Meta offers advice on Sarbanes-Oxley compliance

Margie Semilof

If you're still looking for guidance on how to buy products that create a secure Windows infrastructure that is compliant with new regulatory restrictions, you're probably losing valuable time.

As most experts will tell you, preparing for something like the Sarbanes-Oxley Act is just as much, if not more, about changing your internal corporate processes as it is about buying a new intrusion-detection system or firewall.

For the rest of this year, and all of next year, enterprises will be working to meet compliance deadlines for Sarbanes-Oxley, the post-Enron legislation that is intended to improve the accuracy and reliability of corporate-accounting disclosures.

For many companies, it's hard to know exactly what to do to protect the enterprise and stay in compliance with the law, but what many people don't realize is that regulators don't expect organizations to cover every possible contingency, said Paul Proctor, an analyst at Meta Group Inc., Stamford, Conn.

"These regulations are based on reasonably anticipated risks," he said.

No single blueprint for compliance

Since all companies are different, there's no one checklist to work from. It's really more important to build a defensible case of why you did what you did, Proctor said. He said that he meets a lot of IT executives who are looking for guidance on what to do, but the fact is that there is no easy answer. "The one sure bet is that you have to go with more process formality," he said.

But the regulations don't say what type of IT system you have to have. Documentation and formalization are not normally things built into the security culture. "It's really about working late at night and doing what it takes to keep viruses out," he said.

Companies that have a fiscal year ending on Dec. 31 must pass a Section 404 controls audit by their external auditor, Proctor said. The purpose of this audit is to identify control deficiencies, though it's not really clear to anyone what the auditors will be looking for. There is only speculation right now as to how harsh the penalty will be for a failure, but it's clear that if a company fails the audit, it will lose a lot of investor confidence.

Keep cool, Proctor advised. Compliance can be negotiated with your auditor.

Proctor offered some general advice for IT professionals on how much is enough compliance:
