Sarbanes-Oxley. For months now it has been a menacing presence lurking in the shadows for CIOs everywhere. It has haunted their slumber and threatened their IT budgets with constant taunts of "Section 404!" But now, as the November deadline looms, denial is no longer an option. CIOs must face the demon and embrace the new compliance regulations that articulate how public companies must analyze and document the creation and management of financial information.
Sarbanes-Oxley will undoubtedly force CIOs to evolve the processes and protocols for managing financial data, and, as a news item, it has commanded the lion's share of the media spotlight. However, CIOs should also stay abreast of the other government compliance regulations that affect IT financial operations: HIPAA; the Patriot Act; Gramm-Leach-Bliley; Basel II; and the SEC's rule 17a-4, to name a few. According to a recent META Group survey, more than one-third of companies have yet to allocate a specific budget for regulatory compliance. The remaining two-thirds plan to spend, on average, $7.2 million next year to comply with the government.
The key to success is "be prepared," and this rule applies across the board - from being knowledgeable about the scope and content of the various regulations to implementing efforts to capture and manage data, particularly financial data, more effectively and securely. In fact, security issues and data integrity continue to generate industry chatter as the prevalence and repercussions of external hacking also continue to escalate. Surprisingly, however, according to Gartner, 68 percent of data loss or corruption is caused by internal human error. To keep track of data, companies are beginning to employ real-time monitoring to protect against unauthorized changes, even if they are unintentional.
In this age of accountability, companies need to keep a firm grip on the access employees have to confidential information. To do so, certain issues need to be addressed. Can user identification systems be violated? Are controls on access regularly maintained? Are there real-time auditing procedures to monitor legitimate and suspicious access to data?
According to Sumner Blount in "The Role of User Provisioning in SOX Compliance" (Compliance Pipeline), user provisioning "allows the company to create automated, repeatable and auditable processes for granting and revoking user resources." Blount explains the three areas that contribute to provisioning: automated removal of access rights, segregation-of-duties violations, and auditing of access and security events. In other words, if an employee leaves his or her position at a company, access to the company's data needs to be terminated immediately. Also, internal controls are needed to stop irregularities from inappropriate access, and "even if all suspicious activities cannot be prevented in advance, a rigorous auditing model allows detection and correction quickly enough to minimize the risk to acceptable levels," Blount states.
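The three provisioning areas Blount lists (automated removal of access rights, segregation-of-duties checks, and auditing of access events) can be shown together in a small model. The following Python is an added illustration, not code from the article or from any product it mentions; the role names, the conflict pairs and the `ProvisioningSystem` class are constructed assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed segregation-of-duties (SoD) policy: no single user may hold
# both roles of any pair. The pairs are assumed for this example.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
}


class ProvisioningSystem:
    """Minimal model of grant / revoke / audit for user entitlements (hypothetical)."""

    def __init__(self):
        self.entitlements = {}   # user -> set of role names
        self.audit_log = []      # append-only list of audit events

    def _audit(self, event, user, detail=""):
        # Every security-relevant decision is recorded, including denials.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "user": user,
            "detail": detail,
        })

    def grant(self, user, role, actor):
        """Grant a role unless it would create an SoD conflict. Returns True on success."""
        current = self.entitlements.get(user, set())
        for pair in SOD_CONFLICTS:
            if role in pair and (pair - {role}) <= current:
                self._audit("grant_denied_sod", user,
                            f"{role} conflicts with {sorted(pair - {role})}; requested by {actor}")
                return False
        self.entitlements.setdefault(user, set()).add(role)
        self._audit("grant", user, f"{role} granted by {actor}")
        return True

    def terminate(self, user, actor):
        """Automated removal on departure: strip every role at once. Returns roles removed."""
        removed = sorted(self.entitlements.pop(user, set()))
        self._audit("terminate", user, f"removed {removed}; triggered by {actor}")
        return removed

    def check_access(self, user, role):
        """Access decision used by applications; denials are logged as suspicious."""
        allowed = role in self.entitlements.get(user, set())
        self._audit("access" if allowed else "access_denied", user, role)
        return allowed

    def sod_violations(self):
        """Periodic review: find users whose current roles violate the SoD policy."""
        found = []
        for user, roles in sorted(self.entitlements.items()):
            for pair in SOD_CONFLICTS:
                if pair <= roles:
                    found.append((user, tuple(sorted(pair))))
        return found

    def access_events(self, user):
        """Audit trail for one user, in the order events occurred."""
        return [e for e in self.audit_log if e["user"] == user]


if __name__ == "__main__":
    ps = ProvisioningSystem()
    ps.grant("alice", "vendor_create", actor="admin")
    ps.grant("alice", "payment_approve", actor="admin")   # denied: SoD conflict
    ps.check_access("alice", "vendor_create")              # allowed
    ps.terminate("alice", actor="hr_system")               # departure: all roles removed
    ps.check_access("alice", "vendor_create")              # denied and logged
    for e in ps.access_events("alice"):
        print(e["event"], e["detail"])
```

The grant path enforces segregation of duties before access exists, `terminate` removes every entitlement in one step so nothing lingers after an employee leaves, and `sod_violations` is the periodic review that catches conflicts introduced outside the grant path (for example, roles edited directly in a backend). Because denials are written to the same log as grants, an auditor can see both what was allowed and what was attempted.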
To help the IT community in its quest for compliance, AFCOM's Data Center Institute -- a think-tank comprised of data center managers and vendors for industry leadership -- will address regulatory compliance in the upcoming year. A seminar series also is being planned to support data center managers with the logistics of legislative accountability.