The end of the year was busy for me and my team. Already swamped with Sarbanes-Oxley audit activities and end-of-year project deadlines, even more security work came our way after a new round of layoffs.
Over the last couple of months of the year, I had to spend almost all my time with our third-party SOX auditors, poring over the year's records on various security-related things we're supposed to be doing. For the most part, we have been pretty good about keeping up with our SOX obligations, despite numerous challenges and competing priorities that I've written about over the course of this year.
But I have to ask myself what value our shareholders really get out of SOX. The controls don't seem to have much to do with protecting the accuracy of our financial reports, which is what SOX is supposed to be all about. A huge amount of work is generated by the nitpicky SOX process, which sucks up resources needed by both me and my organization, and those outside auditors sure aren't cheap. So, what's the return? Based on our experience, I have to imagine that SOX is costing American companies millions (or maybe billions) of dollars that could be going into more productive endeavors. My colleagues at other companies seem to think the same thing. Some go so far as to say that SOX is a waste of time. Personally, I think there is some value in having oversight into security processes, but I can't help wondering what the return on investment is.
OK, rant over.
While most of my time was being taken up by SOX matters, other business projects didn't seem to slow down at all. I've been working long hours just trying to keep the backlog down, but new projects keep cropping up. It's the end of the year, and it seems as if everybody is rushing to meet deadlines. Some of these projects are pretty big too, and they need serious security review. In some cases, we're signing up with outside services and websites for software-as-a-service applications, and some of those applications would handle financial or other confidential information. In every case, I want to do a thorough review of the vendor's security posture. And I try to drive all applications to our Active Directory for user authentication, which can be a challenge. So I have a professional stake in staying ahead of these projects. But my staff has become practically nonexistent, so it's nearly impossible to keep up.
The layoffs that hit us during this time not only decimated our staff resources, but also highlighted some security holes to add to my to-do list. For example, it turns out that if employees set up an Exchange email forwarding rule, it continues to function even after their account is disabled. That means their email continues to get forwarded to their personal webmail account after they're no longer here. And my Exchange administrator tells me there's no way to find and shut down those rules without opening each mailbox individually, by hand. On top of that, our Windows desktops and laptops all have a built-in administrator account that gives full access, and the password hasn't been changed in years. I got our desktop team to take care of that by setting a group policy to change the password. I found several other holes as well, but staying on top of that while doing everything else seems impossible. And after the layoffs, there's not going to be any budget for hiring additional staff in 2012.
I generally like to end the year on a positive note. But that just seems to keep getting more difficult every year.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.