Sox And Security

EXECUTIVE SUMMARY

The Sarbanes-Oxley Act of 2002 and other recent privacy legislation have created a number of unique and sometimes ambiguous control and protection requirements which companies must address. Each of these organizations is saddled with the issue of how to interpret and address the distinct requirements of each applicable piece of legislation while also addressing other regulatory or governing body requirements imposed.

To address the issue, organizations should consider implementing a comprehensive information security program to manage the controls, security and privacy of their information. By implementing a single program, the control environment will be more easily managed and provide a single source for identification and detail regarding specific controls.

The development and implementation of an information security program can be broken into five phases as defined below:

1. Define Requirements - This phase involves researching applicable legislation and governance for specific requirements for control activities and privacy / security considerations.

2. Design the Program - This phase involves designing a program framework that address the control activities and considerations identified in the first phase.

3. Build the Program - The documentation of all policies, standards and procedures occurs during this phase.

4. Implement the Program - This phase involves the actual implementation of components of the program in a prioritized manner.

5. Manage the Program - This phase involves the ongoing management, direction, and sustainability of the program.

If appropriately planned, and implemented correctly, the organization will be able to efficiently and effectively protect their information and resources. In addition, they will be in a position to manage and maintain one set of controls for demonstrating legislative and/or regulatory compliance which will reduce cycle time and management overhead exponentially.

INTRODUCTION

The Sarbanes-Oxley Act of 2002 (SOX) is legislation passed in 2002 by President Bush to protect investors by improving the accuracy and reliability of financial reporting by publicly traded companies. The legislation has multiple sections addressing different areas and processes from the board of directors to SEC authority. The most widely debated components of the act are sections 302 and 404. Section 302 requires the Chief Executive Officer and Chief Financial Officer to certify the appropriateness of the financial statements and disclosures by preparing and signing a statement to this fact.

Section 404 of SOX requires that each annual report of an entity is to contain an internal control report which shall state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.[AICPA] Likewise, legislation such as the Gramm-Leach-Bliley Act of 1999 (GLBA), the Health Information Portability and Accountability Act of 1996 (HIPAA), and California Senate Bill 1386 of 2002 (SB1386) have introduced an array of privacy and control requirements that organizations must first determine if they are applicable and then demonstrate they have appropriate controls in place to address.

The issue with SOX 404, GLBA, HIPAA, etc is that they address one facet of a business and only one area of compliance that may be required. This shortcoming of separate pieces of legislation has caused great confusion and an exorbitant amount of work to identify and implement processes and technologies to appropriately protect and control information. Companies are spending time and money designing and implementing stop gap solutions to address "the flavor of the month" security or privacy regulation, and doing so almost annually. In turn, the workload and confusion has caused a large number of companies to seek external guidance and assistance in designing and implementing appropriate controls over systems and data relative to the legislation; all the while neglecting highly confidential, proprietary or sensitive systems which may constitute the livelihood of their business.

To address this burdensome issue companies should consider implementing a comprehensive information security program. By implementing an information security program aimed at ensuring confidentiality, integrity and availability of information, organizations can protect their critical information resources and focus efforts on applying security and controls in the appropriate places. Further, an information security program will greatly reduce the management overhead and cycle time required to demonstrate compliance with control and security requirements set forth through legislation and/or governing bodies by establishing a central repository of management, control and documentation.

This paper will demonstrate how an organization can properly research, design, build, implement, and manage an information security program that meets their operational and business needs as well as addresses legislative/regulatory compliance in an efficient and effective manner.

The Information Security Program

The development of an information security program is not a task to be taken lightly. It involves a great deal of resources and time to be designed and implemented appropriately. With attention to detail, during the planning and implementation phases, the ongoing management of the program will reap the rewards of efficiency and effectiveness. [Tudor]

The development of an information security program can be broken into five phases as defined below:

1. Define Requirements - This phase involves researching applicable legislation and governance for specific requirements for control activities and privacy / security considerations.

2. Design the Program - This phase involves designing a program framework that address the control activities and considerations identified in the first phase.

3. Build the Program - The documentation of all policies, standards and procedures occurs during this phase.

4. Implement the Program - This phase involves the actual implementation of components