Best Practices for Wireless Network Security and Sarbanes-Oxley Compliance

By: AirDefense
Published: Apr 05, 2006
Length: 9
Type: White Paper
Overview:

An important component of any effective system of internal controls is maintaining systems that ensure the confidentiality and integrity of corporate, financial and customer data.

This white paper will explore what security challenges wireless networks present, suggest best practices to ensure Wireless LAN security, and demonstrate how AirDefense Enterprise, a Wireless Intrusion Detection and Prevention System, can help you define, monitor and enforce your wireless security policy.

By adequately protecting the wireless infrastructure, organizations can demonstrate effective internal control over protection of confidential data and ultimately ensure Sarbanes-Oxley compliance.

Related Categories: Best Practices, Compliance, Intrusion Detection, Intrusion Prevention, Sarbanes Oxley Compliance, Security Policies, WLAN, Wireless Security
On July 30, 2002, the Sarbanes-Oxley (SOX) Act of 2002 was signed into federal law, largely in response to the accounting scandals at Enron, MCI WorldCom, Tyco and others. The stated purpose of the act is "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws." It applies to all US companies that must report to the Securities and Exchange Commission (SEC).
The SOX Act consists of 11 titles, covering new responsibilities and reporting requirements, all designed to renew investors' trust and understanding of financial reporting. The two most relevant sections for this discussion are:
Section 302: Corporate Responsibility for Financial Reporting
Section 302 is probably the best known section. It requires the CEO and CFO to certify that they have reviewed the financial reports, the information is complete and accurate, and effective disclosure controls and procedures are in place to ensure material information is made known to them.
Section 404: Management Assessment of Internal Controls
Section 404 is a new section. It has three basic requirements:
1. Management must establish effective internal controls for accurate and complete reporting.
2. Annual assessment by management of the effectiveness of internal controls supported by documented evidence.
3. Validation of management's assessment by a registered public accounting firm.
All public US companies with a market capitalization of more than $75 million must comply for fiscal years ending on or after November 15, 2004. All other public US companies will have to comply for fiscal years ending on or after April 15, 2005 (a deadline the SEC subsequently deferred several times).
While SOX Section 404 does not specifically discuss IT and security requirements, the reality is that most financial reporting systems are heavily dependent on technology. The burden falls on the CIO and IT department to establish effective internal control over the IT infrastructure that supports the financial reporting process.
At the same time the IT Governance Institute recognizes that "There is no need to re-invent the wheel ... and many organizations will be able to tailor their existing IT control processes to comply with the provisions of the Sarbanes-Oxley Act." The intent of section 404 is to build a strong internal control program, which also includes the IT department, and enhance overall IT governance.
Sound practices include corporate-wide information security policies and enforced implementation of those policies for employees at all levels. Information security policies should govern network security, access controls, authentication, encryption, logging, monitoring and alerting, pre-planned and coordinated incident response, and forensics. These components ensure information integrity and data retention while enabling IT audits and business continuity. As wireless technology explodes in popularity, it presents a new challenge to IT security, especially as it relates to maintaining the confidentiality and integrity of data:
First, the air is a shared medium and lacks the physical control of its wired counterpart. Any device with a radio within range, inside or outside the building, can passively receive every frame sent on a channel, without associating to the network and without leaving any trace on the wired side. Sensitive information transmitted between wireless devices can be intercepted and disclosed if it is not protected by strong encryption. WEP does not qualify as strong encryption, since its keys can be recovered from captured traffic; WPA2 (IEEE 802.11i) with AES-CCMP should be the baseline.
Second, businesses are steadily integrating wireless technology into their wired networks, and a connection through the wireless network can bypass traditional wired-side security entirely. Rogue or insecure access points can compromise network security, making them popular targets for attackers. Even if an organization has no sanctioned wireless LAN, Wi-Fi-enabled laptops and PDAs can open back doors into the corporate network (a laptop that bridges its wireless interface to its wired port is enough) and render existing security measures useless. The wired network can be protected by physical and logical barriers. Physical barriers limit corporate network access to employees within the confines of the building. Logical barriers are traditional controls such as firewalls and VPNs, which sit at the network edge and never see traffic that enters through an access point plugged into the internal LAN. Wireless technology presents a whole new challenge, as the signals bleed through the walls and into the parking lot.
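The two challenges above are exactly what a wireless intrusion detection system is meant to catch: sanctioned access points running weak encryption, unknown access points impersonating a corporate SSID (an "evil twin"), and unsanctioned access points that may be bridged into the wired network. The following is an added example, not code from the white paper or from AirDefense Enterprise, of how a simple policy check over scan results works. The scan records, the CSV layout, and the policy (the AUTHORIZED_APS table, the CORP- naming prefix, and WPA2 as the only accepted encryption) are all constructed assumptions for illustration.

```python
"""Classify observed Wi-Fi access points against an assumed wireless security policy.

Added example. The scan records and the policy below are constructed for
illustration; they are not real data and not the product's own logic.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed scan output (not real data): one observed access point per row.
# "privacy" is the security type the AP advertises in its beacons: OPN, WEP, WPA, WPA2.
SCAN_CSV = """bssid,essid,channel,privacy
00:11:22:33:44:01,CORP-WLAN,6,WPA2
00:11:22:33:44:02,CORP-WLAN,11,WPA2
00:11:22:33:44:03,CORP-GUEST,1,WPA2
00:11:22:33:44:04,CORP-LEGACY,1,WEP
aa:bb:cc:dd:ee:01,CORP-WLAN,6,WPA2
aa:bb:cc:dd:ee:02,linksys,6,OPN
aa:bb:cc:dd:ee:03,CORP-FINANCE,11,WEP
"""

# Assumed example policy: sanctioned APs keyed by BSSID, the SSID each must
# advertise, and the only encryption the policy accepts (WEP and open fail).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
    "00:11:22:33:44:03": "CORP-GUEST",
    "00:11:22:33:44:04": "CORP-LEGACY",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())
CORPORATE_PREFIX = "CORP-"
STRONG_PRIVACY = {"WPA2"}


@dataclass(frozen=True)
class Finding:
    bssid: str
    essid: str
    channel: int
    privacy: str
    verdict: str  # authorized | weak-crypto | evil-twin | rogue
    reason: str


def parse_scan(text):
    """Parse the constructed CSV scan format into (bssid, essid, channel, privacy) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((r["bssid"].strip().lower(), r["essid"].strip(),
                     int(r["channel"]), r["privacy"].strip().upper()))
    return rows


def classify(bssid, essid, channel, privacy):
    """Apply the policy to one observed AP and return a Finding."""
    expected = AUTHORIZED_APS.get(bssid)
    if expected is not None:
        # Known hardware: check it advertises the right SSID with acceptable crypto.
        if essid != expected:
            return Finding(bssid, essid, channel, privacy, "rogue",
                           f"sanctioned BSSID advertising {essid!r} instead of {expected!r}")
        if privacy not in STRONG_PRIVACY:
            return Finding(bssid, essid, channel, privacy, "weak-crypto",
                           f"sanctioned AP uses {privacy}; traffic is exposed on the air")
        return Finding(bssid, essid, channel, privacy, "authorized", "matches policy")
    # Unknown hardware advertising a sanctioned SSID: clients may auto-join it.
    if essid in CORPORATE_SSIDS:
        return Finding(bssid, essid, channel, privacy, "evil-twin",
                       "unknown BSSID impersonates a sanctioned SSID")
    # Unknown hardware with corporate naming: likely an employee-installed AP.
    if essid.startswith(CORPORATE_PREFIX):
        return Finding(bssid, essid, channel, privacy, "rogue",
                       f"unsanctioned AP with corporate naming ({privacy}); check for a wired uplink")
    return Finding(bssid, essid, channel, privacy, "rogue",
                   f"unsanctioned AP ({privacy}); check for a wired uplink")


def audit(text):
    """Run the policy over every record in a scan and return the findings in scan order."""
    return [classify(*row) for row in parse_scan(text)]


def summarize(findings):
    """Count findings per verdict, e.g. {'authorized': 3, 'rogue': 2}."""
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    for f in audit(SCAN_CSV):
        print(f"{f.verdict:11} {f.bssid} ch{f.channel:<3} {f.privacy:5} {f.essid:13} {f.reason}")
```

Two caveats a practitioner should keep in mind. A BSSID allowlist is only a first filter: a MAC address is trivially spoofed, so an attacker who clones a sanctioned BSSID and SSID will be classified as authorized by this check alone, which is why a production WIDS also correlates signal strength, sensor location and behaviour over time. And a "rogue" verdict says nothing yet about whether the device is actually bridged into the wired network; that requires a follow-up check, such as locating the AP's MAC on a switch port, before it is treated as a breach of the wired perimeter.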