
SECURITY MANAGEMENT PRACTICES

Sarbanes–Oxley and Enterprise Security: IT Governance — What It Takes to Get the Job Done

William Brown and Frank Nasuti

Several sections of the Sarbanes–Oxley Act of 2002 (SOX) directly affect the governance of the information technology (IT) organization, including potential SOX certification by the chief information officer, Section 404 internal control assessments, “rapid and current” disclosures to the public of material changes, and authentic and immutable record retention. The rules of the Securities and Exchange Commission (SEC) under Section 404 direct publicly traded companies to a recognized control framework; the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk and places security as a critical variable in enterprise risk assessment. Effective IT and security governance are examined in terms of SOX compliance. Motorola’s IT security governance demonstrates effective structures, processes, and communications; centralized security leaders participate with Motorola’s Management Board to create an enabling security organization that sustains long-term change.

WILLIAM C. BROWN, Ph.D., CPA, is an assistant professor at Minnesota State University–Mankato, College of Business. His professional experience includes teaching management information systems at both the undergraduate and graduate levels and serving for more than 25 years as a financial officer. He served as chief financial officer in three companies that were Securities and Exchange Commission registrants. His education includes an MBA, a CPA, an MS in software engineering, and a Ph.D. in management information systems.

FRANK NASUTI, Ph.D., CPA, CICA, CFE, has served as a visiting and adjunct professor at Nova Southeastern University, Widener University, Temple University, and Rutgers University, teaching research methods, computer science, and accounting at both the doctoral and master’s levels. His professional experience includes law enforcement as a special agent/criminal investigator, IT audit manager for a Big 4 accounting firm, internal audit director for a financial services company, and senior managing director for a major consulting firm. He founded The Institute for Internal Controls, a professional certification and research organization. His education includes a BS in accounting, an MBA in management, an MS in information science, and a Ph.D. in information systems. He is a CPA and holds the designations of certified internal controls auditor and certified fraud examiner.

Security Management Practices, Information Systems Security, November/December 2005 (www.infosectoday.com)

INTRODUCTION

In response to the series of business failures and corporate scandals that began with
Enron in 2001, the U.S. Congress enacted the Sarbanes–Oxley Act of 2002. The stated purpose of SOX (2002) is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. SOX outlines the duties of the chief executive officer (CEO), the chief financial officer (CFO), and the auditor, making each personally responsible for ensuring the credibility of the financial reporting provided to stakeholders. The eleven titles of SOX (2002) define auditor and corporate responsibilities, including expectations for financial disclosures, strong penalties for white-collar crimes, and protection for “whistleblowers.” Other regulatory measures, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm–Leach–Bliley Act of 1999 (GLBA), the Fair Credit Reporting Act (FCRA), the Notification of Risk to Personal Data Act (NORPDA), and the Personal Information Protection and Electronic Documents Act (PIPEDA), may create financial and operational liabilities for the enterprise. The security governance steps recommended here may help align the enterprise with those regulatory measures as well, but they are not addressed specifically in this article.

The SEC offers little specific guidance on IT security, leaving the scope and nature of security initiatives for SOX compliance open to interpretation. The National Cyber Security Task Force recommended that the SEC define specific security requirements in future regulatory guidance. Although the SEC has not defined security requirements per se, the SEC is a very effective change agent and will assert itself if additional compliance measures are required (Mead & McGraw, 2004).

In connection with SOX compliance, the SEC requires management to assess internal control against a suitable, recognized control framework, and the COSO framework, extended by Enterprise Risk Management – Integrated Framework (ERM), is the one referenced for that purpose. The ERM framework divides IT controls into two types (Ramos, 2004): (a) general computer controls and (b) application-specific controls, which are described in more detail later in this article. The purpose of this article is to examine effective security governance for SOX in the IT organization. Christopher Alberts, a senior member of the Networked Systems Survivability Program at the Software Engineering Institute at Carnegie Mellon, described the broader issue: security is perceived primarily as a technology problem, when in fact it is an organizational problem with a technology component (Zorz, 2003). COSO described internal control as a process that is affected by people (COSO, 2005; Damianides, 2005). Organizational design, behavior, and IT governance play very significant roles in whether the enterprise can successfully implement the ERM framework as defined by COSO.

