
IT Security and Sarbanes-Oxley Act - Term Paper Example

Summary
The "IT Security and Sarbanes-Oxley Act" paper argues that, despite the additional financial expenditures cited as a drawback of implementing the Sarbanes-Oxley Act 2002 in IT security, the gains accrued from it far outweigh the cost. …

Extract of sample "IT Security and Sarbanes-Oxley Act"

IT Security & Sarbanes-Oxley Act

I) Introduction

Also known as the Corporate and Auditing Accountability and Responsibility Act [in the House], and the Public Company Accounting Reform and Investor Protection Act [in the Senate], the Sarbanes-Oxley Act 2002 came into being following its enactment on July 30th, 2002. This law derives its name from its sponsors, the then United States Senator Paul Sarbanes and Representative Michael Garver Oxley. Because of this, the Act is sometimes informally referred to as SOX or Sarbox. The Sarbanes-Oxley Act of 2002 sought to set enhanced standards for all American public company management, boards and accounting firms. However, Sarbox also provides parameters and mechanics for enhancing IT security.

Thesis statement

The benefits of incorporating the provisions of the Sarbanes-Oxley Act of 2002 in IT security far outweigh the short-term gains of non-compliance, since the Act injects organizational transactions with security and confidentiality.

II) Brief overview/history of the Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002 was enacted on July 30th, 2002. Because of the original intention and the mandate of the Act, financial accuracy must be certified by the management concerned. Because of the provisions of the same Act, the penalties for financial fraud have been made more severe. Similarly, the Sarbanes-Oxley Act of 2002 strengthened the autonomy of external auditors who analyze and reexamine the accuracy of corporate statements of accounts, and also bolstered the oversight function of the board of directors. Simon, Smalley, and Schultz (2009) divulge that the Sarbanes-Oxley Act of 2002 comes against the backdrop of serious corporate and accounting scandals such as the Enron, Adelphia, Tyco International, WorldCom and Peregrine Systems scandals. These scandals had cost investors billions of dollars, following the collapse of the affected companies' share prices.
These scandals, together with their serious effects, weakened public confidence in America's securities markets. The Act comprises 11 sections which range from criminal penalties to additional corporate board responsibilities. The Sarbanes-Oxley Act of 2002 demands that the Securities and Exchange Commission implement rulings on prerequisites to compliance with the law.

III) How the Sarbanes-Oxley Act Affects & Constrains Information Technology Security (Industry & Management)

Section 404 Compliance

One of the ways the Sarbanes-Oxley Act of 2002 affects and constrains IT security through Section 404 compliance is by emphasizing a comprehensive understanding of internal controls, as a set of an enterprise's internal procedures providing reasonable assurance that the enterprise will meet its targets in all the specified areas. This is the case since Section 404 compliance extends emphasis not just to historical financial reporting, but to internal controls also. Together with the rules spelled out by the SEC, there is a requirement that public companies' management should assess and report periodically on the effectiveness of internal controls on financial reporting. To this effect, the report that the management hands in must be accompanied by statements of evaluation by an external auditor, to provide an attestation to the credibility and reliability of the conclusions that the management has made. According to SAI Global (2010), the portfolio that Information Technology Security Section provides also addresses matters beyond Sarbanes-Oxley, to tackle other auditing and legal dimensions of internal controls and the responsibilities that all actors discharge when executing systems of internal controls.
Even though the Sarbanes-Oxley Act of 2002 is narrower in scope than internal controls, the Portfolio acknowledges the tremendous impact of the legislation and studies a number of its provisions which force moderations on diverse aspects of internal controls. Again, through the provisions of Information Technology Security Section 404, the Portfolio is accommodated in the Accounting Policy and Practice Series, which through its comprehensive series of titles explains and offers commentaries on a broad range of finance and accounting management topics such as income taxes, revenue recognition, leasing, debt instruments, business combinations, internal controls and risk management. In summation, through the internal controls which Information Technology Security Section 404 supports, the Sarbanes-Oxley Act §404 and Beyond allows one to gain from: time-saving access to pertinent sections of regulations, court cases, tax laws and IRS documents; real-world and deeper analysis which enables one to explore different options; alternative approaches to unique and common tax scenarios; practice documents such as tables, lists and charts; and guidance from experts the world over.

IV) IT Security as it pertains to the Health Insurance Portability and Accountability Act (HIPAA) Compliance

The Sarbanes-Oxley Act 2002 has greatly influenced the execution of HIPAA compliance and IT operations. In the first place, the Sarbanes-Oxley Act 2002 has helped HIPAA carry out its primary mandate, which is to establish and strengthen the confidentiality and safety of all healthcare data and standardized mechanisms for electronic data interchange (EDI) security. Because of the provisions of IT operations and the introduction of the Sarbanes-Oxley Act 2002 into IT security, HIPAA has been able to carry out the stipulations of the HIPAA Act.
As the Act mandates, the Sarbanes-Oxley Act 2002 has strengthened standardized formats for all administrative, financial and patient health data, and specific identifier (ID) numbers for all healthcare entities, employers, healthcare providers, individuals and health plans. Importantly, the Sarbanes-Oxley Act 2002 has enforced and strengthened the observation of security mechanisms so as to ensure data integrity and confidentiality. To this effect, it is unlawful for a healthcare institution to release data belonging to a client or an individual patient to a third party. At the same time, through the provisions of the Sarbanes-Oxley Act 2002, HIPAA has been able to curtail the culture of falsification of statements of accounts by institutions providing healthcare services. Separately, the Sarbanes-Oxley Act 2002 has strengthened the need for Joint Commission Accreditation. The Joint Commission Accreditation determines that, at a minimum, a hospital must completely familiarize itself with current standards, and examine the processes, policies and procedures that relate to the stipulated standards, so as to improve on them.

V) IT Security as it pertains to the Payment Card Industry Data Security Standard (PCI DSS)

According to Wright (2011), through the ratification of the Sarbanes-Oxley Act 2002, the PCI DSS system became very strong and subject to reviews in the last 10 years. It is these reviews that have led to the emergence of newer regulations which have made PCI DSS payment systems more secure. Some of the regulations which have been newly crafted, passed and implemented include Basel II, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and the California State Bulletin 1386. In a separate vein, the Sarbanes-Oxley Act 2002 has strengthened the need to integrate PCI DSS systems with effective use of the Primary Account Number (PAN) to help store, process and transmit data or payment.
Because of this, merchants or dealers who carry out transactions are mandated to comply fully with PCI DSS standards. IT security and the Sarbanes-Oxley Act 2002 come in, in the sense that PCI DSS 1.2 has security requirements that apply to all system components that are connected to the PCI DSS cardholder data environment. In this light, it is clear that the system components are fully reliant upon the Act and that the Act in turn bolsters IT security. This standpoint is worthy of credence, given that the system components include: servers (web, authentication, database, proxy, mail, DNS and NTP); network components (switches, firewalls, routers, security appliances and network appliances); and all applications (external and internal, and purchased or custom applications) (Thomas and Stoddard, 2012).

The only drawback cited as relevant to the introduction of the Sarbanes-Oxley Act 2002 is the additional cost of compliance. This is also due to the fact that organizations have had to outsource services from dealers in the enterprise connectivity market, such as Open-Text Connectivity Solutions. This is because such arrangements have to cover a wide range of needs, such as: legacy application access; data-in-transit security; data integration and transformation; heterogeneous network data exchange; and high-end graphical Unix applications.

VI) Conclusion

However, despite the additional financial expenditures that are being cited as a drawback in the implementation of the Sarbanes-Oxley Act 2002 in IT security, the gains that are accrued from the same far outweigh the cost. The same is a radical and necessary step in the quest to alleviate fraud in the corporate and public sector. Moreover, the cost of non-compliance far outweighs the gains that would be incurred when one attempts to evade IT security measures.
Non-compliant organizations are normally exposed to heavy fines and penalties.

References

SAI Global. (2010). Sarbanes-Oxley Act and Healthcare Requirements Addressed: HIPAA / HITECH Compliance. New York: McGraw Hill.

Simon, M. L., Esq., Smalley, K., Esq., and Schultz, J. L., Esq. (2009). Internal Controls: Sarbanes-Oxley Act §404 and Beyond. New York: Wiley Press.

Thomas, M. T. & Stoddard, D. (2012). Network Security First. London/NY: CISCO Systems Inc.

Wright, S. (2011). PCI DSS: A Practical Guide to Implementing and Maintaining Compliance. Cambridge: IT Governance Publishing.