Blogger: Diana Kelley
Remember when Enron and WorldCom were melting down? When the venerable Sarbanes and Oxley came up with their now infamous bill? As an IT security professional did you have any inkling that these events would forever change our IT lives? Few of us did – until section 404 became woven into the fabric of most security professionals' lives.
SOX was meant to protect investors by providing them with real numbers in the annual report. Numbers that could be used by investors to realistically assess the health and financial projections of the corporations they were investing in. For IT folks it became an exercise in access control, logging, firewall, and identity management. Few would support the assertion that Enron, Andersen, or WorldCom fell because their IT systems were not being managed properly – because a firewall wasn’t configured properly or a mail server went down. While some of the misdeeds associated with what happened could have been preserved by IT mechanisms (forced email archiving, for example) – the bottom line is that if CEOs and CFOs are feeding bad data into the books and then forcing deletion of the real records, there’s not a lot the IT departments can do about that.
Well, here it is, the end of 2007 and it seems we’re going back to the future with bad information to investors. This time around the problem centers on risky subprime lending, CDOs (collateralized debt obligations) and SIVs (structured investment vehicles). For more information on CDOs, Peter Eavis of Fortune provides a much clearer explanation than I could. These structures resulted in billions of dollars of loss at Merrill-Lynch and Citibank this fall and in the departures of Merrill's and Citi's CEOs. Reports indicate that Bank of America and HSBC are also at risk for significant losses.
Did investors have any clue that the FIs were at risk for such heavy losses? It looks like the answer is no because the full risk exposure associated with CDOs was maintained in off-balance sheets even though the FI is ultimately responsible if losses occur in association with the CDO.
Which to me would mean it was always a risk exposure and should have been on the balance sheet. But what do I know? I’m neither an economist nor an accountant.
But I am an IT security professional and I’m smelling something brewing here. If we in IT had a major hit from SOX/404 – is it possible that the CDO meltdown is going to result in more work, regulations, and compliance fire drills for IT? I think it just might. For example, IT may be enlisted to help ensure that the databases or spreadsheets where the officially "off balance" information was kept is available and access to this data is being audited and monitored. With any luck, though, we should be able to leverage our SOX work if some new regulations hit the books post 2007-CDO crisis.
For savvy IT teams, I recommend getting ahead of the curve by reviewing the audit and monitoring for accounting systems and key financial databases. Also, review access control and identity management for employees and partners that have access to those systems. And finally, especially for FI IT teams – check on monitoring and archiving for all key communications channels. This includes SMS messages, email, VoIP, and IM. If proper controls are already in place for protection – new legislation or audit rules should be a matter of doing a mapping of existing controls to them.
We’re living in a reactive world where legislation is written when new loopholes are exposed. This may be how financial and tax law is created – but in IT we don’t have to be in perpetual response mode. Be proactive about documentation and controls – and strive to be ready to map and support, rather than scramble and slide, when the next decree comes down.