IT governance describes the selection and use of organizational processes to make decisions about how to obtain and deploy IT resources and competencies (Luftman, Bullen, Liao, Nash, & Neumann, 2004). IT governance is about who makes these decisions (power), why they make them (alignment), and how they make them (decision process). Forrester Research (Symons, 2005) offers a similar definition of IT governance: how decisions are made, who makes the decisions, who is held accountable, and how the results of decisions are measured and monitored. Specific to security governance for the IT organization, the National Cyber Security Task Force (2005) describes people, process, and technology as the key elements of IT security governance. The integration of people, processes, and technology requires the following:

• CEO participation in accountability, authority, and oversight of compliance
• Executive management of security commensurate with risk, and integration of security policies within operations
• Senior managers involved with risk assessment and the implementation of security policies and operations security
• A security program that integrates frameworks, methods, policies, procedures, technology, and business continuity plans
• Ongoing reporting to management and the Board of Directors

Control Objectives for Information and Related Technology (COBIT), a generally accepted framework for IT auditors that maps to SOX requirements (Chan, 2004; Ramos, 2004), categorizes IT processes into four domains. COBIT originally was released as an IT process and control framework linking IT to business requirements (IT Governance Institute, 2005a). Beginning with the addition of Management Guidelines in 1998, COBIT has increasingly been used as a framework for IT governance (Ramos, 2004). Recent research suggests that certain characteristics of IT governance contribute to more effective alignment and execution of IT programs, including security governance (Weill & Ross, 2004). That research is explored below to complete the COBIT governance framework and to describe effective security governance for SOX compliance.

RECENT SECURITY SURVEYS AND SOX

Two recent surveys (CERT® Coordination Center, 2005; Computer Crime Research Center, 2005) suggest that security practitioners may have difficulty complying with SOX and other security frameworks. The 2004 CSI/FBI Computer Crime and Security Survey reported that 20 percent of the 494 respondents, representing a cross-section of industries, said that they do not use IT security audits as a tool to assess their organizations’ security vulnerabilities (Computer Crime Research Center, 2005). In the same survey, the percentage of respondents who experienced unauthorized use of computer systems in 2004 declined to 53 percent from 58 percent a year previously. Although this represented a significant improvement, it is still evidence of an alarmingly high rate of unauthorized use. Four years earlier, the rate of unauthorized use reached a peak of 70 percent of survey respondents in the 2000 CSI/FBI Computer Crime and Security Survey, and it has declined in each consecutive year since (Computer Crime Research Center, 2005). According to the survey results, 2004 financial losses resulted from, in descending order, virus attacks, denial of service, and theft of proprietary information, which cost the respondents’ companies $55.0 million, $26.0 million, and $11.4 million, respectively. The 2004 CSI/FBI Computer Crime and Security Survey also reported an increasing reluctance by companies to belong to information-sharing organizations. Over 50 percent of the survey respondents cited the perception that negative publicity would hurt their company’s stock or image. Survey respondents in the financial, utility, and telecommunications sectors reported that SOX is having an impact on their organizations’ security. With the full implementation of SOX, it may become more difficult to assess the scope of computer crime as companies comply with SOX and become more reluctant to share information. The survey did reveal, however, that security practitioners understand that security breaches have very serious consequences.

A second survey, the 2004 E-Crime Watch Survey conducted by the U.S. Secret Service and the Carnegie Mellon University Software Engineering Institute, reported an increase in E-crimes as well as network, system, and data intrusions (CERT® Coordination Center, 2005). Leading causes of security breaches reported in this survey were similar to those reported in the 2004 CSI/FBI Computer Crime and Security Survey (Computer Crime Research Center, 2005). Respondents reported the following security breaches: viruses (77 percent of respondents), denial of service (44 percent), generation of spam or junk e-mail (38 percent), unauthorized access by an insider (36 percent), phishing or sending fraudulent e-mails seeking secure information (31 percent), and unauthorized access by an outsider (27 percent). Significant to SOX compliance, 7 percent of the respondents
reported critical system disruption affecting customers and loss of current or future revenue from insider intrusion. Also significant to SOX, and potentially material to the financial statements (depending on the size of the company), 3 percent of the respondents reported monetary losses that exceeded $10.0 million in connection with security breaches.

The failure of once-proven protective technologies, new threats, and an onslaught of new legislation have changed the perspective of corporate management and boards of directors toward IT security and governance. Concurrent with the high-profile prosecution of Enron and WorldCom officers, the 2004 E-Crime Watch Survey (CERT® Coordination Center, 2005) reaffirmed that current employees remain a very serious security threat. Threats ranging from terrorist attacks to phishing continue to demonstrate the need for robust security governance. Regulatory measures including HIPAA, GLBA, FCRA, NORPDA, and PIPEDA, and the legal liabilities associated with those laws, have led to the boardroom realization that security is no longer just an IT issue. Effective IT and security governance is essential for SOX compliance and ERM.

SARBANES–OXLEY AND IT GOVERNANCE

Key sections of SOX that directly involve IT include Sections 302, 404, 409, and 802 (SOX, 2002).

• Section 302 requires the certifying officers to make representations about the company’s disclosure controls and procedures and its internal controls, and to disclose any fraud involving management or other employees who have a significant role in internal controls.
• Section 404 requires an annual assessment of the effectiveness of internal controls.
• Section 409 requires disclosures to the public on a “rapid and current basis” of material changes to the firm’s financial condition.
• Section 802 requires authentic and immutable record retention.

