
A decade later: SOX program management best practices

After 11 years of Sarbanes-Oxley and other mandates, enterprises have finally embraced holistic compliance program management as a best practice.

To begin, let's first take a brief look back: In 2002, a country shocked by the financial scandals involving Enron and Arthur Andersen reacted by passing sweeping legislation designed to prevent the recurrence of widespread financial reporting fraud that distorts information investors rely upon.


This legislation, which became law as the Sarbanes-Oxley Act of 2002 (SOX), outlined strict controls that publicly traded companies must follow to ensure the accuracy of their financial reports, and made chief executive officers and chief financial officers personally responsible for the accuracy of those statements.

Many information security professionals paid little attention to Sarbanes-Oxley at first, thinking that it was purely a problem for accountants. Their minds were quickly changed, however, when auditors pointed out the provisions of SOX Section 404, which required that independent auditors perform an assessment of the company's internal controls designed to ensure the integrity of the data used to generate financial reports. They quickly realized that these provisions meant that auditors would, sometimes for the first time, be carefully evaluating the appropriateness and correctness of information security controls. SOX became a significant burden for companies of all sizes, but disproportionately affected smaller businesses, which were suddenly expected to meet the same level of scrutiny as Fortune 500 companies.

Over the past decade, much change has taken place in both the IT and the regulatory compliance worlds. On the technology front, enterprises have embraced cloud computing, virtualization and BYOD strategies. From a regulatory perspective, SOX has been joined by HIPAA, the PCI Data Security Standard and the rest of the compliance alphabet soup. We've learned a lot over the past decade, and these changes have altered how information security teams think about not only SOX compliance, but also their entire set of compliance responsibilities.

SOX program management: A holistic view

Perhaps the biggest change for those who manage SOX compliance is that most organizations have moved from a fire-fighting IT compliance approach to a more holistic view of compliance that embraces a risk-based approach to all of their compliance obligations. Instead of figuring out how to pass the next audit or meet the next disclosure deadline, enterprises can now take a step back and identify how their security controls reduce risk to the organization. Upon identifying the set of controls appropriate for its business needs, an organization can then turn to the various compliance regimes affecting its industry and map those controls to its compliance obligations. Sure, there will be gaps to fill in any compliance program, but this holistic, programmatic approach allows us to think about risk and security first, and make compliance a secondary objective.

This holistic view of compliance has proven especially helpful when firms face new technology trends. When virtualization, BYOD and the cloud came on the scene, nobody modified the SOX rules to specifically address these technologies. However, firms that approached compliance from a holistic, risk-based perspective were able to adapt their existing control philosophy to accommodate (or restrict) the use of these new technologies while remaining compliant. In other words, this approach makes the compliance program a business enabler, not an inhibitor, when new technology opportunities emerge.

Smaller companies also saw welcome relief over the past few years when the SEC released guidelines that slowly loosened the SOX burden on smaller firms. The most widely applauded announcement came in 2010, when the Dodd-Frank Act amended Section 404 of SOX to specifically exclude companies that don't fit into the categories of "accelerated filers" or "large accelerated filers." While the technical definition of these terms is complex, they essentially mean that companies with market capitalizations below $75 million are exempt.

Systems to the rescue

Governance, Risk and Compliance (GRC) systems represent another transformational element in the world of SOX compliance. These systems assist firms in maintaining their compliance with a wide variety of regulations and include capabilities to document and monitor controls, perform asset management, remediate compliance gaps, perform periodic assessments and generate reporting and dashboards for management. The GRC product market continues to evolve, but many larger firms now embrace GRC as a way to successfully manage a wide variety of compliance obligations.

The second technological advancement related to SOX that has come to the aid of information security professionals is the ability to perform automated policy enforcement. System configuration management tools have grown significantly in capability over the past decade, and most IT shops now take advantage of consistent baseline images and automated policy enforcement mechanisms, such as those offered by Active Directory, to maintain a "continuous compliance" approach that ensures devices connected to the network remain compliant with the organization's security policy at all times.

Overall, the past decade has brought significant relief to organizations required to comply with SOX. Some smaller businesses have seen the need to comply completely eliminated, while others have benefited from the evolution of enterprise compliance toward a holistic, risk-based approach. Finally, the evolution of GRC and automated policy-enforcement technologies has made the challenge of remaining compliant a little less burdensome.

About the author:
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to and serves as its resident expert on network security for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was last published in September 2013
