Rayovac markets its products in more than 100 countries and trades on the New York Stock Exchange under the ROV symbol. Ben Bradley, contributing writer, recently sat down with Mike Gutknecht, Network Engineer, Brent Leland, Director of Business Information Technology, and Rick Dempsey, CIO for Rayovac, to discuss the impact of Sarbanes-Oxley on IT processes, myths about ROI justification and the unanticipated benefit of Sarbanes-Oxley on IT budgets.
BRADLEY: What is Sarbanes Oxley?
DEMPSEY: Section 404 of Sarbanes Oxley (SOX) says that firms listed on U.S. stock markets must provide annual disclosures and quarterly updates to shareholders on the effectiveness of their internal controls. The executive office must see the details behind reported financial information and must know in real-time of any changes to business performance. In other words, if you aren't secure, your controls are not effective.
BRADLEY: Let's start with some background on the problem. What was life like before Sarbanes-Oxley?
DEMPSEY: Prior to SOX, we behaved very much like every other company. We were proactive on some issues, reactive on others - such as security patches and vulnerabilities. If Microsoft issued a security bulletin, we would review the bulletin, then patch the systems that required patching.
GUTKNECHT: Every IT guy in the world has an ideal picture of how systems should work for a given organization. Then, from that picture, you work backwards into budgets and other realities. Hiring a technical security expert was part of the "ideal" picture, but historically, was not valued by the business. With the advent of Sarbanes-Oxley, the focus on network and system security has increased and allowed Rayovac to come closer to realizing that picture. We have recently added a position that focuses on our system and network security from a technical perspective.
BRADLEY: How do you define a vulnerability?
LELAND: Good question. For us, at first, vulnerabilities were network attacks, poor patch management, corrupt data, etc. But with SOX, we discovered a new vulnerability - not being able to demonstrate the effectiveness of our controls.
BRADLEY: What did you do when you first learned about SOX?
LELAND: When SOX was first announced, internally we went through an informal audit to identify all our controls. (Which controls were most important? Which controls would be impacted, and which needed to improve?) The problem was, at the time, we didn't know the scope of our own vulnerabilities, and our CFO didn't have time to pore over binders full of reports.
LELAND: To solve this problem, we identified an automated vulnerability assessment vendor, Beyond-IP (www.beyond-ip.com) and asked them to show us our vulnerabilities. They ran more than 2000 vulnerability tests and gave us a report that detailed every single vulnerability that they identified. When you pick a VA vendor, you put tremendous faith in that vendor and their abilities.
Beyond-IP, the North American distributor for Beyond Security, was an obvious choice. The solution they offer is backed by Securiteam.com, a large security portal, so we knew the service would be fast, timely and thorough - all critical since we're talking about vulnerabilities.
DEMPSEY: We showed a one-page summary report to the CFO and money became available. What the vulnerability assessment, the vulnerability tests and SOX did was focus us on how things should be done. The unanticipated benefit was that we were given the resources to improve our controls and network security. Corporate took it very seriously. It forced us to look inward at our processes and ask ourselves the question, "Are our controls as good as they should be?"
BRADLEY: Were they?
DEMPSEY: Controls and processes can always be improved. The Sarbanes-Oxley effort focused our attention on this continual improvement.
BRADLEY: How did you measure the financial impact of security vulnerabilities?
DEMPSEY: Attaching a price to pay for securing your network is like purchasing insurance. The degree to which you invest in this insurance reflects your tolerance for risk. The Sarbanes-Oxley legislation has had the effect on Rayovac of lowering its tolerance for risk and increasing our spend to ensure a secure environment.
BRADLEY: How often do you now scan for vulnerabilities?
GUTKNECHT: Before SOX, we'd do a scan every 18 months. We now have the ability to scan at any time. Regular VA scans are like having sonar on our own network. We always know what is going on around us.
LELAND: One of the unanticipated benefits of this network sonar is that we now know what devices are running on the network. We get an instant alert if someone, for example, sets up an unsecured rogue wireless network. For compliance purposes, we can now generate a monthly report that indicates what changes have taken place in the network topology over a specific interval, and accurately certify exactly what devices are on the network at a specific time.
DEMPSEY: We have a better idea about the scope of our vulnerabilities which means we can assign an owner to fix each vulnerability. If you know you have a problem and you know the scope of the problem, it is much easier to fix the problem. With the right data, we can also manage the vulnerabilities over time.
BRADLEY: So how do you prioritize vulnerabilities?
LELAND: We don't. We prioritize our remediation process. We use a combination of processes and tools that impact how we prioritize remediating vulnerabilities. First is an "H, M, L" (high, medium, low) vulnerability rating. This rating is assigned by our primary vulnerability assessment vendor. We also look at the SANS Top 20 list of vulnerabilities (http://www.sans.org/top20/#threats) and a variety of other sources. We combine the severity of the vulnerability, the perceived likelihood of attack, and the importance of the system to be patched to develop a metric. This metric drives the prioritization of our remediation effort.
BRADLEY: Have you done enough to prepare for SOX?
DEMPSEY: Only time will tell. Everything will be borne out by case law in the next 5-10 years, so it will be a while before we know if we've done too much or not enough. I do know that, each month, I can say how many vulnerabilities we have, the severity of each vulnerability, the importance of the specific server that has the vulnerability and the general likelihood of an attack on that vulnerability. Most important, I can clearly demonstrate that I am addressing my vulnerabilities over time. The goal, as I see it, is to demonstrate that our systems are tight and that we are proactively managing risk over time. We're doing that.
BRADLEY: What is the most difficult thing about network security?
LELAND: If you want to connect to the rest of the world, you can truly never be 100% secure. Accept it.
About Beyond Security
Beyond Security, a privately-held company, develops leading vulnerability assessment and self-management solutions that facilitate preemptive, real-time and continuous network, server, database and application security. The company was founded in 1999 by the founders of SecuriTeam portal (www.securiteam.com), a leading source for vulnerability alerts and solutions serving 1.5 million monthly page views to IT security professionals. Beyond Security's founders are great believers in automation, which is why the company sells tools instead of using them to provide services. Beyond Security's goal is to decrease the number of security holes in products to manageable levels and empower software vendors to release secure products. For more information, visit www.beyondsecurity.com.