Application 3 – Annotated Bibliography
S E C U R I T Y M A N A G E M E N T P R A C T I C E S
N O V E M B E R / D E C E M B E R 2 0 0 5
15
Sarbanes–Oxley and Enterprise Security: IT Governance — What It Takes to Get the Job Done
William Brown and Frank Nasuti
everal sections of the Sarbanes–
Oxley Act of 2002 (SOX) directly
affect the governance of the informa-
tion technology (IT) organization, including
potential SOX certification by the chief
information officer, Section 404 internal
control assessments, “rapid and current”
d i s c l o s u r e s t o t h e p u b l i c o f m a t e r i a l
changes, and authentic and immutable
r e c o r d r e t e n t i o n . T h e S e c u r i t i e s a n d
Exchange Commission (SEC) requires pub-
licly traded companies to comply with the
Treadway Commission’s Committee of
Sponsoring Organizations (COSO) that
defines enterprise risk and places security as
a critical variable in enterprise risk assess-
ment. Effective IT and security governance
are examined in terms of SOX compliance.
Motorola IT security governance demon-
strates effective structures, processes, and
communications; centralized security lead-
ers participate with Motorola’s Manage-
ment Board to create an enabling security
organization to sustain long-term change.
INTRODUCTION
In response to the series of business failures
and corporate scandals that began with
S
S E C U R I T Y M A N A G E M E N T P R A C T I C E S
WILLIAM C. BROWN, Ph.D., CPA, is an assistant professor at Minnesota State University–Mankato,
College of Business. His professional experience includes teaching management information systems at
both the undergraduate and graduate levels and serving for more than 25 years as a financial officer.
He served as a chief financial officer in three companies that were Securities and Exchange Commission
registrants. His education includes an MBA, a CPA, an MS in software engineering, and a Ph.D. in
management information systems.
FRANK NASUTI, Ph.D., CPA, CICA, CFE, has served as a visiting and adjunct professor at Nova
Southeastern University, Widener University, Temple University, and Rutgers University, teaching
research methods, computer science, and accounting at both the doctoral and master’s levels. His pro-
fessional experience includes law enforcement as a special agent/criminal investigator, IT audit man-
ager for a Big 4 accounting firm, internal audit director for a financial services company, and senior
managing director for a major consulting firm. He founded The Institute for Internal Controls, a pro-
fessional certification and research organization. His education includes a BS in accounting, an MBA
in management, an MS in information science, and a Ph.D. in information systems. He is a CPA and
holds the designations of certified internal controls auditor and certified fraud examiner.
16 I N F O R M A T I O N S Y S T E M S S E C U R I T Y
W W W . I N F O S E C T O D A Y . C O M
Enron in 2001, the U.S. Congress enacted
the Sarbanes–Oxley Act of 2002. The stated
purpose of SOX (2002) is to protect inves-
tors by improving the accuracy and reliabil-
ity of corporate disclosures made pursuant
to the securities laws. SOX outlines the
duties of the chief executive officer (CEO),
the chief financial officer (CFO), and the
auditor, including making each personally
responsible for ensuring the credibility of
the financial reporting provided to stake-
holders. Eleven sections of SOX (2002)
define auditor and corporate responsibilities,
including expectations for financial disclo-
sures, strong penalties for white-collar
crimes, and protection for “whistleblowers.”
Other regulatory measures, including the
Health Insurance Portability and Account-
a b i l i t y A c t o f 1 9 9 6 ( H I P A A ) , t h e
G r a m m – L e a c h – B l i l e y A c t o f 1 9 9 9
(GLBA), the Fair Credit Reporting Act
(FCRA), the Notification of Risk to Per-
sonal Data Act (NORPDA), and the Per-
sonal Information Protection and Electronic
Documents Act (PIPEDA), may create
financial and operational liabilities for the
enterprise. The steps recommended in secu-
rity governance may help align the enter-
prise to meet these specific regulatory
measures but are not specifically addressed
in this article.
The SEC offers little specific guidance
on IT security, leaving the door open to
interpretation as to the scope and nature of
security initiatives for SOX compliance.
The National Cyber Security Task Force
recommended that the SEC define specific
security requirements in future regulatory
guidance. Although the SEC has not defined
security requirements per se, the SEC is a
very effective change agent and will assert
itself if additional compliance measures are
required (Mead & McGraw, 2004).
In connection with SOX compliance, the
SEC does require the implementation of
Enterprise Risk Management – Integrated
Framework (ERM) authored by the Tread-
way Commission’s Committee of Sponsor-
ing Organizations (COSO). The ERM
framework divides IT controls into two
types (Ramos, 2004): (a) general computer
controls and (b) application-specific
controls, which will be described in more
detail later in this article. The purpose of
this article is to examine effective security
governance for SOX in the IT organization.
Christopher Alberts, a senior member of the
Networked Systems Survivability Program
at the Software Engineering Institute at Car-
negie Mellon, described the broader issue of
security as being primarily perceived as a
technology problem, when in fact it is an
organizational problem with a technology
component (Zorz, 2003). COSO described
internal control as a process that is affected
by people (COSO, 2005; Damianides,
2005). Organizational design, behavior, and
IT governance play very significant roles in
whether the enterprise can successfully
implement the ERM framework as defined
by the Treadway Commission.
