After Sarbanes-Oxley: IT Compliance Update
The Sarbanes-Oxley Act changed the face of IT security for publicly traded companies. But subsequent security developments and an increased business focus have engaged IT pros in compliance at organizations of all size.
Social and governmental forces have pushed IT compliance to the forefront of business during the past five years. Banks, hospitals and employers are supposed to be trustworthy fortresses of information, but as many people have found out, they sometimes aren’t.
With the passage of the Sarbanes-Oxley Act of 2002, more and more organizations turned their attention to IT compliance to ensure the security of private information. The main catalyst for Sarbanes-Oxley was the financial improprieties of major companies, including Enron, WorldCom and Tyco International. But the act tackles a host of issues related to corporate governance, financial disclosures and accountability of publicly traded companies.
Section 404 specifically relates to IT practices, calling for managers and an external auditor of the company to report on the capabilities of the company’s internal control over financial reporting. By far, it’s the most costly aspect of the legislation for companies to put into operation, as testing and recording important manual and automated financial controls requires enormous effort.
The act marks a total paradigm shift in IT compliance. Before 2002, enforcement of compliance depended on a loose collection of laws and protocols. After passage of Sarbanes-Oxley, one all-encompassing act enforced compliance rigidly. Sarbanes-Oxley was a rock thrown in the IT pond, and ripples can still be seen today.
Signing the bill into law changed many IT professionals’ worlds overnight, and it became clear society was demanding a more secure cyberspace. Starting with the aftermath of Sarbanes-Oxley, the past few years have been busy for IT compliance.
“The first year was pretty rough for everybody. A lot of hours and costs were put into it, but once a plan and a blueprint were laid out there, we felt better,” said Howard Schmidt, security specialist for (ISC)². “We’ve managed to go from the first year, refine it for years two, three and four, and we’re already on to year five now. Things are a lot smoother, companies know what to expect, they know how to make sure they’re compliant and not trying to come back and fix something. Overall, it’s more honed to say, ‘OK, here’s the business need that is somewhat unique, and here’s a mitigating control that can ensure the integrity of it.’”
Bill Slater, an IT security expert with more than 30 years of experience, is a program manager at CSSS.NET. He also remembers the early days of IT life under the newly passed Sarbanes-Oxley Act.
“When you’re doing something like data center management and change management, you see the effects of Sarbanes-Oxley immediately if it’s a publicly traded company,” Slater said.
“Every time a change was submitted, we were under increased scrutiny, like if you were going to submit a change to the infrastructure, let’s say put a server on the network or take a server off the network. There was increased responsibility for the IT professional to have the documentation necessary to say how we would back this out if it was problematic on the infrastructure.”
In the immediate aftermath of the act’s passage, protecting data to prevent a security breach became of utmost importance. Now, whether driven by Sarbanes-Oxley or by increased scrutiny from management, organizations have aimed to integrate business practices with their IT protocols.
Schmidt, a longtime security specialist, former eBay chief security officer and special adviser for cyber security to the White House, said these practices have become much more familiar to IT professionals since the act was implemented.
“As we’ve seen over the years, some of the shift has moved away from hard security technology and become more business related,” Schmidt said.
“Accordingly, our product development folks then put more emphasis on the current environment we live in, which is more business-oriented, as opposed to five or six years ago when it was all about protecting something from outsiders. Now, it’s about how to provide something for outsiders, but do it securely.”
The compliance required by Sarbanes-Oxley is not as daunting now for IT professionals as it was when the bill was first passed. The tasks today are added into the other daily, weekly, monthly and yearly reports and processes the IT pro completes.
“It has been baked in to the day-to-day business process, as all of a sudden you don’t have to pull people from other work to go do this, which you had to do in 2003,” Schmidt said.
“Now it’s just part of the day-to-day thing. When someone does something, they look at it through the lens of how this complies with Sarbanes-Oxley.”
No matter how integrated security is into the overall IT process, breaches still happen, as demonstrated by the well-publicized case of the Department of Veterans Affairs (VA). A VA employee took home a laptop containing the names and Social Security numbers of every veteran discharged since 1975. The laptop was later stolen, a situation unavoidable from a technical standpoint, but not from an employee policy perspective.
The breach was a driving factor in the VA increasing its data security. It hired more security specialists, including Bill Slater. Slater said that the VA isn’t leaving anything to chance after the breach.
“What’s really amazing is, a year later, the VA battened down the hatches so well that we’ve become the gold standard of computer security,” he said. “They’ve really come a long way in educating their employees on computer security and putting stuff into place that will prevent data loss.
“They just recently said they’re not going to have any more floppies, USB drives or external hard drives without special written permission. They’re practically paranoid about data security over here, with good reason. They’re dealing with millions of veterans’ records and Social Security numbers that can’t be compromised again.”
Washington has introduced a host of legislation that broadens the scope of Sarbanes-Oxley and aims to prevent similar incidents. Congress currently is considering the Federal Agency Data Breach Protection Act, the Social Security Number Misuse Prevention Act and the Cyber-Security Enhancement Act, among others.
While none have been signed into law yet, the sheer volume of IT-security legislation demonstrates Washington’s attention to the issue. For Slater, however, his security work with the VA is personal.
“I’m also a veteran, so I have a direct stake in doing my job well because I’m one of the veterans that benefits from me doing my job well,” he said.
“The entire organization was put on notice that [we] will be more vigilant about data, data security privacy protection, and all these education programs got put into place.”
While the VA breach grabbed Washington’s attention, the media coverage raised awareness of IT security that reaches beyond the proposed legislation and into the business world.
While Sarbanes-Oxley mostly affects large publicly traded companies, organizations of all sizes, public and private, are now more alert to situations like the VA breach. And IT professionals have a broader understanding of data protection concepts and are focused on fine-tuning the specific implementations.
“I think of it as different types of fuels in a car,” said Schmidt. “The basic engine and mechanism of the vehicle itself is the same; we’re just now using fuel in there that’s more efficient and causes less pollution.”