Sarbanes-Oxley - a huge boon to information security in the US

Few pieces of legislation have affected so much so quickly and profoundly as the SarbaneseOxley (often abbreviated ‘‘SoX’’) Act of 2003. Triggered by accounting scandals such as Enron’s several years ago, SoX has many provisions, some of the most important of which require management of publicly traded companies to establish and maintain ‘‘an adequate internal control structure and procedures for financial reporting’’ as well as to provide an assessment of the effectiveness of the structure and procedures that have been established. As expected, accounting and legal firms have flourished as a result of SoX going into effect. Reports of large accounting firms searching desperately for additional SoX-qualified professionals have frequently made the news, especially recently because the compliance deadline date is rapidly approaching. What many, myself included, did not initially realize, however, was just how much SoX would impact the information security arena. It is easy to understand how this Act would tap the knowledge and expertise of the audit community in which internal control is the central focus and well-established IT governance methodologies such as CoBIT are widely used. The relationship of SoX to the information security arena is not, however, quite as intuitive. For years information security professionals have struggled to vault their information security practices into positions of prominence and influence, ones that have strategic value to their organization. We’ve all tried a variety of approaches, some (such as establishing and using metrics as the basis of establishing value to an organization’s business) of which have worked considerably better than others. All things considered, however, it would be difficult to claim