IT governance describes the selection
and use of organizational processes to make
decisions about how to obtain and deploy IT
resources and competencies (Luftman, Bul-
len, Liao, Nash, & Neumann, 2004). IT
governance is about who makes these deci-
sions (power), why they make them (align-
ment), and how they make them (decision
process). Forrester Research (Symons,
2005) offers a similar definition for IT gov-
ernance: how decisions are made, who
makes the decisions, who is held account-
able, and how the results of decisions are
measured and monitored. Specific to secu-
rity governance for the IT organization, the
National Cyber Security Task Force (2005)
describes people, process, and technology
as the key elements of IT security gover-
nance. The integration of people, processes,
and technology requires the following:
CEO participation in accountability,
authority, and oversight of compliance
Executive management of security com-
mensurate with risk and integration poli-
cies within the operations
Senior managers involved with risk
assessment and the implementation of
security policies and operations security
S E C U R I T Y M A N A G E M E N T P R A C T I C E S
N O V E M B E R / D E C E M B E R 2 0 0 5
17
A security program that integrates frame-
works, methods, policies, procedures,
technology, and business continuity
plans
Ongoing reporting to the management
and Board of Directors
Control Objectives for Information and
Related Technology (COBIT), a generally
accepted framework for IT auditors that
maps to SOX requirements (Chan, 2004;
Ramos, 2004), categorizes IT processes into
four domains. COBIT originally was
released as an IT process and control frame-
work linking IT to business requirements
(IT Governance Institute, 2005a). Begin-
ning with the addition of Management
Guidelines in 1998, COBIT is now being
used increasingly as a framework for IT
governance (Ramos, 2004). Recent research
suggests that certain characteristics of IT gov-
ernance contribute to more effective align-
ment and execution of IT programs, including
security governance (Weill & Ross, 2004).
That research will be explored to complete
the COBIT governance framework and to
describe effective security governance to
meet SOX compliance.
RECENT SECURITY SURVEYS AND SOX
Two recent surveys (CERT® Coordination
Center, 2005; Computer Crime Research
Center, 2005) suggest that security practi-
tioners may have difficulty complying with
SOX and other security frameworks. The
2004 CSI/FBI Computer Crime Survey
reported that 20 percent of the 494 respon-
dents representing a cross-section of indus-
tries said that they do not use IT security
audits as a tool to assess their organizations’
security vulnerabilities (Computer Crime
Research Center, 2005). In the same survey,
the percentage of respondents who experi-
enced unauthorized use of computer systems
in 2004 declined to 53 percent from 58 per-
cent a year previously. Although this repre-
sented a significant improvement, it is still
evident of an alarmingly high rate of unautho-
rized use. Four years earlier, the rate of unau-
thorized use reached a peak of 70 percent of
survey respondents in the 2000 CSI/FBI
Computer Crime and Security Survey and
has declined in each consecutive year
(Computer Crime Research Center, 2005).
According to the survey results, 2004 finan-
cial losses resulted from, in descending
order, virus attacks, denial of service, and
theft of proprietary information, which cost
the companies of the respondents $55.0 mil-
lion, $26.0 million, and $11.4 million,
respectively. The 2004 CSI/FBI Computer
Crime and Security Survey also reported an
increasing reluctance by companies to
belong to information-sharing organiza-
tions. Over 50 percent of the survey respon-
dents cited the perception that negative
publicity would hurt their company’s stock
or image. The survey respondents in the
financial, utility, and telecommunications
sectors reported that SOX is having an
impact on the organization’s security. With
the full implementation of SOX, it may be
more difficult to assess the scope of com-
puter crimes as companies comply with
SOX and become more reluctant to share
information. However, the survey revealed
that security practitioners understand that
security breaches have very serious conse-
quences.
A second survey, the 2004 E-Crime
Watch Survey conducted by the U.S. Secret
Service and Carnegie Mellon University
Software Engineering Institute, reported an
increase in E-crimes as well as network,
system, and data intrusions (CERT® Coor-
dination Center, 2005). Leading causes of
security breaches reported in this survey
were similar to those reported in the 2004
CSI/FBI Computer Crime and Security
(Computer Crime Research Center, 2005).
Respondents reported the following secu-
rity breaches: viruses (77 percent of respon-
dents), denial of service (44 percent),
generation of SPAM or junk e-mail (38 per-
cent), unauthorized access by an insider (36
percent), phishing or sending fraudulent e-
mails seeking secure information (31 per-
cent), and unauthorized access by an out-
sider (27 percent). Significant to SOX
compliance, 7 percent of the respondents
18 I N F O R M A T I O N S Y S T E M S S E C U R I T Y
W W W . I N F O S E C T O D A Y . C O M
reported critical system disruption affecting
customers and loss of current or future rev-
enue from insider intrusion. Also significant
to SOX and potentially material to financial
statements (depending on the size of the
company), 3 percent of the respondents
reported monetary losses that exceeded
$10.0 million in connection with security
breaches.
Lack of protection from once-proven
technologies, new threats, and an onslaught
of new legislation have changed the per-
spective of corporate management and
Board of Directors toward IT security and
governance. Concurrent with the high pro-
file prosecution of Enron and WorldCom
officers, the 2004 E-Crime Watch survey
(CERT® Coordination Center, 2005) reaf-
firmed that current employees remain a very
serious security threat. Threats ranging from
terrorist attacks to phishing continue to dem-
onstrate the need for robust security gover-
nance. Regulatory measures including
HIPAA, GLBA, FCRA, NORPDA, and
PIPEDA and the legal liabilities associated
with those laws have led to the boardroom
realization that security is no longer just an IT
issue. Effective IT and security governance is
essential for SOX compliance and ERM.
SARBANES–OXLEY AND IT GOVERNANCE
Key sections of SOX compliance that
directly involve IT include Sections 302,
404, 409, and 802 (SOX, 2002).
Section 302 requires corporate officers to
make representations related to the dis-
closure of internals controls, procedures,
and assurance from fraud.
Section 404 requires an annual assess-
ment of the effectiveness of internal con-
trols.
Section 409 requires disclosures to the
public on a “rapid and current basis” of
material changes to the firm’s financial
condition.
Section 802 requires authentic and
immutable record retention.
The scope of SOX is not limited to the
CEO, CFO, and auditor, nor is it limited to
SEC registrants (i.e., public companies).
Increasingly, SOX’s provisions are becom-
ing applicable to private companies as well
(Heffes, 2005). In turn, lenders and states
increasingly are asking private companies
about the status of their internal control
environments.
