problem areas include poor documentation, informal controls and use of spreadsheets, lack of clarity when dealing with outsource providers and insufficient understanding of the internal workings of large business applications.
What’s more, the Act is silent on areas that are central to managing risks to information, such as business continuity and disaster recovery. This makes it important to integrate compliance into an overall IT security and corporate governance strategy rather than treating it as a stand-alone exercise.
“In the wake of financial scandals like Enron and WorldCom, the Sarbanes-Oxley Act was designed to improve corporate governance and accountability but has proved difficult to interpret for information security professionals,” says Andy Jones, ISF Consultant. “As neither the legislation nor the official guidance specifically mentions the words ‘information security’, the impact on security policy and the security controls that need to be put into place must be determined by each individual organisation in the context of their business.”
“Additionally, for organisations whose business is not primarily financial, for example manufacturing or product-service industries, the diversion of information security attention from other risk areas to Sarbanes-Oxley compliance may lead to important business risks being neglected.”
“It is important that Sarbanes-Oxley does not push organisations into following a compliance-based approach rather than a risk-based approach, which may compromise information security. The ISF report helps companies to achieve compliance while also ensuring that they have the appropriate security controls in place.”
The full Sarbanes-Oxley report is one of the latest additions to the ISF library of over 200 research reports that are available free of charge to ISF Members.
The Information Security Forum (ISF) was founded in 1989 and is a not-for-profit international association of over 260 leading global organisations which fund and co-operate in the development of practical, business-driven solutions to information security and risk management problems. The ISF undertakes a leading-edge research programme, and has invested more than US$75 million over the past sixteen years in providing best practice material for its members.