The real deal with Sarbanes-Oxley: Perspectives for the security manager
By Randy V. Sabett, CISSP
If you are a security manager or other security professional, you have more than likely heard of the Sarbanes-Oxley Act of 2002 (SOX). But many people know only that SOX may carry an implied security requirement, without understanding where that requirement comes from. In this discussion, we look below the surface and examine how SOX applies to the work done by the security manager.
SOX was signed into law on July 30, 2002, to hold the chief executive officers and chief financial officers of public companies accountable for their certifications of their companies' financial reports. Those individuals can face criminal penalties if the certifications are untrue. SOX also established the Public Company Accounting Oversight Board (PCAOB). The PCAOB, whose members are appointed and overseen by the Securities and Exchange Commission (SEC), can investigate audits of public companies and the firms that perform those audits. As a result of its investigations, the PCAOB may impose sanctions on firms or individuals for violations of securities laws and regulations.
Application to security managers
From the perspective of a security manager, SOX creates a potential need for additional information security and compliance planning. Specifically, Section 404 (Management Assessment of Internal Controls) directs the SEC to prescribe rules requiring a company to include an internal control report in its annual report. That internal control report must state management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. It must also contain an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of that internal control structure and those procedures.
While the nexus between information security and internal controls is fairly straightforward, the language of the law is somewhat ambiguous. Complicating matters, as of this writing the PCAOB has not yet issued final standards for how the controls under Section 404 must be tested or against what criteria. Notwithstanding the lack of guidance, some insight can be gained from the PCAOB Proposed Auditing Standard On Audit Documentation And Proposed Amendment To Interim Auditing Standards (PCAOB Release No. 2003-023) (the "Proposed Standard").
According to Section 4 of the Proposed Standard, audit documentation typically consists of any number of documents, which may be in paper or electronic form. Furthermore, according to Section 5, the documentation must contain sufficient information to allow an auditor "to (a.) understand the nature, timing, extent, and results of the procedures performed, evidence obtained, and conclusions reached, and (b.) to determine who performed the work and the date such work was completed as well as the person who reviewed the work and the date of such review." Finally, Sections 13 through 17 of the Proposed Standard address retention of the documentation and subsequent changes to it.
Since the Proposed Standard acknowledges that most business documentation is in electronic form, information security controls are one necessary component of an adequate internal control that meets the requirements of Section 5. Without confidentiality, authentication, data integrity, availability, non-repudiation and the other information security services, an organization cannot reliably show who performed or reviewed a given piece of work and when, nor that the documentation has not been altered since, and those requirements become difficult to meet.
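To make the integrity point concrete, the following is an added example (not code from the original article or from the PCAOB) of a tamper-evident log for audit documentation. Each entry records the four facts Section 5(b) of the Proposed Standard asks for (who performed the work and when, who reviewed it and when), entries are chained by SHA-256 so that a later alteration of an earlier entry is detectable, and each entry carries an HMAC under a key held by the log server. Two caveats a practitioner should note: an HMAC proves integrity and origin only to whoever holds the shared key, so true non-repudiation toward an outside auditor would require an asymmetric digital signature instead; and a hash chain by itself does not detect deletion of the most recent entries, which is why the verifier also accepts an externally anchored head hash. All names, dates and procedure descriptions below are constructed sample data; `append_entry`, `verify_log` and `demo` are hypothetical helper names chosen for this example.

```python
"""Tamper-evident audit-documentation log (constructed example, stdlib only)."""
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor used by the first entry


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so hashes are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(log: List[dict], key: bytes, *, procedure: str, performed_by: str,
                 performed_on: str, reviewed_by: str, reviewed_on: str) -> dict:
    """Append one documentation record, chained to the previous entry and MACed."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS_HASH
    body = {
        "seq": len(log),
        "procedure": procedure,
        "performed_by": performed_by,   # Section 5(b): who did the work
        "performed_on": performed_on,   # ... and when it was completed
        "reviewed_by": reviewed_by,     # ... who reviewed it
        "reviewed_on": reviewed_on,     # ... and when
        "prev_hash": prev_hash,
    }
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    mac = hmac.new(key, entry_hash.encode("ascii"), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash, mac=mac)
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes,
               expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of first bad entry).

    If expected_head (the last entry hash, recorded out of band, e.g. given to the
    auditor) is supplied, truncation of the log is reported as index len(log).
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "mac")}
        if body.get("seq") != i or body.get("prev_hash") != prev_hash:
            return False, i
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, str(entry.get("entry_hash", ""))):
            return False, i
        expected_mac = hmac.new(key, expected_hash.encode("ascii"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, str(entry.get("mac", ""))):
            return False, i
        prev_hash = expected_hash
    if expected_head is not None:
        actual_head = log[-1]["entry_hash"] if log else GENESIS_HASH
        if not hmac.compare_digest(actual_head, expected_head):
            return False, len(log)  # entries are missing after the last one present
    return True, None


def demo() -> dict:
    """Run the verifier over a clean log and three tampering scenarios."""
    key = b"constructed-demo-key-not-for-production"
    log: List[dict] = []
    append_entry(log, key, procedure="Reconcile Q4 accounts-receivable subledger to GL",
                 performed_by="a.preparer", performed_on="2004-02-10",
                 reviewed_by="b.reviewer", reviewed_on="2004-02-12")
    head = append_entry(log, key, procedure="Walk through journal-entry approval control",
                        performed_by="a.preparer", performed_on="2004-02-11",
                        reviewed_by="c.manager", reviewed_on="2004-02-13")["entry_hash"]
    results = {"clean": verify_log(log, key, head)}

    # 1. A review date is quietly changed after the fact: entry hash no longer matches.
    tampered = copy.deepcopy(log)
    tampered[0]["reviewed_on"] = "2004-02-11"
    results["edit"] = verify_log(tampered, key, head)

    # 2. The editor also recomputes the entry hash but lacks the key: MAC fails.
    tampered = copy.deepcopy(log)
    tampered[0]["reviewed_on"] = "2004-02-11"
    body = {k: v for k, v in tampered[0].items() if k not in ("entry_hash", "mac")}
    tampered[0]["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    results["edit_rehash"] = verify_log(tampered, key, head)

    # 3. The newest entry is deleted: the chain alone cannot tell, the anchor can.
    truncated = copy.deepcopy(log[:-1])
    results["truncate_no_anchor"] = verify_log(truncated, key)
    results["truncate_anchored"] = verify_log(truncated, key, head)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:20s} -> {outcome}")
```

Scenario 3 is the one most often overlooked: because every entry only commits to its predecessor, dropping entries from the end leaves a perfectly valid chain, so the head hash has to be recorded somewhere the log's operator cannot silently rewrite, for example in the documentation handed to the auditor at the end of each period.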
Since no specific guidance exists (yet) regarding information security under SOX, security managers must use their professional judgment in deciding how to implement a compliant information security program. A number of organizations, however, have produced documents or checklists that give guidance on SOX compliance. Not all of these documents are security-related, but many offer general guidance that would be useful to a security manager. A few of these include COSO, CobiT and ISO 17799, along with publications from ISACA and the AICPA.
- COSO (Committee of Sponsoring Organizations of the Treadway Commission) -- In 2003, COSO released an Enterprise Risk Management (ERM) Framework for public comment, which provides guidance on enterprise risk management for organizations of all kinds. Most importantly, COSO recognizes that enterprise risk management is a process: it is "not one event or circumstance, but a series of actions that permeate an entity's activities." The Framework also identifies the inter-relationships between enterprise risk management and internal control. A draft of the Framework can be accessed at www.erm.coso.org.
- CobiT (Control Objectives for Information and related Technology) -- The IT Governance Institute and the Information Systems Audit and Control Association (ISACA) jointly published a resource that would be useful to security managers seeking to comply with SOX. The guidelines, known as CobiT, provide a governance model for IT operations. Further information on CobiT can be found at www.isaca.org/cobit.htm.
- ISO 17799 -- A third source of good information on information security that would be useful for SOX compliance is the ISO 17799 standard. ISO 17799 provides a framework for implementing an information security program. The framework defines a variety of security controls and outlines a risk management approach, but it does not prescribe a particular means of implementation. A number of good resources exist detailing ISO 17799. The standard itself can be purchased from ISO at http://www.iso.ch/iso/en/prods-services/ISOstore/store.html.
- General SOX Guidance -- In addition to CobiT, ISACA provides a set of IT Control Objectives for SOX at http://www.isaca.org/. Similarly, the American Institute of Certified Public Accountants (AICPA) provides a set of links to guidance and tools for SOX implementation at http://www.aicpa.org/sarbanes/index.asp. Finally, the AICPA Store offers a publication entitled Internal Control Reporting -- Implementing Sarbanes-Oxley Section 404, available at http://www.cpa2biz.com.
According to Section 3 of SOX, a violation of SOX, or of any rule or regulation promulgated under it, is to be treated "in the same manner as a violation of the Securities Exchange Act of 1934." Consequently, an enforcement action related to information security would look much like any other SEC enforcement action: the SEC would file a complaint alleging a violation, the matter would be adjudicated in federal court, and the court would issue a ruling.
In the area of information security, such an allegation would most likely arise from an erroneous or fraudulent financial report, where the error or fraud was possible because of inadequate information security controls. Such a situation could be characterized as a violation of Section 404's requirement that the internal control report contain "an assessment…of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."
The bottom line
SOX may carry an implied information security requirement, which means security managers are at least partially responsible for helping their organizations come into compliance. The good news is that the deadlines for SOX Section 404 compliance have recently been extended, to Nov. 15, 2004 for accelerated filers (originally June 15, 2004) and to July 15, 2005 for non-accelerated filers, and that several resources are at your disposal to assist in your compliance efforts.
About the author
Randy V. Sabett, J.D., CISSP, is an attorney in the Information Security and Cybercrime practice group at Cooley Godward LLP in Reston, VA and Co-Vice Chair of the ABA Information Security Committee. A frequent speaker and author, Randy teaches Information Policy at George Washington University. He is a patent attorney and also spent several years as a crypto engineer in the government and private industry.
23 Mar 2004