Section 302
While the CEO and the Board of Directors
are accountable for overall corporate man-
agement, SOX also impacts IT administra-
tion, including organization governance, the
responsibilities of chief information officers
(CIOs), budgets, vendors, outsourcers, and
business continuity plans. CEOs and CFOs
may require their IT organizations to pro-
vide proof that automated portions of finan-
cial processes have appropriate controls,
that computer-generated financial reports
are accurate and complete, and that any
exceptions are captured and reported in a
timely manner (Kaarst-Brown & Kelly,
2005).
Recent surveys of CIOs reported that 44
percent of the companies required the CIO
to certify financial results under SOX com-
pliance (CIO Insight/Gartner, 2004). Gart-
n e r a n d v a r i o u s C I O j o u r n a l s h a v e
suggested the SEC eventually may require
the CIO to sign a statement in the annual
report attesting to the effectiveness of con-
trols and the accuracy of the financial
r e p o r t s ( C I O I n s i g h t / G a r t n e r , 2 0 0 4 ) .
Because of the significance of information
prepared by others, it is becoming common
for the CEO and CFO to request informa-
tion and certification from those individuals
who are directly responsible. This process is
known as sub-certification, and it usually
requires the individuals to provide a written
affidavit to the CEO and CFO that will
allow them to sign their certifications in
good faith (Ramos, 2004). Items that may be
the subject of sub-certification affidavits
include a statement of accuracy of specific
account balances, compliance with company
policies and procedures, the company’s code
of conduct, and the adequacy of the design or
operating effectiveness of internal controls.
S E C U R I T Y M A N A G E M E N T P R A C T I C E S
N O V E M B E R / D E C E M B E R 2 0 0 5
19
Whether the reported 44 percent (CIO
Insight/Gartner, 2004) will increase or
decrease over time remains to be seen. In-
depth interviews with over 50 CIOs in the
United States and Canada showed that rapid
strategic business change and E-business
and technology complexity will be signifi-
cant drivers in the near future (Reich & Nel-
son, 2003). As organizations transition into
more E-business and more architectural
complexity, it is reasonable to assume that
the 44 percent may increase to meet SOX
compliance.
Section 404
Section 404, in conjunction with the related
SEC rules and Auditing Standard No. 2
e s t a b l i s h e d b y t h e P u b l i c C o m p a n y
Accounting Oversight Board (2005), is
driving pervasive change in the internal
controls of the enterprise. Section 404
requires the management of a public com-
pany and for the company’s independent
auditor to issue two new reports at the end
of every fiscal year (SOX, 2002). These
reports must be included in the company’s
annual report filed with the SEC. Under
Section 404, management also must dis-
close any material weaknesses in internal
control. If a material weakness exists, man-
agement may not be able to conclude that
the company’s internal control over finan-
cial reporting is effective (SOX, 2002).
These management statements are not
enough, however; the company’s auditor
also must attest to the truthfulness of these
management internal control assertions.
COSO (2005) of the Treadway Commis-
sion recommended the ERM integrated
framework to manage and reduce risks, to
be applicable to all industries, and to
encompass all types of risk. Moreover, the
ERM framework recognizes that an effec-
tive ERM process must be applied within
the context of strategy setting. ERM is fun-
damentally different from most risk models
used, in that it starts with the top of the orga-
nization and supports the organization’s
major mission (COSO, 2005; Louwers,
Ramsey, Sinason, & Strawser, 2005).
The COSO ERM framework describes
five interrelated components of internal
control in Section 404. The CEO and the
CFO in concert with the CIO are responsi-
ble for the following (Ramos, 2004):
1. “Tone at the top” that positively influ-
ences the attitude of the personnel
2. Identification of risks, objectives, and
the methods to manage the risks
3. Activities and procedures that are estab-
lished and executed to address risks
4. Information systems to capture and
exchange the information needed to
conduct, manage, and control its opera-
tions
5. The monitoring of and responses to
changing conditions as warranted
COSO created a framework that divides
IT controls into two types (Ramos, 2004):
(a) general computer controls and (b) appli-
cation-specific controls. General controls
include the following:
Data center operations (e.g., job schedul-
ing, backup and recovery)
Systems software controls (e.g., acquisi-
tion and implementation of systems)
Access security
Application system development and
maintenance controls
Application controls are designed to per-
form the following:
Control data processing
Ensure the integrity of transactions,
authorization, and validity
Encompass how different applications
interface and exchange data
The ERM framework, a cornerstone of
Section 404 and COSO, requires ongoing
f e e d b a c k f r o m t h r o u g h o u t t h e
company. This feedback information must
be current, accurate, and sufficiently robust
to support the analysis of different risk
responses (COSO, 2005). Many firms are
implementing risk management applications
to assist with internal control and assess-
ment processes (Decker & Lepeak, 2003).
20 I N F O R M A T I O N S Y S T E M S S E C U R I T Y
W W W . I N F O S E C T O D A Y . C O M
A main objective of these tools is to lower
external audit verification costs.
Section 409
Section 409 requires that organizations dis-
close to the public, on a rapid and current
basis, material changes to a firm’s financial
condition (SOX, 2002). For example, a Sec-
tion 409 compliance consideration for IT
would be a situation where a computer virus
knocked out the supply chain and materially
affected the financial performance on a
quarterly financial report (Proctor, 2004).
This would be a disclosable event for finan-
cial reporting purposes under SOX.
Section 802
The IT organization must have policies in
place to ensure appropriate record retention
and security. SOX (2002) has a direct
impact on data management, data and sys-
tem security, and business recovery prac-
t i c e s . T h e C I O m u s t u n d e r s t a n d t h e
requirements and ensure that the appropri-
ate policies are in place, including ongoing
compliance.
GOVERNANCE AND THE MATURITY
MODEL
The IT Governance Institute (2005a, 2005b)
issued a governance model that provides the
structure and practices for four IT domains:
1. Plan and organize the strategic plan,
architecture, IT organization, human
resources, and compliance with exter-
nal requirements (including SOX);
assess risks; manage projects; and man-
age quality.
