Sarbanes-Oxley – Regulating the Security Industry
In order to reform American business practices, the “Public Company Accounting Oversight Board” was created to regulate auditing professionals. The law has been revised since 2002, the year it was first passed. Regardless of changes, it is still the responsibility of companies to remain compliant with its requirements.
Specific portions of the law address changes made to existing records. Section 404 (S404) spreadsheets must be maintained, and version control should comply with the intent of the law. Because changes have to be documented, evaluated and signed off for the purposes of the law, it is critical that any company required to conform to it makes sure the law is thoroughly understood.
Each company that responds to this need is, in essence, reinventing the wheel. It is far more effective to hire a company that not only understands this important regulation but does so for more than one company. Such a company gains a level of expertise that would be far more difficult for any single company to achieve.
Since the intent of the law is to prohibit fraudulent earnings reports, there is an added benefit to having a third party handle the details of compliance. Such a third-party company, in this case Nexigen, offers a reputation for understanding compliance that speaks well of the companies using its services. As is considered optimum, we use the standard most commonly associated with Sarbanes-Oxley: the Internal Control Framework released in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This provides the framework for compliance at all levels.
ISO Certification Compliance
It is unlikely that any business can state with certainty that it will never work with companies located outside of the United States. If the possibility exists, it would be beneficial to comply with ISO certification as soon as possible. ISO 9000 and 9001 are quality standards which, together with the methods of meeting them, define a level of quality that allows all interested parties to communicate and do business with each other effectively. They provide a level of expectation that allows each company to have confidence in the business relationship.
Should your company wish to consider the benefits of ISO Certification Compliance, Nexigen is able to provide an explanation of what is entailed as well as a plan to prepare for independent confirmation which is required for such certification. While effort and expense are involved, the rewards are considerable for those companies interested in doing business internationally. It also results in a more efficient and effective business environment which means improved operation and profits.
Two areas of concern with respect to ISO Certification Compliance have to do with business continuity and disaster recovery. This is part of the reason Nexigen is able to assist with a company’s wish to seek ISO Certification. Everything that is done as part of this certification process results in a company that is able to respond to problems and the market more effectively.
The Securities and Exchange Commission is interested in the behavior of investment companies. Each company is required to conform to the requirements of the law by identifying an individual who coordinates the company’s efforts to comply with SEC regulations. Federal securities laws are designed to protect investors who place their trust in companies that make investments on their behalf.
Whether it is email archiving, Write-Once-Read-Many (“WORM”) technology, other electronic communication, requirements for registering with the SEC, encryption standards or other needs specific to SEC compliance, Nexigen has the expertise necessary to ensure your company’s compliance.
General Security Certification Compliance
There are several components to general compliance. Each is critically important because each represents a way for those wishing to do harm to your company to acquire unauthorized access to your network.
Mobile devices are ubiquitous. It is the rare person who does not own some kind of mobile phone. Many have the ability to access the Internet and, thus, your company network. There are rules to follow to reduce this risk, including: requiring the use of specific devices on which protective measures can be applied effectively; requiring encryption and authentication; providing a 24-hour contact for reporting a problem; controlling which apps may be installed; maintaining firewall policies; using intrusion deterrence programs and anti-virus software; and controlling the use of Bluetooth devices.
Your company should invest in the capacity to remotely wipe any device that has had access to the network in the event of an emergency. A device can be disabled and any information completely destroyed with the right program in place. Again, a 24-hour line should be available so a breach of security can be reported immediately. Even then, SD cards and other forms of storage might contain company critical information. A policy that prohibits saving company information to these cards will be effective.
Nobody likes changing passwords or having a complicated password, but it is necessary to help secure the company network. Passwords should require a mixture of character types and they should be changed frequently. These are two effective methods for making passwords a powerful protection tool. Nexigen can work with your company to create an effective policy.
Technology changes. Hackers have nothing better to do with their time than devise ways to cause harm. They don’t take vacations and they don’t take it easy. They do, however, take advantage of companies that do. That is why systems and security audits are crucial to maintaining vigilance. This is the cost of doing business even if – no, especially if – you’re a small or mid-market enterprise.
Nexigen takes this responsibility seriously. They care as much about your company as they do their own. That is why they make sure audits are thorough and frequent. Only by keeping a constant eye on your network can you feel confident that everything is being done to keep it safe.
Your company has an obligation to provide the access your employees need to do their jobs, but you must exert complete control over that access. That is your right. We will work with you to establish a set of protocols that ensure network security by making sure that those attempting to access the network are those you expect.
IT Policy Creation and Enforcement
You need rules. If you go to the trouble of creating network rules, it is only reasonable to enforce them. There are several reasons these rules are necessary.
Your employees are human beings. What used to be time spent at the water cooler or in the break room or hallway is now often spent on the Internet. A quick check of a personal email account for an important message, a phone call, or a chat can all spell trouble for a network. A lunch time spent at an employee’s desk can pose a serious problem if the employee decides to do some personal research. These are all innocent uses of the network, but they expose that network to risk.
While it is possible to ask employees who engage in this kind of activity to refrain, that is largely ineffectual because it is still possible for something unintended to cause a problem. It is better to be proactive and utilize advanced content filtering techniques to monitor Internet access in order to maintain network integrity.
Email, social media, chat services and even the telephone pose some level of threat. It is better to have a policy in place as well as software protections that will allow your employees to become part of the solution instead of the problem. Nexigen can help you employ the best software and develop policies that will help your employees comply.
It is almost impossible to do too much when it comes to security. There are many proven techniques that will help your company maintain a secure yet flexible environment that will allow work to be done with a minimum of risk. That is how Nexigen can help.