Sarbanes Oxley for IT security?
Comment Sarbanes Oxley seems wholly focused on the accuracy of a company's financial records and controls around these records, so where does IT security come into the picture, ask SecurityFocus columnist Mark Rasch.
At a recent computer security conference in Las Vegas, I was struck by the fact that every computer security vendor was advertising its product, software, service or consulting services as, "100% Sarbanes Oxley Compliant." It's sort of like the saying of being fat free and having reduced carbs. It got me wondering, does the Sarbanes Oxley law really have anything at all to do with computer security? The quick answer is, not as much as you might suspect, but more than the law did before.
A bit of history
To understand the Sarbanes Oxley Act of 2002, (SOX) you have to understand Enron. After reading Kurt Eichenwald's 742 page tome about the Enron scandal, I cannot claim to understand even what Enron did for a living. However, the Enron accounting scandal that led to SOX was a combination of corporate arrogance, director and officer inattention, CFO greed, pervasive conflict of interest, accountants who were captured by their client, and a failure to heed numerous warning signs, including those of inside whistleblowers like Sherron Watkins. At its core, the Enron debacle involved the United States Securities and Exchange Commission's approval of an aggressive (and likely inappropriate to its uses by Enron) form of accounting by Enron called "mark to market," coupled with a series of CFO-owned limited partnerships which were used to offload significant quantities of Enron debt while at the same time this debt was actually being reassumed by Enron itself.
The surest sign of accounting fraud is financial transactions that bear no true independent economic value (although such things are commonplace in the accounting world - think sale and leasebacks, offshore corporations and subsidiaries, etc.) Enron's accounting firm, Arthur Andersen, was beholden to its client for significant fees not only from accounting but from consulting services as well, creating additional conflicts of interest. Complaints of whistleblowers were dismissed by senior Enron management, because they felt as if they were, in the words of movie director Alex Gibney, "The Smartest Guys in the Room".
When SEC and DOJ investigations ensued, Andersen's counsel reminded everyone about the Andersen rule on not retaining accounting workpapers, leading to essentially a shredding party - although the US Supreme Court heard oral arguments during the last week of August on whether or not this activity was even criminal.
After Enron, Congress faced a series of other companies that have either been indicted for fraud or have had to significantly restate earnings because of a failure to accurately capture income and expenses. These include HeathSouth, Adelphia, Tyco, WorldCom, Qwest Communications, and Global Crossing. In each of these cases, it is alleged that senior management participated in events which led to the misstatement of earnings and the deception of investors. Indeed, each of these cases reflect equally corporate officials stealing from the company as well as stealing for the company.
What is important to note about each of these major financial frauds - the ones that essentially led Congress to act - is that none of them involved breakdowns in computer security. Indeed, had there been significant improvements on computer security and access control at each of these companies, there likely would have been no change in the result.
Congress gets involved
Otto Von Bismark once said that those who like sausage and have respect for the law should not watch either being made. The same could be said about the United States Congress. The Sarbanes Oxley Act imposes significant accounting and control requirements on U.S. publicly owned companies (and probably on foreign companies which are either traded on U.S. exchanges or which make up a significant part of a U.S. company's financial reporting). Thus, the new law, which was signed on July 30, 2002, directly addresses the Enron scandal by, for example: establishing records retention requirements for audit papers, creating a new oversight board for accounting firms auditing publicly traded companies (PCAOB), mandating auditor independence, mandating corporate responsibility and accountability at publicly traded companies, reducing conflicts of interests of financial analysts, providing protections for "whistleblowers," and imposing new criminal penalties relating to fraud, conspiracy, and interfering with investigations. You would be hard pressed in reading the text of SOX, its legislative history, or any of the voluminous testimony surrounding it, to find the words "computer security" or "computer crime."
