Defining adequate security controls

Since the U.S. government's adoption of the Sarbanes-Oxley Act, security practitioners have been asking themselves what it means to "establish and maintain adequate internal controls over financial reporting.*" The confusion lies in the IT interpretation of the word "adequate" and the resultant phase "adequate IT security controls." We have seen plenty of examples in the press of companies whose security controls have been no where near adequate. No one would argue that the loss of Social Security numbers, credit card numbers and other personal information indicates inadequate security controls. But what constitutes adequate?

Congressional lawyers and SEC regulators choose their words carefully. They chose 'adequate' over and above all other words, knowing the implications for the IT shops charged with implementing sufficient authentication and access controls that support effective internal control over financial reporting. Needless to say, what is possible to do with today's product suites will change tomorrow. Defining a particular technology as sufficient would have been unwise. This leads us to see the obvious value of the regulators' use of the term adequate controls or -- stated another way -- a requirement to provide controls that are equal to (or up to the challenge of) maintaining the internal access control policy for allowing end-user access, while at the same time preventing the internal or external hackers from finding their way in to IT resources.

SOX Security School Learn how to comply with the evolving demands of the Sarbanes-Oxley Act in our free and on-demand SOX Security School.

So what are adequate security controls? Adequate controls place full responsibility to an individual end-user for any entry to or change in a single data field impacting a financial statement or report at any level in the organization, from the store room to the board room. Having controls only sufficient to assign responsibility to "someone … I don't know who … in the accounting department" is not in any way adequate control. Adequate controls provide access only to specific, appropriate end-users and give the IT staff the ability to audit for wrongdoing, collusion and errors. If your controls are unable to do either of these, then they are not adequate and your organization is not SOX compliant.

Another reason for the regulators' use of a changeless term over ever-changing technology is that it allows for automatically raising the compliance requirements when advances in technology solutions become available. One thing that can be counted on -- even in the absence of technological advances -- is the proliferation of hacking tools, and the increase in the threat and capabilities of determined hackers over time. Yes, that is right, auditable compliance with externally imposed control requirements will become a moving target for every company. The same could be said for HIPAA or state-imposed criteria for privacy protection. Compliancy efforts need to be revisited often. The word maintain in the phase "establish and maintain*" is not a suggestion.

The only way to successfully meet the compliance criteria is to set the bar for authentication and access controls as high as the technologies and products available today allow. Once you have a control structure implemented, then have in place a scheme for constant vigilance for anything that will change the compliance landscape and to constantly test the success of your control structure long before any of the compliance auditors visit.

* terms and phrases taken from SEC regulatory documentation on sec.gov.

About the author Dennis C. Brewer is the author of Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication and Access published by Wiley, released Oct. 10, 2005, and available from Amazon.com, BarnesandNoble.com or your local book store. His resume includes a BSBA degree from Michigan Technological University, Novell Network Engineer Certification, and over a dozen years as an information technology specialist with the State of Michigan. He retired from his position as an IT security solutions specialist in January of 2006 from the State of Michigan, Department of Information Technology, Office of Enterprise Security and is now operating his own IT consulting practice in Laurium, Michigan.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Compliance Counselor,   Security Audit, Compliance and Standards,   Sarbanes-Oxley Act,   HIPAA,   ID and access management,   Compliance,   Process improvement,   Sarbanes-Oxley Act,   Infosec-Related Regs,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    << PREVIOUS | NEXT >>: CSO INTERVIEW: Regulatory pain is a two-way street VIEW ALL IN THIS CATEGORY RELATED CONTENT Compliance Counselor Identity lifecycle management for security and compliance Interpreting 'risk' in the Massachusetts data protection law FTC Red Flags Rules: How to create an identity theft prevention plan Creating a HIPAA employee training program Data protection tips for corporate compliance leaders PCI DSS compliance requirements: Ensuring data integrity Understanding PCI DSS compliance requirements for log management Are 'strong authentication' methods strong enough for compliance? Strategies for using technology to enable automated compliance Common PCI questions: Web application firewalls or source code review? Sarbanes-Oxley Act SOX compliance burdens midmarket security teams Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management Information security book excerpts and reviews Internal audits for Sarbanes Oxley and internal IT support Internal auditors and CISOs mitigate similar risks Implement security and compliance in a risk management context Does password sharing in international branches violate SOX? Consensus Controls project aims to set benchmarks for compliance Security visualization helps make log files work The Little Black Book of Computer Security, 2nd Edition Sarbanes-Oxley Act Research HIPAA Cost of security, IT management add up at healthcare facilities, study finds Healthcare security spending remains sluggish, report shows Creating a HIPAA employee training program FTC extends breach notification to Web-based health repositories Are there guidelines to create a HIPAA-compliant data center? HHS HIPAA guidance on encryption requirements and data destruction Writing a patient identifier policy to prevent common HIPAA violations HIPAA compliance: New regulations change the game HIPAA compliance manual: Training, audit and requirement checklist Key elements of a HIPAA compliance checklist HIPAA Research RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.