The scope of SOX is not limited to the CEO, CFO, and auditor, nor is it limited to SEC registrants (i.e., public companies). Increasingly, SOX’s provisions are becoming applicable to private companies as well (Heffes, 2005). In turn, lenders and states increasingly are asking private companies about the status of their internal control environments.

Section 302

While the CEO and the Board of Directors are accountable for overall corporate management, SOX also impacts IT administration, including organization governance, the responsibilities of chief information officers (CIOs), budgets, vendors, outsourcers, and business continuity plans. CEOs and CFOs may require their IT organizations to provide proof that the automated portions of financial processes have appropriate controls, that computer-generated financial reports are accurate and complete, and that any exceptions are captured and reported in a timely manner (Kaarst-Brown & Kelly, 2005).

Recent surveys of CIOs reported that 44 percent of companies required the CIO to certify financial results under SOX compliance (CIO Insight/Gartner, 2004). Gartner and various CIO journals have suggested that the SEC eventually may require the CIO to sign a statement in the annual report attesting to the effectiveness of controls and the accuracy of the financial reports (CIO Insight/Gartner, 2004). Because of the significance of information prepared by others, it is becoming common for the CEO and CFO to request information and certification from the individuals who are directly responsible. This process is known as sub-certification, and it usually requires those individuals to provide a written affidavit to the CEO and CFO that allows them to sign their own certifications in good faith (Ramos, 2004). Items that may be the subject of sub-certification affidavits include a statement of the accuracy of specific account balances, compliance with company policies and procedures, compliance with the company’s code of conduct, and the adequacy of the design or operating effectiveness of internal controls.
Whether the reported 44 percent (CIO Insight/Gartner, 2004) will increase or decrease over time remains to be seen. In-depth interviews with over 50 CIOs in the United States and Canada showed that rapid strategic business change and E-business and technology complexity will be significant drivers in the near future (Reich & Nelson, 2003). As organizations move into more E-business and more architectural complexity, it is reasonable to assume that the 44 percent may increase to meet SOX compliance.

Section 404

Section 404, in conjunction with the related SEC rules and Auditing Standard No. 2 established by the Public Company Accounting Oversight Board (2005), is driving pervasive change in the internal controls of the enterprise. Section 404 requires the management of a public company and the company’s independent auditor to issue two new reports at the end of every fiscal year (SOX, 2002): management’s assessment of the effectiveness of internal control over financial reporting, and the auditor’s attestation to that assessment. These reports must be included in the company’s annual report filed with the SEC. Under Section 404, management also must disclose any material weaknesses in internal control. If a material weakness exists, management may not be able to conclude that the company’s internal control over financial reporting is effective (SOX, 2002). These management statements are not enough, however; the company’s auditor also must attest to the truthfulness of management’s internal control assertions.

COSO (2005) recommended the ERM integrated framework to manage and reduce risks, to be applicable to all industries, and to encompass all types of risk. Moreover, the ERM framework recognizes that an effective ERM process must be applied within the context of strategy setting. ERM is fundamentally different from most risk models in use, in that it starts at the top of the organization and supports the organization’s major mission (COSO, 2005; Louwers, Ramsey, Sinason, & Strawser, 2005).

The COSO framework describes five interrelated components of internal control, which underlie a Section 404 assessment. The CEO and the CFO, in concert with the CIO, are responsible for the following (Ramos, 2004):

1. “Tone at the top” that positively influences the attitude of the personnel
2. Identification of risks, objectives, and the methods to manage the risks
3. Activities and procedures that are established and executed to address risks
4. Information systems to capture and exchange the information needed to conduct, manage, and control the organization’s operations
5. The monitoring of, and responses to, changing conditions as warranted

COSO also divides IT controls into two types (Ramos, 2004): (a) general computer controls and (b) application-specific controls. General controls include the following:

• Data center operations (e.g., job scheduling, backup and recovery)
• Systems software controls (e.g., acquisition and implementation of systems)
• Access security
• Application system development and maintenance controls

Application controls are designed to do the following:

• Control data processing
• Ensure the integrity, authorization, and validity of transactions
• Govern how different applications interface and exchange data

The ERM framework, a cornerstone of Section 404 compliance under COSO, requires ongoing feedback from throughout the company. This feedback information must be current, accurate, and sufficiently robust to support the analysis of different risk responses (COSO, 2005). Many firms are implementing risk management applications to assist with internal control and assessment processes (Decker & Lepeak, 2003).
A main objective of these tools is to lower external audit verification costs.

Section 409

Section 409 requires that organizations disclose to the public, on a rapid and current basis, material changes to the firm’s financial condition (SOX, 2002). For example, a Section 409 compliance consideration for IT would be a situation in which a computer virus knocked out the supply chain and materially affected the financial performance reported in a quarterly financial report (Proctor, 2004). This would be a disclosable event for financial reporting purposes under SOX.

