Companies’ required investments to attain compliance with the Sarbanes-Oxley data security legislation have come at the expense of dealing with other security threats, according to the Information Security Forum (ISF).

The ISF has 260 corporate members worldwide, including half of the Fortune 100 companies in the US, which make up a significant number of the firms that the Sarbanes-Oxley Act is aimed at.

The report states that even though most ISF members are spending more than £5.7m ($10m) on complying with the US Sarbanes-Oxley legislation, many are facing problems in achieving full compliance and are also struggling to protect other areas of their business.

According to the ISF, the business imperative to comply with the data security legislation has also meant that in many cases the true cost of compliance was unknown.

Problem areas that companies are struggling to overcome include poor documentation; informal controls and use of spreadsheets; lack of clarity when dealing with outsourcing providers; and insufficient understanding of the internal workings of large business applications.
ISF consultant Andy Jones comments: “In the wake of financial scandals like Enron and WorldCom, the Sarbanes-Oxley Act was designed to improve corporate governance and accountability but has proved difficult to interpret for information security professionals.

“The diversion of information security attention from other risk areas to Sarbanes-Oxley compliance may lead to important business risks being neglected.”