Companies in danger of ignoring other risks...
By Steve Ranger
Published: 11 July 2005 16:27 BST
The multi-million pound cost of complying with the Sarbanes-Oxley Act (SOX) is diverting spending away from protecting against other security threats.
International security association the Information Security Forum (ISF) calculates that many of its members expect to spend more than $10m on information security controls for Sarbanes-Oxley.
ISF consultant Andy Jones said that although SOX was designed to improve corporate governance and accountability, it has proved difficult to interpret for information security professionals.
"As neither the legislation nor the official guidance specifically mentions the words 'information security', the impact on security policy and the security controls that need to be put into place must be determined by each individual organisation in the context of their business," he said.
The ISF warns that SOX ignores security issues that are extremely important when dealing with risks to information, such as business continuity and disaster recovery. This makes it important to integrate compliance into a wider IT security and corporate governance strategy, it said.
Jones also warned that SOX could divert attention from more pressing security risks: "For organisations whose business is not primarily financial, for example manufacturing or product-service industries, the diversion of information security attention from other risk areas to SOX compliance may lead to important business risks being neglected."
"It is important that Sarbanes-Oxley does not push organisations into following a compliance-based approach rather than a risk-based approach that may compromise information security," he added.
UK members of the ISF include Abbey National, Alliance & Leicester and AstraZeneca.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.