
	Home > Ask the Security Experts > Questions & Answers > Examples of Sarbanes-Oxley violations

Ask The Security Expert: Questions & Answers

EMAIL THIS

Examples of Sarbanes-Oxley violations

EXPERT RESPONSE FROM: Ben Wright

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 23 February 2004
The Sarbanes-Oxley legislation is difficult to understand since the language is so vague. In your opinion, what would a typical violation look like? How are companies going to be prosecuted for violations and lack of security?

Digg This!

StumbleUpon

Del.icio.us

RELATED RESOURCES

	2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
	Search Bitpipe.com for the latest white papers and business webcasts
	Whatis.com, the online computer dictionary

Sarbanes-Oxley contains many features, but there are two that stand out from an IT security perspective.

First, Sections 302(a)(4) and 404 require a public company and its top officers to make disclosures and certifications to the Securities and Exchange Commission regarding the company's system of internal controls. Internal controls cover an enormous range of methods and procedures that an organization employs to ensure it is using resources as intended, preventing fraud, protecting assets from damage and waste and so on. Among those methods and procedures are IT security techniques to thwart hackers, viruses, criminals and other pests that might abuse the organization's IT infrastructure (degrade its performance, use it to steal money, transform it into a clandestine spam mill, etc.). One way a violation might occur would be for the company, the CEO and the CFO to disclose to the SEC essentially "we have been diligent and thorough in pursing control and security over our IT resources," when in fact the company was handling IT security and control in a slipshod way. Evidence of slipshoddiness would typically not be any single problem or event, but rather be a series of shortcomings that add up to indicate poor performance. For example, such a series of shortcomings might include

A history of Trojan break-ins that caused leakage of high-profile company trade secrets.
A spate of incidents in which hackers hijacked company servers to launch distributed denial of service attacks.
Lack of documentation showing that upper management had regularly reviewed and supported the company's IT security apparatus.
Failure to hire competent IT security staff or to provide resources commensurate with the challenges of safeguarding the company's infrastructure.

For Ben's complete response, click here.

None of Mr. Wright's statements on SearchSecurity.com are legal advice for any particular situation. If you need legal advice, you should consult a lawyer.

For more resources on this topic, visit these SearchSecurity.com resources:

Information Security magazine: Security at the CEO's doorstep

Best Web Links: Law, public policy and standards

Ask the Expert: Defining "internal controls" under Sarbanes-Oxley

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy