The Securities and Exchange Commission may call the shots on SOX, but it can take the bullet like everyone else. Just ask CSO Chrisan Herrod. She's responsible for making sure the agency complies with many of the same standards it enforces. Like any security professional, she has her own war stories, like a recent Government Accountability Office (GAO) report that took SEC to task for not implementing effective electronic access controls.
It must be difficult when another agency scrutinizes your compliance controls.
[GAO] published a scathing report citing SEC's lack of material controls, but it could never prove there was any financial control problem stemming from a lack of information security controls. In my view, if you have sound controls and sound record keeping, you're taking reasonable steps to comply even if a technological control hasn't been implemented.

What is SEC's overall security posture?
SEC uses a combination of technology, process and management controls to ensure that we are in compliance with the Federal Information Security Management Act [FISMA]. We have a very good track record with respect to our perimeter security and defense-in-depth strategy. And we're working to improve our internal technology controls, which are at the heart of [the GAO findings].

Do you think there needs to be a law that fuses together the common requirements of SOX, HIPAA, GLBA and others?
We shouldn't expect one overreaching set of regulatory guidelines, but there could be a more centralized, simplified auditing approach. Instead of forcing people to work off several different auditing reports for several different regulations, one auditing report could account for the common requirements and work for everyone.

Whose responsibility is it to make that happen?
The government and auditing industry could get together to work on this. The easiest, best solution would be for Tom Davis' [R-Va., chairman, House Committee on Government Reform] committee to take a hard look at these regulations, especially those for publicly traded companies that are already heavily regulated. The committee has the power to streamline the process, but it hasn't happened yet. It should, because the overhead is killing us.
For the full text of this interview, visit www.searchsecurity.com/ismag