CIOs turn spotlight on Sarbanes security issue

Security group aims to clear up confusion over the impact of Sarbanes-Oxley on IT security and the role of the IT department in...

Security group aims to clear up confusion over the impact of Sarbanes-Oxley on ITsecurity and the role of the IT department in ensuring compliance

Chief information officers and chief technology officers from large corporations in the US and Europe are to meet in May to hammer out the implications of Sarbanes-Oxley compliance regulations for IT security.

Paul Kurtz, executive director of the Cyber Security Industry Alliance and former presidential adviser, will tell the RSA Security conference this week the meeting is needed to tackle "grey areas" in the effect of compliance regulations on IT systems.

Organisations that have US stock listings, including many UK companies with US branches, are grappling with section 404 of the Sarbanes-Oxley Act, which requires businesses to put in place independently audited internal financial controls.

But there is a great deal of confusion about how far these requirements extend into IT systems and what they will mean for businesses' IT security policies, said Kurtz.

"Sarbanes-Oxley has a direct impact on IT security, but it is not exactly clear what a company must do to comply. It is not clear what are adequate company controls," said Kurtz.

"There is a lot of grey area in what companies have to do to comply. Chief information officers and chief technology officers are grappling with these issues."

One of the Cyber Security Industry Alliance's concerns is that businesses, auditors and lawyers may have different views of what the regulations mean for IT, potentially placing them at loggerheads when it comes to assessing compliance.

The issue is critical because Sarbanes-Oxley imposes criminal, rather than civil, sanctions on firms that fail to have adequate financial controls in place.

"How do internal controls translate into a world where corporate books are kept on computer networks? We are beyond the old days of ledgers people tucked under their beds. Now the ledgers are on distributed computer systems and are outsourced many times," said Kurtz.

Compliance regulations will mean that companies will need to have much better control over who accesses their networks and will have to monitor electronic transactions.

But companies are struggling because there is no consensus on what constitutes adequate company controls.

"I hope we will learn more about the metrics companies are using to assess internal control systems and whether there is a common methodology," said Kurtz. "We hope to learn the same thing for auditors and discover what the stumbling blocks are for implementation."

The meeting will also assess the implications of criminal liability for failing to comply, and assess whether the government needs to issue clearer guidance to businesses, said Kurtz.

What is the RSA Conference?   

The 14th annual RSA Conference  for information security professionals runs all this week in San Francisco.  

This year's event is expected to attract 10,000 delegates examining the ideas and offerings of more than 250 exhibitors covering the range of interests from large enterprise operations through SME concerns to public sector organisations. 

Conference sessions cover the gamut of information security issues including outsourcing, identity and authentication, perimeter security, standards and interoperability, mobile systems security and open source approaches. 

For details and full conference agenda click here >> 

Read more on IT legislation and regulation

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.