Click here to close now.


Agile Computing Authors: Pat Romanski, David Dodd, Brian Daleiden, Dana Gardner, Harry Trott

Related Topics: Cloud Security

News Feed Item

Cyber Security Industry Alliance Issues Findings from Summit on Sarbanes-Oxley and IT Security

Most Stakeholders Not Looking for More Official Guidance on IT Security

ARLINGTON, Va., Aug. 15 /PRNewswire/ -- Cyber Security Industry Alliance (CSIA), the only public policy and advocacy group dedicated exclusively to cyber security, today released a report that summarizes key findings and conclusions from a conference held to discuss the adequacy of guidance given on IT security in Sarbanes-Oxley. Today's announcement follows a Sarbanes- Oxley compliance initiative that began in 2004 with a CSIA report outlining the implications of Section 404 for information security.

Attendees at IT Security and Sarbanes-Oxley Compliance: A Roundtable Dialogue of Lessons Learned, addressed whether the statutory and administrative materials governing Section 404 provide enough guidance on IT security to enable management and auditors to carry out their compliance obligations.

"The conference proceedings and subsequent announcements from the Securities and Exchange Commission (SEC) indicate that additional detailed guidance on information technology and security controls under Section 404 is neither desired by corporate management nor likely to be forthcoming from regulators, who have expressed a preference for relying on management's discretion and judgment in establishing IT controls rather than providing specific audit control lists," said Paul Kurtz, executive director of CSIA. "Against this backdrop, many auditors, legal counsel and management plan to rely on generally agreed upon frameworks for IT security, such as COBIT and ISO 17799. Regardless of how management decides to specifically address information security, the one thing that remains clear is that it must be considered an important part of overall compliance."

Sponsored by CSIA, George Mason University School of Law's Critical Infrastructure Protection Program (GMU), The Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA) and the Information Systems Security Association (ISSA), the conference brought together experts representing each of the key stakeholder communities involved in Section 404 compliance. Corporate management, audit and accounting, legal counsel and IT security officers and professionals made up four panels that discussed experiences and lessons learned in addressing IT security issues relating to Section 404 and whether or not more official guidance is needed.

The report highlights five lessons learned from the first round of compliance efforts that include:

* Steep learning curve inevitable regardless of adequacy of IT guidelines The heated political climate that led to the passage of Sarbanes-Oxley, combined with the bright spotlight directed at corporate leaders with each new revelation of scandal, mismanagement or fraud, virtually assured that the first round of compliance was going to entail a steep learning curve, regardless of the level of guidance provided. * IT security is not a CEO priority The relationship between IT and compliance under Section 404 has not been well understood by senior management and therefore, not given personal priority attention. This is because Congress has been silent on the issue of IT and CEOs listen and act on what Congress says. Also, the relationship between the concept of "internal controls," an accounting concept, and the role of IT security is not well recognized by corporate leaders. * Deference to auditors by management and legal counsel Section 404 under Sarbanes-Oxley is designed to hold management and auditors separately accountable; however, both management and legal counsel tend to defer to auditors in terms of interpreting and implementing Section 404. * Augmentation of COSO framework required Section 404 states that a company's internal controls must be based on "a suitable, recognized control framework established by a body of experts that followed due-process procedures," and specifies the COSO framework, published by the Treadway Commission's Committee of Sponsoring Organizations, as suitable. However, the COSO framework alone provides insufficient guidance, and some say it is too broad and not sufficiently focused on financial controls. Some auditors and IT professionals refer to the standard set forth in the Control Objectives for Information and related Technology (COBIT), developed by ISACA's IT Governance Institute. * Existing control processes and procedures affect Sarbanes-Oxley compliance activities Companies with already established and implemented internal controls throughout their organization have an easier time meeting Section 404 compliance obligations. Those without solid internal controls are confronted with a more complicated compliance process.

The report concludes that management and legal counsel representatives generally opposed additional IT governance and security guidance from the Public Company Accounting Oversight Board (PCAOB), as it was seen as unnecessary, unhelpful and unwanted. However, representatives from public accounting firms were in favor of additional PCAOB guidance and many panelists were in favor of formal recognition by the PCAOB of COBIT.

Representatives were unanimous in the view that stakeholder communities do not communicate with one another effectively on IT governance and security, as they all speak in terms and language unique to their profession. They also agreed that a common lexicon and framework is needed to ensure all stakeholders share a common understanding of each other's roles and responsibilities in the Section 404 compliance process.

To obtain a copy of today's CSIA report, "IT Security and Sarbanes-Oxley Compliance: Conference Summary of Findings and Conclusions," please visit

About the Cyber Security Industry Alliance

CSIA is the only advocacy group dedicated exclusively to enhancing global cyber security through public policy, education, awareness and technology. The organization is led by CEOs from the world's top security providers, who offer the technical expertise, depth and focus to encourage a better understanding of cyber security issues. It is the belief of the CSIA that a comprehensive approach to ensuring the security, integrity and availability of global information systems is fundamental to national and economic stability. To learn more about the CSIA, please visit our Web site at or call +1-703-894-2742.

