Best Practices for Wireless Network Security and Sarbanes-Oxley Compliance

White Paper




 










 



 



 What you need to know
The objective of this white paper is to provide an overall understanding of the impact of wireless network security on Sarbanes-Oxley compliance. An important component of any effective system of internal controls is maintaining systems that ensure the confidentiality and integrity of corporate, financial and customer data. This white paper will explore what security challenges wireless networks present, suggest best practices to ensure Wireless LAN security, and demonstrate how AirDefense Enterprise, a Wireless Intrusion Detection and Prevention System, can help you define, monitor and enforce your wireless security policy. By adequately protecting the wireless infrastructure, organizations can demonstrate effective internal control over protection of confidential data and ultimately ensure Sarbanes-Oxley compliance.





On July 30, 2002, the Sarbanes-Oxley (SOX) Act of 2002 was signed into federal law, largely in response to accounting scandals, such as Enron, MCI WorldCom, Tyco, etc. The stated purpose of this act is "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the security laws." It applies to all US companies that must report to the Securities Exchange Commission (SEC). The SOX Act consists of 11 titles, covering new responsibilities and reporting requirements, all designed to renew investors' trust and understanding of financial reporting. The two most relevant sections for this discussion are:
Section 302 - Corporate Responsibility for Financial Reporting Section 302 is probably the best known section. It requires the CEO and CFO to certify that they have reviewed the financial reports, the information is complete and accurate, and effective disclosure controls and procedures are in place to ensure material information is made known to them.
Section 404 - Management Assessment of Internal Controls Section 404 is a new section. It has three basic requirements: 1. Management must establish effective internal controls for accurate and complete reporting. 2. Annual assessment by management of the effectiveness of internal controls supported by documented evidence. 3. Validation of management's assessment by a registered public accounting firm.
All public US companies, with a market capitalization of more than $75 million, must comply for fiscal year ending on or after November 15, 2004. All other public US companies will have to comply for fiscal year ending on or after April 15, 2005.
  !!!!
While SOX Section 404 does not specifically discuss IT and security requirements, the reality is that most financial reporting systems are heavily dependent on technology. The burden falls on the CIO and IT department to establish effective internal control over the IT infrastructure that supports the financial reporting process. At the same time the IT Governance Institute recognizes that "There is no need to re-invent the wheel ... and many organizations will be able to tailor their existing IT control processes to 1comply with the provisions of the Sarbanes-Oxley Act." The intent of section 404 is to build a strong internal control program, which also includes the IT department, and enhance overall IT governance. Sound practices include corporate-wide information security policies and enforced implementation of those policies for employees at all levels. Information security policies should govern network security, access controls, authentication, encryption, logging, monitoring and alerting, pre-planned coordinated incident response, and forensics. These components ensure information integr... [download for more]