Ping: Chrisan Herrod

Chrisan Herrod

This article can also be found in the Premium Editorial Download: Information Security magazine: Betting the house on network anomaly detection systems.

The Securities and Exchange Commission may call the shots on SOX, but it can take the bullet like everyone else. Just ask CSO Chrisan Herrod. She's responsible for making sure the agency complies with many of the same standards it enforces. Like any security professional, she has her own war stories, like a recent Government Accountability Office (GAO) report that took SEC to task for not implementing effective electronic access controls.

It must be difficult when another agency scrutinizes your compliance controls. [GAO] published a scathing report citing SEC's lack of material controls, but it could never prove there was any financial control problem stemming from a lack of information security controls. In my view, if you have sound controls and sound record keeping, you're taking reasonable steps to comply even if a technological control hasn't been implemented.

What is SEC's overall security posture? SEC uses a combination of technology, process and management controls to ensure that we are in compliance with the Federal Information Security Management Act [FISMA]. We have a very good track record with respect to our perimeter security and defense-in-depth strategy. And, we're working to improve our internal technology controls, which are at the heart of [the GAO findings].

Do you think there needs to be a law that fuses together the common requirements of SOX, HIPAA, GLBA and others? We shouldn't expect one overreaching set of regulatory guidelines, but there could be a more centralized, simplified auditing approach. Instead of forcing people to work off several different auditing reports for several different regulations, one auditing report could account for the common requirements and work for everyone.

Whose responsibility is it to make that happen? The government and auditing industry could get together to work on this. The easiest, best solution would be for Tom Davis' [R-Va., chairman, House Committee on Government Reform] committee to take a hard look at these regulations, especially those for publicly traded companies that are already heavily regulated. The committee has the power to streamline the process, but it hasn't happened yet. It should, because the overhead is killing us.

For the full text of this interview, visit www.searchsecurity.com/ismag

This was first published in July 2005