SOX Appeal
by Amy Rogers Nazarov
Sarbanes-Oxley Act helped put information security on the map.
The Sarbanes-Oxley Act of 2002 (SOX), enacted in the wake of the accounting fraud that made Enron, WorldCom and others synonyms for financial scandal, wrought a profound change in the way businesses secure their enterprises.
Specifically, section 404--which refers to the im-plementation of "controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles"--has pushed countless information security professionals at thousands of publicly traded companies to consider how to deploy security practices in the service of accurate financial data. It also gave them new clout.
"SOX was a major driver at putting IT security on the map," says Constantine Photopoulos, a partner in The SOX Group, a New York-based consulting firm.
"Business knew that IT was important, but the relationship between the controls in IT and business processes became more apparent," says Sean Ballington, systems and process assurance leader, PricewaterhouseCoopers.
MISSION: CONTROL
Consider one of those business/IT links--the requirement to archive relevant instant messages--and the steps one company is taking to demonstrate the "reasonable effort" SOX requires.
"We intend to reduce [IM] issues by using Micro-soft Live Communications Server 2005 and federating with MSN, Yahoo and AOL," says Jonathan Wynn, manager of advanced technology and collaborative services at Del Monte Foods' Pittsburgh site. "We're blocking clients so traffic is going through LCS."
SOX also requires that companies assess the effectiveness of their controls, then use an outside auditor to attest to the veracity of that assessment. That role is morphing, observers say.
|
