Risk Spend

by msecadm4921

A report published by the Information Security Forum (ISF) warns that the cost of complying with the Sarbanes-Oxley legislation is diverting spending away from addressing other security threats.

The not-for-profit organisation, which has some 260 members including half of the Fortune 100, says that many of its members expect to spend more than $10m on information security controls for Sarbanes-Oxley. Because compliance is a business imperative, in many cases the true cost of complying is never established.

In response to these compliance concerns, the new ISF report provides an overview of the Sarbanes-Oxley Act 2002 and examines how information security is affected by the requirement to comply. The report offers practical guidance on the areas of the compliance process that members have found most problematic.

According to the ISF, these problem areas include poor documentation, informal controls and the use of spreadsheets, lack of clarity when dealing with outsource providers, and insufficient understanding of the internal workings of large business applications. What's more, the forum adds, the Act ignores security areas that are critical to managing risks to information, such as business continuity and disaster recovery. It is therefore important to integrate compliance into an overall IT security and corporate governance strategy rather than treating it as a separate exercise.

What they say

"In the wake of financial scandals like Enron and WorldCom, the Sarbanes-Oxley Act was designed to improve corporate governance and accountability but has proved difficult to interpret for information security professionals," says Andy Jones, ISF Consultant. "As neither the legislation nor the official guidance specifically mentions the words 'information security', the impact on security policy and the security controls that need to be put into place must be determined by each individual organisation in the context of their business. Additionally, for organisations whose business is not primarily financial, for example manufacturing or product-service industries, the diversion of information security attention from other risk areas to Sarbanes-Oxley compliance may lead to important business risks being neglected. It is important that Sarbanes-Oxley does not push organisations into following a compliance-based approach rather than a risk-based approach, which may compromise information security. The ISF report helps companies to achieve compliance while also ensuring that they have the appropriate security controls in place."

The full Sarbanes-Oxley report is one of the latest additions to the ISF library of over 200 research reports, available free to ISF members.

About the forum

The Information Security Forum (ISF) was founded in 1989 and is a not-for-profit international association of over 260 organisations which fund and co-operate in the development of practical, business-driven solutions to information security and risk management problems. The ISF undertakes a research programme and, it adds, has invested more than US$75 million over the past 16 years in providing best-practice material for its members.

© 2024 Professional Security Magazine. All rights reserved.