Subject: [Fwd: Comment on SOX Section 404 - Management Assessment of Internal Controls]
I'm not sure, but I believe I've hit upon the mother lode of business drivers for PKI - SOX Section 404 compliance! I raised this issue with two CSOs of major financial companies (who have spent many millions of dollars on getting themselves ready to certify their internal controls by end of this year) and their only response was "That is a very good question!". I believe this issue completely missed their radar. If you believe this issue has merit, I would recommend that OASIS put out a press release highlighting this issue and mentioning how digital certificates with external cryptographic tokens can provide a measure of control that allows them to be SOX compliant. Every publicly traded company has to certify to these controls by June 2005.

Arshad Noor
StrongAuth, Inc.

P.S. I would also recommend forwarding this to the people in your own company who're responsible for SOX compliance to see if they're aware of this. I believe the deadline for certifying Section 404 controls is November 15th, to the best of my knowledge.

-------- Original Message --------
Subject: Comment on Section 404 - Management Assessment of Internal Controls
Date: Mon, 07 Jun 2004 10:43:38 -0700
From: Arshad Noor <arshad.noor@strongauth.com>
Organization: StrongAuth, Inc.
To: rule-comments@sec.gov

Ladies & Gentlemen,

I'm not certain if the SEC is entertaining further comments on Section 404 of the Sarbanes-Oxley Act of 2002, but I thought that you should know of an important facet of controls that may have a significant impact on financial reports. Section 404, as you're aware, requires company management to assess the effectiveness of their internal controls with respect to financial reporting and for public accounting firms to certify this assessment. Since many companies that report to the SEC use computerized systems to manage their financial data, there is a major vulnerability in current controls of computer systems that can jeopardize the information.
This is the User ID and Password - the mechanism used in, probably, 99.9% of all computer systems to authenticate and authorize users of computer systems and software. User IDs and Passwords are a form of authenticator known as Single-Factor Authentication, where supplying just the password to a legitimate User ID gives you access to all capabilities authorized for that User ID on the computer system. What is little understood is that an authentication system based on User IDs and Passwords is INCAPABLE of distinguishing between an authorized user, who has legitimately logged in to perform a business function, and an unauthorized user who has logged in to attack the system using the compromised ID and Password of a legitimate user. The computer logs will indicate that an authorized user logged in at such-and-such time and performed such-and-such actions. While systems performing this level of logging will keep track of what this user does, there is no indication at all that these actions were performed by an unauthorized user. As such, any financial reporting system that uses User IDs and Passwords as its sole authenticator does not provide adequate internal control to assure stockholders of the integrity of its data.

For example, if I'm an employee in the Sales Division of a company, who is responsible for entering Sales Orders into an application that feeds the Financial systems, my User ID and Password could be compromised in any number of ways without my knowledge - through a virus attack, keyboard-sniffers, dictionary attacks, phishing, social engineering, etc. - even though I might comply with all computer use policies of the company, allowing an unauthorized user to log into my account and change Sales Order information, thus affecting financial statements. The attacks can come from internal or external entities.
Secret-key based, single-factor authenticators have been a major vulnerability of computer systems ever since the Internet changed how companies do business. However, few experts have recognized this fundamental vulnerability and have called for the replacement of this mechanism of Access Control, mandatorily. Solutions to address this problem have existed for more than a decade, vis-a-vis public-key cryptography and two-factor authenticators. You may want to consider highlighting this issue to public accounting companies who certify internal control assessments, as well as the companies that are regulated by the SEC.

Regards,

Arshad Noor
President & CEO
StrongAuth, Inc.
10846 Via San Marino
Cupertino CA 95014-6333
(408) 331-2001
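The contrast the message draws, as an added illustration that is not part of the original post or any StrongAuth product: a password verifier accepts whoever presents the secret, so its audit trail cannot separate the account holder from someone using a stolen copy, whereas a public-key verifier checks a signature over a fresh server challenge, which needs the private key held on the token. The user name, password and Ed25519 keys below are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// PasswordStore models a single-factor system: a password digest per user,
// accepted from anyone who presents the matching secret. (Constructed demo;
// a production system would use a slow, salted password hash.)
type PasswordStore map[string][32]byte

// Login cannot tell the account holder from anyone holding a copy of the password.
func (s PasswordStore) Login(user, password string) bool {
	want, ok := s[user]
	if !ok {
		return false
	}
	got := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// KeyStore models the public-key alternative: the server keeps only each
// user's public key; the private key stays on the user's token.
type KeyStore map[string]ed25519.PublicKey

// NewChallenge issues a fresh random nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Login accepts only a signature over this attempt's challenge, so neither a
// stolen password nor a signature captured from an earlier login is enough.
func (s KeyStore) Login(user string, challenge, signature []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, challenge, signature)
}

func main() {
	ps := PasswordStore{"sales01": sha256.Sum256([]byte("hunter2"))}
	fmt.Println("password, holder and intruder alike:", ps.Login("sales01", "hunter2"))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ks := KeyStore{"sales01": pub}
	c1, _ := NewChallenge()
	sig := ed25519.Sign(priv, c1) // computed on the token; the key never leaves it
	fmt.Println("token, fresh challenge:", ks.Login("sales01", c1, sig))
	c2, _ := NewChallenge()
	fmt.Println("token, replayed signature:", ks.Login("sales01", c2, sig))
}
```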