LogBlog


Three SOX Learnings

New to the LogLogic team, I made my way to the ISACA (Information Systems Audit and Control Association) Silicon Valley Chapter's monthly meeting on August 11, 2006 to learn about Sarbanes-Oxley (SOX) efforts from the C-level executive's perspective. The panel line-up was excellent: Bill Vass, President/COO of Sun Microsystems Federal Inc; Maria Shaw, Director of the Risk Control Group at McKesson; and Jeff Brzycki, Senior Director of IT Shared Services at Symantec Corporation.

The event proved to be a lively discussion between ISACA attendees and the panel, moderated by Ray Cheung, Director of Risk Advisory Services at KPMG. Here are three key SOX lessons that I took away from the discussion:

  1. Reap the benefits of SOX. A common theme throughout the discussion was the upside and downside of SOX compliance requirements. On the upside, SOX has forced companies to take IT and financial processes and controls more seriously. Controls such as single sign-on, access management, segregation of duties and identity management have become more pervasive because of SOX, and companies are finding that they are ultimately better off for it. According to Jeff Brzycki, companies that have taken a proactive approach have found that a SOX byproduct is "continuous improvement which otherwise may have been ignored." On the downside, some aspects of SOX requirements have forced companies to duplicate efforts or to create manual controls, which add up to unnecessary spending. As Bill Vass summed it up: "SOX can bring CIO's peace of mind, but unfortunately it sometimes brings unnecessary overhead as well." Bottom line: companies that are now in their second or third year of SOX compliance have learned to be more proactive and to build risk management and compliance automation plans into the IT development process up front. Automating compliance efforts through technologies such as log management and intelligence (LMI) can help to reduce duplication and unnecessary spending.
  2. Designate SOX leaders. According to the panelists, when executives are grilled about financial and IT controls, it has been all too common to hear those executives say to their direct reports, "We're OK, right?" -- and so on, down the chain of command. To counter this dangerous "pass the buck" mentality, different companies are taking different approaches, but all are finding it necessary to put empowered managers in place to oversee their SOX and other compliance programs. Vass' recommendation was to set up an executive oversight committee and have a senior-level person manage the program on a day-to-day basis. Shaw suggested naming a C-level compliance exec to oversee not only SOX, but all compliance programs throughout the company. Whatever the approach, the important thing is to make sure there is accountability. According to Brzycki, the reality of SOX is that "personal accountability is a key reason to get C-level execs involved up front."
  3. Move beyond compliance to total quality management (TQM). According to Jeff Brzycki, "SOX brought awareness of IT general controls to a larger group of people. These controls should be there, for companies to be effective and to maintain integrity in their IT operations. SOX simply reinvigorated the grasp of the importance of this. So, yes, SOX can evolve into a Business Quality exercise, but today compliance is still the number one objective." The panel agreed that there is still too much "voodoo" around compliance today and that companies need to get more serious about using technological tools to take compliance to the next level. According to Maria Shaw, "While we're not there yet in terms of moving beyond compliance to TQM, it is imperative that we put in place repeatable processes to be able to measure success at a higher level. Today's manual processes and disparate systems are forcing companies into the weeds, making it difficult to step back and see the big picture." While her company now tackles each compliance requirement as a separate project (HIPAA, SOX, etc.), she envisions moving to the point of putting everything through the same process.

According to Brzycki, "SOX is more than an internal issue, it's a brand issue." We at LogLogic couldn't agree more. Staying proactive on the compliance front is simply good for business, and using LogLogic's advanced appliances for log management can allow a company to meet these goals without breaking the bank. - Heidi


Posted August 14, 2006 in Compliance