Members of the CSIA include BindView Corp. ; Check Point Software Technologies Ltd. ; Citadel Security Software Inc. ; Citrix Systems, Inc. ; Computer Associates International, Inc. ; Entrust, Inc. ; Internet Security Systems Inc. ; iPass Inc. ; Juniper Networks, Inc. ; McAfee, Inc. ; PGP Corporation; Qualys, Inc.; RSA Security Inc. ; Secure Computing Corporation , Surety, Inc.; Symantec Corporation and TechGuard Security, LLC.

Cyber Security Industry Alliance

CONTACT: Stacy Simpson of the Merritt Group, +1-703-390-1528, or
[email protected], for the Cyber Security Industry Alliance

Web site:

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

@ThingsExpo Stories
Continuous processes around the development and deployment of applications are both impacted by -- and a benefit to -- the Internet of Things trend. To help better understand the relationship between DevOps and a plethora of new end-devices and data please welcome Gary Gruver, consultant, author and a former IT executive who has led many large-scale IT transformation projects, and John Jeremiah, Technology Evangelist at Hewlett Packard Enterprise (HPE), on Twitter at @j_jeremiah. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.
With all the incredible momentum behind the Internet of Things (IoT) industry, it is easy to forget that not a single CEO wakes up and wonders if “my IoT is broken.” What they wonder is if they are making the right decisions to do all they can to increase revenue, decrease costs, and improve customer experience – effectively the same challenges they have always had in growing their business. The exciting thing about the IoT industry is now these decisions can be better, faster, and smarter. Now all corporate assets – people, objects, and spaces – can share information about themselves and thei...
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound effect on the world, and what should we expect to see over the next couple of years.
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true change and transformation possible.
The cloud. Like a comic book superhero, there seems to be no problem it can’t fix or cost it can’t slash. Yet making the transition is not always easy and production environments are still largely on premise. Taking some practical and sensible steps to reduce risk can also help provide a basis for a successful cloud transition. A plethora of surveys from the likes of IDG and Gartner show that more than 70 percent of enterprises have deployed at least one or more cloud application or workload. Yet a closer inspection at the data reveals less than half of these cloud projects involve production...
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem" in this scenario: microservice A (releases daily) depends on a couple of additions to backend B (re...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, wil...
PubNub has announced the release of BLOCKS, a set of customizable microservices that give developers a simple way to add code and deploy features for realtime apps.PubNub BLOCKS executes business logic directly on the data streaming through PubNub’s network without splitting it off to an intermediary server controlled by the customer. This revolutionary approach streamlines app development, reduces endpoint-to-endpoint latency, and allows apps to better leverage the enormous scalability of PubNub’s Data Stream Network.
Apps and devices shouldn't stop working when there's limited or no network connectivity. Learn how to bring data stored in a cloud database to the edge of the network (and back again) whenever an Internet connection is available. In his session at 17th Cloud Expo, Ben Perlmutter, a Sales Engineer with IBM Cloudant, demonstrated techniques for replicating cloud databases with devices in order to build offline-first mobile or Internet of Things (IoT) apps that can provide a better, faster user experience, both offline and online. The focus of this talk was on IBM Cloudant, Apache CouchDB, and ...
Container technology is shaping the future of DevOps and it’s also changing the way organizations think about application development. With the rise of mobile applications in the enterprise, businesses are abandoning year-long development cycles and embracing technologies that enable rapid development and continuous deployment of apps. In his session at DevOps Summit, Kurt Collins, Developer Evangelist at, examined how Docker has evolved into a highly effective tool for application delivery by allowing increasingly popular Mobile Backend-as-a-Service (mBaaS) platforms to quickly crea...
I recently attended and was a speaker at the 4th International Internet of @ThingsExpo at the Santa Clara Convention Center. I also had the opportunity to attend this event last year and I wrote a blog from that show talking about how the “Enterprise Impact of IoT” was a key theme of last year’s show. I was curious to see if the same theme would still resonate 365 days later and what, if any, changes I would see in the content presented.
Cloud computing delivers on-demand resources that provide businesses with flexibility and cost-savings. The challenge in moving workloads to the cloud has been the cost and complexity of ensuring the initial and ongoing security and regulatory (PCI, HIPAA, FFIEC) compliance across private and public clouds. Manual security compliance is slow, prone to human error, and represents over 50% of the cost of managing cloud applications. Determining how to automate cloud security compliance is critical to maintaining positive ROI. Raxak Protect is an automated security compliance SaaS platform and ma...
Internet of @ThingsExpo, taking place June 7-9, 2016 at Javits Center, New York City and Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 18th International @CloudExpo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo New York Call for Papers is now open.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound cha...
We are rapidly moving to a brave new world of interconnected smart homes, cars, offices and factories known as the Internet of Things (IoT). Sensors and monitoring devices will touch every part of our lives. Let's take a closer look at the Internet of Things. The Internet of Things is a worldwide network of objects and devices connected to the Internet. They are electronics, sensors, software and more. These objects connect to the Internet and can be controlled remotely via apps and programs. Because they can be accessed via the Internet, these devices create a tremendous opportunity to inte...
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi’s VP Business Development and Engineering, explored the IoT cloud-based platform technologies driving this change including privacy controls, data transparency and integration of real time context with p...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data shows "less than 10 percent of IoT developers are making enough to support a reasonably sized team....
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.