saidman says. "This is one situation you want to make sure there aren't any problems."
This was first published in February 2004