'Typical' SOX violations

By Ben Wright, independent computer security attorney
06 Oct 2004 | SearchSecurity.com


Sarbanes-Oxley contains many provisions, but two stand out from an IT security perspective.

First, Sections 302(a)(4) and 404 require a public company and its top officers to make disclosures and certifications to the Securities and Exchange Commission regarding the company's system of internal controls. Under Section 302(a)(4) the signing officers (typically the CEO and CFO) certify that they are responsible for establishing and maintaining those controls and have evaluated their effectiveness; under Section 404 management must report on, and assess the effectiveness of, the company's internal control over financial reporting.

Internal controls cover an enormous range of methods and procedures that an organization employs to ensure it is using resources as intended, preventing fraud, protecting assets from damage and waste, and so on. Among those methods and procedures are IT security techniques to thwart hackers, viruses, criminals and other pests that might abuse the organization's IT infrastructure (degrade its performance, use it to steal money, transform it into a clandestine spam mill, etc.).

One way a violation might occur would be for the company, the CEO and the CFO to disclose to the SEC, in essence, "we have been diligent and thorough in pursuing control and security over our IT resources," when in fact the company was handling IT security and control in a slipshod way. Evidence of such slipshod handling would typically not be any single problem or event, but rather a series of shortcomings that add up to indicate poor performance. Such a series of shortcomings might include:

  • A history of Trojan-horse intrusions that caused leakage of high-profile company trade secrets.
  • A spate of incidents in which attackers hijacked company servers to launch distributed denial-of-service attacks.
  • Lack of documentation showing that upper management had regularly reviewed and supported the company's IT security apparatus.
  • Failure to hire competent IT security staff, or to provide resources commensurate with the challenge of safeguarding the company's infrastructure.

Note: None of Mr. Wright's statements on SearchSecurity.com are legal advice for any particular situation. If you need legal advice, you should consult a lawyer.
