prevents the destruction of records.
And then, since going public last February, Sarbanes-Oxley compliance has been at the forefront of my life for a year and a half, and will continue to be so. The first year we spent a lot of time working to determine where we were and what we needed to do to remediate, so that we could get in line with Sarbanes-Oxley controls and the [Control Objectives for Information and related Technology] standards, which we use as our general computing-controls framework. The past four to five months, we have been working to solidify the behavior change that comes with new and updated controls and policies. It is a lot of working with people and with the IT group to make sure we are always doing everything consistently and following process.
Prior to SOX, we had a simple policy for change control. When we made a change to a production system, we had a way of documenting it. But in reviewing the procedure, we found that it wasn’t controlled enough and it didn’t provide necessary evidence. So we built in some new workflows and modified the policy and procedure.
I think the biggest behavior change has been to get people to make sure we all do it every single time and to make sure that there is evidence of testing and of approval. Not just, “We did the test,” but showing we did the test, proving it through a written essay about how you did it or documentation in the log files. If we don’t have documentation and it becomes part of the sample set of testing, we fail the test, and that’s a big deal.
There have been other things that have changed, such as keeping trails of evidence for everything we do. A lot of us used to keep materials in e-mail. An incident would happen on a system and the person on call would send an e-mail about resolution. Most of us would drop e-mails into a folder or delete them after the problem was resolved. But it’s very hard to pull evidence out of e-mail. So there’s been a big change to have a more formalized process for tracking all of the things that we do. It’s not that we weren’t doing the tasks before, but our evidence trails were informal and casual, and the evidence wasn’t always in one location.
I have responsibility for SOX and other controls as they relate to IT — ensuring controls, policies and procedures are in place, acceptable and working. Therefore, it falls under my responsibility to make sure that we’re doing it.
It’s the control of everything. The regulations state we must be in control of everything, but technology moves fast and many times the convenience and “cool” factor of technology outpace the control and security aspect. This is why I worry about mobile devices. If a firm allows personal handheld devices to be used, there are many security implications. If you have a firm-supplied BlackBerry, we control just about every aspect of the device. If you bring in a personal Treo, I can connect you into our corporate e-mail system, but there are lots of things outside of e-mail that you can do that we cannot control or see.
We used to issue all BlackBerry devices. Today, it’s still majority firm-provided BlackBerries, but there are other devices allowed in now. A few years ago, it looked like it would be a big benefit in terms of cost savings to the firm to not pay for corporate devices, because if you look just at cost and not at risk considerations, those devices are very expensive. Now we are in discussions about whether we want to go back to having devices that we have control over.
We have policies in place to protect our data and mobile devices, and we enforce these policies on all mobile devices, whether it’s firm-provided or your own. There are also risks associated with not being able to log IM or non-corporate e-mail and risks of multiplatform viruses and malware. The key is trying to figure out where and what the risks are in terms of both compliance and security. What would the cost be to the firm if there was a breach in security, a virus, or somebody took data from the firm?
We also have written policies and procedures in regards to personal IM and non-corporate e-mail. It’s very clear that nobody is to do firm business under an e-mail or IM account or service that we can’t log or archive. However, I think regulators really want the firms to be able to control it through technology.
I don’t think you can control everything with technology. Every day I hear about new ways to get around controls. We can control a certain percentage, and we rely on our security providers to be able to block things and be up-to-date on the new security issues. But I don’t know that you’ll ever have a way to block everyone from doing everything. Technology is the support and enforcement to the policy, procedure and training.
How do you deal with the need for employees to be able to collaborate with one another vs. the need to provide effective identity management, to make sure they’re not seeing data they shouldn’t be seeing?
One of the projects we started this year is a firmwide data-classification project. Even though we have data security and processes in place, we did not have classification tags on pieces of data, such as “confidential” or “public.” This project is a manual process of working with the individual business owners to examine the information they use and segregate classified and confidential information.
Another subject of discussion is user provisioning. Currently we have a very manual process which makes evidence for SOX challenging. The firm is a midsize corporation, and we find ourselves with big-company challenges but not big-com-