2. Acquire and implement software, hard-
ware, infrastructure, and procedures;
install and accredit systems; and man-
age changes.
3. Deliver and support service, perfor-
mance and capacity, systems security,
and user training; assist and advise cus-
tomers; and manage problems and inci-
dents, data, facilities, and operations.
4. Monitor processes, assess internal con-
trols, obtain independent assurance, and
provide for the independent audit.
The organizational design challenge is to
ensure that the four domains of IT gover-
nance can sustain the necessary activities to
meet SOX compliance.
A useful assessment is to compare the
four domains of IT governance with the
internal control reliability model. Internal
controls or Section 404 compliance is a
major provision of SOX. The internal con-
trol reliability model maps documentation,
awareness and understanding, perceived
value, control procedures, and monitoring
of internal controls to five levels of maturity
(Ramos, 2004). At the systematic level of
the internal control reliability model, docu-
mentation is comprehensive, controls are
integral to operations, and control proce-
dures are formal and consistent, but compli-
ance is not being monitored (see Table 1).
Compliance with Section 404 is attained
when the four domains of IT governance are
aligned with the internal controls maturity
model. The underlying premise of the inter-
nal controls maturity model (see Table 1) is
that if an organization does not have defined
and standardized processes, it is unable to
provide consistent and reliable services.
Standardized processes to provide consis-
tent and reliable IT services are critical to
SOX compliance. Maturity in all four
domains of the IT governance model is
required to sustain SOX compliance.
The IT Governance Institute (2005a,
2005b) and Forrester Research (Symons,
2005) have described the maturity levels of
IT governance. Mapping the maturity levels
of an organization to the internal control
reliability model can provide some insight
into whether a particular IT organization
can meet SOX compliance. The four levels
of Forrester Research’s IT governance
maturity are (a) ad hoc, (b) fragmented, (c)
consistent, and (d) best practices (Symons,
2005). An ad hoc IT organization in matu-
rity produces an initial level of reliability in
internal controls and would be unacceptable
S E C U R I T Y M A N A G E M E N T P R A C T I C E S
N O V E M B E R / D E C E M B E R 2 0 0 5
21
for SOX compliance. In contrast, an organi-
zation at the best practice maturity level has
been using best practices for a period of
time and has an optimized IT portfolio. A
best practice maturity level would meet
SOX compliance. The IT organization must
evolve though internal development to inte-
grate best practices into its IT governance
model.
Before a best practice is adopted and
integrated into the governance model, a
practice approach should be developed and
implemented (Kola, 2004). The practice
approach formalizes and sets into motion
(a) a standard operating procedure, (b) con-
sistent behaviors, and (c) routine monitor-
ing. The practice approach is repeatable and
necessary for auditor testing. Best practices
are characterized by (a) common structures
for Sections 302, 404, 409, and 802; (b)
optimized management responsiveness; and
(c) defined business benefits such as
reduced liabilities. Creating value is (a) cre-
ating business processes that resolve Sec-
tion 302, 404, 409, and 802 issues before
they happen; (b) using the company’s
resources more effectively; and (c) estab-
lishing the capability of the company to exe-
cute to a defined and standardized process
(Cobb, 2004). The best practice approach
aligns the standards of adequacy for disclo-
sure controls with those for internal controls
and enables management to meet acceler-
ated disclosure deadlines.
Several formal and informal frameworks,
including COBIT, ISO 17799, and IT Infra-
s t r u c t u r e L i b r a r y ( I T I L ) , w h i c h a r e
explained in the following section, can help
move the IT organization to high levels of
maturity. Each framework offers particular
features that can contribute to the overall
security governance framework adopted by
the enterprise. Security governance for an
enterprise should include some part of each
framework to build a comprehensive IT
security governance strategy.
COBIT, ITIL, AND ISO 17799
FRAMEWORKS
COBIT is a generally accepted framework
that maps well to SOX requirements (Chan,
2004; Ramos, 2004). COBIT and related
sources are produced by the Information
Systems Audit and Control Association
(ISACA, 2005) and the IT Governance
Institute (2005b). The COBIT framework
provides “good practices” developed by a
consensus of experts in the field and defines
a process framework against a set of high-
level control objectives, one for each of the
IT processes, grouped into four domains
(see Table 2).
According to the “Board Briefing on IT
Governance” (IT Governance Institute,
TABLE 1 Internal Control Reliability Model
Characteristics of Reliability
Reliability
Level Documentation
Awareness and
Understanding
Perceived
Value
Control
Procedures Monitoring
Initial Very limited Basic awareness Unformed Ad hoc,
unlinked
Informal Sporadic,
inconsistent
Understanding not
communicated
Controls separate from
business operations
Intuitive,
repeatable
Systematic Comprehensive
and consistent
Formal communication
and some training
Controls integral to
operations
Formal,
standardized
Integrated Comprehensive
and consistent
Comprehensive
training
Control process part of
strategy
Formal,
standardized
Periodic monitoring
begins
Optimized Comprehensive
and consistent
Comprehensive
training on control-
related matters
Commitment to
continuous improvement
Formal and
standardized
Real-time
monitoring
Adapted from How to Comply with Sarbanes–Oxley Section 404: Assessing the Effectiveness of Internal Control, by Michael
Ramos, John Wiley & Sons, Hoboken, NJ, 2004.
22 I N F O R M A T I O N S Y S T E M S S E C U R I T Y
W W W . I N F O S E C T O D A Y . C O M
2005a), the overall objectives of IT gover-
nance activities are (a) to understand the
issues and strategic importance of IT, (b) to
ensure that the enterprise can sustain its
operations, and (c) to ascertain that it can
implement the strategies required to extend
its activities into the future. The IT Gover-
nance Institute (2005a) has provided an
extensive compilation of leadership, value
creation, performance management, gover-
nance frameworks, governance officers,
and enterprise architecture implementation.
