DE-CODER: Sarbox gives security a nudge

Business usually recoils at government meddling, but federal laws and regulations, especially the Sarbanes-Oxley Act, may actually be helping information security efforts. Sarbanes-Oxley was enacted in 2002 to curb corporate wrongdoing in the wake of a number of business scandals. Today, it appears to be paying dividends for information security practices.

Sarbanes-Oxley is a top-of-mind issue for information security experts. For instance, a survey by security vendor RedSiren found two-thirds of computer security professionals believe compliance with Sarbox and other federal regulations has made their networks more secure, even though 62 percent of the more than 300 surveyed say they’re spending more time complying with those regulations.

Little wonder, then, that experts predict a rise in security spending this year. They also predict that security attacks over the Internet will increase.

That’s why organizations such as Geisinger Health System, a Pennsylvania health care provider, are always on guard against security attacks and stress safe computing practices to their employees. At the same time, Geisinger must comply with the mandates of the Health Insurance Portability and Accountability Act, which the government passed in 1996 to help safeguard patients’ health information.

Jaime Chanaga, Geisinger’s chief information security officer, says HIPAA is “one of the ingredients” that has helped boost security efforts in his company and industry.

Robert Charette, a senior consultant at Cutter Consortium who directs its enterprise risk management and governance advisory service, sees more IT dollars going to security, along with business continuity management and IT operational risk issues. As many public companies deal with Sarbox, he adds, the law “will continue to cast a shadow on IT spending, as new systems will [be needed] to comply with its requirements.”

Part of the issue, Charette continues, is that with Sarbanes-Oxley, a company must make sure that its transactions are secure. “They have to because if you can’t show that your transactions are secure, then your financials are suspect,” he says.

In a recent report, CIO 2.0, The Changing Role of the Chief Information Officer, Deloitte Consulting says regulatory compliance is becoming more complicated, especially with matters related to business information. However, Deloitte says IT should look beyond compliance for opportunities to better leverage security and risk management “into better, more efficient operations, stronger brands and enhanced revenues.”