Melvin H. Barnes, Jr.
In July 2002, the U.S. Congress passed the Sarbanes-Oxley Act into law. The Act was primarily designed to restore investor confidence following well-publicized bankruptcies that brought chief executives, audit committees, and the independent auditors under heavy scrutiny. The Act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC).
The Act calls for the formation of a Public Company Accounting Oversight Board (PCAOB) and specifies several requirements (“sections”) that include management’s quarterly certification of its financial results (Section 302) and management’s annual assertion that internal controls over financial reporting are effective (Section 404). In Section 404, the independent auditor of the organization is required to opine on management’s assertion over internal control and the fair presentation of the organization’s financial statements. This additional testing of management’s assertion is referred to as attestation examination.
Section 404 draws attention to the significant processes that feed and comprise the financial reporting for an organization. In order for management to make its annual assertion on the effectiveness of its internal control, management must document and evaluate all controls that are deemed significant to the financial reporting process. If the organization uses a service provider to process transactions, host data, or perform other significant services, management must look to the service organization for information on the design and operating effectiveness of the service organization’s controls.
In sum, the Sarbanes-Oxley Act requires chief executive officers and chief financial officers to certify each annual and quarterly report filed with the SEC, imposes criminal penalties for false certifications, and significantly increases the penalties for securities law violations (Fleming, 2004). Although the Act makes no specific mention of information technology or information security/assurance, it requires organizations to verify or certify the internal controls of key business processes. Once an organization has determined what its key business processes are, it must answer the question: Does the network infrastructure that supports these processes have the proper controls?
Each organization affected by the Sarbanes-Oxley Act has some level of reliance on automated information systems to process and store the data that are the basis of financial reports (Byrum, 2003). Section 404 has the greatest impact on the information technology resources and information assurance of the national electric grid infrastructure, because it requires the organization to implement internal controls over the systems that support financial reporting.
On May 22, 1998, President Clinton introduced Presidential Decision Directive (PDD) 63, which focuses on protecting the nation’s critical infrastructures from both physical and “cyber” attack (CCIPS, 1999). The nation’s electrical energy grid is a subset of one of the critical infrastructures of the United States. The nation’s critical infrastructures are energy (of which the electrical grid is a subset), banking and finance, transportation, vital human services, and telecommunications. The first section of PDD-63 states:
The United States possesses both the world’s strongest military and its largest national economy. Those two aspects of our power are mutually reinforcing and dependent. They are also increasingly reliant upon certain critical infrastructures and upon cyber-based information systems.
Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Many of the nation’s critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security.
Because of our military strength, future enemies, whether nations, groups or individuals, may seek to harm us in nontraditional ways, including attacks within the United States. Because our economy is increasingly reliant upon interdependent and cyber-supported infrastructures, non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy (Clinton, 1998).
Carrying out PDD-63 required a government/commercial partnership that went beyond the existing working relationship between the military and industry. The National Infrastructure Protection Center (NIPC) at FBI Headquarters in Washington, D.C., is a joint government/private sector partnership that includes representatives from the relevant agencies of federal, state, and local governments and from the private sector, formed to address the daunting challenge of protecting the critical infrastructures on which our nation depends (CCIPS, 1999).
PDD-63 was superseded by Homeland Security Presidential Directive (HSPD) 7 on December 17, 2003. The creation of the U.S. Department of Homeland Security was followed by the transfer of certain critical infrastructure protection responsibilities from other agencies and departments to the Department of Homeland Security.
The purpose of HSPD-7 was stated as:
This directive establishes policies to strengthen the preparedness of the United States to prevent and respond to threatened or actual domestic terrorist attacks, major disasters, and other emergencies by requiring a national domestic all-hazards preparedness goal, establishing mechanisms for improved delivery of Federal preparedness assistance to State and local governments, and outlining actions to strengthen preparedness capabilities of Federal, State, and local entities (Bush, 2003).
