Tizor Systems, Inc. - Data Protection and Compliance Auditing Solutions
SOX Perspective

Inspired by Business Scandals: A Path to Better Business?

The historic business scandals of the millennium—including Enron and WorldCom—have had profound implications throughout the corporate world. One of the greatest of these was the passage in 2002 of the Sarbanes-Oxley Act (SOX), intended to enforce a new standard of accountability on business. But while it was corporate executives who made the mess, Information Technology (IT) professionals play a major role in helping to clean that mess up—and avoid a recurrence.  

In crafting SOX, legislators’ primary goal was to restore trust in U.S. financial markets by requiring publicly traded companies to vouch for the reliability of their financial data. Investors, of course, need reliable information on which to base their investment decisions. But what does it take to provide the assurances that will inspire that investor confidence? Because virtually all corporate information is now electronic, the requirements imposed by SOX are forcing companies to take a fresh look at how they handle all their data assets, not just their financial data. And that’s a good thing. Focusing on how data is used and treated is crucial to success in a world where those with the best data practices will have the edge.  

The impact of SOX on public companies should not be minimized. However, SOX is really just a small part of a larger corporate imperative focused on governance of data. Data governance is critical because management’s attitude toward data directly affects how successful the company will be at meeting the requirements of SOX, as well as other information compliance regulations and standards, including California SB 1386, Basel II and the Payment Card Industry Data Security Standard (PCI DSS).  

Once the dust settled after the initial scrambling during SOX’s introductory phase, public companies fell into two categories regarding their approach to compliance. The first group took a “check box” approach, focusing on financial systems and processes in order to compartmentalize the work that needed to be done. The ultimate goal: to satisfy the auditors. The second group took a broader view. They saw SOX and other emerging regulations as a clarion call urging them to gain better control over their most valuable corporate asset: data. This forward-looking group saw SOX not just as a burden, but as an opportunity to improve their overall IT process and controls.  


Viewed in this way, SOX is the catalyst for a new way of looking at data for both corporate governance and IT practices, one whose impact reaches far beyond compliance with a single regulation. For those who looked at the challenges of regulation through the right lens, a pattern began to emerge: while different regulations have varying operational or technical specifics, the underlying goals and processes are remarkably similar across all of them.  

Driven by this insight, forward-thinking companies are crafting data governance frameworks that form the basis for a rational compliance and data protection strategy that will accommodate a myriad of regulations in a changing information security environment. These same governance strategies not only provide improved control over valuable data assets; they can also provide critical insight into the use of those assets. This insight could ultimately translate into powerful competitive advantages for companies with the ability to leverage it.  

It is not surprising that the successful dot-com companies recognized before most that data was their true unique corporate asset, and that every drop of value should be wrung from it. Today, many long-established companies recognize that the records of their “old” sources of value (e.g. inventory, equipment, buildings) now exist only in electronic form. For them, SOX and other information compliance regulations are serving as a “kick in the pants” that is waking them up to the new business reality. But how can they move from awareness of the need to protect and leverage data to operational solutions?  

SOX Compliance: Where to Start? 

As the saying goes, a journey of a thousand miles begins with a single step. And so it is with SOX; compliance is achieved one step at a time. But which step comes first? 


When it comes to IT controls, SOX section 404 is a good place to start. SOX section 404 demands that companies evaluate the adequacy of internal controls for financial reporting, institute new controls as needed, perform and report on an assessment of these controls each year, and be able to demonstrate that appropriate controls are in place. What SOX does not provide is precise guidance on what internal controls are needed or how those controls can be established. This gap between what SOX calls for and what it takes to deliver on the mandated controls has inspired some interesting interactions between the groups tasked with signing off on the controls: the auditors and the IT staff.  

Understanding the auditor’s perspective is helpful to IT. Under the US Securities and Exchange Commission (SEC) rules implementing section 404 and the Public Company Accounting Oversight Board’s (PCAOB) Auditing Standard No. 2 (since superseded by Auditing Standard No. 5 in 2007), management must base its 404 assessment on “a suitable, recognized control framework established by a body of experts that followed due process procedures.” The SEC cites the framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as one that meets this test. The COSO framework calls for corporate management to establish control objectives, identify events that could have substantial negative consequences (and therefore affect shareholder value), and assess the risk associated with those events. But like SOX, COSO does not provide guidance for putting IT controls into place.  

To find that guidance, many organizations turn to CobIT (Control Objectives for Information and Related Technology) as a framework for implementing IT governance and audit control. CobIT was first published by ISACA in 1996, long before SOX hit the scene, and is now maintained by ISACA’s IT Governance Institute. In literature describing the latest version, 4.1, CobIT is described as “an IT Governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risk.” It goes on to say that “CobIT organizes IT activities into a generally accepted process model, identifies IT resources to be leveraged and defines the management objectives to be considered.”  

Note that CobIT is not a turnkey compliance answer (indeed, some believe CobIT may actually complicate the process of SOX 404 compliance). The truth is that there is no easy answer for SOX 404 compliance. CobIT should be viewed simply as one of several frameworks available to help companies get started. These frameworks—which also include ISO/IEC 27001, ISO/IEC 17799:2005 (since renumbered ISO/IEC 27002) and the work of industry groups like the IBM-sponsored Data Governance Council—can form the basis for more global, economical and manageable data governance practices.  

More information on CobIT can be found at  www.itgi.org  and at  www.isaca.org  .  

IT Controls for SOX 404: Key Challenges

As companies have leveraged these and other frameworks, tailoring them to the realities of their own organizations, some common challenges have emerged. One significant challenge shared by virtually all IT organizations is the “privileged user”—system administrators, database administrators (DBAs) and other users with special access privileges to critical data stores. Many companies have come to understand that solving the problem of privileged user access to data is one of the critical steps on the path not only to SOX compliance, but also to broader data governance objectives. Examining the resolution of this problem provides an object lesson in the benefits that can accompany SOX compliance.  

Unlike ordinary users who access data for limited and defined reasons, the nature of a privileged user’s data interaction is ad hoc, undefined and critical. From a regulator’s perspective, the risks associated with this privileged role are equally undefined and critical. Users with full-access credentials create a challenge because they not only have the ability to access information regulated by SOX and other regulations, but they also have the ability to alter it and then cover their tracks. This makes privileged users potentially high-risk. Of course, they are also highly valued and trusted. Privileged users are absolutely critical to a smooth-running data environment.  

The first letter in CobIT stands for “control”—but given their roles, can privileged users really be controlled? If you limit their access privileges, these valuable IT professionals cannot perform their mission-critical jobs. On the other hand, business as usual is not the answer. A privileged user’s stellar reputation alone does not suffice; auditors need proof of the integrity of regulated data. What’s an IT manager to do? 

As IT organizations have wrestled with the challenge of SOX compliance, many have found that restricting privileged users is counterproductive, but that monitoring their behavior is not. Auditors have now recognized this special class of high-value data users and have created new activity monitoring-based metrics to satisfy the requirements.  

In response, many organizations are evaluating and deploying data auditing tools that monitor the activities of privileged users, like DBAs and system administrators, providing audit trails and reports to auditors. In fact, privileged user monitoring has become a primary element of SOX compliance projects at many companies today.  
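The kind of monitoring described above can be illustrated with a small review script. What follows is an added example written for this page; it is not Tizor’s product code, nor output of any real database audit facility. The record format, the account names (`dba_jsmith`, `app_admin`), the table names (`gl_journal`, `ap_invoices`, `payroll`, `audit_trail`) and the 22:00–06:00 maintenance-window policy are all assumptions constructed for the demonstration; the sample log is likewise constructed. The rules it applies are the ones auditors tend to ask about: any modification of the audit trail itself, privilege grants by administrators, unticketed or out-of-window changes to tables that feed financial reporting, and administrator reads of regulated data, which are recorded rather than blocked.

```python
"""Review database audit records for privileged-user activity.

Added example for illustration (not Tizor's product code). The record
format, account names, table names and change-window policy below are
assumptions made for this demo; adapt them to the real audit source.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Assumptions for the demo: accounts holding elevated rights, tables that
# feed financial reporting, where the audit trail itself is stored, and the
# approved maintenance window (22:00-06:00 UTC, which wraps past midnight).
PRIVILEGED_ACCOUNTS = {"sys", "dba_jsmith", "app_admin"}
REGULATED_TABLES = {"gl_journal", "ap_invoices", "payroll"}
AUDIT_TABLES = {"audit_trail"}
CHANGE_WINDOW = (time(22, 0), time(6, 0))

DML_DDL = {"INSERT", "UPDATE", "DELETE", "TRUNCATE", "DROP", "ALTER", "CREATE"}
PRIV_CHANGE = {"GRANT", "REVOKE"}

# Assumed record layout: one event per line, key=value fields, SQL quoted last.
RECORD_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) app=(?P<app>\S+) '
    r'ticket=(?P<ticket>\S*) sql="(?P<sql>.*)"$'
)
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|JOIN)\s+([A-Za-z_][\w.]*)", re.I)


@dataclass
class Finding:
    severity: str   # critical / high / medium / low / info
    user: str
    reason: str
    record: str


def in_change_window(ts: datetime) -> bool:
    """True if ts falls inside the approved window; handles a window that wraps midnight."""
    start, end = CHANGE_WINDOW
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def tables_in(sql: str) -> set:
    """Crude table-name extraction: the identifier following FROM/INTO/UPDATE/TABLE/JOIN."""
    return {m.lower() for m in TABLE_RE.findall(sql)}


def review_record(line: str) -> Optional[Finding]:
    """Apply the monitoring rules to one audit record; None means nothing to report."""
    m = RECORD_RE.match(line)
    if not m:
        # A record the parser cannot read is itself a gap in the audit trail.
        return Finding("medium", "?", "unparseable audit record", line)
    user, ticket, sql = m["user"], m["ticket"], m["sql"]
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    verb = sql.split(None, 1)[0].upper()
    tables = tables_in(sql)

    # Rule 1: anyone altering the audit trail itself is covering tracks.
    if verb in DML_DDL and tables & AUDIT_TABLES:
        return Finding("critical", user, "modification of the audit trail", line)
    if user not in PRIVILEGED_ACCOUNTS:
        return None  # ordinary accounts are assumed to act through controlled application paths
    # Rule 2: privilege changes made by administrators are always reportable.
    if verb in PRIV_CHANGE:
        return Finding("medium", user, "privilege change by privileged user", line)
    # Rule 3: direct changes to regulated data, graded by the evidence of approval.
    if verb in DML_DDL and tables & REGULATED_TABLES:
        if not ticket:
            return Finding("high", user, "unticketed change to regulated table", line)
        if not in_change_window(ts):
            return Finding("medium", user, "ticketed change outside maintenance window", line)
        return Finding("low", user, "approved change to regulated table (retain for attestation)", line)
    # Rule 4: administrator reads of regulated data are recorded, not blocked.
    if verb == "SELECT" and tables & REGULATED_TABLES:
        return Finding("info", user, "privileged read of regulated data", line)
    return None


def review(lines: List[str]) -> List[Finding]:
    """Run every non-empty record through the rules and collect the findings in order."""
    return [f for f in (review_record(l) for l in lines if l.strip()) if f]


# Constructed sample records for the demo (not real audit output).
SAMPLE_LOG = """\
2007-03-12T02:15:07Z user=dba_jsmith host=ops-bastion app=sqlplus ticket=CHG-4411 sql="ALTER TABLE gl_journal ADD reviewer_id INT"
2007-03-12T14:02:33Z user=dba_jsmith host=dev-laptop app=sqlplus ticket= sql="UPDATE gl_journal SET amount = amount * 0.9 WHERE period = '2007Q1'"
2007-03-12T14:03:10Z user=dba_jsmith host=dev-laptop app=sqlplus ticket= sql="DELETE FROM audit_trail WHERE event_time > '2007-03-12 14:00'"
2007-03-12T14:05:00Z user=app_admin host=app01 app=erp ticket= sql="GRANT DBA TO contractor_x"
2007-03-12T09:30:00Z user=app_erp host=app01 app=erp ticket= sql="INSERT INTO ap_invoices (id, vendor, amount) VALUES (1, 'ACME', 100.0)"
2007-03-12T10:00:00Z user=dba_jsmith host=ops-bastion app=sqlplus ticket= sql="SELECT count(*) FROM payroll"
corrupted line with no fields
"""

if __name__ == "__main__":
    for f in review(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:8}] {f.user:12} {f.reason}")
```

Two points of the design matter more than the rules themselves. First, the ordinary application account’s INSERT produces no finding while the DBA’s unticketed UPDATE on the same kind of table is rated high: the policy is about who acts outside the controlled path, not about the statement. Second, rule 1 can only fire on what it is allowed to see, so the records it reads must be written somewhere the privileged user cannot alter (a separate collector, not a table the DBA owns); otherwise a DELETE against the audit table is exactly the event that erases its own evidence.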

Monitoring privileged users is now a recognized alternative to controlling and/or limiting user privileges. It solves a nagging challenge posed by SOX—but that’s just the beginning. If the goal of data governance is to both protect and leverage data, then the prerequisite to any data governance initiative is to know what is actually happening to the data. Without this insight, it is impossible to identify risk and value; it is impossible to comply with regulation; and it is impossible to extract and build on the intrinsic value of the data. Deployed across the enterprise—across all users and applications—data auditing thus provides an invaluable knowledge base for using data to extract its full value, while ensuring that the data is protected.  

While SOX has been viewed by some as an expensive exercise with little measurable ROI, many others have woken up to a different reality. They have recognized that SOX is simply urging companies to take the critical first steps toward a new way of doing business. Organizations that understand this fully and incorporate it into their world views will be well positioned for success in a data-based economy. Those who don’t may find themselves left behind.