The IT Governance Institute integrates
numerous recognized best practices, frame-
works, and processes, including the bal-
anced scorecard, “Board Briefing on IT
Governance,” Capability Maturity Model,
COSO ERM Integrated Framework, Euro-
pean Framework for Quality Management,
Enterprise Architecture, ISO 9001–2000,
Malcolm Baldridge Quality Criteria Frame-
work, OECD Principles of Corporate
Governance, and the Technical Reference
Model.
ISO 17799 is a detailed “what to do”
security standard that is organized into 10
major sections, each covering a different
topic or area (“What is: ISO 17799,” 2001):
(a) business continuity planning, (b) system
access control, (c) system development and
maintenance, (d) physical and environmen-
tal security, (e) compliance, (f) personnel
security, (g) security organization, (h) com-
puter and network management, (i) asset
classification and control, and (j) security
policy. ISO 17799 has a narrow focus on
security management and cannot stand
alone as a security governance standard
(Stolovitch, 2004; Symons, 2005). ISO
17799 can play a meaningful role in risk
management assessment and therefore a
role in security governance.
ITIL, initially developed in the U.K. by
the Office of Government Commerce,
TABLE 2 COBIT IT Processes
Domain Key Processes
Planning and organization Define a strategic plan
Define the information architecture
Define the IT organization and relationships
Communicate management aims and direction
Manage human resources
Ensure compliance with external requirements
Assess risks
Manage quality
Acquisition and implementation Acquire and maintain application software
Acquire and maintain technology infrastructure
Develop and maintain procedures
Install and accredit systems
Manage changes
Delivery and support Define and manage service levels
Manage third-party service levels
Manage performance and capacity
Ensure continuous service
Ensure systems security
Educate and train users
Manage the configuration
Manage problems and incidents
Manage data
Manage facilities
Manage operations
Monitoring Monitor the processes
Assess internal control adequacy
Obtain independent assurance
Adapted from How to Comply with Sarbanes–Oxley Section 404: Assessing the Effectiveness of Internal
Control, by Michael Ramos, John Wiley & Sons, Hoboken, NJ, 2004.
S E C U R I T Y M A N A G E M E N T P R A C T I C E S
N O V E M B E R / D E C E M B E R 2 0 0 5
23
defines a broad range of processes that are
considered best practices and are docu-
mented in a series of books. Processes
include (a) incident management, (b)
change management, (c) problem manage-
ment, (d) service-level management, (e)
continuity management (disaster recovery),
(f) configuration management, (g) release
management, (h) capacity management, (i)
financial management, (j) availability man-
agement, (k) security management, and (l)
help desk management. ITIL is extremely
useful in improving the infrastructure to
provide ongoing services through service
management. ITIL should be applied as a
tool within the context of a broader organiza-
tional strategy but should not be considered a
comprehensive solution (Meyer, 2005).
The ITIL security management frame-
work examines security from the service
provider perspective, identifying the rela-
tionship between security management and
the IT security officer as well as outlining
how it provides the level of security neces-
sary for the entire organization. COBIT and
ITIL are complementary; COBIT takes on the
role of audit and control, and ITIL takes on
the role of best practices for services
(Symons, 2005).
TRENDS IN SECURITY AND BUSINESS
CONTINUITY PLANNING
Central information security groups are
assuming greater seniority, with 40 percent
or more of the security groups reporting
directly to the CIO (Corporate Executive
Board, 2003b). The central security is
assuming responsibility for governing and
coordinating policy and standards formula-
tion, architecture, vendor selection, compli-
ance auditing, vulnerability assessment, and
intelligence gathering. Three emerging
roles for the central information security
organization are (a) awareness campaigns,
(b) central password management, and (c)
supply-chain security programs. Consistent
with the research by Weill and Ross (2004),
a direct reporting relationship by a central-
ized security organization creates the oppor-
t u n i t y f o r m o r e e f f e c t i v e s e c u r i t y
governance through more collaborative
opportunities between the business profes-
sionals and IT security management and
through defined decision rights that involve
technical decisions.
The 10 barriers to security and business
continuity planning defined by the Corporate
Executive Board Working Council (2003a)
include (a) subjective risk prioritization, (b)
poor risk communication, (c) security
requirements mismatch, (d) siloed business
protection, (e) unclear business continuity
ownership, (f) insufficient user awareness,
(g) inconsistent password policies, (h)
incomplete business continuity prepared-
ness, (i) poor crisis communication, and (j)
external partner vulnerabilities. SOX
requires compliance with the Treadway
Commission’s COSO ERM framework and
therefore requires security risk prioritiza-
tion and communication to be consistent
with those standards. SOX (2002) Sections
302, 404, 409, and 802 are affected by all of
these items, with the exception of subjective
risk prioritization and poor risk communi-
cation.
RECENT RESEARCH IDENTIFYING
EFFECTIVE IT AND SECURITY
GOVERNANCE
In a survey of 256 IT organizations, the best
predictor of effective IT governance perfor-
mance was the percentage of managers in
leadership positions who could accurately
describe their IT governance processes
(Weill & Ross, 2004). In above-average
governance-performing enterprises, 45 per-
cent or more of managers could describe
accurately their IT governance, whereas in
below-average performing enterprises, only
a few managers in leadership positions
could describe their governance process.
Other factors associated with effective IT
governance include (a) a higher percentage
of senior managers who engage more often
and more effectively in IT governance
(committees, announcements, etc.), (b)
more direct involvement of the senior busi-
ness leaders in IT governance, (c) clearer
business objectives for IT applications, (d)
24 I N F O R M A T I O N S Y S T E M S S E C U R I T Y
W W W . I N F O S E C T O D A Y . C O M
more differentiated business strategies, (e)
fewer approved exceptions, and (f) fewer
changes in governance from year to year
(Weill & Ross, 2004).
