Sarbanes-Oxley: compliance meets technology.


If the 1990s were the age of the dot-com, then the 2000s can easily be considered the age of compliance. Government legislation like HIPAA, Gramm-Leach-Bliley and the Sarbanes-Oxley Act requires businesses to adhere to strict regulations at the cost of millions of dollars in investment. The Sarbanes-Oxley Act was a reaction to scandals at Enron and WorldCom and addresses timely and honest financial reporting by public companies. And while it is focused on accounting practices and business processes, various technologies play a crucial role in complying with the Act.

Since the establishment of SOX, many solution providers, system integrators, VARs and consultants have been leveraging the compliance issues surrounding it as a selling tool for their various solution and service offerings. Consequently, companies are investing in "gotta have" technologies, similar to the spending spree associated with Y2K. Companies and executives need to realize there is no single solution or "killer app" to solving their SOX compliance issues.

While many IT executives have used SOX's implications as a blank check to purchase untold amounts of technology solutions, they need to guard against this "irrational exuberance". An informed understanding of the Act is vital in avoiding excessive purchasing of technologies and solutions that "solve" SOX compliance concerns.

"The first thing an IT executive has got to do is figure out how to get the most out of what they already have spent," said Lesley Taufer, president of Boulder Corporation, a Colorado system integrator and business consultant. "Then he's got to start building a framework around an existing infrastructure that can accommodate change in the future."

What You Have, Want and Need

Technology is a vital component to any organization in assisting it to comply with the Sarbanes-Oxley Act of 2002.

"IT is part of the solution but it's not driving the solution by itself," said Anders Lofgren, Computer Associates' vice-president of product management for BrightStor. "It's a combination of IT and the business. Within the business you've got people from the financial department, you've got people from the legal department. They need to get together with the people from IT to come up with the right solution for that particular company. Technology just happens to be the best tool to solve some particular aspects of SOX."

The IT Governance Institute addressed this by developing Control Objectives for Information and related Technology (COBIT), the purpose being to set IT control baselines by developing a control objective template. COBIT essentially provides a set of best-practice recommendations for the management of IT processes in a manageable and logical structure. It strives to meet the multiple needs of enterprise management and bridges the gap between business risks, technical issues, control needs and performance measurement requirements.

Regarding an organization's internal framework, COBIT focuses on the SEC's mandated COSO internal control framework, established in 1985 by the National Commission on Fraudulent Financial Reporting. Rather than focusing on any particular technology, COSO addresses business process.

"You need a framework like COBIT COSO and then apply the control objectives that are included in those frameworks," said Louis Carpenito, vice president for InfoSecurity Business Strategy for Symantec. "Organizations need to look at their overall process that's involved in generating their financial statements. You start from the finance side all the way through to all of the things that impact the final outcome of that report. And you identify the applications and the technologies that are involved in that process."

The COSO framework consists of five central components. First is a control environment that establishes the "tone at the top" of the organization. Second is a risk assessment process where you look at things like your software development lifecycle process and your change management process and, most importantly, your infrastructure operations.

The third component is control activities, where you set your policies, procedures and processes to achieve your business objectives and your risk mitigation objectives. The fourth category involves information and communications, which is basically the messaging systems and the movement of information around your network. The fifth and final component is monitoring: basically, the oversight of the internal controls. Monitoring is required to detect unauthorized access, processing of unauthorized transactions, generation of inaccurate reports, and the compromise of IT infrastructure components and system applications.

I've Got My Framework, Now What?

Since we are talking about a framework and architecture, you need to be leery of assertions by solution providers or system integrators claiming they have a SOX-compliant solution.

"There is no solution to Sarbanes-Oxley. What I mean by that is the solution has to cover the end-to-end business problem that you're trying to solve," said Kevin Coleman, a Sarbanes-Oxley strategic advisor for Technolytics. "Storage is one component of it. Document management could be a component of it. Secure identity management could be a component of it, messaging, business process workflow--those are all components that have to be there."

Regardless of what technologies you are looking at to address your organization's compliance issues, you need to take a big picture approach to purchasing any products.

"It is important for customers to think about what their goals are in the future, making sure they're selecting vendors on the basis that they're not going to 10 different vendors to buy 10 different products that don't talk to each other," said Boulder Corporation's Taufer. "At some level, maybe you wouldn't want one single product to meet all those needs, but you would like to cut down the number of vendors or look for vendors that meet a number of needs in the area of data protection."

Where is Your Data?

Based on section 802 of SOX, a company's records relevant to audit and review are required to be maintained for a period of seven years. This puts a tremendous burden on storage. Thus storage of data, documents, schedules and even e-mails is an essential component of your framework. Data Life Cycle Management (DLCM) is key in this process.

"One of the things we're talking about with the DLCM is having a multi-level pool of storage, which is critical to this," said Hu Yoshida, vice president and chief technologist at storage vendor Hitachi Data Systems. "In the first three months you have a high-end, high-availability system. For the next three months, you have a lower class modular storage. And then after that, it can be on a very longtime, low-cost retention-type media where you can go to tape."

This pool of storage needs to be centrally managed and have common functionality across the pool. In order to move data from one pool to another, best practice would be to do it off host. You do not want to use host cycles to do this and you want a common management view so that you have control over this movement and have the ability to audit this movement of data.

A second piece to storage is the need for indexing capabilities to pull up the records that you need, when you need them, and present them. This can be accomplished through Hierarchical Storage Management. HSM software constantly monitors hard disk capacity and moves data from one storage level to the next based on age, category and other criteria, as specified by the network or system administrator. HSM often includes a system for routine backup as well. Finally, you need an auditing function so you can go back and do forensics. If things have been changed, you can tell who changed them.

You will need a layer of security included as well. "In the storage area, up until now, most people have relied on the fact that storage was in a closed environment--but that is no longer true," said Hitachi's Yoshida. "We can no longer depend on it being in that closed environment. You need the authorization, authentication, auditing capability, and you need protection through encryption or hashing and then the immutability. Those are things storage people need to worry about."

Another area of storage just as vital to compliance issues is e-mail. Organizations need an archive engine that manages their document stores. Archiving and retrieval capabilities assist organizations in their efforts to comply with SOX retention laws by enabling companies to fully manage the life cycle of their e-mail and to efficiently separate important historical information from junk mail. You have to have that management facility to ensure that e-mail records are properly disposed of once they pass their set retention period, by deleting corporate records not only from the archive but from the entire organization, to maximize server efficiency.
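To make the retention and audit practices described in this section concrete (the seven-year floor of section 802, the age-based tiers in the Hitachi quote, auditing of data movement, hashing and immutability, and disposal once retention expires), here is an added Python example. It is not code from the article, from Hitachi or from any vendor named here; the tier boundaries, record identifiers, actor name and dates are constructed assumptions, and the audit log is a simple SHA-256 hash chain so that any later edit to a logged entry is detectable on verification.

```python
"""Added example: records retention with age-based tiers and a tamper-evident
audit trail. All tiers, ids, dates and the actor name are constructed."""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import json

RETENTION_YEARS = 7                       # SOX section 802 floor

# (max age in days, tier name); None means "no upper bound". Boundaries are
# assumed from the "three months / next three months / then tape" quote.
TIERS = ((90, "high-end"), (180, "modular"), (None, "tape"))


def tier_for_age(age_days: int) -> str:
    """Tier a record should live on given its age in days."""
    for limit, name in TIERS:
        if limit is None or age_days < limit:
            return name
    raise AssertionError("unreachable: last tier has no limit")


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                    # 29 Feb into a non-leap year
        return d.replace(year=d.year + years, day=28)


def disposal_eligible(created: date, today: date) -> bool:
    """Disposal is allowed only once the retention floor has elapsed."""
    return today >= add_years(created, RETENTION_YEARS)


@dataclass
class AuditLog:
    """Append-only log; each entry's hash covers the previous entry's hash."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, record_id: str, action: str, detail: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"actor": actor, "record": record_id, "action": action,
                "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        """False if any entry was altered or the chain was broken."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class Record:
    record_id: str
    created: date
    content_sha256: str                   # fixity hash taken at ingest
    tier: str = "high-end"


def ingest(record_id: str, created: date, content: bytes, log: AuditLog, actor: str) -> Record:
    rec = Record(record_id, created, hashlib.sha256(content).hexdigest())
    log.append(actor, record_id, "ingest", f"sha256={rec.content_sha256}")
    return rec


def content_unchanged(rec: Record, content: bytes) -> bool:
    """Recompute the fixity hash on retrieval to detect silent modification."""
    return hashlib.sha256(content).hexdigest() == rec.content_sha256


def rebalance(records: list, today: date, log: AuditLog, actor: str) -> list:
    """Move each record to the tier its age calls for; every move is logged."""
    moved = []
    for rec in records:
        want = tier_for_age((today - rec.created).days)
        if want != rec.tier:
            log.append(actor, rec.record_id, "move", f"{rec.tier}->{want}")
            rec.tier, moved = want, moved + [rec.record_id]
    return moved


def dispose_expired(records: list, today: date, log: AuditLog, actor: str) -> list:
    """Return records still under retention; log disposal of the rest."""
    kept = []
    for rec in records:
        if disposal_eligible(rec.created, today):
            log.append(actor, rec.record_id, "dispose", "retention period elapsed")
        else:
            kept.append(rec)
    return kept


def demo() -> dict:
    today, log, actor = date(2004, 9, 1), AuditLog(), "dlcm-service"   # constructed
    records = [ingest("inv-2004-0815", date(2004, 8, 15), b"invoice 0815", log, actor),
               ingest("inv-2004-0501", date(2004, 5, 1), b"invoice 0501", log, actor),
               ingest("je-2003-0101", date(2003, 1, 1), b"journal entry", log, actor),
               ingest("je-1997-0630", date(1997, 6, 30), b"old journal entry", log, actor)]
    moved = rebalance(records, today, log, actor)
    kept = dispose_expired(records, today, log, actor)
    ok_before = log.verify()
    log.entries[1]["actor"] = "someone-else"   # simulate editing history after the fact
    return {"tiers": {r.record_id: r.tier for r in records}, "moved": moved,
            "kept": [r.record_id for r in kept], "unchanged": content_unchanged(records[0], b"invoice 0815"),
            "log_ok_before_tamper": ok_before, "log_ok_after_tamper": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fixity hash answers "has this record changed?", while the hash chain answers "has the history of who moved or disposed of it changed?"; immutability in the quote above is the property that neither check should ever fail.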

Who's Got Access to the Numbers?

The next piece of the technology puzzle that builds compliance for SOX is secure identity management (SIM). All of the people who need information and access to it require a security point through which they pass to reach the right information at the right time. A key solution in addressing this rests in directory services.

"I think directory-enabled applications are going to allow for not only the security piece which is essential, but for the cost reduction element," said Randy Favero, vice president and general manager for Novell. "Being able to write applications to directories will reduce the cost in developing applications. More significantly, it will accelerate time to market and ease of change. It can dramatically reduce the cost associated with bringing somebody on to a system or getting someone off a system."

Much of the cost, time and exposure that goes into access systems and access to financial information relates to who has access. How do you know when you have access? How do you get someone up so they have access to the information they need as fast as possible? Finally, how do you get them off the system to remove that access as fast as possible? Directories can expedite the process while decreasing the cost of accomplishing this.

The other portion that is vital regarding SIM is the ambiguous section 409 relating to real-time reporting. Real-time reporting becomes an aggregation of disparate sets of financial numbers that have to be brought together in a specific view. The information has to be aggregated in such a fashion that those who have responsibility to look and assess that the reporting is accurate can get the right information at the right time. There's got to be a security point through which they travel to get them to the right information at the right time, and SIM, delivered via directory services, can solve that dilemma.

Keeping it All Secure

In order to keep all of your financial reporting from being compromised, there must be stringent security measures to protect the integrity of all of your organization's pecuniary numbers.

You need to have a security plan based on your assessment of your infrastructure. Make sure security requirements for systems are configured appropriately for the level of security or level of risk that you want to eliminate or assume. Make sure people have the appropriate rights and make sure they don't have more rights than they need. Do you have the appropriate level of authentication? Have you implemented appropriate access controls? Passwords need to be changed regularly. In monitoring and managing the account life cycle, ask who can access certain accounts, what access they get, what level of authorization they possess, and whether their rights are taken away when they leave or change jobs.
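An added example, not from the article or from Symantec, of turning the access questions in this paragraph and in the directory discussion above into a repeatable review: a constructed HR roster, directory export and role-to-group baseline are checked for accounts of departed staff that are still enabled, rights beyond the role's baseline, accounts with no HR owner, and passwords past an assumed 90-day rotation policy. All identifiers, roles, groups and dates are constructed.

```python
"""Added example: periodic access review over a directory export.
Roster, accounts, roles and groups are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 90          # assumed rotation policy


@dataclass
class Employee:
    emp_id: str
    role: str
    status: str                     # "active" or "terminated"
    left: Optional[date] = None


@dataclass
class Account:
    user: str
    emp_id: Optional[str]           # None when no HR record claims the account
    groups: frozenset
    pw_changed: date
    enabled: bool = True


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


# Least-privilege baseline: the groups each role is entitled to (constructed).
ROLE_GROUPS = {
    "ap-clerk": frozenset({"ap-entry"}),
    "controller": frozenset({"ap-entry", "ap-approve", "gl-post"}),
    "auditor": frozenset({"gl-read"}),
}


def review_accounts(accounts: list, roster: dict, role_groups: dict, today: date) -> list:
    """Return findings, one per problem, ordered by user name."""
    findings = []
    for acct in sorted(accounts, key=lambda a: a.user):
        emp = roster.get(acct.emp_id)
        if emp is None:
            findings.append(Finding(acct.user, "orphan", "no matching HR record; confirm owner or disable"))
            continue
        if emp.status == "terminated" and acct.enabled:
            findings.append(Finding(acct.user, "deprovision", f"left {emp.left}, account still enabled"))
            continue                # nothing else matters until the account is gone
        excess = acct.groups - role_groups.get(emp.role, frozenset())
        if excess:
            findings.append(Finding(acct.user, "excess-rights", ", ".join(sorted(excess))))
        age = (today - acct.pw_changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(acct.user, "stale-password", f"{age} days since last change"))
    return findings


def demo() -> list:
    today = date(2004, 9, 1)        # reference date, constructed
    roster = {
        "E100": Employee("E100", "ap-clerk", "active"),
        "E200": Employee("E200", "controller", "terminated", left=date(2004, 8, 20)),
        "E300": Employee("E300", "auditor", "active"),
    }
    accounts = [
        # clerk holding approval rights in addition to entry rights
        Account("jdoe", "E100", frozenset({"ap-entry", "ap-approve"}), date(2004, 8, 1)),
        # departed controller whose account was never disabled
        Account("msmith", "E200", frozenset({"ap-entry", "ap-approve", "gl-post"}), date(2004, 3, 1)),
        # auditor with correct rights but an overdue password change
        Account("achen", "E300", frozenset({"gl-read"}), date(2004, 5, 1)),
        # service account nobody in HR owns
        Account("svc-report", None, frozenset({"gl-read"}), date(2003, 1, 1)),
    ]
    return review_accounts(accounts, roster, ROLE_GROUPS, today)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.user:12} {f.issue:15} {f.detail}")
```

Running the review on a schedule, and again whenever HR reports a departure or role change, is what turns the paragraph's questions into evidence an auditor can inspect; the role baseline is the part that needs business sign-off, since the code can only flag deviations from whatever the finance and legal owners agreed is appropriate.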

Make sure you're monitoring security activities and significant transaction activities. Watch for security violations, whether they are malicious or accidental, and make sure these things are reported to management.

To augment your security it's advisable to install an appliance within your systems--and not just on the perimeter. "[A security appliance] has a number of protection mechanisms. I can ratchet and move that protection up a level that I might not be able to do at the perimeters because I might not be able to do business," said Symantec's Carpenito.

By leveraging your organization's current system architecture, planning for future growth, addressing your business processes and evading FUD proponents, you will be able to bring your organization into compliance with the Sarbanes-Oxley Act.

Scott Wyban is vice president of Corporate Communications for Boulder Corporation (Boulder, CO).

www.boulder.com
COPYRIGHT 2004 West World Productions, Inc.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Title Annotation: Business of Technology
Author: Wyban, Scott
Publication: Computer Technology Review
Date: Sep 1, 2004