Section 802

The IT organization must have policies in place to ensure appropriate record retention and security. SOX (2002) has a direct impact on data management, data and system security, and business recovery practices. The CIO must understand the requirements and ensure that the appropriate policies are in place, including ongoing compliance.

GOVERNANCE AND THE MATURITY MODEL

The IT Governance Institute (2005a, 2005b) issued a governance model that provides the structure and practices for four IT domains:

1. Plan and organize the strategic plan, architecture, IT organization, human resources, and compliance with external requirements (including SOX); assess risks; manage projects; and manage quality.
2. Acquire and implement software, hardware, infrastructure, and procedures; install and accredit systems; and manage changes.
3. Deliver and support service, performance and capacity, systems security, and user training; assist and advise customers; and manage problems and incidents, data, facilities, and operations.
4. Monitor processes, assess internal controls, obtain independent assurance, and provide for the independent audit.

The organizational design challenge is to ensure that the four domains of IT governance can sustain the activities necessary to meet SOX compliance.

A useful assessment is to compare the four domains of IT governance with the internal control reliability model. Internal control, the subject of Section 404, is a major provision of SOX. The internal control reliability model maps documentation, awareness and understanding, perceived value, control procedures, and monitoring of internal controls to five levels of maturity (Ramos, 2004). At the systematic level of the internal control reliability model, documentation is comprehensive, controls are integral to operations, and control procedures are formal and standardized, but compliance is not yet being monitored (see Table 1). Compliance with Section 404 is attained when the four domains of IT governance are aligned with the internal control maturity model. The underlying premise of the internal control maturity model (see Table 1) is that an organization without defined and standardized processes is unable to provide consistent and reliable services. Standardized processes that provide consistent and reliable IT services are critical to SOX compliance. Maturity in all four domains of the IT governance model is required to sustain SOX compliance.

The IT Governance Institute (2005a, 2005b) and Forrester Research (Symons, 2005) have described the maturity levels of IT governance. Mapping the maturity level of an organization to the internal control reliability model can provide some insight into whether a particular IT organization can meet SOX compliance. The four levels of Forrester Research’s IT governance maturity are (a) ad hoc, (b) fragmented, (c) consistent, and (d) best practices (Symons, 2005). An IT organization at the ad hoc maturity level produces only an initial level of reliability in internal controls and would be unacceptable for SOX compliance. In contrast, an organization at the best practice maturity level has been using best practices for a period of time and has an optimized IT portfolio. A best practice maturity level would meet SOX compliance. The IT organization must evolve through internal development to integrate best practices into its IT governance model.

TABLE 1 Internal Control Reliability Model

Reliability level | Documentation | Awareness and understanding | Perceived value | Control procedures | Monitoring
Initial | Very limited | Basic awareness | Unformed | Ad hoc, unlinked | Not monitored
Informal | Sporadic, inconsistent | Understanding not communicated | Controls separate from business operations | Intuitive, repeatable | Not monitored
Systematic | Comprehensive and consistent | Formal communication and some training | Controls integral to operations | Formal, standardized | Not monitored
Integrated | Comprehensive and consistent | Comprehensive training | Control process part of strategy | Formal, standardized | Periodic monitoring begins
Optimized | Comprehensive and consistent | Comprehensive training on control-related matters | Commitment to continuous improvement | Formal and standardized | Real-time monitoring

Adapted from How to Comply with Sarbanes–Oxley Section 404: Assessing the Effectiveness of Internal Control, by Michael Ramos, John Wiley & Sons, Hoboken, NJ, 2004.

Before a best practice is adopted and integrated into the governance model, a practice approach should be developed and implemented (Kola, 2004). The practice approach formalizes and sets into motion (a) a standard operating procedure, (b) consistent behaviors, and (c) routine monitoring. The practice approach is repeatable and is necessary for auditor testing. Best practices are characterized by (a) common structures for Sections 302, 404, 409, and 802; (b) optimized management responsiveness; and (c) defined business benefits such as reduced liabilities. Value is created by (a) building business processes that resolve Section 302, 404, 409, and 802 issues before they arise; (b) using the company’s resources more effectively; and (c) establishing the company’s capability to execute to a defined and standardized process (Cobb, 2004). The best practice approach aligns the standards of adequacy for disclosure controls with those for internal controls and enables management to meet accelerated disclosure deadlines.

Several formal and informal frameworks, including COBIT, ISO 17799, and the IT Infrastructure Library (ITIL), which are explained in the following section, can help move the IT organization to higher levels of maturity. Each framework offers particular features that can contribute to the overall security governance framework adopted by the enterprise. Security governance for an enterprise should draw on some part of each framework to build a comprehensive IT security governance strategy.

