SOX giveth as well as taketh away
It's SOX season again. As a publicly traded company, we have to comply with the Sarbanes-Oxley Act.
SOX compliance is a necessary part of business, like tax accounting and HR, for all publicly traded companies, thanks to legislation passed in 2002, in the wake of the Enron scandal. It's meant to reduce the risk of financial fraud that might cost investors a lot of money. But it ends up costing the companies themselves. SOX is one of the most costly and complex pieces of legislation Congress has produced.
My company is relatively small. We're certainly not on the Fortune 500 list, and you've probably never heard of us, though you can buy our stock if you want to. The cost of SOX compliance for a company like mine is disproportionately higher than for larger companies, because we have to do all the same things.
Our internal audit department, which is needed to coordinate all SOX activities, is four times the size of my information security team. We also pay millions of dollars a year to an outside audit firm. And we spend an enormous number of man-hours with all these auditors. If I could get only a small fraction of those resources for my team, I could do a lot more to protect the company.
But I have to admit, SOX has done some good things for us. There are certain policies and practices, especially in the area of user account management, that I might have a hard time getting implemented if I didn't have SOX to lean on. When it comes to ordinary best practices in the security field, I usually have to spend a lot of time explaining, educating and justifying my position. But if something falls into the domain of SOX Section 302 or Section 404, which are the parts that most affect what I do, I can simply say we need to do it to be SOX-compliant. No further argument is necessary.
And sometimes I can wield SOX as a lever to refuse requests from the business that are unreasonably or excessively risky. For example, last week I was asked to open up Internet connectivity to an internal Web server that somebody had developed. They built the server on our private network and expected to use it in place for accepting connections from Internet-based Web browsers. There is no way I would say yes to such a request, not without a firewall and some network isolation in place to protect the rest of our network in case the server gets compromised. In this case, the Web server is communicating with our financial systems, so instead of giving a lengthy explanation, I just had to say, "That would violate SOX and we'd get in a lot of trouble."
If you work for a publicly traded company, you probably know exactly what I'm talking about. SOX is a double-edged sword -- it helps me get some things done, but it also takes away some of my scarce security resources and diverts company attention away from some of my other priorities. And this is the time of year it hits hardest, because most of the things the auditors are looking at are done at the end of the year, so we have to spend a lot of time going over documentation that we collected throughout the year.
I don't like to rely on laws to get the company to do the right thing, but sometimes it's the best way. My experience, at every company I've been with, companies just won't practice good behaviors unless the law tells them to. I find that really disappointing, but it's the reality. So as costly as SOX is to my company, it's had a positive impact.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.