Internal security controls implementation

Adam Bosnian, Is There A Digital Vault In Your Future: “As auditors become savvier about investigating companies’ security practices, more and more businesses are being put on notice that existing safeguards are not up to snuff”.

As we enter the second year of Sarbanes-Oxley regulations, and as companies continue to face increasingly stringent regulatory mandates from FDA, the Federal Reserve, and other agencies, it will be vital for organizations to proactively be aware of and address these shortcomings before they become a vulnerability identified on an audit result.

“Companies suffered $250 billion in intellectual property theft in 2004 alone. According to a study by the FBI, an estimated 70 percent of these network breaches originate from within”.

“After all, security concerns are similar, regardless of what information you’re looking to protect. Are you changing passwords on a regular basis? What measures are in place to shield high-level passwords? Do you securely store and transmit sensitive data? How do you prevent misuse of information, internally and externally?”

It’s often necessary for system administrators to give out “super user” passwords to numerous internal parties, such as technicians troubleshooting an issue or developers maintaining their own applications. These privileged user passwords are extremely powerful if they fall into the wrong hands: “Users with these passwords can wreak havoc on internal systems”.

To prevent these security vulnerabilities, companies need to consider the following controls:

Multi-layered security: Using multiple security technologies will prevent single points of failure that can hinder internal controls. This may include a combination of session encryption, firewall, access control, file encryption, strong authentication, secure backup, and version control. This end-to-end layered approach is essential for protecting sensitive data throughout the information lifecycle.

Dual control: This added security measure requires two individuals to give consent before allowing access to confidential records. When dual control is configured, any attempt to access protected information will trigger a request for clearance to the pre-defined secondary person.

Security systems should allow for passwords to be issued for specific time frames, such as during working hours, or for one-time use. Passwords can also limit access based on user location. For example, confidential records might only be accessible from certain rooms or buildings.
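The three controls above (dual control, time-limited passwords and location-limited passwords) can be expressed as a small policy check that a password vault runs before handing out a privileged password. The code below is an added example written for this post; it is not code from FindProtected or from any vault product, and the account names, locations and policy layout are constructed for illustration.

```python
"""Policy checks for issuing privileged ("super user") passwords:
working-hours window, permitted locations, one-time use and dual control.
Added example; the policy layout and names are assumptions, not a product API."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccountPolicy:
    account: str
    window: Optional[Tuple[time, time]]  # (start, end); None = any time of day
    locations: frozenset                 # allowed locations; empty = anywhere
    dual_control: bool = False           # a second person must consent
    one_time: bool = False               # password may be issued only once


@dataclass(frozen=True)
class Request:
    account: str
    requester: str
    location: str
    at: datetime
    approver: Optional[str] = None       # the pre-defined secondary person


class Vault:
    """Decides whether a password request is granted and keeps an audit trail."""

    def __init__(self, policies: List[AccountPolicy]):
        self.policies = {p.account: p for p in policies}
        self.issued = set()   # accounts whose one-time password was already handed out
        self.audit = []       # (timestamp, account, requester, granted, reason)

    def request(self, req: Request) -> Tuple[bool, str]:
        granted, reason = self._evaluate(req)
        self.audit.append((req.at.isoformat(), req.account, req.requester, granted, reason))
        if granted and self.policies[req.account].one_time:
            self.issued.add(req.account)
        return granted, reason

    def _evaluate(self, req: Request) -> Tuple[bool, str]:
        policy = self.policies.get(req.account)
        if policy is None:
            return False, "unknown account"
        if policy.one_time and req.account in self.issued:
            return False, "one-time password already issued"
        if policy.window is not None:
            start, end = policy.window
            # Assumes the window does not wrap past midnight.
            if not (start <= req.at.time() <= end):
                return False, "outside permitted hours"
        if policy.locations and req.location not in policy.locations:
            return False, "location not permitted"
        if policy.dual_control:
            if req.approver is None:
                return False, "dual control: second-person approval required"
            if req.approver == req.requester:
                return False, "dual control: approver must differ from requester"
        return True, "granted"


# Constructed sample policies: a database root account that may only be used
# from the ops room during working hours with a second person's consent, and a
# deployment service account whose password is valid for a single issuance.
SAMPLE_POLICIES = [
    AccountPolicy("root@db01", (time(8, 0), time(18, 0)), frozenset({"ops-room"}), dual_control=True),
    AccountPolicy("svc-deploy", None, frozenset(), one_time=True),
]


def demo() -> list:
    """Runs a few constructed requests and returns the audit trail."""
    vault = Vault(SAMPLE_POLICIES)
    monday_10am = datetime(2024, 3, 4, 10, 0)
    vault.request(Request("root@db01", "alice", "ops-room", monday_10am))               # no approver
    vault.request(Request("root@db01", "alice", "ops-room", monday_10am, approver="bob"))  # granted
    vault.request(Request("svc-deploy", "carol", "home", monday_10am))                   # granted once
    vault.request(Request("svc-deploy", "carol", "home", monday_10am))                   # refused
    return vault.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Every decision, including refusals, lands in the audit trail, which is what an auditor reviewing the control will ask to see; the self-approval check is what makes dual control a real two-person rule rather than a formality.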

This blog is run by the authors of FindProtected.
FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.
