If you're still looking for guidance on how to buy products that create a secure Windows infrastructure that is compliant with new regulatory restrictions, you're probably losing valuable time.
As most experts will tell you, preparing for something like the Sarbanes-Oxley Act is just as much, if not more,
For the rest of this year, and all of next year, enterprises will be working to meet compliance deadlines for Sarbanes-Oxley, the post-Enron legislation that is intended to improve the accuracy and reliability of corporate-accounting disclosures.
For many companies, it's hard to know exactly what to do to protect the enterprise in compliance with the law, but what many people don't realize is that regulators don't expect organizations to cover every possible contingency, said Paul Proctor, an analyst at Meta Group Inc., Stamford, Conn.
"These regulations are based on reasonably anticipated risks," he said.
No single blueprint for compliance
Since all companies are different, there's no one checklist to work from. It's really more important to build a defensible case of why you did what you did, Proctor said. He said that he meets a lot of IT executives who are looking for guidance on what to do, but the fact is that there is no easy answer. "The one sure bet is that you have to go with more process formality," he said.
But the regulations don't say what type of IT system you have to have. Documentation and formulization are not normally things built into the security culture. "It's really about working late at night and doing what it takes to keep viruses out," he said.
Companies that have a fiscal year ending on Dec. 31 must pass a Section 404 controls audit by their external auditor, Proctor said. The purpose of this audit is to identify control deficiencies, though it's not really clear to anyone what the auditors will be looking for. There is only speculation right now as to how harsh the penalty will be for a failure, but it's clear that if a company fails the audit, it will lose a lot of investor confidence.
Keep cool, Proctor advised. Compliance can be negotiated with your auditor.
Proctor offered some general advice for IT professionals on how much is enough compliance:
- A security control can be a process, a procedure or a tool -- or a combination of all three. That begs the question: Do you need all three? How much security is enough? Proctor said organizations need to strike a balance between meeting the letter of the regulation and developing controls that address risk in the enterprise.
- To select proper controls, develop a defensible case for reasonable and appropriate controls that address reasonably anticipated risks. Organize them into a well-documented, proactive and process-oriented program.
- Perform a risk assessment and establish a baseline of protection that will guide the selection of appropriate controls. Meta Group recommends that corporations target accomplishing this task annually on the 20% of systems that are mission critical.
- All decisions need to be justified and documented. Show a track record of improvement that also adds strength to the defensibility of the state of the enterprises controls.
- Organize and manage your security controls collectively. Assign an individual responsibility for system security.