SOX reality check: Policy tools

This article provides an overview of policy sets and audit tools, and teaches you how to use standards as a guide for developing policies.

by Richard Mackey


By now most organizations are past the mad rush to understand Sarbanes-Oxley requirements and establish critical security policies. However, over time, SOX requirements are becoming more demanding. Auditors are looking for more maturity in the policies and practices they evaluate. Companies need to take the initiative and look critically at their own policies to determine their effectiveness. Policy sets and self-assessment/audit tools can help organizations improve their policies and continuously understand how their practices measure up.

Using standards to build and assess policies
COBIT is a good place to start for IT-related SOX policies. ISACA's introduction to COBIT provides the following description of its Control Objectives: "COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls." These control objectives serve as the basis of many organizations' SOX goals, so it is a good idea to periodically look at the standard to determine whether your original mapping of goals to policies is still valid. If, on the other hand, your policies came from another source, using COBIT as a cross check can be a valuable exercise.

ISACA provides access to the full COBIT standard including the Control Objectives, Audit Guidelines and materials to help implement COBIT in the enterprise. While useful, COBIT's Control Objectives aren't directly and universally applicable to SOX, so you'll have to look closely at each control objective in the SOX context, but many will be appropriate. Rather than specify policies directly, COBIT control objectives refer somewhat broadly to policies that the standard requires. By assembling the list of policies referred to by COBIT and understanding why the policy must exist, policy authors can determine if their policies achieve the stated goals.

A clearer mapping of security requirements to policies can be found in ISO17799. This standard describes what topics need to be included in an overall security policy and describes their implications. Section 5 of ISO17799, entitled Security Policy, describes the structure of the policy document, its relationship to other policies, the need for its periodic review and the need for it to be a living document.

One of the strengths of the ISO standard is that it provides a wealth of information about the need for and content of a security policy. Consequently, it's a great resource for organizations drafting or checking on the completeness and appropriateness of their policies for SOX compliance.

Policies in business context
One of the key aspects of policy writing is crafting policies that are not only technically correct but applicable to your business. In other words, all your policies must be appropriate to an organization of your size, in your market, with your employees and your technology. When drafting policy, or even determining whether your organization complies with a given policy, you need to consider whether the policies recommended by COBIT and ISO17799 make sense in your context. For example, in larger organizations, a long chain of approvals across multiple departments may be appropriate for account creation and changes to access controls. In smaller organizations, the close-knit nature of the company may give the account creation process enough transparency that simple notification suffices.

The secret to effective policy writing is to go back to first principles and consider why the policy exists. Policy authors should remind themselves of two rules: policies need to be appropriate to the business, and they are living documents. The most effective policy documents are those that capture not only the statement but the intent. Furthermore, to stay effective, policies must be reviewed regularly and changed to reflect changes in the business and organization.

Policy enforcement: The real deal

By Diana Kelley, Burton Group Analyst

Advertisements for policy compliance reporting tools can look pretty tempting. Vendors claim that with a click of a button security policy adherence can be displayed in a variety of color coded graphs. And there is little doubt that automating policy reporting and enforcement increases efficiency. But the reality is, audit and policy reporting isn't simple. Policy tools only report on what they have been configured and have the capacity to check.

Let's say a corporation has a policy that passwords must be longer than eight characters. The staff runs a policy reporting tool that works on Unix and Windows systems. No account passwords on these systems are flagged as out of policy, and the internal compliance managers believe the correct policies are being enforced. When the external auditors show up at the end of the year, however, a material weakness is found with account passwords on a critical custom-coded Windows-based application and legacy applications on AS/400s. D'oh!

Policy validation and enforcement tools can lead to a dangerous false sense of security if the systems and targets they are reporting on are not well defined and understood. A tool that can't report on password settings on the AS/400 is still useful as long as the enterprise understands that an alternate reporting method needs to be employed for out-of-scope systems.

So before you get enticed by those pretty graphs, make sure you understand what is going on underneath the rainbow of colors.
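As an added example (not part of either author's text), here is a small Python check that applies the sidebar's two lessons: treat systems the tool cannot reach as "not assessed" rather than silently compliant, and judge findings against the written policy rather than against whatever threshold the tool happened to be configured with. Host names, platforms, thresholds and findings are constructed sample data.

```python
# Constructed sample asset inventory (not from the article): platform per host.
INVENTORY = {
    "fin-db-01": "windows",
    "hr-app-02": "unix",
    "ledger-legacy": "as400",        # AS/400 legacy system the tool has no check for
    "custom-pay-app": "custom-app",  # custom-coded Windows app with its own user store
}

# Platforms the (hypothetical) policy reporting tool is able to check.
TOOL_PLATFORMS = {"windows", "unix"}

# Written policy: passwords must be LONGER than eight characters, i.e. at least 9.
POLICY_MIN_LENGTH = 9
# How the tool was actually configured: "at least 8", which has drifted from the policy.
TOOL_MIN_LENGTH = 8

# Constructed tool output: shortest password length observed on each host it could reach.
TOOL_FINDINGS = {"fin-db-01": 8, "hr-app-02": 12}


def tool_verdict(findings, tool_min):
    """What the tool's own dashboard shows: only hosts it reached, judged by its own threshold."""
    return {host: "PASS" if length >= tool_min else "FAIL" for host, length in findings.items()}


def assess(inventory, tool_platforms, findings, policy_min):
    """Per-host status against the WRITTEN policy; unreachable hosts are never counted compliant."""
    report = {}
    for host, platform in inventory.items():
        if platform not in tool_platforms or host not in findings:
            report[host] = "NOT ASSESSED"   # needs an alternate reporting method
        elif findings[host] >= policy_min:
            report[host] = "COMPLIANT"
        else:
            report[host] = "NON-COMPLIANT"
    return report


def config_drift(tool_min, policy_min):
    """True when the tool checks a weaker threshold than the policy states."""
    return tool_min < policy_min


if __name__ == "__main__":
    print("tool dashboard:", tool_verdict(TOOL_FINDINGS, TOOL_MIN_LENGTH))
    print("true picture:  ", assess(INVENTORY, TOOL_PLATFORMS, TOOL_FINDINGS, POLICY_MIN_LENGTH))
    print("tool threshold weaker than policy:", config_drift(TOOL_MIN_LENGTH, POLICY_MIN_LENGTH))
```

The dashboard shows two green hosts; the inventory-driven report shows one noncompliant host and two that were never checked at all.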

Policy toolkits
If even ISO17799 seems like it's too indirect a route to a security policy, there are policy templates that you can buy. The ISO17799 Toolkit includes such a template. The policy documents included in the template state the policy and provide background information that supports the policy. If your organization needs to build policies from the ground up or wants to restructure its policies, a toolkit like this might be helpful.

If your policies are written and largely complete, but not organized effectively enough to support a SOX audit, PolicyTechnologies International builds software that helps organize documents according to the sections of Sarbanes-Oxley. PolicyTechnologies' Policy & Procedure Manager is designed to help assign and sort documents by the relevant Sarbanes-Oxley regulation. The idea behind this kind of product is that it can speed audits and ensure that the organization has the policy and procedure coverage it needs to pass an audit.

Self assessment tools

Another critical part of SOX compliance is measuring your own compliance. Self-assessment is a time-consuming process, and when added to the compliance effort and the external audit, it can seem daunting. Unfortunately, without periodic self-assessments, you increase the risk that you will fail an audit. Since assessments should be performed multiple times per year, finding tools that help make the process more efficient and consistent can be a real boon.

SecureInfo's ComplianceAuthority product allows organizations to perform comprehensive self-assessments for demonstrating compliance with multiple regulations. It's designed to help companies map regulatory requirements to accepted industry standards and practices, create a sustainable test, validation and management process, and maintain sustainable preparation for information security audits. The product includes a library of example policies, recommendations, tests and validation scenarios that are organized according to the regulations to which they apply. ComplianceAuthority supports not only SOX but others like HIPAA and Gramm-Leach-Bliley as well.

As a self-assessment product with built-in business processes and guidance, ComplianceAuthority ensures consistent results that can be measured over time. ComplianceAuthority certifiably meets all Common Criteria standards and is used extensively within financial services, manufacturing and other entities to lower the costs of compliance.

Protiviti's Self-Assessor™ is a tool that allows organizations to conveniently and consistently assess their own compliance while documenting and tracking their results. Protiviti's Discoveri™ supports risk intelligence management and data analysis. Audit Partner, also part of the suite, helps to automate internal SOX audits and includes workflow for communication and signoff.

The existence of a complete, up-to-date and effective security policy is an important part of any SOX audit. It is only prudent to incorporate reliable sources of policy guidance, automated policy tools and policy-based assessment mechanisms into your SOX compliance methodology.


This was last published in February 2006
