February 5, 2007

By David Stern

With the holiday season fading into the horizon, a new and more powerful theme has become pervasive in my daily activities: the auditors are upon us. The “pre-audit” crew from E&Y has departed and has been replaced by the SOX crew from BDO. At the same time, VISA PCI issues are at the forefront of my project list. Since all good things happen in threes, the TJX intrusion disclosure has shown up like the uninvited second cousin at holiday dinner. This convergence of events gave me the impetus to examine my own feelings on mandated audits.

The infamous Enron tragedy was a terrible blight on the history of business. Tens of thousands of people have been forced into financial turmoil. The US economy was already reeling from the effects of 9/11, and this scandal compounded that tenfold.
Not only did the investigation cost millions of dollars, but the resulting legislation has cost billions more. I truly believe that in the first years after SOX was enacted, IT innovation was stunted, with management focused on CYA instead of investment in new technology.

VISA PCI regulations came about as a result of forward thinking and not the result of a scandal. For both online and brick-and-mortar retailers, these requirements are seen as unnecessary distractions that consume more of an already hard-won profit margin.

The prevailing attitude towards SOX and VISA PCI audit standards is one of disdain. Management sees the requirement as undue burden, and IT staffers and application developers see them as obstacles. I disagree.

My organization was forced into purchasing an expensive and complex ID provisioning system to correlate accounts across many different platforms. The investment in money and time was huge, but so are the benefits. We have cleaned up and removed thousands of dormant accounts across critical systems. To get this result, we had to identify those critical systems, identify the stakeholders, and learn where our most sensitive data resides. We forced the HR and Accounting units to break dangerous habits and enforce separation of duties. The greatest result of SOX has been the cultural understanding that someone is watching and someone will hold stakeholders responsible for their activities.
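The three checks the paragraph above describes (correlating one person's accounts across systems, finding dormant or orphaned accounts, and catching separation-of-duties conflicts) are mechanical enough to script. The example below is added here and is not code from the author's organization or from any provisioning product; the account exports, the HR roster, the 90-day idle threshold and the "create vendor / approve payment" toxic role pair are all constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample exports (hypothetical): one record per account per system.
# last_login is an ISO date string, or None if the account has never logged in.
ACCOUNTS = [
    {"system": "erp", "user": "jdoe",   "last_login": "2007-01-20", "roles": ["ap_create_vendor"]},
    {"system": "erp", "user": "asmith", "last_login": "2006-06-01", "roles": ["ap_approve_payment"]},
    {"system": "hr",  "user": "jdoe",   "last_login": "2007-01-15", "roles": ["hr_view"]},
    {"system": "ad",  "user": "jdoe",   "last_login": "2007-01-30", "roles": []},
    {"system": "ad",  "user": "asmith", "last_login": "2006-05-28", "roles": []},
    {"system": "ad",  "user": "bjones", "last_login": "2006-11-01", "roles": []},
    {"system": "erp", "user": "bjones", "last_login": None,
     "roles": ["ap_create_vendor", "ap_approve_payment"]},
]

# Constructed HR roster of currently employed people (asmith has been terminated).
HR_ACTIVE = {"jdoe", "bjones"}

# Assumed toxic combinations: holding both roles lets one person create a
# vendor and approve payments to it, which is the classic SoD violation.
TOXIC_PAIRS = [frozenset({"ap_create_vendor", "ap_approve_payment"})]


def correlate(accounts):
    """Group every account record under the person it belongs to."""
    by_user = {}
    for acct in accounts:
        by_user.setdefault(acct["user"], []).append(acct)
    return by_user


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Return (system, user) pairs idle longer than the threshold or never used."""
    cutoff = as_of - timedelta(days=max_idle_days)
    found = []
    for acct in accounts:
        last = acct["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            found.append((acct["system"], acct["user"]))
    return found


def orphaned_users(accounts, hr_active):
    """Users who still hold accounts but no longer appear on the HR roster."""
    return sorted(set(correlate(accounts)) - set(hr_active))


def sod_conflicts(accounts, toxic_pairs):
    """Users whose roles, unioned across all systems, contain a toxic pair.

    The union matters: one role in the ERP and the other in a second system
    is just as dangerous as both in one place, and a per-system review misses it.
    """
    conflicts = []
    for user, accts in correlate(accounts).items():
        held = set()
        for acct in accts:
            held.update(acct["roles"])
        for pair in toxic_pairs:
            if pair <= held:
                conflicts.append((user, tuple(sorted(pair))))
    return sorted(conflicts)


if __name__ == "__main__":
    today = date(2007, 2, 5)
    print("dormant:", dormant_accounts(ACCOUNTS, today))
    print("orphaned:", orphaned_users(ACCOUNTS, HR_ACTIVE))
    print("sod conflicts:", sod_conflicts(ACCOUNTS, TOXIC_PAIRS))
```

The point of the correlation step is the same one the paragraph makes about knowing your stakeholders: without a single identity joining "jdoe in AD" to "jdoe in the ERP", a terminated employee's stray account in one system and a role combination split across two systems are both invisible to a per-system review.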

VISA PCI requirements have forced the traditional old-line application developers, who have always churned out custom code to support the retail operation, to embrace mainstream programming practices and version control. End-to-end encryption to protect credit card numbers, checking account information, and personal profiles for club cards is now mandatory. Firewalls and access controls must now be implemented to protect this data as it travels across wireless infrastructure. Unlike SOX, non-compliance with PCI standards results in immediate fines and the suspension of credit processing: a direct hit to the bottom line.

The TJX fiasco is just another in a long line of data thefts that happen in retail, government, academia, and banking. Political conservatives decry these regulations as an undue burden upon business. As an information security insider, I can tell you that without regulation, today’s skin-tight budgets would have forced the same information security initiatives onto the chopping block. Without them, the flood of private information into the hands of evildoers can never stop.

About the Author Guest Blogger
