18 Oct 04 -- Ben Bradley, managing director of GrowingCo, Inc.,
recently sat down with Mike Gutknecht, Network Engineer, Brent
Leland, Director of Business Information Technology, and Rick Dempsey,
CIO of Rayovac, to discuss the impact of Sarbanes-Oxley on IT processes,
myths about ROI justification and the unanticipated benefit of Sarbanes-Oxley
on IT budgets.
Rayovac Corporation is a global consumer products company with a
diverse portfolio of world-class brands, including Rayovac, Remington
and VARTA. The Company holds many leading market positions including:
the world's leader in hearing aid batteries and the number one selling
brand of men's and women's foil electric razors in North America.
Rayovac markets its products in more than 100 countries and trades
on the New York Stock Exchange under the ROV symbol.
BRADLEY: What is Sarbanes Oxley?
DEMPSEY: Section 404 of Sarbanes Oxley (SOX) says that firms listed
on U.S. stock markets must provide annual disclosures and quarterly
updates to shareholders on the effectiveness of their internal controls.
The executive office must see the details behind reported financial
information and must know in real time of any changes to business
performance. In other words, if you aren’t secure, your controls
are not effective.
BRADLEY: Let’s start with some background on the
problem. What was life like before Sarbanes Oxley?
LELAND: Prior to SOX, we behaved very much like every other company.
We were proactive on some issues, reactive on others – such
as security patches and vulnerabilities. If Microsoft issued a security
bulletin, we would review the bulletin, then patch the systems that
required patching.
GUTKNECHT: Every IT guy in the world has an ideal picture of how
systems should work for a given organization. Then, from that picture,
you work backwards into budgets and other realities. Hiring a technical
security expert was part of the “ideal” picture, but
historically, was not valued by the business. With the advent of
Sarbanes-Oxley, the focus on network and system security has increased
and allowed Rayovac to come closer to realizing that picture. We
have recently added a position that focuses on our system and network
security from a technical perspective.
BRADLEY: How do you define a significant security event?
LELAND: Public release of sensitive information, disclosure of
financial data, system failure, anything that would impact P&L,
release of customer information, vandalism of the website, anything
that has PR value.
BRADLEY: How do you define a vulnerability?
LELAND: Good question. For us, at first vulnerabilities were network
attacks, poor patch management, corrupt data, etc. But with SOX,
we discovered a new vulnerability – not being able to demonstrate
the effectiveness of our controls.
BRADLEY: What did you do when you first learned about SOX?
LELAND: When SOX was first announced, internally we went through
an informal audit to identify all our controls (which controls were
most important? Which controls will be impacted and which need to
improve?). The problem was, at the time, we didn’t know the scope
of our own vulnerabilities and our CFO didn’t have time to
pore over binders full of reports.
LELAND: To solve this problem, we identified an automated vulnerability
assessment vendor, Beyond-IP (www.beyond-ip.com) and asked them
to show us our vulnerabilities. They ran more than 2000 vulnerability
tests and gave us a report that detailed every single vulnerability
that they identified.
When you pick a VA vendor, you put tremendous faith in that vendor
and their abilities. Beyond-IP, the North American distributor for
Beyond Security, LTD, was an obvious choice. The solution they offer
is backed by Securiteam.com, a large security portal, so we knew
the service would be fast, timely and thorough – all critical
since we’re talking about vulnerabilities.
DEMPSEY: We showed a 1 page summary report to the CFO and money
became available. What the vulnerability assessment, the vulnerability
tests and SOX did was focus us on how things should be done. The
unanticipated benefit was that we were given the resources to improve
our controls and network security. Corporate took it very seriously.
It forced us to look inward at our processes and ask ourselves the
question, “are our controls as good as they should be?”
BRADLEY: Were they?
DEMPSEY: Controls and processes can always be improved. The Sarbanes-Oxley
effort focused our attention on this continual improvement.
BRADLEY: How did you measure the financial impact of security
vulnerabilities?
DEMPSEY: Attaching a price to pay for securing your network is like
purchasing insurance. The degree to which you invest in this insurance
reflects your tolerance for risk. The Sarbanes-Oxley legislation
has had an effect on Rayovac to lower its tolerance for risk
and increase our spend to ensure a secure environment.
BRADLEY: How often do you now scan for vulnerabilities?
GUTKNECHT: Before SOX, we’d do a scan every 18 months. We
now have the ability to scan at any time. Regular VA scans are like
having sonar on our own network. We always know what is going on
around us.
LELAND: One of the unanticipated benefits of this network sonar
is that we now know what devices are running on the network. We
get an instant alert if someone, for example, sets up an unsecured
rogue wireless network. For compliance purposes, we can now generate
a monthly report that indicates what changes have taken place in
the network topology over a specific interval, and accurately certify
exactly what devices are on the network at a specific time.
DEMPSEY: We have a better idea about the scope of our vulnerabilities
which means we can assign an owner to fix each vulnerability. If
you know you have a problem and you know the scope of the problem,
it is much easier to fix the problem. With the right data, we can
also manage the vulnerabilities over time.
BRADLEY: So how do you prioritize vulnerabilities?
LELAND: We don’t. We prioritize our remediation process.
We use a combination of processes and tools that impact how we prioritize
remediating vulnerabilities. First is a “H, M, L” (high,
medium, low) vulnerability rating. This rating is assigned by our
primary vulnerability assessment vendor. We also look at the SANS
Top 20 list of vulnerabilities (http://www.sans.org/top20/#threats)
and a variety of other sources. We combine the severity of the vulnerability,
the perceived likelihood of attack, and the importance of the system
to be patched to develop a metric. This metric drives the prioritization
of our remediation effort.
BRADLEY: Have you done enough to prepare for SOX?
DEMPSEY: Only time will tell. Everything will be borne out by case
law in the next 5-10 years, so it will be a while before we know
if we’ve done too much or not enough. I do know that, each
month, I can say how many vulnerabilities we have, the severity
of each vulnerability, the importance of the specific server that
has the vulnerability and the general likelihood of the attack on
that vulnerability.
Most important, I can clearly demonstrate that I am addressing
my vulnerabilities over time. The goal, as I see it, is to demonstrate
that our systems are tight and that we are proactively managing
risk over time. We’re doing that.
BRADLEY: What is the most difficult thing about network
security?
LELAND: If you want to connect to the rest of the world, you can
truly never be 100% secure. Accept it.
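The remediation metric Leland describes (vendor H/M/L severity, combined with the perceived likelihood of attack and the importance of the affected system) and the monthly per-severity count Dempsey says he can report are simple enough to show in code. The following is an added example written for this page; it is not Rayovac's tooling, not the Beyond-IP/Beyond Security product, and the numeric weights for each rating, the sample host names and the sample findings are all constructed assumptions. Findings that disappear between scan months are treated as remediated, which is what makes the month-over-month trend demonstrable.

```python
"""Remediation prioritisation and monthly trend, as an illustration of the
interview's approach. Weights and sample data are assumptions, not Rayovac's.
"""
from dataclasses import dataclass

# Assumed weights. The interview gives only the vendor's H/M/L rating and
# names the other two factors; the numbers here are illustrative.
SEVERITY = {"H": 3, "M": 2, "L": 1}
LIKELIHOOD = {"high": 3, "medium": 2, "low": 1}
IMPORTANCE = {"critical": 3, "important": 2, "minor": 1}


@dataclass(frozen=True)
class Finding:
    month: str        # scan month that reported it, "YYYY-MM"
    host: str         # affected system (constructed names below)
    title: str        # short description from the scan report
    severity: str     # vendor rating: H, M or L
    likelihood: str   # perceived likelihood of attack: high, medium, low
    importance: str   # importance of the system: critical, important, minor


def score(f):
    """Single metric: severity x likelihood x system importance.

    A product, not a sum, so that a high-severity, likely attack against a
    critical host outranks any finding that is only extreme on one axis.
    Unknown ratings are rejected rather than silently scored as zero, which
    would quietly drop a finding to the bottom of the remediation list.
    """
    try:
        return SEVERITY[f.severity] * LIKELIHOOD[f.likelihood] * IMPORTANCE[f.importance]
    except KeyError as bad:
        raise ValueError(f"unknown rating {bad} on {f.host}: {f.title}") from None


def remediation_order(findings, month):
    """Findings from one scan month, highest metric first.

    Ties are broken by host and title so two runs over the same report
    produce the same order, which matters when the list is the audit record.
    """
    return sorted((f for f in findings if f.month == month),
                  key=lambda f: (-score(f), f.host, f.title))


def severity_counts(findings, month):
    """How many H, M and L findings were open in a given scan month."""
    counts = {"H": 0, "M": 0, "L": 0}
    for f in findings:
        if f.month == month:
            if f.severity not in counts:
                raise ValueError(f"unknown severity {f.severity!r} on {f.host}")
            counts[f.severity] += 1
    return counts


def trend(findings):
    """Per-month severity counts, oldest month first, for the monthly report."""
    return {m: severity_counts(findings, m) for m in sorted({f.month for f in findings})}


# Constructed sample: two scan months. The database patch finding present in
# September is absent in October, i.e. it was remediated; the rest remain.
SAMPLE_FINDINGS = [
    Finding("2004-09", "erp-db01", "missing OS security patch", "H", "high", "critical"),
    Finding("2004-09", "www01", "outdated web server", "H", "high", "important"),
    Finding("2004-09", "lab-ap", "rogue wireless access point", "M", "high", "minor"),
    Finding("2004-09", "print01", "default SNMP community string", "M", "medium", "minor"),
    Finding("2004-09", "hr-file01", "weak share permissions", "L", "low", "important"),
    Finding("2004-10", "www01", "outdated web server", "H", "high", "important"),
    Finding("2004-10", "lab-ap", "rogue wireless access point", "M", "high", "minor"),
    Finding("2004-10", "print01", "default SNMP community string", "M", "medium", "minor"),
    Finding("2004-10", "hr-file01", "weak share permissions", "L", "low", "important"),
]


if __name__ == "__main__":
    for f in remediation_order(SAMPLE_FINDINGS, "2004-09"):
        print(f"{score(f):3d}  {f.severity}  {f.host:<10} {f.title}")
    for month, counts in trend(SAMPLE_FINDINGS).items():
        print(month, counts)
```

Running the block lists September's findings with the critical ERP database host first, then prints the H/M/L counts for each month; the drop in high-severity findings from September to October is the kind of "addressing my vulnerabilities over time" evidence the interview refers to. The weights are the part a practitioner would want to argue about: a product of small integers is easy to explain to a CFO, but it compresses the range, so two findings with very different real-world exposure can land on the same score and fall back to the alphabetical tie-break.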
Ben Bradley is the founder of GrowingCo, Inc -- (see www.growingco.com),
a provider and facilitator of peer-driven intelligence, interactions
and insight. He can be reached at ben@growingco.com.