Effective security administration, compliance need prudent approach

February 1, 2008

Since the passage of the Sarbanes-Oxley Act in 2002, corporate executives have spent substantial time and money addressing potential security risks and regulatory compliance requirements. The process is quite resource-intensive and involves precious staff time, increased paperwork, and consultants.

Yet the Sarbanes-Oxley legislation is not only publicly popular, it also complements other security and privacy regulatory initiatives that set industry standards, such as the Gramm-Leach-Bliley Act (financial services), the Health Insurance Portability and Accountability Act (HIPAA), and the European Privacy Directives. Moreover, media coverage of identity theft has heightened security concerns about industries that collect private and sensitive data from their customers.

Security demands and compliance costs are likely to increase because computers, laptops, and other electronic media devices can not only enhance productivity but also raise corporate risk. In this environment, true security may seem an ever-receding target that consumes increasing staff and consultants without contributing to an organization's core mission or its bottom line.

Not surprisingly, system tools, processes, and techniques to improve safeguards and compliance have fought for corporate attention in the past few years, promising users swift and accurate information for efficient, appropriate decision-making. As a result of Sarbanes-Oxley, financial controls tend to dominate many current security concerns. The successful, cost-effective approach to security, however, should encompass all areas of enterprise operations, including IT and finance, human resources, purchasing, marketing, operations, plant maintenance, and vendors.

Security software: a long-term approach

Management should consider five components to automated security programs when creating a long-term approach to effective security administration and compliance:

1. Routine, comprehensive security risk assessments: Risk assessments and other security evaluations are the first step in meeting security regulations, determining remediation needs, and setting priorities. Some software systems provide a structure for periodic risk assessments and may include algorithms that generate baseline risk measures automatically. Others are more labor-intensive and require organizational processes for setting risk levels, with the application documenting these determinations.

2. Due diligence documentation: Audit or oversight processes involve reviewing documented policies, procedures, and practices. The best security-management systems include document-management capabilities that bring together available written policies and procedures throughout an organization. Some companies may currently lack sufficient documentation, while for many others written materials may be ample. However, policies and procedures at larger companies, especially those with decentralized operations, can be inconsistent among business units and may be difficult to assemble and assess without an appropriate document-management tool.

3. Management-level reporting: The government and public increasingly place responsibility for organizational failures with senior management. Sarbanes-Oxley explicitly provides for chief executive officer sign-off on the validity of financial reporting, including the security of that information. Therefore, any automated solution needs to provide sufficient reporting for auditors and to assure management that it has the necessary oversight information.

4. Multi-purpose applicability: The building blocks for security programs under the different regulatory structures are all fundamentally the same. Each set of regulations provides a more specific focus on some component of an overall security program. The ideal system provides a comprehensive management solution without the need to purchase new products or hire new consultants for each compliance need or assessment framework, or as new and additional regulations emerge.

5. Ease of implementation across organizational units, including outsourced operations: A firm's business processes can benefit from an application that can roll out to its business units and vendors, such as a Web-based application. In addition, the applications must be easy to use by managers who may have limited security and technology expertise but who are critical to implementing safeguards.

How it works

Much of security compliance is algorithmic. It follows a standard, repeatable pattern: identifying the risks within an organization, specifying the additional safeguards needed (or the risk of not having those safeguards), validating key controls, and then documenting the whole process and its findings. This approach is the same whether an organization is concerned with Sarbanes-Oxley, HIPAA, GLBA, or other standards. The major differences are ones of focus (e.g., finance, customer information).

An effective software program that performs collation and documentation of security activities can provide a security control mechanism and a paper trail that demonstrates to clients the company's compliance with Sarbanes-Oxley and other regulatory requirements.