Corporate investment to comply with the Sarbanes-Oxley data security legislation has come at the expense of dealing with other security threats, according to the Information Security Forum (ISF).
The ISF has 260 corporate members worldwide, including half of the Fortune 100 companies in the US, who make up a significant number of the firms that the Sarbanes-Oxley Act is aimed at.
The report said that even though most ISF members were spending more than £5.7m ($10m) on complying with the US Sarbanes-Oxley legislation, many faced problems in achieving full compliance and were also struggling to protect other areas of their business.
According to the ISF, the business imperative to comply with the data security legislation has also meant that in many cases the true cost of compliance is unknown. Companies are struggling to overcome problems of poor documentation, informal controls and use of spreadsheets, lack of clarity when dealing with outsourcing providers, and insufficient understanding of the internal workings of large business applications.
ISF consultant Andy Jones said, “In the wake of financial scandals like Enron and WorldCom, the Sarbanes-Oxley Act was designed to improve corporate governance and accountability but has proved difficult to interpret for information security professionals.

“The diversion of information security attention from other risk areas to Sarbanes-Oxley compliance may lead to important business risks being neglected.”