Jacket-X Corporation, having been listed on the New York Stock Exchange (NYSE), is responsible for ensuring that it complies with the rules and regulations of the Sarbanes-Oxley Act (SOX). Even though compliance and this responsibility appear to divert resources meant for operations toward auditing and monitoring, they are crucial to the good progress of Jacket-X. Since the corporation is highly interconnected, it is important to protect the fidelity of its information and to ensure that it remains a sound resource in the current information-based economy.
Compliance is very important when it comes to shielding a company against malfeasance, a phenomenon that has led to the loss of public trust in many companies. Jacket-X Corporation is not exempt from this emerging disaster. For Jacket-X to regain the public's trust, it will have to demonstrate financial transparency to its shareholders as well as to its customers and the general public.
With the plan to implement a reporting system, Jacket-X will be in the best position to assign compliance-related duties only to its employees and to follow up on each employee's respective area of duty. This will call for thorough scrutiny of the technical environment during the auditing process. Based on Westby's (2004) understanding, there are several fragile areas in the technical environment that have to be addressed. These include possible threats to and vulnerabilities of the enterprise network, and the security measures that can be put in place to address them.
Threat and Vulnerability Analysis
It is evident that the current system faces several threats and is, to some extent, vulnerable with respect to SOX requirements. The physical access restriction is itself a vulnerability, since it imposes restrictions that are unnecessary. In Microsoft's (2011) view, insisting that even an employee who already has access to a particular room obtain further permission from the network is overly strict. In addition, bestowing all the power to grant and to deny access upon one individual is a threat; such powers should be given to a group of individuals to avoid discrimination. In this system, only the network administrator is authorized to grant or deny an individual entry into the networking room.
The critical access restriction is a serious threat to the progress of Jacket-X Corporation, and it also contains internal contradictions. System-critical processes such as web filter management and antivirus updating, among others, can only be handled by a selected group of senior network administrators and not by all stakeholders. This contradicts the principle that every individual is entitled to at least one system-critical process (Adler, 2006); in other words, each individual is directly responsible for one such system. Assigning responsibility for a system to an individual while, on the other hand, using a combined master login neutralizes the main security objective of this arrangement. It is a threat because there is no well-defined way of choosing the personnel who are to be responsible.
The system allows developers to make changes directly in the production environment, including the IT system (Adler, 2006). It is quite risky to permit developers to carry out changes into and out of the Jacket-X environment on their own. People have personal interests, and these can influence the kind of changes they make, some of which may not be beneficial to the corporation. It has been shown that deleting the accounts of employees who quit the company is never safe and secure, even when it is done with the approval of the manager of the affected group and the departmental head. Yet this system proposes the termination of the accounts of employees who leave Jacket-X.
Recommended Measures to Solve the Security Threats
Preventing these security threats is not an easy task, and several ways of handling it have been proposed. First and foremost, preparing Jacket-X Corporation's financial statements and reports should involve both the chief information officer (CIO) and the chief financial officer (CFO). This should cover areas such as the IT compliance process, the implementation of financial controls and the review of those controls. Under such measures, the CIO and the CFO each have distinct roles to carry out in this process.
Developing an agreement with the relevant authorities during the compliance process is another way to ensure that security threats are avoided. All sections of Jacket-X Corporation have to comply with the SOX statutes, which means that each department has a crucial role to play in the process. According to Adler (2006), collaborating with management when creating rules, and ensuring that these rules are applied in a top-down manner, are among the ways of preventing security threats. Involving personnel from both management and departmental staff is a better remedy. Lastly, making these rules available to employees in good time will help solve the problem.
The right choice of a visible system is also likely to help, and that choice can be made on the basis of the need for immediacy and relevance. Providing weekly reports to both management and departmental heads is an effective measure for controlling the emergence of security threats in the process. These reports should specifically address accounting and operations issues (Spinello, 2003). These risks are avoidable when employees are allowed to view, without restriction, the database containing accounting and operations information that details their privileges. Management should also be encouraged to go through the proactive metrics for accounting and general operations and, if need be, give their opinions.
In rolling out the implementation plan for the compliance system, the option with the highest level of flexibility should be given first priority. In the case of Jacket-X, setting a specific date for rolling out the solution to management, departmental staff and heads, and all employees, after its revision and testing by the IT section, is very effective (Microsoft, 2011). It is well known that automation is an important tool in the process of management identification, although only if it is applied wisely and judiciously. There are three ways in which automation can be done. The first involves subjecting the process to thorough automation to help cut the cost of production at Jacket-X Corporation. Spinello (2003) asserts that one should also keep such a process in a manual form to prevent any form of interference in the event of a disruption.
Out-of-Band Server Infrastructure: In order to ensure security in access to information, the restriction and use of a combined master login password should be replaced with limits on users' ability to access the firm's out-of-band infrastructure. This security measure would ensure that those using the cyberspace either incorrectly or maliciously cannot damage the server (Microsoft, 2011). The service limits physical access to the server by using a serial port and a terminal concentrator with security features, instead of the combined password that has often been used.
Well-Defined Service Processors: Security in the cyberspace implementation would also be ensured through the use of service processors with well-designed security features, as opposed to restricting critical access points. Often, internal and critical access restrictions hardly work in the implementation of cyberspace security for organizations (Adler, 2006). Jacket-X is not exempt from this, as the internal contradictions that such a measure poses to the organization have revealed. Therefore, by setting up a service processor, access to the various network interfaces would be secured, because a service processor with a well-designed security implementation will only allow secure access to facilities and not otherwise (Spinello, 2003).
Independent Network to Manage Traffic: During the implementation, it would be appropriate to consider installing an independent network specifically designed to manage traffic within the system. Microsoft (2005) asserts that the termination of employee accounts and allowing developers to make direct changes to the system have been cited among the security threats. Such cases can easily be resolved by having a separate network dedicated to managing traffic, whose main aim is to add support to the system and thus offer firm security. Moreover, it would only allow known secure management stations to access such a network, thus keeping off intruders, preventing intrusion by private developers, and preventing the destruction and termination of employees' accounts (Microsoft, 2011). At the same time, implementing a separate network dedicated to managing traffic would mean that the network has no access to the internet and only allows trusted users, thereby protecting it from cyberspace crime (Adler, 2006).
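As an added example that is not part of the original essay, the following Python script turns the threats identified in the analysis above (combined master login, developers changing production directly, accounts of departed employees, critical processes without a single responsible individual) and the out-of-band and independent-network recommendations into automated access-review checks. All records, the terminal-concentrator log format and the field names are constructed assumptions, not a real system's schema.

```python
"""Added access-review example for the Jacket-X findings above (constructed sample data; field names are assumptions)."""
# Constructed employee directory (user -> status) and account inventory.
EMPLOYEES = {"alice": "active", "bob": "active", "carol": "terminated"}
ACCOUNTS = [  # 'shared' marks a combined master login; 'write' lists writable environments
    {"user": "alice", "role": "senior_netadmin", "write": {"production"}, "shared": False},
    {"user": "bob", "role": "developer", "write": {"development", "production"}, "shared": False},
    {"user": "carol", "role": "developer", "write": {"development"}, "shared": False},
    {"user": "netadmin_master", "role": "senior_netadmin", "write": {"production"}, "shared": True},
]
# Constructed ownership table: system-critical process -> responsible individuals.
CRITICAL_PROCESS_OWNERS = {"web_filter_management": ["alice", "bob"], "antivirus_updating": [], "backup_rotation": ["alice"]}
# Constructed allowlist of management stations permitted on the out-of-band (OOB) network,
# and constructed terminal-concentrator log lines in key=value form.
MANAGEMENT_STATIONS = {"10.0.99.10", "10.0.99.11"}
OOB_LOG = [
    "ts=2011-06-01T09:12:00 user=alice src=10.0.99.10 action=login",
    "ts=2011-06-01T09:40:17 user=bob src=192.168.5.23 action=login",
    "ts=2011-06-01T10:02:45 user=netadmin_master src=10.0.99.11 action=login",
]

def review_accounts(accounts, employees):
    """Shared master logins, developer write access to production, and accounts of departed staff."""
    findings = []
    for acct in accounts:
        if acct["shared"]:
            findings.append(f"shared master login in use: {acct['user']}")
        if acct["role"] == "developer" and "production" in acct["write"]:
            findings.append(f"developer can change production directly: {acct['user']}")
        if employees.get(acct["user"]) == "terminated":
            findings.append(f"account still active for terminated employee: {acct['user']}")
    return findings

def review_ownership(owners):
    """Every system-critical process needs exactly one named responsible individual."""
    return [f"{proc} has {len(names)} owners, expected exactly one"
            for proc, names in owners.items() if len(names) != 1]

def review_oob_access(log_lines, stations):
    """Flag OOB sessions that did not originate from an allowlisted management station."""
    findings = []
    for line in log_lines:
        fields = dict(token.split("=", 1) for token in line.split())
        if fields.get("src") not in stations:
            findings.append(f"OOB login from non-management station {fields.get('src')} by {fields.get('user')}")
    return findings

if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, EMPLOYEES) + review_ownership(CRITICAL_PROCESS_OWNERS) + review_oob_access(OOB_LOG, MANAGEMENT_STATIONS):
        print("FINDING:", f)
```

Run against real exports, the same three checks give the weekly report to management and departmental heads a concrete, repeatable content.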
Enact Appropriate Measures to Ensure the Continuity of Compliance: SOX requires all businesses to comply with the expected standards so as to eliminate fraud and malfeasance. According to Westby (2004), attaining such capacity requires a system that incorporates compliance measures into day-to-day operations, often perceived as an interconnected system. Such a system would coordinate departments, evaluate security measures, examine privacy measures, document efforts, and manage information (Optical Image Technology Inc, 2011).
In summary, compliance with SOX in cyberspace requires not only an independent main control but also an interconnected networked system that meets the cyber security requirements. In doing so, instances of cyber fraud and crime would be greatly reduced, both within the departments and across the entire business. Adopting appropriate practices with regard to cyberspace and security would naturally sustain continued compliance within an organization.