Information Security Forum Warns That The Cost Of Sarbanes-Oxley Compliance Is At The Expense Of Other Security Spending

11 July 2005: A new report published by the Information Security Forum (ISF) warns that the cost of complying with the Sarbanes-Oxley legislation is diverting spending away from addressing other security threats. The global not-for-profit organisation with over 260 Members including half of the Fortune 100, says that many of its members expect to spend more than $10m on information security controls for Sarbanes-Oxley. The business imperative to comply also means that in many cases the true cost of compliance is unknown.

With increasing concerns about compliance, the new ISF report provides a high-level overview of the Sarbanes-Oxley Act 2002 and examines how information security is affected by the requirement to comply. The report provides practical guidance to address problematic areas in the compliance process. According to the ISF, these

problem areas include poor documentation, informal controls and use of spreadsheets, lack of clarity when dealing with outsource providers and insufficient understanding of the internal workings of large business applications.

What’s more the Act ignores important security areas that are extremely important when dealing with risks to information, such as business continuity and disaster recovery. This makes it important to integrate compliance into an overall IT security and corporate governance strategy.

“In the wake of financial scandals like Enron and WorldCom, the Sarbanes-Oxley Act was designed to improve corporate governance and accountability but has proved difficult to interpret for information security professionals,” says Andy Jones, ISF Consultant. “As neither the legislation nor the official guidance specifically mentions the words “information security’, the impact on security policy and the security controls that need to be put into place must be determined by each individual organisation in the context of their business.”

“Additionally, for organisations whose business is not primarily financial for example, manufacturing or product-service industries, the diversion of information security attention from other risk areas to Sarbanes-Oxley compliance may lead to important business risks being neglected.”

“It is important that Sarbanes-Oxley does not push organisations into following a compliance-based approach rather than a risk-based approach that may compromise information security. The ISF report helps companies to achieve compliance while also ensuring that they have the appropriate security controls in place.”

The full Sarbanes-Oxley report is one of the latest additions to the ISF library of over 200 research reports that are available free of charge to ISF Members.

The Information Security Forum (ISF) was founded in 1989 and is a not-for-profit international association of over 260 global leading organisations which fund and co-operate in the development of practical, business driven solutions to information security and risk management problems. The ISF undertakes a leading-edge research programme, and has invested more than US$75 million over the past sixteen years in providing best practice material for its members.

For more information about the ISF and a list of members, visit www.securityforum.org.