Of the 256 companies in Weill and Ross’
(2004) survey, in those organizations with
the most effective IT governance decisions,
decisions were led by management, busi-
ness unit leaders, and IT specialists in each
of the respective areas:
IT principles (clarification of the busi-
ness role of IT): IT and top management
or business unit leaders
IT architecture (integration and stan-
dardization of IT requirements): IT spe-
cialists
IT infrastructure (sharing and enabling
of IT services): IT specialists
Business application need (evaluation of
business needs for purchased or devel-
oped applications): corporate and busi-
ness units, with or without IT
IT investment (funding for IT initiatives):
IT and top management or business unit
leaders
For those organizations with the least
effective IT governance decisions, decisions
were led by management, business unit
leaders, and IT specialists in each of the
respective areas:
IT principles: top management or busi-
ness unit leaders
IT architecture: top management or busi-
ness unit leaders
IT infrastructure: top management or
business unit leaders
Business application need: corporate and
business units, with or without IT
IT investment: top management or busi-
ness unit leaders
Perhaps it is no coincidence that a Gartner
survey of 75 senior compliance executives
found that 37 percent of companies had no
IT representation on SOX compliance
teams (Leskeia & Logan, 2003).
Weill and Ross (2004) reported that the
most effective decision-making structures
are
Executive management committees
IT leadership committees
Business/IT relationship managers
The least effective IT decision-making
structures are
Capital approval committees
Architectural committees
The most effective alignment processes are
tracking IT projects and resources con-
sumed. The least effective are charge-back
mechanisms and tracking the business value
of IT investments.
The methods of engagement include (a)
senior management announcements that
reinforce and alert governance changes; (b)
formal committees to add weight and cross-
functional influence; (c) a recognized advo-
cate, owner, and organizational home; (d) a
dialogue to educate and address concerns;
and (d) a single place for governance infor-
mation such as an intranet (Weill & Ross,
2004).
SECURITY GOVERNANCE AT MOTOROLA
Many enterprises are concerned with secu-
rity, but Motorola has made it a strategic
priority (Weill & Ross, 2004). Security gov-
ernance secures the support of executive
management through a Management Board
for IT Principles and IT Investment, but the
security leaders maintain the final decision
authority over the security architecture and
infrastructure. The decision-making process
at Motorola security includes the following:
IT principles: Management Board and
security leaders
IT architecture: security leaders
IT infrastructure: security leaders
Business application need: business
leaders
IT investment: Management Board and
security leaders
S E C U R I T Y M A N A G E M E N T P R A C T I C E S
N O V E M B E R / D E C E M B E R 2 0 0 5
25
Motorola’s Corporate Information Secu-
rity Officer participates at quarterly Man-
a g e m e n t B o a r d m e e t i n g s w i t h t h e
following:
An identification of Motorola’s security
risks and the alternatives for addressing
them
An education about the likelihood of var-
ious security breaches and the potential
impacts of each threat
Recommended security principles and
priorities in certain areas of the business
A budget that is approved separately
from the rest of the IT budget.
Using a monarchy decision-making
style, Motorola’s Corporate Information
Security Officer
Implements security plans at both a cor-
porate and business unit level
Designs and builds appropriate technol-
ogy with his support staff
Works with IT architects at both the cor-
porate and the sector levels to ensure that
security measures are built seamlessly
into the IT infrastructure and applications
As an example of how Motorola security
integrates itself into the IT architecture and
infrastructure, Motorola created a single,
global department tasked with centrally
rolling out standard configurations across
the enterprise (Microsoft Executive Circle,
2004). Motorola’s security organization is
ultimately responsible for 65,000 desktop
and portable computers plus embedded
devices and other computers spread across
the Americas, Europe, Africa, and Asia.
Before centralizing the upgrades, updates
using third-party software programs or
complete security updates to protect Motor-
ola’s enterprise from viruses, hackers, and
other security threats would take weeks.
The company consolidated 600 domains
into a single environment with nine child
domains. Software updates that formerly
took months are now completed in less than
a week.
As another example of how Motorola
security integrates itself into the IT architec-
ture and infrastructure, Motorola developed
the Extended Enterprise Protection Plan to
evaluate risks in the supply chain, provide
incentives for suppliers to improve their
security, and identify areas where Motorola
should take action internally to mitigate
risks (Corporate Executive Board, 2003a).
The plan includes six steps: (a) the identifica-
tion of mission-critical partners, (b) a partner
self-assessment using an ISO 17799 check-
list, (c) a partner perimeter scan by a trusted
third party to scan partner networks for vul-
nerabilities, (d) an offer of discounts to part-
ners to access Motorola’s vendors, (e) offers
of cyber-insurance discounts, and (f) internal
steps to mitigate any weakness that partners
fail to address.
In the development of centralized secu-
rity protection for 65,000 desktop and por-
table computers and supply chain security
programs, Motorola’s security governance
identified and prioritized risks, communi-
cated the risks to the business units and
external partners, matched the security
requirements to the needs, avoided siloed
business protection, and managed external
partner vulnerabilities. Motorola completed
the business protection life cycle through
three major security processes: (a) risk
assessment, (b) policy setting and oversight,
and (c) effective execution.
A strategic approach to information secu-
rity transforms the IT security function from
a set of ad hoc activities with an emphasis
on technology to a coordinated approach of
principles, behaviors, and adaptive solu-
tions that map to business requirements
(Proctor, 2004). A centralized security gov-
ernance within Motorola works closely with
a Management Board to define policies and
priorities, to educate stakeholders, and to set
budgets apart from IT operations. Motorola
security leaders take sole possession and
leadership of the IT security architecture
and infrastructure. Motorola security has
transformed itself from a loosely distributed
set of domains across the world into a cen-
trally coordinated approach to secure
26 I N F O R M A T I O N S Y S T E M S S E C U R I T Y
W W W . I N F O S E C T O D A Y . C O M
65,000 computers and to administer a sup-
ply-chain security program. Effective deci-
s i o n - m a k i n g s t r u c t u r e s , a l i g n m e n t
processes, and methods of engagement are
integral to effective security governance
and ultimately to SOX compliance. There-
fore, senior security leadership in gover-
nance structures such as Motorola likely can
fully explain their governance process.
