WHITEHORSE TECHNOLOGY SOLUTIONS LLC

The Traps Of The Information Security Policy

New times ask for new attitudes. The internet has helped us in many ways, but that doesn't mean it hasn't brought some hard times with it too. Companies around the world have benefited from the various advantages of quick data transfer. On the other hand, an information security policy was strongly required in order to keep things under control. Many have said that this policy shouldn't exist, as it only makes things harder for companies, but there are a lot of external threats out there that could put all your infrastructure at risk. Communication, although so necessary, is the first thing that can be damaged or hacked. This is why a common information security policy had to be set up.

In the corporate world, financial information created, stored and transmitted electronically is maintained and controlled by the IT department via the information security policy's procedures and practices. The Sarbanes-Oxley Act (or, in short, SOX) regulates the system of communication in each company. All U.S. companies, foreign ones that enter the American market, and privately held companies with public debt are obliged to comply with it. Without an information security policy the company's business communication can be compromised; this is the reason such strong regulations had to be imposed.

The ones ultimately responsible for complying with the Sarbanes-Oxley Act are the Chief Executive Officer and the Chief Financial Officer; they have to guarantee that all practices are sound and that the internal control over financial reporting is indeed effective. Among those practices, information security policy compliance is mandatory and should be implemented at all levels. Indeed, the regulation states that the information security policy governs many aspects, such as network security, access control, logging and so on. All these aspects provide the required environment for the integrity of the information and the retention of the data, thus making possible IT audits, but also business continuity.

The truth is that when you make the changes required to ensure SOX compliance you'll have to go all the way, as it affects almost all areas of a company. Actually, Gartner research called this information security policy "the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression." Of course, nowadays it is only normal for companies to manage data electronically, from storage to transmission and maintenance. It becomes more than obvious that each IT department is directly responsible for ensuring that the information security policy is implemented and respected at all levels required. Actually, here is the full list of the levels that must be governed by the information security policy: network security, access controls, authentication, encryption, logging, monitoring and alerting, pre-planning coordinated incident response and, lastly, forensics. This is indeed a very long list, but companies have to keep up and respect the full regulation if they don't want to face the consequences.

If they want to prove that they have been respecting the information security policy, companies must be able to show that a full review of the financial reports has been done, that the information is complete and that effective disclosure controls and procedures work as required in order to be sure that the information about the company is made known.

There are also a lot of requirements to meet at the simple communication level within the company, making the information security policy pretty hard to deal with if you are not used to it. The best thing you could do is to get professional advice, at least at the start, in order to make sure everything is in its place.


Copyright 2007 © Whitehorse Technology Solutions LLC. All rights reserved.
