Finance and Accounting Laws Are Impacting Security
Ken Lay is dead.
In fact, he died on the same day this piece was written, leaving behind him the scandals that rocked — and destroyed — his once fortress-like firm. He also leaves a number of laws in his wake, all of which aim to prevent a second Enron and have, as a side-effect, profound impacts on how we secure networks, back office apps and even single PCs.
Take SOX, or Sarbanes-Oxley, named for the senators who authored it. It’s designed to ensure that financial statements are fair and honest, which means that companies must know if the systems they use to collect, store and transmit the data in those statements, not to mention the systems that store and publish the statements themselves, are secure.
But that’s just the start. With SOX, you not only need to secure your systems, but track your efforts with all the precision of an archivist — or an auditor. Audits are a big part of SOX projects, as well they should be: The law calls for severe fines and even jail terms for managers who flout it, including the chairman.
So it’s no surprise that SOX is a tsunami in the business world, flooding not only the CFO’s suite but the CIO’s too, including IT experts who deal in security. That’s quite a feat for a law that never mentions the words server, network, desktop, notebook, CRM, or ERP, all of which fall under its purview.
SOX is the post-Enron kingpin of accounting laws, but it’s not alone. Other, older laws, such as GLB (Gramm-Leach-Bliley) and HIPAA (the Healthcare Insurance Portability and Accountability Act), which deals largely with hospitals, clinics and insurance providers, also regulate data privacy and retention.
But SOX is in a league by itself, simply for the panic it promotes in some corporate circles. Among other provisions, it demands that public companies use extensive controls to ensure that a firm’s accounting systems are safe, and that financial reports are accurate. Yet it fails to define the controls themselves, much less how to use them. In fact, it fails to give much guidance on the subject at all.
(A tangent: “Fails” is a word that’s open to interpretation — and even critique. Those who wrote SOX might argue that defining controls has been left, expressly and with good reason, to the companies who must put the controls in place, and in fairness, that’s not an argument without merit.)
Opinions aside, the many enigmas of SOX leave everyone from the CFO to the help-desk technician — not to mention the security expert — in the lurch, searching for standards to implement and plans to follow. Two have made the most headway: The first is COSO, short for the Committee of Sponsoring Organizations of the Treadway Commission, which defines a framework for internal accounting controls; the second is COBIT, short for Control Objectives for Information Technology, an IT governance framework that impacts, among other topics, IT security. The two are often used together to ensure, or at least promote, compliance with accounting laws.
In fact, COSO and COBIT have become the de rigueur standards at many firms coping with SOX. But as extensive as COSO and COBIT may be (the COBIT specs alone are hundreds of pages), they won’t tell you which servers and software to assess, secure, monitor, audit and document. That varies from firm to firm, and what one firm views as sufficient may be seen as sorely lacking in another firm’s eyes.
Clearly any systems that provide the data for financial reports or spew out the reports themselves (at least in draft format, before they undergo the red pen of accountants and auditors) are fair game. But even the large, complex apps that provide the raw data to financial systems, such as CRM and ERP apps, may need to be secured. And there’s always e-mail, which in today’s enterprise acts like an information thoroughfare where contracts, financial reports, decisions and the discussions that led to them are stored.
The Brass Tacks
So how do you define “secure?” Ask a dozen people and you’ll get a dozen — or two dozen — answers. Lawyers, accountants, auditors and of course the IT staff in whose laps the real, day-to-day work often falls, have different views based on their roles.
What’s more, vital systems must be secured not only from external attacks, which at most firms are the primary focus, but from internal, unauthorized change. Hence, you’ll not only need the standard arsenal of security tools, including intrusion detection, perimeter testing, virus/malware control and network monitors to search for abnormal patterns, but you’ll also need new systems that may not be familiar to you. These can include large-scale CMS (content management systems), which log each document on a network and build audit trails of any action that users take. Edits, additions, deletions and even any instance of sending, saving or printing a document can be stored for SOX auditors to review.
The quest to secure data under SOX can even touch tried-and-true systems, such as VPNs or backups. Your VPN logs, which record who logged in, when and what they did, may have to be saved for years longer than planned in pre-Enron days. And tape backups, which have become the de facto archive of a company’s evolution, may need to be stored far more carefully, or even encrypted to guard against erasures or unauthorized access.
Does it sound like a headache? Or even a migraine? In some firms it is, and the mere mention of SOX can make eyes roll and chests tighten. Large companies have spent millions to comply with this and other recent laws, and they will spend, without the shadow of a doubt, millions more.
But there’s an upside to all the fuss: the fear of SOX, GLB and HIPAA has led to a thirst for security pros, especially those with knowledge of the arcane demands of these laws. Analysts, consultants, engineers and admins who can deal with them are rarely without work, and their phones may be ringing for some time to come.
David Garrett is a Web designer and former IT director, as well as the author of “Herding Chickens: Innovative Techniques in Project Management.” He can be reached at firstname.lastname@example.org.