This is the fourth in a series of stories on key security issues that will be addressed at the Security Standard event scheduled for Sept. 10-11 in Chicago.
Regulatory compliance means getting your organization’s network security, data storage and content-protection practices to conform to relevant laws so that auditors are satisfied and liability is reduced. With so many state and federal regulations, not to mention international ones such as the European Union’s data-privacy rules, how does a security manager prepare for the day when the auditors knock on the door demanding evidence that all’s in order?
Ask Darcy Soleil, a certified IS auditor (CISA) at Ft. Lauderdale, Fla.-based Parker Soleil Consulting, who says she’s usually called in to assist management in assessing the IT controls demanded by regulators under the Sarbanes-Oxley Act (aka SOX).
Her job is to help companies get ready for the external auditors from such firms as Deloitte & Touche and Ernst & Young, who perform the official SOX audits that must satisfy the Public Company Accounting Oversight Board, a body SOX created and placed under the oversight of the U.S. Securities and Exchange Commission (SEC).
SOX was passed by Congress five years ago to tighten financial reporting in the wake of accounting scandals, such as the fraud uncovered at Enron that left investors and employees ruined. The act governs publicly traded companies, and Section 404 is considered its IT-specific section. Section 404 already applies to larger filers and extends this December to smaller ones, the non-accelerated filers with a public float of less than $75 million. It asks for evidence of “an internal control framework” around a company’s process for financial reporting.
“This could apply to the general ledger system, for instance,” Soleil says, noting that the framework regulators want refers to any well-accepted one, such as COSO or COBIT. (COSO stands for The Committee of Sponsoring Organizations of the Treadway Commission, and COBIT stands for Control Objectives for Information and Related Technology, so it’s easy to understand why these process frameworks are seldom mentioned other than by their acronyms.)
Working as a CISA, Soleil starts a company visit with an examination of its IT processes, from change control and in-house coding to how the organization handles identity management and security assessments. She may want to see IT or other department reports dating back three years. “I’ll look at their backup systems or logical access,” she says. “I’ll look for anything that eliminates lack of accountability, such as shared accounts. One of the biggest issues is segregation of duties.”
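The two findings Soleil names, shared accounts and segregation-of-duties conflicts, are the kind of check that can be scripted against account data before the auditor arrives. The script below is an added example, not code from the article or from Parker Soleil Consulting. It parses constructed /etc/passwd and /etc/group content (the usernames, UIDs, groups and the list of conflicting role pairs are all made up for this example) and reports, first, any UID that several login accounts share, which makes actions under that UID unattributable, and second, any user who belongs to both halves of a role pair the policy says must be held by different people.

```python
"""Added example: automated checks for shared identities and segregation-of-
duties (SoD) conflicts over /etc/passwd and /etc/group style data.

All sample data and the SOD_CONFLICTS policy below are constructed for this
example; they do not describe any real system or the article's sources.
"""
from collections import defaultdict

# Constructed /etc/passwd content. Note that "root" and "toor" share UID 0.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:emergency root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:1001:1001:Oracle software owner:/u01/app/oracle:/bin/bash
alice:x:1002:1002:Alice Adams:/home/alice:/bin/bash
bob:x:1003:1003:Bob Brown:/home/bob:/bin/bash
carol:x:1004:1004:Carol Chen:/home/carol:/bin/bash
"""

# Constructed /etc/group content. Group names stand in for business roles.
GROUP_SAMPLE = """\
root:x:0:
dba:x:2001:alice,bob
change-request:x:2002:alice,bob,carol
change-approve:x:2003:alice
gl-entry:x:2004:carol
gl-post:x:2005:carol
"""

# Constructed policy: pairs of roles one person must not hold at the same time
# (requesting and approving a change; entering and posting a ledger entry).
SOD_CONFLICTS = [
    ("change-request", "change-approve"),
    ("gl-entry", "gl-post"),
]

# Shells that allow an interactive login; service accounts with nologin are
# not counted as shared *logins* even if they share a UID.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh"}


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts (name, uid, gid, gecos, home, shell)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def parse_group(text):
    """Parse group-format text into {group_name: set_of_member_usernames}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, _pw, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_shared_uids(entries, interactive_only=True):
    """Return {uid: [usernames]} for every UID that more than one account maps to.

    Two login names on one UID are one identity to the kernel and to most
    audit trails, so nothing done under that UID can be tied to a person.
    """
    by_uid = defaultdict(list)
    for e in entries:
        if interactive_only and e["shell"] not in INTERACTIVE_SHELLS:
            continue
        by_uid[e["uid"]].append(e["name"])
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def find_sod_conflicts(groups, conflicts):
    """Return sorted (user, role_a, role_b) tuples for users holding both roles of a pair."""
    findings = []
    for role_a, role_b in conflicts:
        both = groups.get(role_a, set()) & groups.get(role_b, set())
        for user in sorted(both):
            findings.append((user, role_a, role_b))
    return findings


def audit(passwd_text, group_text, conflicts):
    """Run both checks and return them as one report dict."""
    return {
        "shared_uids": find_shared_uids(parse_passwd(passwd_text)),
        "sod_conflicts": find_sod_conflicts(parse_group(group_text), conflicts),
    }


if __name__ == "__main__":
    report = audit(PASSWD_SAMPLE, GROUP_SAMPLE, SOD_CONFLICTS)
    for uid, names in report["shared_uids"].items():
        print(f"SHARED UID {uid}: {', '.join(names)}")
    for user, a, b in report["sod_conflicts"]:
        print(f"SoD CONFLICT: {user} holds both {a} and {b}")
```

On the sample data the script flags UID 0 as shared by root and toor, alice as both requesting and approving changes, and carol as both entering and posting ledger entries. On a real host the same functions can be pointed at the live files, and the role pairs should come from the company's own control matrix rather than from this constructed list.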
Soleil points out that companies benefit when the security manager, the IT department and the business management tackle SOX compliance as “a process, not just a project.” She adds that automated controls, rather than simple manual ones, work in a company’s favor at audit time.
“If I’m looking at a Unix system or an Oracle database, for example, if I know it has an automated process for provisioning, I’ll have to do less testing, and it’s less expensive,” says Soleil, whose customary fee is $100 an hour. She favors automated vulnerability scanning and “continuous monitoring” because they lower risk.