SOX reality check: Compliance management products

by Richard Mackey

About Compliance School In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations' ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all you can attend any of the following on-demand lessons when it's most convenient for you: Ensuring compliance across the extended enterprise Compliance improvement: Get better as you go forward   Gauging your SOX progress   SOX compliance basics: Taking Action    Understanding compliance-related technology

Sarbanes-Oxley compliance is a major undertaking. It requires the understanding of requirements by people across departments, the coordination of employees and auditors from a variety of technical and business departments, and painstaking tracking of compliance status. SOX compliance also requires accurate documentation and tracking of a wide array of technical, business and legal aspects of the enterprise. Despite the all-encompassing nature of SOX, some vendors claim their single tool can do it all. Let's take a look at what these products can and can't do for you.

What they can't do
While SOX compliance tools can do a lot, they simply can't make your company compliant. Most of the "compliance tools" are aimed at organizing information, communicating, and helping you assess and visualize your state. While important to the effort, no one would confuse this with compliance itself. SOX compliance is about the effectiveness (and proof of effectiveness) of your business and technical controls that relate to finance. Clearly this goes far beyond security and encompasses more than IT.

What they can do
That said, there are useful tools that can help you through the compliance process. There are tools to help assess compliance state, document audit results, communicate goals and status, and coordinate compliance efforts. That's just the start. In the compliance management space, there are two classes of products, those specifically designed to help companies meet SOX goals and those that provide more generic communication and project management functions that can be, and often are, applied to SOX management efforts.

Compliance tools range from portals, like the SOX Portal in Protiviti's SOX suite, that aid in communications, to document management tools like Certus' 404 and 302 products, to Hyperion's Compliance Management Dashboard that present a graphical display.

Compliance tools: The real deal By Diana Kelley, Burton Group Analyst Compliance tools purport to present a snapshot of a company's current state of compliance with a variety of different regulations. Keep in mind, however, that much of the legislation pertains to appropriate risk management and business controls; not to prescriptive security settings on systems. The lack of prescription means that companies must perform risk analysis and create their own prescriptive guidance. Reading through the actual requirements is a great place to start. Commonly-accepted control frameworks, such as COSO, CobiT, ISO 17799 and ITIL, can also be referenced as a starting point from which the key stakeholders -- executives, auditors, IT administrative staff and any other employees involved in the compliance process -- can obtain guidance and insight. If your enterprise is planning to use a vendor-supplied template for compliance reporting, ask the vendor how the compliance policies were created and how easy it is to customize them. Because regulations aren't prescriptive, most vendors use one of the control frameworks mentioned above as a baseline for the compliance templates. They may even augment the template with information from lawyers, auditors and customers. These templates can be a great guide, but don't rely on them out of the box, even if the template is quite detailed and based on an accepted framework. It will need additional tuning from your IT and security staff. Bottom line: proceed with caution. If the tuning work isn't done upfront, dashboards can quickly become "garbage in/garbage out."

All these products can help organizations prepare for external audits and can integrate with audit products to facilitate self-assessment. For example, Certus' suite provides a framework that works with Microsoft's Office Suite for easy integration with existing enterprise tools. In addition, Certus provides role-based security to help to ensure only appropriate people get access to the sensitive data collected and managed in the SOX compliance effort.

Many companies, Microsoft among them, turn to more generic portal and office automation products like Microsoft Sharepoint, Microsoft Office and Microsoft Project to be the centerpieces of their SOX communications and documentation efforts. SharePoint is often used to communicate project goals, meeting schedules, status and documentation across a widely dispersed project group. While not structured specifically with SOX in mind, these generic tools help many organizations achieve compliance.

The rest is up to you
While all these tools can play an important role in helping to organize your compliance effort, the heavy lifting is still left to you. You still need to measure your risk, configure your systems, document your policies, educate your users and administrators, and measure your compliance.

Compliance is a multifaceted problem that simply can't be addressed by one or even a whole set of tools. After all, compliance is about maintaining the integrity of your financials. This is accomplished by applying business and technical controls where they are needed for your business. Technical checks and balances, like change control, provisioning workflow and access control, log review, and vulnerability management, need to be applied alongside business controls to provide assurance that no one can attempt to perpetrate fraud without one or more of these controls detecting or preventing it.

>>Return to Compliance School

BROWSE BY TAG Security Audit, Compliance and Standards,   Sarbanes-Oxley Act,   Compliance School,   Understanding SOX compliance-related technology,   SOX compliance,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

<< PREVIOUS | NEXT >>

VIEW ALL IN THIS CATEGORY

RELATED CONTENT Sarbanes-Oxley Act SOX compliance burdens midmarket security teams Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management Information security book excerpts and reviews Internal audits for Sarbanes Oxley and internal IT support Internal auditors and CISOs mitigate similar risks Implement security and compliance in a risk management context Does password sharing in international branches violate SOX? Consensus Controls project aims to set benchmarks for compliance Security visualization helps make log files work The Little Black Book of Computer Security, 2nd Edition Sarbanes-Oxley Act Research Understanding SOX compliance-related technology Security visualization helps make log files work SOX reality check: Provisioning systems SOX reality check: Policy tools Information Security Policies, Procedures and Guidelines Health Net breach failure of security policy, technology How to protect distributed information flows Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary