Five years and counting: A SOX data security reality check
But the real question five years later is whether SOX has really made IT infrastructures and sensitive corporate data more secure. One look at recent press coverage and market studies indicates that more work needs to be done, especially to secure the SOX-centric internal data networks, as identity theft, insider abuse/fraud, credit card fraud and the compromise of sensitive financial records appear to be on the rise.
True, SOX has generated a flurry of activity toward meeting the “letter of the law” and spawned a new cottage industry for consultants, but has done little so far about truly enhancing corporate security practices over the long term. In fact, under the watchful eye of internal SOX Compliance Committees, many already overloaded IT staffs have spent more time asking for deadline extensions or been forced to wait until the last minute to meet internal deadlines for implementing SOX security measures. And, possibly worse than doing nothing, others have opted to implement minimal SOX security requirements without considering the overall security picture.
At the end of the day, part of the problem may be that few corporate execs and even fewer boards of directors are considering the full impact of a major security breach. And, this lack of understanding often all but removes the urgency to implement SOX security measures.
I believe it's time for security professionals to step up and take responsibility for changing the attitudes of upper management – and the corporate rank-and-file – to make IT security a top enterprise IT priority. You and your staff may be doing the best job possible ensuring that security systems are in place and rigorous electronic policies are being enforced. But all of that work becomes meaningless if any employee or on-site contractor can easily expose sensitive data by Wi-Fi or USB drive, or download it onto a laptop and leave it in a restaurant, or when a hacker exploits a “webified” application.
Here are five suggestions to help you improve your organization's security mindset, eliminate implementation inertia and quickly deploy iron-clad IT security measures that simultaneously meet SOX regulations and long-term enterprise security requirements.
Data Security Education. It is critical that all employees understand the dangers of security breaches and the risks of poor or unimplemented security, both on an individual and corporate level. The impact on company reputation and financial performance or liabilities, as well as the resulting irreversible damage to stock prices and pension plans, are compelling reasons for each employee to make company security part of his or her personal responsibility.
In addition, while not everyone in the organization needs to be an expert in security, they should understand the many ways data can be compromised, how data security underlies SOX compliance, and why certain countermeasures should be implemented. Keep in mind that what appears obvious to IT personnel may not be as obvious to the average employee. For example, all employees should know to avoid using easy-to-guess passwords and realize that sensitive information may be lurking in their Web browser cache. They also need to be aware that browser-based applications may not be as secure as they think. In addition, it is a good idea for all employees to have some familiarity with common security methods, including authentication and encryption, and know under which circumstances each should be used.
Holding basic employee training courses, setting and enforcing strong user authentication methods, sending out regular security email newsletters, and making security education a mandatory component of new employee orientation are effective ways of getting the word out. Also, securing commitment from senior management on the importance of company-wide security education can go a long way towards raising employee awareness of this issue.
Just Encrypt It. One of the best ways to minimize the compromise of sensitive information is to encrypt all data at all times — including data stored anywhere on the network, but more importantly, data in transit, especially inside the corporate network. The best approach is to encrypt and authenticate all data from start to finish, regardless of the nature of the data, who is accessing it and which applications and computing platforms are being used. Data encryption makes it much more difficult for would-be hackers to exploit sensitive company data if they manage to get their hands on it.
Get Physical. Electronic security is only part of the challenge. The reality is that whenever data leaves the server it can be vulnerable. If the data is downloaded to a laptop, or copied onto a CD, PDA or USB flash drive, it can easily leave the building undetected in someone's briefcase, pocket or purse. Printed documents are also a potential problem. Likewise, throwing documents with sensitive information in the trash or leaving printouts on desks for others to see must be eliminated.
One solution is for companies to create cross-disciplinary teams that include experts in physical, as well as electronic, security. These teams need to focus on controlling access to sensitive data, while also identifying devices and media that might contain sensitive information. Also, as the recent T.J. Maxx security breach demonstrated, it's wise to be on the lookout for suspicious individuals who may be loitering in parking lots with sophisticated snooping devices. Highly visible physical security devices, such as security cameras and other monitoring devices, as well as the regular presence of security personnel, can also serve as a strong deterrent.
Watch Out for “Webified” Applications. Today it is common for users to be given access to sensitive organizational information via browser-based applications. The problem is that these applications are far less secure than most people realize. For example, SSL is useful for securing some internet traffic, but it is far less robust than other data encryption technologies. In addition, securing browser-based applications tends to be more labor-intensive, and it can be difficult to reliably authenticate server certificates.
Also, all browsers incorporate caching technology, providing a rich resource of sensitive data for hackers to exploit. Therefore, it is best to avoid web-enabling applications that involve sensitive data. However, for those that must be created, utilizing more robust security technologies is ideal, such as two-factor authentication and stronger encryption.
Keep Friends-of-Friends Closer. You may be doing a good job sensitizing your local employees to the need for security awareness, but what about your remote users? And, what about your partners and suppliers? Do they have access to sensitive data within your system and do they maintain the same level of security you do? Even if you feel confident about your partners and suppliers, you may not know who, in turn, they may use as contractors, and to what extent they have access to your organization's files. Therefore, it is important to determine every individual or organization with possible access to your organization's data, and take the necessary measures to ensure that all lines of electronic communication are secure.
If you are a security professional, SOX will continue to complicate your life. When you're pressured to meet these deadlines, it is often easy to forget your primary mission of making your organization's environment more secure for the long term, and to adhere only to the immediate requirements. However, losing sight of the basic long-term goal could have a profound impact on many aspects of the organization.
If, on the other hand, you continue to strive to enhance your overall security and work to convince management and your fellow employees to join in that endeavor, you will naturally meet your SOX deadlines as a matter of course.