COBIT, ITIL, AND ISO 17799 FRAMEWORKS

COBIT is a generally accepted framework that maps well to SOX requirements (Chan, 2004; Ramos, 2004). COBIT and related sources are produced by the Information Systems Audit and Control Association (ISACA, 2005) and the IT Governance Institute (2005b). The COBIT framework provides “good practices” developed by a consensus of experts in the field and defines a process framework against a set of high-level control objectives, one for each of the IT processes, grouped into four domains (see Table 2).

TABLE 2 COBIT IT Processes

Domain | Key processes
Planning and organization | Define a strategic plan; Define the information architecture; Define the IT organization and relationships; Communicate management aims and direction; Manage human resources; Ensure compliance with external requirements; Assess risks; Manage quality
Acquisition and implementation | Acquire and maintain application software; Acquire and maintain technology infrastructure; Develop and maintain procedures; Install and accredit systems; Manage changes
Delivery and support | Define and manage service levels; Manage third-party service levels; Manage performance and capacity; Ensure continuous service; Ensure systems security; Educate and train users; Manage the configuration; Manage problems and incidents; Manage data; Manage facilities; Manage operations
Monitoring | Monitor the processes; Assess internal control adequacy; Obtain independent assurance

Adapted from How to Comply with Sarbanes–Oxley Section 404: Assessing the Effectiveness of Internal Control, by Michael Ramos, John Wiley & Sons, Hoboken, NJ, 2004.

According to the “Board Briefing on IT Governance” (IT Governance Institute, 2005a), the overall objectives of IT governance activities are (a) to understand the issues and strategic importance of IT, (b) to ensure that the enterprise can sustain its operations, and (c) to ascertain that it can implement the strategies required to extend its activities into the future. The IT Governance Institute (2005a) has provided an extensive compilation of material on leadership, value creation, performance management, governance frameworks, governance officers, and enterprise architecture implementation. The IT Governance Institute integrates numerous recognized best practices, frameworks, and processes, including the balanced scorecard, the “Board Briefing on IT Governance,” the Capability Maturity Model, the COSO ERM Integrated Framework, the European Framework for Quality Management, Enterprise Architecture, ISO 9001:2000, the Malcolm Baldrige Quality Criteria Framework, the OECD Principles of Corporate Governance, and the Technical Reference Model.

ISO 17799 is a detailed “what to do” security standard that is organized into 10 major sections, each covering a different topic or area (“What is: ISO 17799,” 2001): (a) business continuity planning, (b) system access control, (c) system development and maintenance, (d) physical and environmental security, (e) compliance, (f) personnel security, (g) security organization, (h) computer and network management, (i) asset classification and control, and (j) security policy. ISO 17799 has a narrow focus on security management and cannot stand alone as a security governance standard (Stolovitch, 2004; Symons, 2005). ISO 17799 can, however, play a meaningful role in risk management assessment and therefore a role in security governance.

ITIL, initially developed in the U.K. by the Central Computer and Telecommunications Agency (later absorbed into the Office of Government Commerce),
defines a broad range of processes that are considered best practices and are documented in a series of books. Processes include (a) incident management, (b) change management, (c) problem management, (d) service-level management, (e) continuity management (disaster recovery), (f) configuration management, (g) release management, (h) capacity management, (i) financial management, (j) availability management, (k) security management, and (l) help desk management. ITIL is extremely useful in improving the infrastructure to provide ongoing services through service management. ITIL should be applied as a tool within the context of a broader organizational strategy, not treated as a comprehensive solution (Meyer, 2005).

The ITIL security management framework examines security from the service provider perspective, identifying the relationship between security management and the IT security officer and outlining how it provides the level of security necessary for the entire organization. COBIT and ITIL are complementary: COBIT takes on the role of audit and control, and ITIL takes on the role of best practices for services (Symons, 2005).

TRENDS IN SECURITY AND BUSINESS CONTINUITY PLANNING

Central information security groups are assuming greater seniority, with 40 percent or more of security groups reporting directly to the CIO (Corporate Executive Board, 2003b). The central security group is assuming responsibility for governing and coordinating policy and standards formulation, architecture, vendor selection, compliance auditing, vulnerability assessment, and intelligence gathering. Three emerging roles for the central information security organization are (a) awareness campaigns, (b) central password management, and (c) supply-chain security programs. Consistent with the research by Weill and Ross (2004), a direct reporting relationship for a centralized security organization creates the opportunity for more effective security governance, both through more collaborative opportunities between business professionals and IT security management and through defined decision rights that cover technical decisions.

The 10 barriers to security and business continuity planning defined by the Corporate Executive Board Working Council (2003a) are (a) subjective risk prioritization, (b) poor risk communication, (c) security requirements mismatch, (d) siloed business protection, (e) unclear business continuity ownership, (f) insufficient user awareness, (g) inconsistent password policies, (h) incomplete business continuity preparedness, (i) poor crisis communication, and (j) external partner vulnerabilities. Because SOX compliance is assessed against the COSO framework, security risk prioritization and risk communication must be consistent with that framework. The other eight barriers, (c) through (j), bear directly on Sections 302, 404, 409, and 802 of SOX (2002).

RECENT RESEARCH IDENTIFYING EFFECTIVE IT AND SECURITY GOVERNANCE

In a survey of 256 IT organizations, the best predictor of effective IT governance performance was the percentage of managers in leadership positions who could accurately describe their IT governance processes (Weill & Ross, 2004). In enterprises with above-average governance performance, 45 percent or more of managers could accurately describe their IT governance, whereas in below-average performers only a few managers in leadership positions could describe their governance process. Other factors associated with effective IT governance include (a) a higher percentage of senior managers who engage more often and more effectively in IT governance (committees, announcements, etc.), (b) more direct involvement of senior business leaders in IT governance, (c) clearer business objectives for IT applications, (d)
more differentiated business strategies, (e) fewer approved exceptions, and (f) fewer changes in governance from year to year (Weill & Ross, 2004).

Of the 256 companies in Weill and Ross’ (2004) survey, in those organizations with the most effective IT governance decisions, decisions were led by management, business unit leaders, and IT specialists in each of the respective areas:

• IT principles (clarification of the business role of IT): IT and top management or business unit leaders
• IT architecture (integration and standardization of IT requirements): IT specialists
• IT infrastructure (sharing and enabling of IT services): IT specialists
• Business application need (evaluation of business needs for purchased or developed applications): corporate and business units, with or without IT
• IT investment (funding for IT initiatives): IT and top management or business unit leaders

For those organizations with the least effective IT governance decisions, decisions were led by management, business unit leaders, and IT specialists in each of the respective areas:

• IT principles: top management or business unit leaders
• IT architecture: top management or business unit leaders
• IT infrastructure: top management or business unit leaders
• Business application need: corporate and business units, with or without IT
• IT investment: top management or business unit leaders

Perhaps it is no coincidence that a Gartner survey of 75 senior compliance executives found that 37 percent of companies had no IT representation on SOX compliance teams (Leskeia & Logan, 2003).

Weill and Ross (2004) reported that the most effective decision-making structures are

• Executive management committees
• IT leadership committees
• Business/IT relationship managers

The least effective IT decision-making structures are

• Capital approval committees
• Architectural committees

The most effective alignment processes are tracking IT projects and resources consumed. The least effective are charge-back mechanisms and tracking the business value of IT investments.

The methods of engagement include (a) senior management announcements that reinforce and alert governance changes; (b) formal committees to add weight and cross-functional influence; (c) a recognized advocate, owner, and organizational home; (d) a dialogue to educate and address concerns; and (e) a single place for governance information such as an intranet (Weill & Ross, 2004).

SECURITY GOVERNANCE AT MOTOROLA
Many enterprises are concerned with security, but Motorola has made it a strategic priority (Weill & Ross, 2004). Security governance secures the support of executive management through a Management Board for IT Principles and IT Investment, but the security leaders maintain the final decision authority over the security architecture and infrastructure. The decision-making process at Motorola security includes the following:

• IT principles: Management Board and security leaders
• IT architecture: security leaders
• IT infrastructure: security leaders
• Business application need: business leaders
• IT investment: Management Board and security leaders
Motorola’s Corporate Information Security Officer participates at quarterly Management Board meetings with the following:

• An identification of Motorola’s security risks and the alternatives for addressing them
• An education about the likelihood of various security breaches and the potential impacts of each threat
• Recommended security principles and priorities in certain areas of the business
• A budget that is approved separately from the rest of the IT budget.

Using a monarchy decision-making style, Motorola’s Corporate Information Security Officer

• Implements security plans at both a corporate and business unit level
• Designs and builds appropriate technology with his support staff
• Works with IT architects at both the corporate and the sector levels to ensure that security measures are built seamlessly into the IT infrastructure and applications

As an example of how Motorola security integrates itself into the IT architecture and infrastructure, Motorola created a single, global department tasked with centrally rolling out standard configurations across the enterprise (Microsoft Executive Circle, 2004). Motorola’s security organization is ultimately responsible for 65,000 desktop and portable computers plus embedded devices and other computers spread across the Americas, Europe, Africa, and Asia. Before centralizing the upgrades, updates using third-party software programs or complete security updates to protect Motorola’s enterprise from viruses, hackers, and other security threats would take weeks. The company consolidated 600 domains into a single environment with nine child domains. Software updates that formerly took months are now completed in less than a week.

As another example of how Motorola security integrates itself into the IT architecture and infrastructure, Motorola developed the Extended Enterprise Protection Plan to evaluate risks in the supply chain, provide incentives for suppliers to improve their security, and identify areas where Motorola should take action internally to mitigate risks (Corporate Executive Board, 2003a). The plan includes six steps: (a) the identification of mission-critical partners, (b) a partner self-assessment using an ISO 17799 checklist, (c) a partner perimeter scan by a trusted third party to scan partner networks for vulnerabilities, (d) an offer of discounts to partners to access Motorola’s vendors, (e) offers of cyber-insurance discounts, and (f) internal steps to mitigate any weakness that partners fail to address.

In the development of centralized security protection for 65,000 desktop and portable computers and supply chain security programs, Motorola’s security governance identified and prioritized risks, communicated the risks to the business units and external partners, matched the security requirements to the needs, avoided siloed business protection, and managed external partner vulnerabilities. Motorola completed the business protection life cycle through three major security processes: (a) risk assessment, (b) policy setting and oversight, and (c) effective execution.

A strategic approach to information security transforms the IT security function from a set of ad hoc activities with an emphasis on technology to a coordinated approach of principles, behaviors, and adaptive solutions that map to business requirements (Proctor, 2004). A centralized security governance within Motorola works closely with a Management Board to define policies and priorities, to educate stakeholders, and to set budgets apart from IT operations. Motorola security leaders take sole possession and leadership of the IT security architecture and infrastructure. Motorola security has transformed itself from a loosely distributed set of domains across the world into a centrally coordinated approach to secure
65,000 computers and to administer a supply-chain security program. Effective decision-making structures, alignment processes, and methods of engagement are integral to effective security governance and ultimately to SOX compliance. Therefore, senior security leadership in governance structures such as Motorola likely can fully explain their governance process. Additionally, Motorola is likely to implement successfully a SOX compliance program that can change and evolve as the security environment changes and evolves.

The security governance framework includes (a) structures, (b) processes, and (c) communications (Symons, 2005). The Motorola governance framework includes (a) security managers within the security organization who report to the Management Board, (b) processes that include the management of security-related architecture and infrastructure for the enterprise, and (c) communications that directly involve the Management Board and include ongoing education and budget direction. Executive management committees (such as the Management Board at Motorola), IT leadership committees, and business/IT relationship managers are among the most effective governance structures for the IT organization and are likely to have a positive influence on security governance. The governance framework at Motorola has created an enabling organization rather than a support organization.

TO SUSTAINABLE CHANGE
A project characterized by a one-time change agent, created for first-time implementation, may develop an unsustainable and potentially untestable approach to Section 404 compliance (Kola, 2004). Such a short-term project concentrates responsibility for compliance in the hands of a few and is often typified by retention of outside consultants who take the process knowledge with them when they leave companies. Most change initiatives, including the installation of new technology, downsizing, restructuring, or trying to change corporate culture, have had success rates of approximately 30 percent (Beer & Nohria, 2000). Management that emphasizes change from the top down to yield quick results often uses outside consulting firms. In contrast to a quick-change environment initiated by an outside consulting firm, ongoing change must be sustained by an organization in which employees are emotionally committed to solving the new challenges that continually arise. The most successful long-term approach is to integrate both a top–down and a bottom–up approach to change management. A successful integration of a top–down and bottom–up approach emphasizes several dimensions of change:

• Leadership both sets direction from the top and engages the staff below.
• Focus is simultaneously on the hard (structures and systems for SOX compliance) and on the soft (corporate culture to sustain ongoing responsiveness).
• Process involves planning for spontaneity.
• Reward system uses incentives to reinforce change but not to drive it.
• Consultants use expert resources who empower employees.

Several specific approaches can be used to maintain the momentum to integrate Section 404 into operational practices, including expanded use of the internal audit function, risk identification and management programs, integrated information systems to support Section 404 compliance, and active change management to design and implement Section 404 compliance as the business evolves (Dittmar, 2004). Application-level controls and general computer controls have been major focuses of attention in first-year projects. Many companies have used technology to help manage their Section 404 efforts and to provide control repositories and audit trails.

CONCLUSION
In organizations with the least effective IT governance, decisions were led by management and business unit leaders in IT
principles, IT architecture, IT infrastructure, business application need, and IT investment. In organizations with the most effective IT governance, IT decisions were shared by management, business unit leaders, and IT specialists, with IT specialists leading the decision making in IT architecture and IT infrastructure. Motorola security governance demonstrates the role of effective structures, processes, and communications and how centralized security leaders participate with the Management Board. At Motorola, security specialists led the decision making for the IT architecture and IT infrastructure. The security governance framework must integrate the (a) structures, (b) processes, and (c) communications to create an enabling security organization for the security life cycle of (a) risk assessment, (b) policy setting and oversight, and (c) execution. The one-time consulting engagement by an outside consulting firm must be replaced by a change management strategy that sustains long-term change.