Additionally, Motorola is likely to imple-
ment successfully a SOX compliance pro-
gram that can change and evolve as the
security environment changes and evolves.
The security governance framework
includes (a) structures, (b) processes, and
(c) communications (Symons, 2005). The
Motorola governance framework includes
(a) security managers within the security
organization who report to the Management
Board, (b) processes that include the man-
agement of security-related architecture and
infrastructure for the enterprise, and (c)
communications that directly involve the
Management Board and include ongoing
education and budget direction. Executive
management committees (such as the Man-
agement Board at Motorola), IT leadership
committees, and business/IT relationship
managers are among the most effective gov-
ernance structures for the IT organization and
are likely to have a positive influence on secu-
rity governance. The governance framework
at Motorola has created an enabling organi-
zation rather than a support organization.
TO SUSTAINABLE CHANGE
A project characterized by a one-time
change agent, created for first-time imple-
mentation, may develop an unsustainable
and potentially untestable approach to Sec-
tion 404 compliance (Kola, 2004). Such a
short-term project concentrates responsibil-
ity for compliance in the hands of a few and
is often typified by retention of outside con-
sultants who take the process knowledge
with them when they leave companies.
Most change initiatives, including the
installation of new technology, downsiz-
ing, restructuring, or trying to change cor-
porate culture, have had success rates of
approximately 30 percent (Beer & Nohria,
2 0 0 0 ) . M a n a g e m e n t t h a t e m p h a s i z e s
change from the top down to yield quick
results often uses outside consulting firms.
In contrast to a quick-change environment
initiated by an outside consulting firm,
ongoing change must be sustained by an
organization in which employees are emo-
tionally committed to solving the new chal-
lenges that continually arise. The most
successful long-term approach is to inte-
grate both a top–down and a bottom–up
approach to change management. A suc-
cessful integration of a top–down and bot-
tom–up approach emphasizes several
dimensions of change:
Leadership both sets direction from the
top and engages the staff below.
Focus is simultaneously on the hard
(structures and systems for SOX compli-
ance) and on the soft (corporate culture to
sustain ongoing responsiveness).
Process involves planning for spontane-
ity.
Reward system uses incentives to rein-
force change but not to drive it.
Consultants use expert resources who
empower employees.
Several specific approaches can be used
to maintain the momentum to integrate Sec-
tion 404 into operational practices, includ-
ing expanded use of the internal audit
function, risk identification and manage-
ment programs, integrated information sys-
tems to support Section 404 compliance,
and active change management to design
and implement Section 404 compliance as
the business evolves (Dittmar, 2004).
Application-level controls and general com-
puter controls have been major focuses of
attention in first-year projects. Many com-
panies have used technology to help man-
age their Section 404 efforts and to provide
control repositories and audit trails.
CONCLUSION
In organizations with the least effective IT
governance, decisions were led by man-
agement and business unit leaders in IT
S E C U R I T Y M A N A G E M E N T P R A C T I C E S
N O V E M B E R / D E C E M B E R 2 0 0 5
27
principles, IT architecture, IT infrastructure,
business application need, and IT investment.
In organizations with the most effective IT
governance, IT decisions were shared by
management, business unit leaders, and IT
specialists, with IT specialists leading the
decision making in IT architecture and IT
infrastructure. Motorola security gover-
nance demonstrates the role of effective
structures, processes, and communications
and how centralized security leaders partic-
ipate with the Management Board. At
Motorola, security specialists led the deci-
sion making for the IT architecture and IT
infrastructure. The security governance
framework must integrate the (a) structures,
(b) processes, and (c) communications to
create an enabling security organization for
the security life cycle of (a) risk assessment,
(b) policy setting and oversight, and (c) exe-
cution. The one-time consulting engage-
ment by an outside consulting firm must be
replaced by change management strategy
that sustains long-term change.
References
Beer, M., & Nohria, N. (2000, May–June). Cracking the code of change. Harvard Business Review, HBR OnPoint.
Chan, S. (2004). Sarbanes–Oxley: The IT dimension. The Internal Auditor, 61(1), 31–33.
CERT® Coordination Center. (2005). 2004 E-Crime Watch Survey shows significant increase in elec-
tronic crimes. Available at http://www.cert.org/ about/ecrime.html
CIO Insight/Gartner. (2004, May). EXP Research: Sar- banes–Oxley 2004: Are you ready to comply? Available at http://www.cioinsight.com
Cobb, C. G. (2004, November). Sarbanes–Oxley: Pain or gain? Quality Progress, 37(11), 48–52.
Committee of Sponsoring Organizations. (2005). FAQs for COSO’s Enterprise Risk Management—
Integrated Framework. Available at http://www. coso.org/Publications/ERM/erm_faq.htm
Computer Crime Research Center. (2005). 2004 CSI/FBI Computer Crime and Security Survey. Available at http://www. crime-research.org/ news/11.06.2004/423/
Corporate Executive Board. (2003a). Securing extended enterprise partners. Motorola, Inc., Working Council Research. Available at http:// www.cio.executiveboard.com/
Corporate Executive Board. (2003b). Trends in infor- mation security and business continuity planning
from infrastructure protection to business enable-
ment. Available at http://www.cio. executiveboard.com/
Damianides, M. (2005, Winter). Sarbanes–Oxley and IT governance: New guidance and IT control and compliance. Information Systems Management.
Decker, S., & Lepeak, S. (2003). Connecting to ERP for SOX 404 Assessments. Available at the META Group Web site: http:// www.metagroup. com
Dittmar, L. (2004, November). What will you do in Sarbanes– Oxley’s second year?” Financial Executive, 20(8), 17–18.
Heffes, E. (2005, January–February). FEI CEO’s 2005 top 10 financial reporting issues. Financial Executive, 21(1). Available at http://www.fei.org
Information Systems Audit and Control Association. (2005). About ISACA. Available at http://www. isaca.org
IT Governance Institute. (2005a). Board briefing on IT governance. Available at http://www.itgi.org/
IT Governance Institute. (2005b). Governance of the extended enterprise, bridging business and IT strategies. Hoboken, NJ: John Wiley & Sons.
