Recent financial scandals prompted lawmakers to enact the Sarbanes-Oxley legislation, which is intended to help ensure the accuracy and integrity of corporate financial data. Companies working toward Sarbanes-Oxley compliance are required to have adequate security measures in place for the purpose of protecting this data from tampering by unauthorized personnel. Chances are you're facing an imminent SOX compliance audit, and SecureAware can help you.
The first step in developing a solid information security program is to clearly define the ground rules - the business policies and procedures that will govern your security infrastructure. Those policies should be written in plain language and conform to industry standards to ensure they are complete and easy to follow. For many IT professionals, this can be a daunting task and is often overlooked. The result is typically a random assortment of ad hoc security measures thrown in place without a cohesive plan.
While it is important to have the requisite protections in place, such as anti-virus, firewalls, etc., it is more effective if those countermeasures are aligned with business objectives. SecureAware is based on the comprehensive ISO/IEC 27002 information security management standard, and it will help you develop and organize your living security policy document in a structured, methodical approach.
Most auditors will use an industry standard (published "best practices" document) such as ISO/IEC 27001, 27002, and CobiT as a reference, and your policy will be the first thing they look at. After examining your policies and procedures, the auditor will ask you to prove that you practice what you preach. You will have to provide evidence of the control measures in place that conform with, and enforce, your policies. For this reason, your policies should be carefully examined one by one to ensure that they are realistic and meet the specific requirements of your business. With each step of the audit, the information gathered will be more and more granular and technical in nature, but step one will be your overall infosec policy.
SecureAware is a powerful information security intranet that provides the cohesive framework and content required for creating, communicating and managing your information security program. It can instantly create a comprehensive policy in conformance with internationally recognized standards and make it accessible to all employees via web browser. Unlike text-based solutions, SecureAware uses a database of policy "objects" that can be selected or deselected to form your customized policy. This approach makes it much easier to track changes and automatically update policy awareness programs.
Another requirement of the SOX legislation is regular security awareness training for all employees. The reason for this is that humans are most often the cause of serious security breaches. People are the weakest part of the security process, and they need constant reminding of threats that could ultimately compromise data integrity. Most security products can be rendered useless by the actions of a single employee who didn't know better.
Security awareness training can be a large undertaking in itself, but SecureAware makes it simple. Integration between the SecureAware Survey, Education and Policy modules eliminates duplication of effort. An effective awareness program, based on your specific policies and procedures, can be generated with a couple of mouse clicks. Employees are trained and tested on all aspects of your policy as well as general security concepts, and the reported results can be used to determine overall security posture.
Sarbanes-Oxley is not an event; it's a law, and laws must be obeyed at all times. The most efficient way to do that is by incorporating it into the everyday business process and automating the specific activities required for compliance. Security and policy awareness must be a continual process in order to maximize the effectiveness of the security infrastructure and ensure the integrity of your business.
Neupart, an ISO 27001 certified company, provides an all-in-one IT GRC solution allowing organizations to automate IT Governance, Risk and Compliance management. Whether you need to manage evolving business risks or achieve continuous compliance with PCI DSS, ISO 27001, Sarbanes-Oxley, CSA, ENISA or WLA SCS, Neupart allows you to respond effectively, in the cloud or on the ground. More than 300 organizations worldwide are Neupart customers, including governments, utilities, banks and insurance firms, IT service providers and lotteries.