References
Beer, M., & Nohria, N. (2000, May–June). Cracking the code of change. Harvard Business Review, HBR OnPoint.
Chan, S. (2004). Sarbanes–Oxley: The IT dimension. The Internal Auditor, 61(1), 31–33.
CERT® Coordination Center. (2005). 2004 E-Crime Watch Survey shows significant increase in electronic crimes. Available at http://www.cert.org/about/ecrime.html
CIO Insight/Gartner. (2004, May). EXP Research: Sarbanes–Oxley 2004: Are you ready to comply? Available at http://www.cioinsight.com
Cobb, C. G. (2004, November). Sarbanes–Oxley: Pain or gain? Quality Progress, 37(11), 48–52.
Committee of Sponsoring Organizations. (2005). FAQs for COSO’s Enterprise Risk Management—Integrated Framework. Available at http://www.coso.org/Publications/ERM/erm_faq.htm
Computer Crime Research Center. (2005). 2004 CSI/FBI Computer Crime and Security Survey. Available at http://www.crime-research.org/news/11.06.2004/423/
Corporate Executive Board. (2003a). Securing extended enterprise partners. Motorola, Inc., Working Council Research. Available at http://www.cio.executiveboard.com/
Corporate Executive Board. (2003b). Trends in information security and business continuity planning from infrastructure protection to business enablement. Available at http://www.cio.executiveboard.com/
Damianides, M. (2005, Winter). Sarbanes–Oxley and IT governance: New guidance and IT control and compliance. Information Systems Management.
Decker, S., & Lepeak, S. (2003). Connecting to ERP for SOX 404 Assessments. Available at the META Group Web site: http://www.metagroup.com
Dittmar, L. (2004, November). What will you do in Sarbanes–Oxley’s second year? Financial Executive, 20(8), 17–18.
Heffes, E. (2005, January–February). FEI CEO’s 2005 top 10 financial reporting issues. Financial Executive, 21(1). Available at http://www.fei.org
Information Systems Audit and Control Association. (2005). About ISACA. Available at http://www.isaca.org
IT Governance Institute. (2005a). Board briefing on IT governance. Available at http://www.itgi.org/
IT Governance Institute. (2005b). Governance of the extended enterprise, bridging business and IT strategies. Hoboken, NJ: John Wiley & Sons.
Kaarst-Brown, M., & Kelly, S. (2005). IT governance and Sarbanes–Oxley: The latest sales pitch or real challenges for the IT function? In Proceedings of the 38th Hawaii International Conference on System Sciences – 2005, IEEE.
Kola, V. (2004, January–February). Sarbanes–Oxley Section 404: From practice to best practice. Financial Executive, 20.
Leskeia, L., & Logan, D. (2003). Sarbanes–Oxley compliance demands IS involvement. Available at the Gartner, Inc., Web site: http://www.gartner.com/
Louwers, T., Ramsey, R., Sinason, D., & Strawser, J. (2005). Auditing and assurance services. New York: McGraw-Irwin.
Luftman, J., Bullen, C., Liao, D., Nash, E., & Neumann, C. (2004). Managing the information technology resource. Upper Saddle River, NJ: Pearson Prentice Hall.
Microsoft Executive Circle. (2004). Motorola case study. Available at the Microsoft Corporation Web site: http://www.microsoft.com
Mead, N. R., & McGraw, G. (2004). Regulation and information security: Can Y2K lessons help us? In IEEE Security and Privacy, IEEE.
Meyer, D. (2005). Beneath the buzz: ITIL is a powerful tool, but holds pitfalls in store for those who get obsessed with it. Available at the CIO.com Web site: http://www.cio.com/leadership/buzz/column.html?ID=4186
National Cyber Security Partnership. (2005). Governance. Available at http://www.cyberpartnership.org/init-governance.html
Proctor, P. (2004). Sarbanes–Oxley security and risk controls: When is enough enough? In Infusion: Security & Risk Strategies. Available at the META Group Web site: http://www.metagroup.com
Public Company Accounting Oversight Board. (2005). PCAOB center for enforcement tips, complaints and other information. Available at http://www.pcaobus.org/Enforcement/Tips/index.asp
Ramos, M. (2004). How to comply with Sarbanes–Oxley Section 404. Hoboken, NJ: John Wiley & Sons.
Reich, B. H., & Nelson, K. (2003). In their own words: CIO visions about the future of in-house IT organizations. The Database for Advances in Information Systems, 34(4).
Sarbanes–Oxley Act of 2002, Public Law 107–204 (2002). Available at http://www.pcaobus.org
Stolovitch, D. A. (2004, January 30). Canadian ISO 17799 User Conference, Sun Life’s experience with security governance and ISO 17799. Available at http://www.scienton.com/7799ug/Papers.html
Symons, C. (2005, March 29). IT governance framework, structure, processes, and communication. Available at the Forrester Research Web site: http://www.forrester.com/
Weill, P., & Ross, J. (2004). IT governance: How top performers manage IT decision rights for superior results. Boston: Harvard Business School Press.
What is: ISO 17799? (2001). Available at the Risk Associates Web site: http://www.securityauditor.net/ISO17799/what.htm
Zorz, M. (2003, March 12). Interview with Christopher Alberts, a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute. Available at http://www.net-security.org