This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
Download it now to read this article plus other related content.
by Amy Rogers Nazarov
Sarbanes-Oxley Act helped put information security on the map.
Specifically, section 404--which refers to the im-plementation of "controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles"--has pushed countless information security professionals at thousands of publicly traded companies to consider how to deploy security practices in the service of accurate financial data. It also gave them new clout.
"SOX was a major driver at putting IT security on the map," says Constantine Photopoulos, a partner in The SOX Group, a New York-based consulting firm.
"Business knew that IT was important, but the relationship between the controls in IT and business processes became more apparent," says Sean Ballington, systems and process assurance leader, PricewaterhouseCoopers.
| instant messages--and the steps one company is taking to demonstrate the "reasonable effort" SOX requires.
"We intend to reduce [IM] issues by using Micro-soft Live Communications Server 2005 and federating with MSN, Yahoo and AOL," says Jonathan Wynn, manager of advanced technology and collaborative services at Del Monte Foods' Pittsburgh site. "We're blocking clients so traffic is going through LCS."
SOX also requires that companies assess the effectiveness of their controls, then use an outside auditor to attest to the veracity of that assessment. That role is morphing, observers say.
This was first published in January 2008