Security and Sarbanes Oxley

December 17, 2004 (PRLEAP.COM) Business News


In implementing any policy action designed to tighten security against hacking, spyware, and terrorism, a company or agency should consider the potential consequences as well as the costs of the action. Security issues, both physical and cyber, are only one element of what affects an entity's operations. Sarbanes-Oxley's primary concern is the financial systems and where the information and finances meet. A listing of Sarbanes-Oxley Information Technology resources is at http://www.projectbailout.com/PM/Sarbanes-Oxley-IT.htm or at www.projectbailout.com.

The essential first step in effective information security for Sarbanes-Oxley is that a risk assessment methodology be used to make informed security investment decisions. If a company has not conducted a risk assessment, it cannot know the extent of its security problem. Even when it knows the extent of security and cybersecurity needs, it cannot protect everything.

On the basis of the results of a risk assessment, infrastructure changes can be adopted to mitigate identified risks. These can be highly individualized, since there are several categories of cybersecurity technologies available that could be used to better secure critical infrastructure systems. However, it is also important that the company keep in mind the limitations of these technologies, as well as the interactions of the technologies with the security processes and the people using the technologies.

Security systems are much talked about, but many remain uncertain about what they entail and how to build and maintain one. An important step in establishing a system is to have an external audit of what a company now does for defense against a security violation. It is also important for those businesses and agencies that have a security system to have it periodically checked by an outside audit. The object of an audit is not to try to find vulnerabilities but to assess the overall effect of any vulnerability on effective operations. Simply finding vulnerabilities can often lead to misrepresenting the efforts of internal staff, unnecessary expenditures for internal remediation, and possible negative impact on production systems, as well as increasing the risk by providing a road map to hackers. The best and most valuable security audit not only details vulnerability, but also gives an overall assessment. The report highlights the overall level of risk to the business and indicates what executive-level decisions should be made to improve and to maintain a consistent information security program.


Security Audits: http://www.4terrorism.com/securityaudits.htm
Cyber Security Resources: http://www.4terrorism.com/listtemp.htm