Sarbanes-Oxley: a threat to security?

Increasing concerns regarding Sarbanes-Oxley compliance could divert spending away from addressing other security threats, a new report said.

By Caroline Denslow, published July 17, 2005

According to the Information Security Forum (ISF), the Sarbanes-Oxley Act of 2002 is focused on addressing problematic areas in the compliance process, including poor documentation, informal controls and use of spreadsheets, lack of clarity when dealing with outsource providers, and insufficient understanding of the internal workings of large business applications. However, ISF claims that it fails to put more emphasis on important security areas that are extremely crucial when dealing with risks to information, such as business continuity and disaster recovery.

“In the wake of financial scandals like Enron and WorldCom, the Sarbanes-Oxley Act was designed to improve corporate governance and accountability but has proved difficult to interpret for information security professionals,” said Andy Jones, an ISF consultant. “As neither the legislation nor the official guidance specifically mentions the words ‘information security’, the impact on security policy and the security controls that need to be put into place must be determined by each individual organisation in the context of their business.”

Focusing narrowly on compliance could deflect attention from more pressing security risks, Jones said. “For organisations whose business is not primarily financial, for example, manufacturing or product-service industries, the diversion of information security attention from other risk areas to Sarbanes-Oxley compliance may lead to important business risks being neglected,” elaborated Jones, who stressed the importance of integrating compliance into a wider IT security and corporate governance strategy. “It is important that Sarbanes-Oxley does not push organisations into following a compliance-based approach rather than a risk-based approach that may compromise information security. The ISF report helps companies to achieve compliance while also ensuring that they have the appropriate security controls in place,” he said.

ISF is a global non-profit organisation whose members include half of the Fortune 100. It said that many of its members are expected to spend more than US$10 million on information security controls to comply with regulations laid down by Sarbanes-Oxley.
