Sarbanes Oxley and IT small business - PowerPoint PPT Presentation

1
Sarbanes Oxley and other IT Audits
2
What Is Sarbanes Oxley?
  • Became law on 30 July 2002
  • Response to Enron scandal etc.
  • Aims to prevent fraud primarily
  • Also to protect the interests of workers and
    shareholders
  • Only issuers must comply (i.e. companies that
    must file periodic reports with the SEC)
  • Small companies must comply by July 31, 2005
  • Listed (Public) companies had to be compliant by
    end of 2004

3
What Is Sarbanes Oxley?
  • Non-issuers not affected?
  • Public Companies have to assert that their
    partners'/suppliers' systems are secure/reliable
  • SAS70s (or other certifications) may be required
    in takeover situations, asserting the state of
    the smaller company's IT/Security
  • A SAS70 Audit is very similar to a Sarbanes Audit
    in many ways
  • SAS70 Audits can take 3-6 months and cost anything
    from 60k to 200k

4
What Is Sarbanes Oxley?
  • 11 Sections in total
  • Sections 302, 401, 404, 409, 802 and 906 are key
  • 404 is key to IT, requiring review of Internal
    Controls (General Controls and Key Controls)
  • 20% of the $2.5 billion spent on Sarbanes Oxley
    is directly spent on IT

5
What Is Sarbanes Oxley?
  • Early stages right now, not mature
  • No standards to measure by
  • Audits are therefore relatively subjective right
    now
  • Difficult to anticipate what Auditors will look
    for
  • SEC, PCAOB and Accounting firms are trying to
    work out the rules

6
What If We Don't Comply?
  • The buck stops with the CEO
  • The CFO should be worried too!
  • Both CEO and CFO must certify accuracy of
    Financial statements
  • Must also disclose material changes to financial
    considerations/operations
  • External Auditors disclose any Material
    Weaknesses found in their letter accompanying
    Financial Statements
  • Failure to do so can theoretically end up with
    the CEO / CFO in jail
  • More likely to result in fines

7
How to Comply (Business Side)?
  • Be committed to ethical behavior in all areas of
    business
  • Make sure Sales people are not overestimating
    income to make themselves look good
  • Make sure it is clear what is real income and
    what is forecast/predicted income
  • Make sure computer applications reflect reality
    of financial info
  • Provide employees with a means of anonymously
    reporting issues

8
How To Comply (IT Side)?
  • Conform to IT Best Practices
  • Carry out your own Internal IT Audit before the
    Auditors arrive
  • Make this process repeatable as you will need to
    do it at least annually

9
How To Comply (IT Side)?
  • Because no standards exist, rely on existing
    frameworks to evaluate performance internally:
      • COBIT
      • COSO
      • ISO 17799
  • Agree framework and approach with Auditors if
    possible
  • Get advice from Independents and other Auditors
    if possible:
      • CISA
      • CISSP
      • CPA professionals

10
How To Comply (IT Side)?
  • Quick Overview of Solutions
  • Be committed to Best Practices / Industry
    Standards
  • Take IT and Security very seriously at all levels
  • Keep staff well-trained/informed
  • Do regular internal audits and scans
  • Use Audit tools (see resources at the end)
  • Use Industry standard software where possible

11
How Real Is The Risk?
  • 31% of all companies (private and public) have
    experienced 1-3 major security breaches in the
    past 6 months (CompTIA, early 2004)
  • Real number is HIGHER! Companies keep breaches
    secret!

12
What Is The Biggest Risk?
  • Not having good security procedures?
  • Having good security procedures that are not
    followed?
  • Terrorism?
  • Hackers?
  • Internal misuse/errors?
  • Viruses/worms?
  • Trojan Horses?

13
Biggest Risk? Internal Users!
  • Human error is the most significant cause of IT
    security breaches (63%)
  • Research shows that good training would be the
    most effective way of improving security in most
    organizations
  • Employee fraud is next on the list

Source: Computing Technology Industry Association (CompTIA)
14
Biggest Risk? Internal
  • Internal security breaches seen as a much bigger
    threat than external ones by 51% of respondents
    to an Oracle/Institute of Directors survey
  • Threat can be to:
      • Fraud
      • Data theft
      • Privacy of data
      • Corruption of data
      • Loss of data integrity
      • Loss of data altogether
      • Loss of whole system!

15
What Are IT/Security Audits?
  • Security is the sum of:
      • Access controls
      • Authentication methods
      • Availability of data/systems
      • Confidentiality of data/info
      • Data Integrity
      • Non-repudiation of transactions
      • Policies
      • Reliability of data/systems
  • IT Controls include:
      • Documentation
      • Source code control/change mgt
      • Hardware/software management
      • Testing

16
What Are IT/Security Audits?
  • Determine Policy
      • Use documents (Policies, Standards, Guidelines
        etc.)
      • Ask those at the top of the company
  • Audit
      • Determine if the policy is followed
      • Use testing to determine this:
          • Perimeter scans
          • Sample testing
          • Code reviews
          • Automated tools
  • Report (to Mgt first, then Auditors)
      • Exceptions
      • Remediation
  • Action
      • Determine a plan for putting right exceptions
      • Determine project plans for Remediation work

17
Solutions? Company Policies
  • Chase up references
  • Do background/ security checks on staff
  • Check out Temp staff carefully
  • Give Temp staff limited access
  • Get staff to sign up to the security policy
  • Switch off rights of ex-employees
  • Ensure it is very clear which staff have which
    roles and responsibilities, and try to limit the
    power of individuals

18
Solutions? Training
  • Good, effective training
  • Training is an ongoing process
  • Train employees in what NOT to say to an Auditor
    too!
  • Poster campaigns, newsletter updates etc. can
    provide effective security training

66 per cent believe that staff training/certification
has improved their IT security, primarily through
increased awareness, as well as through proactive
risk identification (source: CompTIA)
19
Solutions? Company Policies
  • IT Security Policies:
      • Lock sensitive documents/disks away
      • Physically secure laptops and PCs
      • Ensure passwords are not written down
      • Employee records/contracts etc. kept hidden
      • No wireless access to the network unless
        using secure protocols

20
Solutions? Physical Security
  • Visitors/guests accompanied at all times
  • Reception area manned at all times
  • All staff must wear a pass
  • Access to work areas by pass only
  • Access to sensitive areas by keycode
  • Servers housed in a room with no windows,
    inaccessible to unauthorised personnel, air
    conditioned with failover power, fire prevention
    and a failover facility

21
Solutions? Access Controls
  • Use roles and groups
  • Restrict access to minimum possible
  • Use VPNs to allow external access
  • Keep intranet protected from internet using
    Firewalls
  • Enforce policy on passwords:
      • change regularly
      • not easy to guess
      • minimum length
      • must contain numerics
      • can't reuse
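
The five password rules on this slide, implemented as a policy check. This is an added example, not code from the presentation; the numeric limits (8 characters, 90 days, 5 remembered passwords) and the small easy-to-guess list are assumptions, since the slide names the rules but gives no values.

```python
import hashlib
import os
from datetime import date, timedelta

# Policy values are constructed for this example; the slide lists the rules
# but gives no numbers.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5
EASY_TO_GUESS = {"password", "letmein", "welcome", "qwerty", "123456"}

def _digest(password, salt):
    # Salted, slow hash so the history is not a list of reusable passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_new_password(userid, password, history):
    """Return the policy rules a proposed password breaks (empty = acceptable).
    history: list of (salt, digest) for previous passwords, newest first."""
    broken = []
    if len(password) < MIN_LENGTH:
        broken.append("minimum length")
    if not any(c.isdigit() for c in password):
        broken.append("must contain numerics")
    lowered = password.lower()
    if lowered in EASY_TO_GUESS or userid.lower() in lowered:
        broken.append("not easy to guess")
    if any(_digest(password, salt) == old for salt, old in history[:HISTORY_DEPTH]):
        broken.append("can't reuse")
    return broken

def record_password(password, history):
    """Prepend the new password's salted digest to the user's history."""
    salt = os.urandom(16)
    return [(salt, _digest(password, salt))] + history

def needs_change(last_changed, today=None):
    """'Change regularly': True once the password is older than MAX_AGE_DAYS."""
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```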

22
Solutions? Application Security
  • Access Controls:
      • Authentication (userid and password)
      • Digital keys (public and private)
      • Access to info by user class
  • Code quality:
      • Programmers should be well-trained and security
        aware
      • Code walkthroughs
      • Testing/QA procedures
      • Source code control/version control
      • Bug/defect tracking

23
Solutions? Browser and Mail
  • Internet Explorer Permissions:
      • Internet Options - Security Zones
      • Internet Options - Privacy
      • Internet Options - Advanced
  • Enforce default policy for IE across company
  • Don't open email from anyone you don't know
  • Don't download files/attachments from emails or
    web pages unless from a trusted source (esp.
    .exe or .vbs files)

24
Solutions? Network Security
  • Ensure your network staff are well-trained
  • Keep software/patches up to date
  • Ensure your network is protected via Firewalls,
    NATs, Port controls etc.

25
Solutions? Web Server Security
26
Solutions? Software
  • Install protection software:
      • Firewalls
      • Proxy Servers
      • Anti-Virus software
  • Update key software regularly:
      • Web servers
      • Operating systems
      • Mail software
      • Anti-virus software
  • Don't forget patches!!

27
Solutions? Software
  • Use SSL (Secure Socket Layer):
      • Protects private information
      • Encrypted using digital key
      • Especially for payment data
  • Use public/private keys:
      • To authenticate parties
      • To encrypt data
      • To digitally sign documents
  • Some have whole infrastructures

Verisign Onsite Managed Trust Services
28
Solutions? Spreadsheets
  • Access Controls:
      • Stored in directories accessible only by
        authorized users
      • Sensitive spreadsheets should be password
        controlled
      • Lock formulae so that they can't be changed
  • Reviews:
      • Someone should be responsible for checking
        formulas and testing spreadsheet results at
        regular intervals
  • Backup/recovery:
      • Ensure backed up regularly
      • Test restores

29
Solutions? Disaster Recovery
  • Redundancy essential:
      • Of servers, firewalls, hubs, routers, air
        conditioning, power
      • Of ISP (in case ISP fails!)
      • Physically separate location for failover
  • Have disaster recovery plans
  • Test those plans!
  • Test those plans regularly!

Video on Security and Company Policies:
http://webevents.broadcast.com/ZDAUwebcast/enemy/index.asp?loc1
30
Solutions? Documentation
  • Clearly document procedures esp Finance or IT
    related
  • Ensure documentation is up to date
  • Ensure staff know where to locate documentation
  • Ensure staff follow company procedures and know
    what to do in exception circumstances
  • Keep full document trails of everything
  • Ensure system audits are generated by software,
    are kept and are reviewed regularly

31
Solutions? Monitor Usage
  • Log usage
  • Carry out regular audits/checks of logs
  • Disable access if misuse detected
  • Auto send emails of exception usage
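
The four points on this slide, worked through as a log review that flags exception usage, names the accounts to disable and builds the alert email. This is an added example, not code from the presentation: the log format, the sample lines, the leaver list, the failed-login threshold and the business hours are all constructed assumptions; the ex-employee check ties back to the "switch off rights of ex-employees" policy on slide 17.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample access log (not from the presentation). Assumed format:
# "<date> <time> <event> user=<id> src=<ip>"
SAMPLE_LOG = """\
2005-03-14 09:02:11 LOGIN_OK user=jsmith src=10.0.0.12
2005-03-14 09:05:40 LOGIN_FAIL user=acfo src=10.0.0.33
2005-03-14 09:05:52 LOGIN_FAIL user=acfo src=10.0.0.33
2005-03-14 09:06:03 LOGIN_FAIL user=acfo src=10.0.0.33
2005-03-14 23:41:09 LOGIN_OK user=jsmith src=10.0.0.12
2005-03-15 02:10:44 LOGIN_OK user=bformer src=10.0.0.58
"""
LEAVERS = {"bformer"}          # ex-employee accounts whose rights should be off (constructed)
FAIL_THRESHOLD = 3             # failed logins before access is disabled (assumed)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 counts as normal usage (assumed)
LINE = re.compile(r"^(\S+) (\d\d):\d\d:\d\d (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

def review_log(text):
    """Apply the slide's checks to one log; return (accounts to disable, alerts)."""
    fails = Counter()
    disable, alerts = set(), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            alerts.append(f"unparseable line: {line!r}")  # never skip silently
            continue
        day, hour, event, user, src = m.groups()
        if event == "LOGIN_FAIL":
            fails[user] += 1
            if fails[user] == FAIL_THRESHOLD:
                alerts.append(f"{day}: {FAIL_THRESHOLD} failed logins for {user} from {src}")
                disable.add(user)
        elif user in LEAVERS:
            alerts.append(f"{day}: ex-employee account {user} logged in from {src}")
            disable.add(user)
        elif int(hour) not in BUSINESS_HOURS:
            alerts.append(f"{day} {hour}:00: out-of-hours login by {user} from {src}")
    return sorted(disable), alerts

def exception_email(alerts, to_addr="security@example.com"):
    """Build (not send) the exception-usage email; handing it to SMTP is left to the caller."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"Exception usage report: {len(alerts)} item(s)"
    msg.set_content("\n".join(alerts) or "No exceptions found.")
    return msg
```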

32
Solutions? Audit Testing
  • Carry out regular network/port scans (preferably
    by an external independent auditor)
  • Carry out password cracking tests regularly
  • Carry out IT Security surveys to determine
    awareness levels
  • Carry out regular reviews of access levels
  • Check documentation is up to date
  • Check that procedures are being followed as
    documented

33
Resources
  • Web Sites:
      • http://www.exceptiona.com - my site with links
        to lots of relevant sites
      • http://www.isaca.org - ISACA site
      • http://www.sarbanes-oxley-forum.com - Forum
        about SOX
      • http://www.sox-online.com - All kinds of info
        about SOX

34
Resources
  • Audit Tools may help (many available, I cannot
    recommend any):
      • Certisphere SOX Compliance tool
        http://www.net-endeavor.com/
      • E-Janco SOX Compliance Kit
        http://www.e-janco.com/SOX.htm
      • The Sox Portal http://www.soxportal.com/
      • ReportIt Anonymous reporting tool
        http://www.reportit.net/
      • QSolve IA http://www.qsolve.com/qsolve_ia.asp

35
Resources
  • Michelle Johnston Sollicito
  • http://www.exceptiona.com
  • Michelle Johnston 678 357 3661
  • Email: michellesollicito_at_exceptiona.com
  • Security reviews/IT reviews/Audits
  • Code reviews
  • Training
  • Web site reviews/audits
  • ELearning
  • More..

36
Questions?