This is the fourth in a series of stories on key security issues that will be addressed at the Security Standard event scheduled for Sept. 10-11 in Chicago.
Regulatory compliance means getting your organization’s network security, data storage and content-protection practices to conform to relevant laws so that auditors are satisfied and liability is reduced. With so many state and federal regulations, not to mention international ones such as the European Union’s data-privacy rules, how does a security manager prepare for the day when the auditors knock on the door demanding evidence that all’s in order?
Ask Darcy Soleil, a Certified Information Systems Auditor (CISA) at Ft. Lauderdale, Fla.-based Parker Soleil Consulting, who says she is usually called in to help management assess the IT controls that regulators demand under the Sarbanes-Oxley Act (SOX).
Her job is to get companies ready for the external auditors from firms such as Deloitte & Touche and Ernst & Young, who perform the official SOX audits. Those audits must satisfy the Public Company Accounting Oversight Board, the body created by SOX and overseen by the U.S. Securities and Exchange Commission (SEC) to regulate auditors of public companies.
SOX was passed by Congress five years ago to tighten financial reporting in the wake of accounting scandals, such as the fraud uncovered at Enron that left investors and employees ruined. It governs publicly traded companies, and its Section 404, which requires management to assess and report on internal controls over financial reporting, is the part that falls most heavily on IT. Section 404 has so far applied only to larger filers; this December it expands to smaller public companies, those with a public float of less than $75 million. What Section 404 asks for is evidence of an “internal control framework” around the company’s financial-reporting process.
“This could apply to the general ledger system, for instance,” Soleil says. The framework regulators expect can be any well-accepted one, such as COSO or COBIT. (COSO stands for The Committee of Sponsoring Organizations of the Treadway Commission, and COBIT stands for Control Objectives for Information and Related Technology, so it is easy to understand why these process frameworks are seldom mentioned other than by their acronyms.)
When Soleil visits a company as a CISA, she starts by examining its IT processes, ranging from change control and in-house coding to how the organization handles identity management and security assessments. She may want to see IT or other department reports dating back three years. “I’ll look at their backup systems or logical access,” she says. “I’ll look for anything that eliminates lack of accountability, such as shared accounts. One of the biggest issues is segregation of duties.”
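The two control gaps Soleil singles out, shared accounts and segregation of duties, are things an IT team can test for itself before the auditors arrive. The following script is an added example and not code from the article or from Parker Soleil Consulting; the role names, the list of conflicting role pairs and the authentication log lines are all constructed for illustration. In a real review the role assignments would come from the general ledger application's user export and the log from the authentication system, and the conflict list would be agreed with finance.

```python
"""Pre-audit checks for two SOX IT general-control findings:
segregation-of-duties (SoD) conflicts and shared accounts.

Added example, not code from the article or the consultancy it quotes.
All data below is constructed; role names and the conflict matrix are
hypothetical stand-ins for whatever the finance application actually uses.
"""
from collections import defaultdict

# Constructed role export: application user -> set of roles held.
ROLE_ASSIGNMENTS = {
    "alice": {"AP_VENDOR_CREATE", "AP_INVOICE_ENTRY"},
    "bob":   {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"},
    "carol": {"GL_JOURNAL_POST"},
    "dave":  {"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE", "SYS_ADMIN"},
}

# Hypothetical "toxic combinations": role pairs no single person may hold,
# because holding both lets one person both create and approve a transaction.
SOD_CONFLICTS = [
    ("AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE"),
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"),
    ("GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"),
    ("SYS_ADMIN", "GL_JOURNAL_POST"),
]


def find_sod_violations(assignments, conflicts):
    """Return sorted (user, role_a, role_b) triples for each conflict pair a user holds."""
    violations = []
    for user, roles in assignments.items():
        for role_a, role_b in conflicts:
            if role_a in roles and role_b in roles:
                violations.append((user, role_a, role_b))
    return sorted(violations)


# Constructed interactive-logon records: "timestamp account source_host".
AUTH_LOG = """\
2007-08-01T08:02:11 alice WS-1041
2007-08-01T08:05:43 bob WS-2210
2007-08-01T08:07:02 glbatch WS-1041
2007-08-01T09:15:20 glbatch WS-2210
2007-08-01T11:40:09 glbatch WS-3317
2007-08-01T13:02:55 alice WS-1041
"""


def find_shared_accounts(log_text, min_hosts=2):
    """Flag accounts that log on from min_hosts or more distinct workstations.

    A named user normally works from one workstation; an account seen from
    several is probably a shared or generic account, which is exactly the
    loss of accountability an auditor will write up. Returns a dict of
    account -> sorted list of hosts it was seen from.
    """
    hosts_by_account = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, account, host = line.split()
        hosts_by_account[account].add(host)
    return {
        account: sorted(hosts)
        for account, hosts in hosts_by_account.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for user, role_a, role_b in find_sod_violations(ROLE_ASSIGNMENTS, SOD_CONFLICTS):
        print(f"SoD conflict: {user} holds both {role_a} and {role_b}")
    for account, hosts in find_shared_accounts(AUTH_LOG).items():
        print(f"Probable shared account: {account} used from {', '.join(hosts)}")
```

On the constructed data the SoD check flags bob (enters invoices and approves payments) and dave twice (posts and approves journals, and is also a system administrator who can post journals), while the shared-account check flags only `glbatch`, which logged on from three different workstations in a single day. Raising `min_hosts` reduces false positives in environments where people roam between desks; the conflict list, not the code, is where the real judgement lives.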