Cyber Security Industry Alliance Issues Findings from Summit on Sarbanes-Oxley and IT Security
16 August 2005 - 1:51AM
PR Newswire (US)
Most Stakeholders Not Looking for More Official Guidance on IT Security

ARLINGTON, Va., Aug. 15 /PRNewswire/ -- Cyber Security Industry Alliance (CSIA), the only public policy and advocacy group dedicated exclusively to cyber security, today released a report that summarizes key findings and conclusions from a conference held to discuss the adequacy of the guidance on IT security given under Sarbanes-Oxley. Today's announcement follows a Sarbanes-Oxley compliance initiative that began in 2004 with a CSIA report outlining the implications of Section 404 for information security.

Attendees at "IT Security and Sarbanes-Oxley Compliance: A Roundtable Dialogue of Lessons Learned" addressed whether the statutory and administrative materials governing Section 404 provide enough guidance on IT security to enable management and auditors to carry out their compliance obligations.

"The conference proceedings and subsequent announcements from the Securities and Exchange Commission (SEC) indicate that additional detailed guidance on information technology and security controls under Section 404 is neither desired by corporate management nor likely to be forthcoming from regulators, who have expressed a preference for relying on management's discretion and judgment in establishing IT controls rather than providing specific audit control lists," said Paul Kurtz, executive director of CSIA. "Against this backdrop, many auditors, legal counsel and management plan to rely on generally agreed upon frameworks for IT security, such as COBIT and ISO 17799. Regardless of how management decides to specifically address information security, the one thing that remains clear is that it must be considered an important part of overall compliance."

Sponsored by CSIA, George Mason University School of Law's Critical Infrastructure Protection Program (GMU), The Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA) and the Information Systems Security Association (ISSA), the conference brought together experts representing each of the key stakeholder communities involved in Section 404 compliance. Corporate management, audit and accounting, legal counsel, and IT security officers and professionals made up four panels that discussed experiences and lessons learned in addressing IT security issues relating to Section 404 and whether or not more official guidance is needed.

The report highlights five lessons learned from the first round of compliance efforts:

* Steep learning curve inevitable regardless of adequacy of IT guidelines. The heated political climate that led to the passage of Sarbanes-Oxley, combined with the bright spotlight directed at corporate leaders with each new revelation of scandal, mismanagement or fraud, virtually assured that the first round of compliance was going to entail a steep learning curve, regardless of the level of guidance provided.

* IT security is not a CEO priority. The relationship between IT and compliance under Section 404 has not been well understood by senior management and has therefore not been given personal priority attention. This is because Congress has been silent on the issue of IT, and CEOs listen and act on what Congress says. Also, the relationship between the concept of "internal controls," an accounting concept, and the role of IT security is not well recognized by corporate leaders.

* Deference to auditors by management and legal counsel. Section 404 of Sarbanes-Oxley is designed to hold management and auditors separately accountable; however, both management and legal counsel tend to defer to auditors in interpreting and implementing Section 404.

* Augmentation of COSO framework required. The rules implementing Section 404 require that a company's internal controls be based on "a suitable, recognized control framework established by a body of experts that followed due-process procedures," and identify the COSO framework, published by the Treadway Commission's Committee of Sponsoring Organizations, as suitable. However, the COSO framework alone provides insufficient guidance, and some say it is too broad and not sufficiently focused on financial controls. Some auditors and IT professionals refer instead to the standard set forth in Control Objectives for Information and related Technology (COBIT), developed by ISACA's IT Governance Institute.

* Existing control processes and procedures affect Sarbanes-Oxley compliance activities. Companies that have already established and implemented internal controls throughout their organization have an easier time meeting Section 404 compliance obligations. Those without solid internal controls are confronted with a more complicated compliance process.

The report concludes that management and legal counsel representatives generally opposed additional IT governance and security guidance from the Public Company Accounting Oversight Board (PCAOB), as it was seen as unnecessary, unhelpful and unwanted. However, representatives from public accounting firms were in favor of additional PCAOB guidance, and many panelists were in favor of formal recognition of COBIT by the PCAOB. Representatives were unanimous in the view that the stakeholder communities do not communicate with one another effectively on IT governance and security, as each speaks in terms and language unique to its profession. They also agreed that a common lexicon and framework is needed to ensure all stakeholders share a common understanding of each other's roles and responsibilities in the Section 404 compliance process.

To obtain a copy of today's CSIA report, "IT Security and Sarbanes-Oxley Compliance: Conference Summary of Findings and Conclusions," please visit http://www.csialliance.org/.

About the Cyber Security Industry Alliance

CSIA is the only advocacy group dedicated exclusively to enhancing global cyber security through public policy, education, awareness and technology. The organization is led by CEOs from the world's top security providers, who offer the technical expertise, depth and focus to encourage a better understanding of cyber security issues. It is the belief of the CSIA that a comprehensive approach to ensuring the security, integrity and availability of global information systems is fundamental to national and economic stability. To learn more about the CSIA, please visit our Web site at http://www.csialliance.org/ or call +1-703-894-2742.

Members of the CSIA include BindView Corp. (NASDAQ:BVEW); Check Point Software Technologies Ltd. (NASDAQ:CHKP); Citadel Security Software Inc. (NASDAQ:CDSS); Citrix Systems, Inc. (NASDAQ:CTXS); Computer Associates International, Inc. (NYSE:CA); Entrust, Inc. (NASDAQ:ENTU); Internet Security Systems Inc. (NASDAQ:ISSX); iPass Inc. (NASDAQ:IPAS); Juniper Networks, Inc. (NASDAQ:JNPR); McAfee, Inc. (NYSE:MFE); PGP Corporation; Qualys, Inc.; RSA Security Inc. (NASDAQ:RSAS); Secure Computing Corporation (NASDAQ:SCUR); Surety, Inc.; Symantec Corporation (NASDAQ:SYMC) and TechGuard Security, LLC.

DATASOURCE: Cyber Security Industry Alliance

CONTACT: Stacy Simpson of the Merritt Group, +1-703-390-1528, for the Cyber Security Industry Alliance

Web site: http://www.csialliance.org/