Defining adequate security controls

Since the U.S. government's adoption of the Sarbanes-Oxley Act, security practitioners have been asking themselves what it means to "establish and maintain adequate internal controls over financial reporting.*" The confusion lies in the IT interpretation of the word "adequate" and the resultant phase "adequate IT security controls." We have seen plenty of examples in the press of companies whose security controls have been no where near adequate. No one would argue that the loss of Social Security numbers, credit card numbers and other personal information indicates inadequate security controls. But what constitutes adequate?

Congressional lawyers and SEC regulators choose their words carefully. They chose 'adequate' over and above all other words, knowing the implications for the IT shops charged with implementing sufficient authentication and access controls that support effective internal control over financial reporting. Needless to say, what is possible to do with today's product suites will change tomorrow. Defining a particular technology as sufficient would have been unwise. This leads us to see the obvious value of the regulators' use of the term adequate controls or -- stated another way -- a requirement to provide controls that are equal to (or up to the challenge of) maintaining the internal access control policy for allowing end-user access, while at the same time preventing the internal or external hackers from finding their way in to IT resources.

SOX Security School Learn how to comply with the evolving demands of the Sarbanes-Oxley Act in our free and on-demand SOX Security School.

So what are adequate security controls? Adequate controls place full responsibility to an individual end-user for any entry to or change in a single data field impacting a financial statement or report at any level in the organization, from the store room to the board room. Having controls only sufficient to assign responsibility to "someone … I don't know who … in the accounting department" is not in any way adequate control. Adequate controls provide access only to specific, appropriate end-users and give the IT staff the ability to audit for wrongdoing, collusion and errors. If your controls are unable to do either of these, then they are not adequate and your organization is not SOX compliant.

Another reason for the regulators' use of a changeless term over ever-changing technology is that it allows for automatically raising the compliance requirements when advances in technology solutions become available. One thing that can be counted on -- even in the absence of technological advances -- is the proliferation of hacking tools, and the increase in the threat and capabilities of determined hackers over time. Yes, that is right, auditable compliance with externally imposed control requirements will become a moving target for every company. The same could be said for HIPAA or state-imposed criteria for privacy protection. Compliancy efforts need to be revisited often. The word maintain in the phase "establish and maintain*" is not a suggestion.

The only way to successfully meet the compliance criteria is to set the bar for authentication and access controls as high as the technologies and products available today allow. Once you have a control structure implemented, then have in place a scheme for constant vigilance for anything that will change the compliance landscape and to constantly test the success of your control structure long before any of the compliance auditors visit.

* terms and phrases taken from SEC regulatory documentation on sec.gov.

About the author Dennis C. Brewer is the author of Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication and Access published by Wiley, released Oct. 10, 2005, and available from Amazon.com, BarnesandNoble.com or your local book store. His resume includes a BSBA degree from Michigan Technological University, Novell Network Engineer Certification, and over a dozen years as an information technology specialist with the State of Michigan. He retired from his position as an IT security solutions specialist in January of 2006 from the State of Michigan, Department of Information Technology, Office of Enterprise Security and is now operating his own IT consulting practice in Laurium, Michigan.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Compliance recycling: Combining compliance efforts to manage PCI DSS Web 2.0 and e-discovery: Risks and countermeasures Learn from NIST: Best practices in security program management Best practices for application-level firewall selection and deployment The 'security standards dilemma': Network segmentation and PCI Compliance Penetration testing: Helping your compliance efforts Worst practices: Recognizing the biggest compliance mistakes E-discovery management: How IT should interact with the legal team E-discovery management: How IT should interact with the legal team Incident response success in five quick steps Sarbanes-Oxley Act Information security book excerpts and reviews RSA attendees see data classification, rights management projects stumble Hannaford breach illustrates dangerous compliance mentality PCI compliance drives identity management spending, says IBM's GRC chief How to conduct an efficient and thorough employee access review. IBM to boost security spending, push PCI DSS program What types of software can help a company perform a security risk assessment? Industry group uses awareness month to lobby for data breach laws Code Green pitches data protection for SMBs Report: Companies still stumped by PCI DSS Sarbanes-Oxley Act Research HIPAA Walter Reed admits breach of patient information Companies still monitoring email manually, survey finds The road to compliance Hannaford breach illustrates dangerous compliance mentality Is it against HIPAA regulations to permanently store sensitive information? How to conduct an efficient and thorough employee access review. Is it against HIPAA regulations to display client names? Will an off-site employee exit procedure violate HIPAA regulations? Is it a violation of HIPAA to collect consumer Social Security numbers? IBM to boost security spending, push PCI DSS program HIPAA Research RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.