There are several provisions of SOX which do, however, impact IT auditors and security professionals - even if only tangentially. For example, Section 302 requires the CEO and CFO to certify that the financial reports are true and accurate, and that there are in existence adequate controls over financial reporting and disclosure. Section 404 describes these controls, and requires that certification be both reasonable and that the outside auditors also certify the existence of such adequate controls over financial reporting. SOX Section 409 requires publicly traded companies to promptly report any changes in financial condition or reporting that might be material to investors, and Section 802 mandates that companies and their auditors maintain accounting documents and work papers for a minimum of seven years. Nary a mention of IT security. Indeed, SOX seems wholly focused on the accuracy of a company's financial records and controls around these records - income, expenses, accounting, liabilities, etc. Where does IT security come into the picture?
When the Public Company Accounting Oversight Board, created as a result of SOX, got to work it established auditing standards, including Standard 2, titled "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements". This document recognized that senior management can't just certify controls ON the system, these controls also have to control the way financial information is generated, accessed, collected, stored, processed, transmitted, and used through the system.
COBIT, COSO, ITIL and OATBNL (And other acronyms to be named later)
Because of SOX's reliance on controls, the Committee of Sponsoring Organizations of the Treadway Commission (headed by former SEC member James Treadway) developed a series of controls for financial processes which are now known as the COSO guidelines. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. For IT auditors, the relevant guidelines are COBIT (Control Objectives for Information and Related Technologies) which is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. (In the UK, there is the IT Infrastructure Library, published by the Office of Government Commerce in Great Britain which compliments COBIT.) These are a series of IT controls which should be in place in order to make such a SOX certification with respect to IT.
But here is the fundamental question - has there ever been a pervasive and material financial fraud which has resulted directly or indirectly from a failure of an IT security control? Would IT controls have prevented or detected the frauds at Enron, WorldCom, Tyco, and the like?
The answer to the former question is probably yes. If we look back historically to things like the Bearings Bank/Nick Leeson fraud of the late 1980s, or the Allied Irish Bank/Allfirst fraud of the beginning of this millennium - cases in which trusted employees generated and concealed tremendous losses for the company - IT security controls may have been able to prevent or detect such frauds, which certainly would have been material to investors. While such fraud perpetrated by insiders are difficult to detect because such insiders frequently have intimate knowledge of the controls themselves, processes that provide for things like access control, detection of unusual account or access activity, checks and balances for records relating to financial reporting may provide early warning for such fraudulent activity. At best you can make such systems fraud resistant -- not foolproof. Indeed, in many cases those committing significant frauds against a company must obtain unauthorized or superuser access to IT systems in order to either perpetuate the frauds or conceal them. IT security controls can also help companies certify compliance with other legal and regulatory requirements - a SOX mandate.
But for frauds like the next Enron and their ilk, IT security - even under COBIT guidelines - would likely provide no remedy. Where key decisions about how to account for profits, losses and liabilities are created by senior management and approved by independent accountants, all that the IT staff does is streamline the process for ensuring that these decisions are effectuated - not preventing fraudulent or erroneous assumptions.
One underemphasized provision of SOX is the requirement that companies disclose to investors both material events and contingent liabilities that might impact the bottom line. In this regard, IT security becomes more relevant. If you had a choice between investing in a financial institution (or a nuclear power plant) that had sound IT security practices, or one that had none, clearly you would find the IT security decisions to be important. Similarly, a significant attack on an infrastructure could yield losses to confidentiality, reliability or integrity of systems or data that would have to be disclosed to investors (just ask ChoicePoint about that).
The thing to remember about SOX is that it is primarily focused on the accuracy of financial reporting data. IT security is important under SOX only to the extent that it enhances the reliability and integrity of that reporting. To the extent that SOX provides an incentive to companies to do that which they reasonably should be doing anyway, by all means feel free to use it to convince with senior management. The better reason to have good controls over IT and IT security, however, is not because it will make you SOX compliant - but because it will make your business more efficient, enable you to better utilize your data, and allow you to trust ALL the data, not just financial reporting data. If it takes a few senior executives going to jail to achieve that, so be it.
Now ask yourself: are your security vendor's products "100% Sarbanes Oxley Compliant?" You can bet they probably are. And remember, their solutions meeting SOX compliance are also 100% cholesterol free!
Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.