Kaarst-Brown, M., & Kelly, S. (2005). IT governance and Sarbanes–Oxley: The latest sales pitch or real challenges for the IT function? In Proceedings of the 38th Hawaii International Conference on System Sciences – 2005, IEEE.
Kola, V. (2004, January–February). Sarbanes–Oxley Section 404: From practice to best practice. Financial Executive, 20.
Leskeia, L., & Logan, D. (2003). Sarbanes–Oxley compliance demands IS involvement. Available at the Gartner, Inc., Web site: http://www.gartner. com/
Louwers, T., Ramsey, R., Sinason, D., & Strawser, J. (2005). Auditing and assurance services. New York: McGraw-Irwin.
Luftman, J., Bullen, C., Liao, D., Nash, E., & Neu- mann, C. (2004). Managing the information tech- nology resource. Upper Saddle River, NJ: Pearson Prentice Hall.
Microsoft Executive Circle. (2004). Motorola case study. Available at the Microsoft Corporation Web site: http://www.microsoft. com
Mead, N. R., & McGraw, G. (2004). Regulation and information security: Can Y2K lessons help us? In IEEE Security and Privacy, IEEE.
Meyer, D. (2005). Beneath the buzz: ITIL is a power- ful tool, but holds pitfalls in store for those who get obsessed with it. Available at the CIO.com Web site: http://www.cio.com/leadership/buzz/ column.html?ID=4186
National Cyber Security Partnership. (2005). Gover- nance. Available at http://www.cyberpartnership. org/init-governance.html
Proctor, P. (2004). Sarbanes–Oxley security and risk controls: When is enough enough? In Infusion: Security & Risk Strategies. Available at the META Group Web site: http://www.metagroup. com
Public Company Accounting Oversight Board. (2005). PCAOB center for enforcement tips, com- plaints and other information. Available at http://www.pcaobus.org/Enforcement/Tips/ index.asp
Ramos, M. (2004). How to comply with Sarbanes– Oxley Section 404. Hoboken, NJ: John Wiley & Sons.
28 I N F O R M A T I O N S Y S T E M S S E C U R I T Y
W W W . I N F O S E C T O D A Y . C O M
Reich, B. H., & Nelson, K. (2003). In their own
words: CIO visions about the future of in-house
IT organizations. The Database for Advances in
Information Systems, 34(4). Sarbanes–Oxley Act of 2002, Public Law 107–204
(2002). Available at http://www.pcaobus.org Stolovitch, D. A. (2004, January 30). Canadian ISO
17799 User Conference, Sun Life’s experience
with security governance and ISO 17799. Avail-
able at http://www.scienton.com/7799ug/ Papers.
html Symons, C. (2005, March 29). IT governance frame-
work, structure, processes, and communication.
Available at the Forrester Research Web site: http://www.forrester.com/
Weill, P., & Ross, J. (2004). IT governance: How top performers manage IT decision rights for supe- rior results. Boston: Harvard Business School Press.
What is: ISO 17799? (2001). Available at the Risk Associates Web site: http://www.securityauditor. net/ISO17799/what.htm
Zorz, M. (2003, March 12). Interview with Christo- pher Alberts, a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute. Available at http://www.net-security.org
- The (ISC)2 Journal Information Systems Security
- Diminishing Perimeter
- LEGALLY SPEAKING
- Click Fraud: Google v. Auctions Expert International
- CLICK FRAUD
- GOOGLE V. AUCTIONS EXPERT INTERNATIONAL
- HOW TO DEAL WITH CLICK FRAUD
- CONCLUSION
- Notes
- ON MALICIOUS CODE
- Source Code Implications for Malcode
- KOURNIKOVA WORM: ONTHEFLY CREATES A WORM
- MYDOOM MISERIES
- BOFRA: 50 PERCENT MYDOOM AND 50 PERCENT NEW CODE
- MYTOB: MYDOOM AND RBOT CODE
- PHATBOT
- CABIR
- CONCLUDING COMMENTS
- SECURITY MANAGEMENT PRACTICES
- Sarbanes–Oxley and Enterprise Security: IT Governance — What It Takes to Get the Job Done
- INTRODUCTION
- RECENT SECURITY SURVEYS AND SOX
- SARBANES–OXLEY AND IT GOVERNANCE
- Section 302
- Section 404
- Section 409
- Section 802
- GOVERNANCE AND THE MATURITY MODEL
- COBIT, ITIL, AND ISO 17799 FRAMEWORKS
- TRENDS IN SECURITY AND BUSINESS CONTINUITY PLANNING
- RECENT RESEARCH IDENTIFYING EFFECTIVE IT AND SECURITY GOVERNANCE
- SECURITY GOVERNANCE AT MOTOROLA
- TO SUSTAINABLE CHANGE
- CONCLUSION
- References
- TELECOMMUNICATIONS, NETWORK, AND INTERNET SECURITY
- Firewall Considerations for the IT Manager
- EVOLVING THREATS AND MATURING DEFENSES
- Highlights for 2001
- Highlights for 2002
- Highlights for 2003
- 2004: Current Firewall-Related Concerns for the IT Manager
- REGULATORY COMPLIANCE
- SARBANES–OXLEY ACT (SOX)
- CALIFORNIA SENATE BILL 1386
- GRAMM-LEACH-BLILEY ACT (GLBA)
- EUROPEAN UNION DATA PROTECTION DIRECTIVE
- BASEL II ACCORD
- USA PATRIOT ACT
- HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
- MANAGEABILITY
- MITIGATION OF VIRUSES AND WORMS
- Worm Considerations
- Future Worm Considerations
- REMOTE ACCESS SECURITY
- PRIVACY ISSUES
- INSIDER THREATS
- INFRASTRUCTURE
- APPLICATION SECURITY
- WIRELESS SECURITY
- PATCH MANAGEMENT
- Security Leadership Conference Series