VoIP vs SOX 
  Topic: [Network Security] | Tags: security, telecom, SOX, consulting, Cobit, Audit, IAM, Security2.0 | Views (4225) | Comments (1) | 2006-05-30

These days many listed companies are busy with SOX (witness UT, which has already come to grief over its financial reporting and fallen straight from Asian star to its current state), many consulting firms are busy with SOX, and so many consultants are eagerly discussing SOX as well. Yet the IT internal-control regime that SOX requires still looks immature when judged on transparency of content, operability and objectivity. ITGI insists that COBIT is the control framework SOX needs, but there is still a layer between it and COSO. The Big Four now act as both referee and player, and go straight to sticking a "non-authoritative" label on the foreheads of eager local consultancies, which is unfair. Browsing the VoIPSA mailing list the other day, I came across an article by Gary Audin on the relationship between VoIP security and SOX; it opens by questioning the current practice of SOX IT internal controls and quietly predicts that the SOX IT internal controls may be redefined in the future. I have pasted the article below; at the end is a short comment I made at the time. Discussion is welcome.


Sarbanes-Oxley (SOX) is the reaction by the federal government to the financial misdeeds of organizations in the late 1990s continuing into this century. VoIP and IP Telephony systems that do not comply may be turned off by the auditors, or the enterprise may be in trouble with the federal government. The compliance issues should be covered in any future RFP and system procurement.

 

The SOX goal is to ensure the reliability of publicly reported financial information. Corporate boards, enterprise executives and directors, attorneys, auditors, small business owners, rank-and-file employees and security analysts have expanded duties as well as penalties as a result of the SOX act. The legislation was not thoroughly debated. The result is being questioned, delayed and will probably be modified. It is a moving target where auditors may develop new policies and requirements in the future. My initial comments on SOX will be found in the previous blog, "Putting up with SOX".

 

The concern for the VoIP/IP Telephony (IPT) implementers and operators is that they are being sold on the future of IPT, which is in the applications and the connection to IT servers. Those applications will have the potential to be connected to financial information systems.

 

Banks and insurance companies are even asking privately held companies about their internal security controls. This has been extended to not-for-profit organizations. Organizations that are covered by SOX probably must comply with other regulations such as HIPAA or Gramm-Leach-Bliley. An organization that is compliant with these other regulations is not thereby compliant with SOX.

 

Title III requires corporate accountability. There are three areas that will influence the IT department:

  • The CEO and CFO are the executives responsible for the internal controls. They must ensure that management receives accurate financial information.
  • The internal controls must be reviewed 90 days before the financial report.
  • The CEO and CFO must be informed of any significant changes to the internal controls.

This means the telecom manager will be viewed from the top down in the enterprise. The internal controls must be certified as defined in Section 404, which requires an annual internal control report. It will happen every year.

 

IP Telephony systems will have IP phones that may access the Internet and softphones that are compromised. These could be the man-in-the-middle for attacks or malicious behavior. The call server could be hijacked to create denial of service for the VoIP service. Trojan break-ins could access financial information from an IPT device. Even when there are security personnel and procedures in place, if they are handled poorly and the CEO and CFO falsely report that they are diligent in their control, penalties may occur.

 

Section 404 compliance is independent of the enterprise size, business processes and setup. There are several security policies that can be implemented to improve security for SOX compliance as it relates to the IP Telephony system. These policies cover many areas. The policies listed below appear to be of the most importance to the telecom environment:

 

  • Access control for regulating who has access to the hardware and software containing financial information.
  • Audit trails, that is, secure logging of the applications, operating system, etc., so that whoever accessed, modified or eliminated financial information is logged and available for analysis.
  • Integrity controls for data so that financial information cannot be modified by unauthorized individuals.
  • Data retention covers the requirements for storing the information and the communications that occur relating to this information.
  • Messaging security covers the requirements for transmission of e-mail and instant messaging that contains financial-related information.
  • Security assessments and audits means that there needs to be continuous testing for security vulnerabilities and exposures.
  • System monitoring that alerts the enterprise to security breaches.
  • User provisioning for adding and deleting users.
  • Wireless network security for the network when the wireless network is connected to the network that has access to the financial information.

Do not wait for the audit. The results can be costly. Be proactive as you move to VoIP/IPT. I will look at the impact on the enterprise of compliance requirements in a future blog.
----------------------------------------

<My comment on VoIP and SOX> IMHO, because SOX is a financially oriented act, if VoIP/IPT is not your business, i.e. a revenue generator, you might not cover VoIP auditing in your SOX compliance audit, because in general these systems are not used to process and control those financial numbers. However, it is different for VoIP operators, where the security control of VoIP billing directly impacts the final financial results and, moreover, the shareholders' benefit.


Comments:

  huangmin  2006-06-08 commented

A far-sighted analysis. A few days ago I saw a report that the US government is considering amending SOX. The report is linked below:

Sarbanes-Oxley costs too high; US government considers amending the regulations
http://tech.sina.com.cn/it/2006-05-15/1439937637.shtml