The Joy of SOX
Contributed by:Cybertrust, Inc.
OVERVIEW — THE ORIGINS OF SARBANES-OXLEY
In 2002, the US Congress passed into law the Public Company Accounting Reform and Investor Protection Act (Public Law 107-204), better known as the Sarbanes-Oxley Act (SOX). Its purpose was to stabilize the US markets in the wake of the enormous corporate scandals — Enron, WorldCom, HealthSouth, and the like — that cost investors billions of dollars and had a devastating impact on the US economy. Congress designed the Act to revise corporate governance procedures for publicly-traded companies, particularly the verification of the accuracy of earnings information and the disclosure of financial reporting. It also established the personal responsibility of CEOs, CFOs and other senior directors and officers of these organizations for the accuracy of this information. The intent is to restore investor confidence and allow investors to make reasoned decisions.
Sarbanes-Oxley affects all publicly-traded companies in the US, and foreign filers in US markets. It is a broad and far-reaching regulation, containing a variety of fraud protection provisions, including requirements for auditor independence, the rotation of public accounting firm partners every five years, appropriate uses of non-GAAP financial measures, and protection for corporate whistleblowers; but the provisions that most companies are concerned with are Sections 302 and 404.
DISCLOSURE AND INTERNAL CONTROLS
Sections 302 and 404 represent the lion's share of the work that a public company must perform when preparing for SOX compliance, and the manner in which the company and its public accounting firm must report to the SEC.
Section 302 governs the preparation of financial reports. It reads:
Section 302 requires the public company to assert that the controls in place are appropriate and that there are no errors, omissions, or misstatements in its disclosure. Both the public company's officers and the public accounting firm must attest to the accuracy of the reporting. Should significant deficiencies or material weaknesses exist in the company's internal controls, that information must be included in the disclosure. The signing officer for the public company asserts that the financial reporting is a fair and accurate representation of fact and in no way misleading.
In support of Section 302, Section 404 governs the management of the internal controls around the company's financial data and reporting. It reads:
Section 404 requires the public company's management to take an active role in creating and maintaining the internal control structure that governs financial reporting, and to report on the status of internal controls in its annual report. Once again, the public accounting firm must attest to the fairness and accuracy of management's assessment. Section 404 is the most labor-intensive section of the Sarbanes-Oxley regulation. Public companies will most likely spend as much time and effort in preparing for 404 compliance as they do on the annual financial audit.
Clearly, heavy interpretation is required to map out a compliance strategy. SOX mandates the use of a publicly-vetted internal control framework to establish a control structure appropriate for compliance, and specifically references the COSO 1 framework, but does not mandate it as the only allowable framework. Public companies are free to use any framework that is publicly available, generally recognized, and thoroughly vetted by recognized organizations. Options include the CoCo framework from Canada, and other in-country standards such as KonTraG from Germany, the Turnbull report from the UK, and the King report from South Africa.
US-based organizations, however, should be wary of using a framework other than COSO, for two reasons. First, the public company must be prepared to justify the choice of another framework, because COSO is specifically referenced by SOX; using another framework will invite questions not only from the public accounting firm, but perhaps from the SEC as well. Second, a US auditor is unlikely to be as familiar with a foreign standard as with the COSO framework.
Use of the COSO framework is the simplest and most logical choice for the vast majority of US public companies.
COSO is the Committee of Sponsoring Organizations of the Treadway Commission, which dates back to the mid-1980s and the aftermath of the junk bond era. The Treadway Commission was formed to evaluate and correct fraudulent financial reporting in US business, fostering ethical financial management and reporting. Its sponsoring members include accounting and auditing organizations such as the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and the American Accounting Association (AAA). Together they have maintained the internal control framework since its publication in 1992.
The five components of the COSO framework which govern the management of internal controls relevant to SOX are:
Control Environment - COSO refers to this as “the tone at the top” of the organization, including concepts such as integrity, ethical values, management style, and operating style, as well as the practicalities of board and audit committee oversight. This encompasses corporate philosophies about the management of internal control and the associated risk assessments: how the organization identifies and manages the risks that relate to its business objectives, and how it develops a strategy to mitigate those risks.
Risk Assessment - the company must identify the relevant risks to the organization, and determine control measures appropriate to mitigate those risks. Most companies will perform the risk assessment in two stages, first at the enterprise level and then for the IT environment. Risks identified within the IT organization may or may not directly impact the company's financials; those identified as having a direct impact must be documented and presented to management as possible sources of deficiency.
Control Activities - these are the policies and standard operating procedures that are created as a direct result of the risk assessment to drive the companyâ€™s mitigation strategy. Control activities should include general controls over information systems as well as specific application controls that ensure the accurate and timely processing of transactions.
Information and Communication - when performing its risk assessment, management must consider the flow of information within the company and the appropriate communication channels that facilitate that flow. The internal control structure must support a flow of information that allows employees to carry out their duties in a timely manner. The IT department supports communication, and in most companies fully supports the preparation and production of financial reporting.
Monitoring - the IT organization is also responsible for monitoring the effectiveness of controls in place in the live production environment. Security incidents and events that may impact the company's financial position must be evaluated to determine whether or not they represent a potential deficiency in the internal control structure. Monitoring activity within the corporate computing environment may be performed on a continuous basis, through a series of independent assessments, or a combination of the two, at the discretion of management.
The COSO framework provides guidance for management to establish an internal control structure for the public company, but it does not contain any criteria specific to information security. COSO is not intuitive; most public companies will require additional interpretation when applying the framework to their control environments.
Two information security standards have emerged as the leaders in the US for the interpretation of the COSO framework — Control Objectives for Information and related Technology (COBIT) and BS ISO/IEC 17799 (ISO 17799). COBIT is a product of the audit community; it is managed by ISACA and is therefore a very popular standard with the public accounting firms. Most of the lead auditors performing SOX compliance consulting and auditing will be familiar with COBIT. In practice, however, only the largest and most disciplined organizations manage to COBIT on a day-to-day basis. For many publicly-traded companies, COBIT will not be an appropriate standard to work with; for some it may even be overkill. ISO 17799, on the other hand, has been steadily gaining popularity in the US in the past few years and is widely regarded as a practical and achievable information security standard. For some publicly-traded companies, ISO 17799 will be a much easier and more practical tool for meeting compliance objectives, and their auditors and consultants will certainly view it as an acceptable standard to work with. SOX itself does not mandate the use of any particular security standard to interpret COSO; that decision is made entirely at the discretion of management.
MATERIAL WEAKNESS AND IT
The key to section 404 is material weakness. The public company must fully disclose any material weakness that affects the internal controls over the financial data and/or the production of financial reporting. SOX uses the formal accounting definition of material weakness; generally accepted accounting principles (GAAP) and generally accepted auditing standards (GAAS) apply. In formal terms, material weakness is defined 2 as
Significant deficiency is defined as
Essentially, the financial auditor examines its public company client, looking for deficiencies in the target environment. When such deficiencies are found, the auditor will determine the degree to which the deficiency affects the public company, and generally treat it according to the following:
Deficiency - a finding to be brought to the attention of the public company, with minimal corrective effort required, and no further action on the part of the auditor
Significant Deficiency - a finding to be brought to the attention of the public company, with immediate corrective action required; disclosure and follow-up required by the auditor
Material Weakness - a reportable condition: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected; immediate corrective action required; disclosure and follow-up required by the auditor
A deficiency, even if minimal at first, can become significant or material depending upon circumstances within the environment. Severity of the deficiency is determined solely at the discretion of the financial auditor. The public company can appeal an auditor's decision to classify a deficiency as significant or material, but the auditor is still required to report the finding.
In general, deficiencies are associated with an organization's business processes and procedures.
Failure by the organization to appropriately segregate duties is often considered a deficiency. If, for example, accounts payable and accounts receivable functions are performed by a single employee, or wire transfers are generated and approved by a single employee, a financial auditor would find the organization deficient. Another common deficiency in many organizations is the failure to classify and “tag” property and equipment. If:
Based upon the auditor's findings, management of the public company must determine the impact of any deficiencies on the company's ability to produce accurate financial statements. Should a control fail, is a misstatement possible? Is it probable? Bear in mind that SOX does not make a distinction between deliberate and accidental action in this regard — whether an employee makes an honest error or a hacker attacks, for example, a failure of the controls that leads to the exposure of the financial data to alteration or harm will be viewed as equal by the company's financial auditors and by Federal examiners.
Until recently, IT has not been considered a source of accounting or financial reporting material weakness in publicly-traded companies; most auditors and examiners were focused on accounting practices. The realities of today's inter-connected eBusiness world, however, have made IT a new focal point for Federal legislators and regulators. There are real risks associated with creating, processing, transmitting, and storing data electronically. Vulnerabilities exist even in the most well-managed organizations, and they can literally number in the thousands. New threats and exploits emerge daily. Because of budget concerns, many organizations have limited resources to devote to information security. Given the vague language in both SOX and the COSO framework regarding IT, many public companies are now struggling to define specific information security measures that will appropriately support their internal control structure and meet with the approval of their financial auditors.
PREPARING FOR 404 COMPLIANCE
While it is generally understood by both public companies and financial auditors that IT security plays a role in the internal control structure, that role has yet to be clearly defined. Neither SOX nor the COSO framework contains specific information security requirements or criteria. To date, neither the SEC nor the PCAOB has issued specific guidance related to information security controls.
Interpretation is therefore left to the public company and its auditor, although the independence requirements under SOX's Title II (Sections 201-209) prevent the financial auditor from acting in an advisory capacity relative to information security consulting. Most public companies have found SOX compliance a complex exercise, and are obtaining assistance from consulting firms, infosec boutiques, or other sources.
Whether or not advisory services are engaged, organization is critical to successful compliance preparation. In order to define IT's role in the internal control structure, and identify existing vulnerabilities that may constitute deficiencies, the public company must take the following steps:
Define the scope of the target environment. Section 404 mandates that the organization maintain an appropriate internal control structure over financial reporting. The scope should include the systems, services, devices, data, and personnel involved in the creation, processing, transmission, storage, and destruction of financial data, as well as the IT personnel who maintain the associated hardware, software, and peripherals. In most cases, the scope will extend beyond physical facilities to follow the flow of the financial data.
Classify assets within the scope. This admittedly tedious exercise is critical to successful evaluation of the target environment. Identification of critical assets allows the organization to assign value and ownership to components, assess risk, and work with the financial auditor to examine and correct deficiencies.
Perform a risk assessment on the target. Once critical assets have been identified, the public company must consider the vulnerabilities that exist in the target environment, and establish a level of risk tolerance — risk acceptable given the business model and cost/benefit analysis of mitigation. Understanding risk tolerance is critical to the public company, as it will dictate the development of the mitigation strategy and selection of appropriate information security controls for the target.
The results of the risk assessment will be different for each public company; it will reveal the vulnerabilities that are idiosyncratic to the target environment. There are essential mitigations and controls, however, that should be implemented at some level by most SOX-affected organizations. These include:
Network segmentation. The systems, services, and devices involved in the processing and storage of financial data and associated organizational records should be appropriately isolated within the corporate computing environment. The public company should consider logical barriers between the target environment and other parts of the network, and carefully examine and secure connections to public networks.
Access restriction. Physical and logical access to financial data and associated organizational records must be restricted. The public company should apply the principle of least privilege, based upon job function, when granting access. User rights and privileges to isolated segments of the network should be reviewed on a regular basis and updated as employees' responsibilities change. Physical access to filing rooms and data centers should be similarly restricted.
Background checks. The public company should perform a background check on all employees working with sensitive data, as part of the hiring or promotion process. Sensitive data is often vulnerable to theft, damage or destruction by trusted insiders, so the organization must exercise care when granting access.
Document, document, document! The public company should document the security controls implemented based on its most current risk assessment of the target, and be prepared to discuss those control measures with the financial auditor. Complete, organized documentation of control measures, policies, and standard operating procedures will facilitate the audit process.
These are controls that should be a part of any organizationâ€™s security program, and when implemented on an enterprise-wide scale will contribute to the overall health of its information security posture.
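The access restriction and segregation-of-duties points above (least privilege by job function, periodic review of user rights, and no single employee both generating and approving wire transfers or handling both payables and receivables) can be checked mechanically once the role matrix is written down. The following is an added example, not Cybertrust's code or any tool the paper describes. The role names, entitlement names, conflict pairs and account snapshot are all constructed for illustration; in practice the role matrix comes from the control documentation and the entitlements from an export of the ERP or directory.

```python
"""Periodic access review for a SOX-scoped finance environment (added example).

Constructed data: a role matrix (what each job function may do), a list of
conflicting duties, and a snapshot of account entitlements. The checks flag
(1) entitlements beyond the account's job function, (2) conflicting duties
held by one person, and (3) inactive accounts that still hold entitlements.
"""

# Entitlements each job function legitimately needs (constructed).
ROLE_MATRIX = {
    "ap_clerk":         {"ap_post_invoice", "ap_view"},
    "ar_clerk":         {"ar_post_receipt", "ar_view"},
    "treasury_analyst": {"wire_create", "ar_view", "ap_view"},
    "treasury_manager": {"wire_approve", "ar_view", "ap_view"},
    "gl_accountant":    {"gl_post_journal", "ap_view", "ar_view"},
    "finance_admin":    {"erp_user_admin"},
}

# Pairs of entitlements that must never rest with one person (constructed).
SOD_CONFLICTS = [
    ("wire_create", "wire_approve"),        # generate and approve a wire
    ("ap_post_invoice", "ar_post_receipt"), # payables and receivables
    ("gl_post_journal", "erp_user_admin"),  # post journals and grant access
]

# Snapshot: job function from HR plus entitlements pulled from the ERP (constructed).
ACCOUNTS = [
    {"user": "jsmith", "role": "ap_clerk", "active": True,
     "entitlements": {"ap_post_invoice", "ap_view"}},
    {"user": "mlee", "role": "treasury_analyst", "active": True,
     "entitlements": {"wire_create", "wire_approve", "ar_view", "ap_view"}},
    {"user": "rchen", "role": "ap_clerk", "active": True,
     "entitlements": {"ap_post_invoice", "ap_view", "ar_post_receipt"}},
    {"user": "tgone", "role": "gl_accountant", "active": False,
     "entitlements": {"gl_post_journal", "ap_view"}},
]


def excess_entitlements(account, role_matrix=ROLE_MATRIX):
    """Entitlements the account holds beyond what its job function needs."""
    allowed = role_matrix.get(account["role"], set())
    return sorted(account["entitlements"] - allowed)


def sod_violations(account, conflicts=SOD_CONFLICTS):
    """Conflicting duty pairs held by a single account."""
    held = account["entitlements"]
    return [pair for pair in conflicts if pair[0] in held and pair[1] in held]


def review(accounts=ACCOUNTS):
    """Run all three checks and return findings keyed by user name."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct["active"]:
            issues.append("inactive account still holds entitlements")
        extra = excess_entitlements(acct)
        if extra:
            issues.append("exceeds job function: " + ", ".join(extra))
        for a, b in sod_violations(acct):
            issues.append(f"segregation-of-duties conflict: {a} + {b}")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review().items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

With the constructed snapshot, jsmith passes, mlee is flagged for holding both wire_create and wire_approve (and for wire_approve exceeding the analyst role), rchen is flagged for combining payables and receivables, and tgone is flagged as a departed employee whose access was never revoked. Keeping the output of each periodic run is exactly the kind of evidence the auditor will ask for under the access restriction control.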
WHERE PUBLIC COMPANIES STRUGGLE
At its highest level the “object” of SOX is the financial data; the public company is responsible for ensuring the integrity and availability of that data. From an IT perspective, confidentiality, integrity and availability (CIA) are standard requirements that may apply to all data generated by the organization. SOX, however, is not concerned with consumer data or any other organizational records not related to the financials; its sole focus is financial reporting, and integrity is key. The public company's officers must be able to swear that the numbers are accurate, free from defect, and that no misstatements exist.
The prospect is daunting for many public companies. In order to make a reasonable attestation, management must have the utmost confidence in the computing environment that produces the financials — including the systems, services, devices, personnel, policies and standard operating procedures. In establishing the internal control structure, this subset of the corporate computing environment becomes the compliance target. One of the components of the COSO framework is risk assessment, but neither COSO nor Section 404 itself specifies the extent to which the assessment is to be performed on information security control measures as they function in the target environment, nor do they clearly define their role as a part of the internal control structure.
Section 404 does specifically require that testing be performed on the internal controls, and that such testing is able to adequately evaluate both the design of controls and their operating effectiveness. As management prepares its report to the SEC, the following four statements must be included:
In the report, the auditor also acknowledges management's attestation and therefore shares responsibility when reporting to the SEC on the state of internal controls in the environment. Liability is also shared between the public company and the public accounting firm partner. If any material weakness is discovered, it must be accurately reported; management cannot then assert that its internal controls are effective.
The IT department's role in SOX compliance is largely a supportive one. IT certainly plays a part in the discovery, mitigation, and reporting of deficiencies relative to the target environment, but this is secondary to the public company's overall compliance objective. Without specific information security criteria delineated in Section 404, and lacking guidance from the SEC and PCAOB, many public companies struggle when assigning compliance activities to IT. There are three critical compliance tasks, however, in which IT should take the lead.
THE RISK ASSESSMENT
Section 404 does not specifically mandate that a risk assessment be performed on the target environment, but the need is implicit. The organization must determine the risks associated with the target in order to identify and mitigate deficiencies.
Many organizations struggle with risk assessment. Should it be a qualitative or quantitative exercise? Should it be performed in-house or by a third party? Should the assessment be tool-based or audit-based? There is no single answer, no “best” way to approach risk assessment; issues will vary between organizations. One common problem, however, lies in the extent of the assessment. The first step is the appropriate identification of all assets in the target environment. SOX provides general direction here, but the organization must make certain that it identifies and includes all relevant assets, clearly documenting the target environment.
Assessments of the target may be conducted through a variety of means, including process audits, vulnerability scans, war dialing, penetration testing, etc., each of which will yield its own flavor of vulnerability report. Many organizations fall into a common trap at this point: treating the vulnerabilities as risks. Too often, organizations begin remediation activity based upon the raw results of these reports. In order to effectively protect the target, those reports need to be analyzed, first removing false positives, and then quantifying the vulnerabilities, to determine which represent real risk. Determining vulnerabilities is important, but it is only the first step in a risk assessment.
The organization must also identify the relevant threats to the critical assets within the target, and determine the outcomes and costs associated with successful exploits. Event cost is measured by the total damage created by a successfully-executed threat, e.g., downtime, lost data, damaged reputation, remediation expenses, and lost revenue from a successful attack; for SOX-affected organizations, noncompliance penalties should also be factored into cost.
Ultimately, risk is the product of a simple equation:
Risk = Threat * Vulnerability * Event Cost
Event costs will vary in terms of dollars, but threat and vulnerability vary according to a number of factors. Malicious code and hacking represent significant threats to all organizations, since the rate at which they occur is increasing monthly 3. This is particularly true for malicious code, some of which can affect entire populations of computer users worldwide. Other threats, such as physical theft of laptops, affect individual organizations, and may have a lower rate but a greater impact. In such a case, the event cost represents the loss of the laptops, as well as the data resident on the hard drives, the employees' “downtime”, and IT's time and effort to replace the hardware, install the software, and replace lost data.
Vulnerabilities, which exist in every organization, may never represent real risk in terms of a quantifiable value in the threat and event cost variables. Organizations can waste significant time and resources addressing unquantified vulnerabilities without tangible results. It is absolutely critical to the success of the security posture and compliance efforts that the organization focus on real risk to the target environment and pursue its mitigation strategy accordingly.
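The path from a raw vulnerability report to a ranked list of real risk, as described in the preceding paragraphs, is short enough to show end to end. The following is an added example, not Cybertrust's code or any tool the paper describes. The scanner findings, the false-positive marking and the threat and cost estimates are all constructed; the scoring applies the paper's equation Risk = Threat * Vulnerability * Event Cost, reading threat as expected exploitation attempts per year, vulnerability as the probability that an attempt succeeds, and event cost in dollars, so that the score is an expected annual loss. That reading is an assumption of this example, not a definition the paper gives.

```python
"""From vulnerability report to real risk (added example).

Takes constructed scanner findings for the SOX target environment, drops the
ones the analyst has confirmed as false positives, attaches a threat rate
(expected attempts per year) and an event cost (dollars per successful
exploit), and scores each with
    Risk = Threat * Vulnerability * Event Cost
read here as expected annual loss. Findings with no quantified threat or cost
score zero and fall to the bottom of the list.
"""

# Raw scanner output after an assessment of the target (constructed).
FINDINGS = [
    {"id": "F1", "host": "erp-db01", "title": "Unpatched database listener",
     "vuln_prob": 0.9, "false_positive": False},
    {"id": "F2", "host": "erp-app01", "title": "Weak SSL ciphers on admin port",
     "vuln_prob": 0.3, "false_positive": False},
    {"id": "F3", "host": "fileshare01", "title": "World-writable share holding GL exports",
     "vuln_prob": 0.8, "false_positive": False},
    {"id": "F4", "host": "erp-db01", "title": "Banner reports vulnerable version",
     "vuln_prob": 0.9, "false_positive": True},   # fix was backported; banner is stale
    {"id": "F5", "host": "kiosk07", "title": "Outdated media player",
     "vuln_prob": 0.7, "false_positive": False},
]

# Analyst's estimates per finding (constructed). threat = expected exploitation
# attempts per year; event_cost = dollars lost per successful event, including
# downtime, remediation and any noncompliance penalty.
ESTIMATES = {
    "F1": {"threat": 2.0, "event_cost": 500_000},
    "F2": {"threat": 0.5, "event_cost": 50_000},
    "F3": {"threat": 4.0, "event_cost": 250_000},
    # F5 deliberately absent: the kiosk is outside the financial data flow,
    # so no threat or cost against the financials has been quantified.
}


def risk_score(finding, estimate):
    """Risk = Threat * Vulnerability * Event Cost; 0.0 when unquantified."""
    if estimate is None:
        return 0.0
    return estimate["threat"] * finding["vuln_prob"] * estimate["event_cost"]


def prioritize(findings=FINDINGS, estimates=ESTIMATES):
    """Return (finding id, score) pairs, highest real risk first, false positives removed."""
    scored = []
    for f in findings:
        if f["false_positive"]:
            continue  # confirmed false positive: not a vulnerability at all
        scored.append((f["id"], risk_score(f, estimates.get(f["id"]))))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for fid, score in prioritize():
        print(f"{fid}: expected annual loss ${score:,.0f}")
```

On the constructed data the unpatched database listener (F1) and the writable share holding general ledger exports (F3) dominate, the weak cipher finding (F2) is real but minor, the stale banner (F4) disappears as a false positive, and the kiosk (F5) scores zero because nothing ties it to the financials. Remediation money spent on F5 ahead of F1 or F3 is the waste the paragraph above warns about.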
3 Source: ICSA Labs
Although it may seem a somewhat fanciful exercise, considering a few “worst case scenarios” will prove valuable to many SOX-affected organizations, particularly for the risk assessment and in contingency planning. The scenarios need not be far-fetched; IT should consider a few common “what ifs”.
What if, for example:
Issues for IT to consider:
What if, for example:
There is a new virus or worm in the wild which bears a malicious payload that searches for and destroys *.dbf files. The organization then becomes infected.
Issues for IT to consider:
Both of these examples represent simple and common occurrences. Though not specifically mandated by Section 404, working through a few security incident scenarios will aid the organization in developing response and emergency mode operation plans. IT should review documentation from any security incident or breach that occurred within the target environment in the past 24 months, determine whether the appropriate repairs were made, retest as appropriate, and consider how a similar incident would impact the organization today.
Examining the cost and benefit of information security control measures goes hand-in-hand with the organization's risk assessment activities. Once real risk has been determined, the organization must take appropriate steps to mitigate that risk. Selecting and implementing appropriate information security controls in a live production environment is not always an easy task, and can quickly turn from an appropriate compliance exercise into a spending spree.
This was never the intent of Section 404: to encourage organizations to spend beyond their means to prove compliance. But unlike current information security regulations, such as HIPAA and GLB, there is no specific directive in Section 404 that the organization establish a level of risk tolerance based on its business model, nor perform a formal cost/benefit analysis.
In the real world, however, the organization must follow a rational decision-making process in order to avoid the overspending trap. It is possible to spend a fortune on technical security controls for the sake of compliance yet remain as vulnerable to exploit as if those controls had never been implemented. Often a smaller set of cost-effective, layered synergistic controls working together provide far more reliable protection than more expensive individual controls, which can represent a single point of failure. For example, if the organization needs to control and monitor access to its data center, using key cards to control and log ingress and egress coupled with security cameras aimed at the doors is a reliable solution that may be far less costly than implementing biometric palm print or iris readers. The organization would gain no additional security benefit by implementing the more costly solution with respect to meeting SOX requirements.
To prove compliance to the auditor, the organization should document its control selection process, tying it to the results of the risk assessment. The organization should be prepared to attest or demonstrate how synergistic controls work together to mitigate risk in the target environment. The auditor is unlikely to find fault with an organization that can demonstrate the rationale behind critical compliance decisions.
WHAT TO EXPECT FROM THE REGULATORS
The Securities and Exchange Commission (SEC) is the supervisory authority for the Sarbanes-Oxley regulation. The SEC is responsible for the management and enforcement of the regulation. Public companies submit their Section 302 certifications with each quarterly and annual filing, and the Section 404 report on internal control with the annual report. The Public Company Accounting Oversight Board (PCAOB) is responsible for the establishment and maintenance of the auditing standards and for the publication of compliance guidance. AICPA has no official role in compliance. ISACA and the IT Governance Institute (ITGI), however, have taken an active role in creating compliance guidance.
The public accounting firms will play a critical role in SOX compliance. Their auditors will use the PCAOB Auditing Standards to evaluate each public company's compliance efforts. Auditing Standard No. 2 (4) states the following with regard to information security:
PCAOB identifies IT general controls as:
The organization should document and be prepared to demonstrate the following at minimum:
In practice, the auditor will begin by reviewing management's assertions, including the documentation of the internal control structure and the results of testing of the effectiveness of internal controls. The auditor will then establish the scope of testing with management, test the limits of that scope for coverage, and evaluate a random sample of individual control measures. In most cases, the public company should expect the process to be similar to that of the annual financial audit, and the workload for both staff and audit team should be equivalent. SOX 404 auditing will focus almost entirely on transactions and processes rather than on the balance sheet. Of particular interest to the auditors will be any significant transactions for the company, any merger and acquisition activity, and the development of any new lines of business. These areas are the most likely sources of deficiency and material weakness.
The SEC will not directly examine each public company for compliance. Instead, they will review reporting as it is submitted and most likely examine those companies that disclose serious material weakness. Whether this will be all such companies is impossible to determine at this point; it will depend upon the number of companies that make such disclosures. If the majority of companies filing disclose material weakness the SEC may examine only a random sampling. Enforcement actions for Section 404 will be determined by each companyâ€™s ability to complete corrective action in a timely and demonstrable way.
There will be fallout. The language of the regulation and the COSO framework is sufficiently vague that interpretation will vary widely. This is new territory for both the public companies and public accounting firms, and most are admittedly making their best guess when it comes to measuring IT for Section 404 compliance. There is a consensus in the public accounting community that the nuances of compliance, particularly where IT is concerned, will be worked out in the courts. Information security, after all, is an inexact science; even the most vigilant public companies can suffer security breaches, and they and their auditors may not realize that a vulnerability or deficiency existed in the target environment until a breach brings it to their attention.
Will the fallout be harsh and punitive? Given the current regulatory environment and the fact that the SOX regulation was born out of the corporate scandals of 2001 and 2002, public companies should be prepared for harsh treatment by the SEC. Individuals and companies already facing charges under SOX have so far found little tolerance, either for deliberate actions or for legitimate error.
There is currently no private right of action under Sarbanes-Oxley — no consumers or individual investors will be able to sue a public company for failure to comply with SOX. Civil litigation, however, can never be ruled out entirely. Should a civil suit be brought against a company for the loss of invested funds, for example, clever plaintiff's attorneys will no doubt examine SOX disclosures in an effort to cast doubt on the company's demonstration of a professional level of due care. It is unlikely, however, that this will be normative.
THE CYBERTRUST APPROACH
As an information security company, Cybertrust recognizes the importance of Sarbanes-Oxley to the publicly-traded community and is therefore working to provide effective information security management solutions supportive of SOX 404 compliance efforts. Interpretive work began with a thorough review of the PCAOB's Auditing Standard No. 2. Cybertrust then chose the COSO framework to interpret Section 404, as it is the predominant framework for SOX interpretation in the United States, and will be used by the majority of public companies preparing for compliance. To interpret COSO, Cybertrust chose to base most of its work on the ISO 17799 information security standard, supplemented as necessary by control measures taken from the COBIT standard. These blended control measures provide both high-level and practical security control objectives to Cybertrust clients.
Cybertrust is the leading provider of intelligent risk management products and services. As an organization, Cybertrust dramatically improves security and reduces risk by assisting client organizations to make better security decisions and maximizing the effectiveness of existing security personnel, processes and technology. Currently, Cybertrust has three offerings that can assist client organizations with security management issues specific to the SOX 404 requirements.
CYBERTRUST'S BUSINESS SECURITY ASSESSMENT
Business Security Assessments provide an independent evaluation of the effectiveness of security controls in place across a given organization. More flexible in scope than Risk Commander or the Risk Management Programs, the BSA enables Cybertrust consultants to examine the entire organization or those areas within the organization that are of particular importance to the client, measuring the compliance status against internal, regulatory and 3rd party security standards including Sarbanes-Oxley Section 404.
The BSA goes beyond measuring the effectiveness of technology assets, delivering an in-depth review of the personnel, processes and other organizational factors that influence the overall security posture.
Cybertrust's analysis results in an objective assessment of the state of the security posture and strategic recommendations on actions to improve problem areas and how to refocus resources to achieve optimal impact.
The BSA has the flexibility to incorporate specific assessment criteria required by the organization's business needs, regulatory bodies, or 3rd party stakeholders, allowing client organizations to meet compliance obligations. Recommendations resulting from the assessment are presented in a format that is both actionable and prioritized in terms of cost and risk-reduction. These assessments can also be delivered in combination with traditional technology assessment methodologies (e.g. penetration testing, vulnerability assessment or application testing).
The BSA results in a "score" representing the quality of the client organization's controls in place and security practices; the score takes into account current and planned security controls, business benefits, and whether they support the firm's strategic imperatives. Cybertrust consultants collect and analyze data according to security criteria that are specific to the client organization's business, ensuring appropriate and constructive results. The BSA is a customized, tailored program that provides specific, actionable recommendations to strengthen the overall security posture.
CYBERTRUST'S RISK COMMANDER
Cybertrust's Risk Commander is a compliance management and risk analysis application that enables client organizations to effectively direct and track progress toward compliance with information security regulations, standards and practices, and to demonstrate overall risk reduction across the enterprise.
Risk Commander provides a single interface to monitor information security compliance. It allows the client organization to:
Risk Commander offers flexible configuration options so that the client organization can properly manage compliance activities. It has automated the compliance process into three distinct phases:
Using the Adaptive Survey Module, the organization collects data for specific regulations and standards, as well as its own corporate security policies. Risk Commander can also automatically import and integrate data from multiple commercial and proprietary asset management, vulnerability scanning, and compliance testing tools. Risk Commander consolidates this data in a controlled, repeatable and efficient manner to ensure consistent data quality.
Risk Commander's proprietary automated analysis engine applies rules developed by subject matter experts and compares collected data to standards and regulations to quickly identify compliance issues.
Automated analysis helps reduce overall compliance assessment efforts by identifying risks, and producing consistent, measurable results. This allows scarce resources to be directed to the most urgent remediation activities.
Risk Commander's Dashboard and Scorecards deliver quantitative graphical and trend charts that offer at-a-glance insight into organizational performance. User-defined filters help pinpoint compliance issues and vulnerabilities of particular interest. Narrative reports support the overview charts and graphs for in-depth review. Risk Commander's workflow can automatically generate a remediation task for every vulnerability and compliance issue it detects, enabling comprehensive remediation management and oversight.
Risk Commander facilitates access to critical information, by providing:
Risk Commander delivers the tools, knowledge, and automation necessary to the client organization to effectively manage enterprise-wide compliance efforts, by:
CYBERTRUST'S RISK MANAGEMENT PROGRAM
With Cybertrust's Risk Management Program (RMP), client organizations gain perspective on the real information security risks that require action. The process assists with the prioritization and allocation of resources to mitigate those risks and establishes a heightened level of confidence conducive to strategic business operations.
Effective risk management begins with comprehensive data gathering. Cybertrust's Intelligence Security Knowledge Network actively collects and integrates data from multiple sources on a regular basis, both daily and quarterly. With a customer base of more than 700 organizations and locations spread across 30 countries as well as pre-positioned sensors and monitoring sources around the world, the Knowledge Network gathers data and actively tracks the most damaging threats and exploits.
The key to successful information security management is the ability to transform raw data into "actionable intelligence." Cybertrust employs several proprietary models for the analysis of aggregate data, distilling it into real risk information applicable to client organizations. These include a proprietary risk equation, a ballistic threat model, and Cybertrust's Risk Index, which delivers an assessment of risk on a global basis as well as information particular to a single industry or market segment and customized per client organization. Security control strategies and concepts such as early warning and threat analysis systems, policy compliance programs, and essential practices and controls now take actionable form—client organizations actually experience the end result of global information gathering.
SECURITY MANAGEMENT METHODOLOGY
Based on its ability to gather data and translate it into actionable intelligence, Cybertrust has developed a comprehensive risk management methodology that integrates a number of critical security activities and disciplines into a formal program that reduces risk and results in a high security posture for the client organization's corporate computing environment. The program incorporates multiple activities including vulnerability assessments of both the externally-facing and internal network environments, physical and human or administrative areas, and the latest and most popular technical threat vector — wireless. When integrated, these service activities paint a comprehensive picture of an organization's current risk posture, creating a foundation upon which a comprehensive program can be put in place to address the deficiencies.
The framework for the program's assessment and remediation process is a proprietary set of standards and control measures known as the Essential Practices, which differ in philosophical concept from what is commonly known as "best practices." Cybertrust's essential practices focus on real risk - the risks most likely to be successfully exploited and those that will have the greatest impact on the organization — meeting them at an essential level. This establishes a baseline for the organization — practices and controls that must be in place in order for the client organization to function securely. Best practices, on the other hand, are often too academic, too aggressive to achieve, too expensive, and too impractical; in order to implement and maintain them, the organization would have to devote an inordinate amount of time and money relative to the return on investment, with no associated increase in the level of the security posture.
Cybertrust's program follows a pragmatic approach that enables customers to achieve significant risk reduction at a fraction of the cost typically associated with enterprise-level security management and delivers demonstrable results in the form of reporting and certification that client organizations can share with senior management and third parties, such as customers, business partners, and auditors.
The Cybertrust Risk Management Program is a comprehensive and cost-effective approach for reducing risk and addressing compliance pressures. It is delivered to client organizations on a subscription basis, allowing them to keep their security postures current and providing them the reliability of continuous and dynamic testing and evaluation. Cybertrust stays with its client organizations, facilitating maintenance, advising on new and emerging threats, and assisting in the ongoing management of information security over time.
Many organizations face the challenge of navigating complex information security compliance requirements in an increasingly risky technological landscape. Cybertrust provides tools and advisory services that allow its client organizations to establish a level of risk tolerance appropriate to the business model that is fully supportive of the internal control management required by Section 404 of Sarbanes-Oxley. Cybertrust clients benefit from an independent third-party validation of controls in place in the corporate computing environment, demonstrable evidence of a good faith effort to comply, and a fully-documented and defensible compliance position.
Cybertrust, Betrusted, TruSecure, and ICSA Labs are trademarks and registered trademarks of Cybertrust, Inc. Ubizen is a registered trademark of Ubizen NV. Cybertrust is a global provider of information security, providing a unique mix of products, processes, and people to enable enterprises and government agencies to secure and manage their IT infrastructure. With over 15 years of proven experience, Cybertrust is the first company to comprehensively address the entire security lifecycle by providing offerings for each of the four critical security domains: identity, threat, vulnerability, and compliance management. These offerings leverage Cybertrust's unmatched security knowledge and intelligence-gathering resources, which include ICSA Labs®, the global leader in information security product certification. Headquartered in Herndon, Virginia, USA with more than 30 offices around the globe, Cybertrust is the trusted advisor for information security to over 4,000 customers worldwide.