HSPD-7 assigned roles and responsibilities to sector-specific federal agencies. The U.S. Department of Energy was assigned the responsibility for the nation’s energy critical infrastructure. Section 16 of the directive provided authority to establish a focal point for cyber-security. Section 16 states:
The Secretary will continue to maintain an organization to serve as a focal point for the security of cyberspace. The organization will facilitate interactions and collaborations between and among Federal departments and agencies, State and local governments, the private sector, academia and international organizations. To the extent permitted by law, Federal departments and agencies with cyber expertise, including but not limited to the Departments of Justice, Commerce, the Treasury, Defense, Energy, and State, and the Central Intelligence Agency, will collaborate with and support the organization in accomplishing its mission. The organization’s mission includes analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems. The organization will support the Department of Justice and other law enforcement agencies in their continuing missions to investigate and prosecute threats to and attacks against cyberspace, to the extent permitted by law (Bush, 2003).
The differences between the two directives are not large, but they do reflect the change in American concerns following the September 11, 2001, terrorist attacks. The original purpose of PDD-63 was to require federal agencies to ensure the continuity and viability of the physical and computer-based systems essential for the minimal functioning of the U.S. government and economy in case of a terrorist attack. With the enactment of HSPD-7, federal departments and agencies are required to develop methods and technologies to protect all critical infrastructures and key resources of the government and economic sectors.
The primary goal of HSPD-7 is to prevent the exploitation, incapacitation, or destruction of these infrastructures and resources. A secondary goal, however, is to foster the development of methods and technologies that can minimize the impact if an adverse event actually occurs. Federal departments and agencies have been instructed to work with state and local governments, and with the private sector, to accomplish the objectives laid out in this directive.
It is my assertion that the federal government’s goal of increased competition has had a negative impact on the security of the national electrical grid from an information technology standpoint. Government regulations that sought to provide transparency to corporate governance and increase competition in the electrical energy industry have opened a new age. Today, the control of electrical energy systems and resources has moved from dedicated channels to the Internet. The Internet provides access to all information technology systems regardless of their physical location. Nonetheless, the challenge for today’s electrical energy system is no longer a purely physical concern; it is now an information assurance concern.
Is my assertion true?
Abel, A. (2004). Government Activities to Protect the Electric Grid. Retrieved June 7, 2006, from www.fas.org/sgp/crs/RS21958.pdf.
Aczel, A. D., & Sounderpandian, J. (2006). Complete Business Statistics (6th ed.). New York: McGraw Hill.
Angle, S., Bobbish, D., & Wenner, A. (2002). FERC issues proposed rule on standard electricity market design. International Financial Law Review, 1.
Ballonoff, P. (1996). Decree Number 888. Regulation, 19(3).
Bush, G.W. (2003). Homeland Security Presidential Directive/HSPD-7. Retrieved November 12, 2007, from http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html
Byres, E., & Lowe, J. (2004). The Myths and Facts behind Cyber Security Risks for Industrial Control Systems. Paper presented at the VDE Congress, Berlin, Germany.
Byrum, S. (2003). The Impact of the Sarbanes-Oxley Act on IT Security. Bethesda, MD: SANS Institute.
Carlson, R. (2002). High-Security SCADA LDRD Final Report. Retrieved May 10, 2006, from http://www.sandia.gov/scada/documents/020729.pdf
CCIPS. (1999). Critical Infrastructure Protection. Retrieved February 17, 2007, from http://www.usdoj.gov/criminal/cybercrime/critinfr.htm
Chandley, J. (2001). A Standard Market Design for Regional Transmission Organizations. Cambridge, MA: Harvard University.
Chang, S.E. & Lin, C. (2007). Exploring organizational culture for information security management. Industrial Management & Data Systems, 107(3).
Choi, J. W. (2002). The Limits on Regulatory Policymaking: The SEC and the Securities Market, 1930s–1990s. Chicago: University of Chicago.
Clinton, W.J. (1998). Presidential Decision Directive 63: Combating Terrorism. Retrieved February 17, 2007, from http://www.fas.org/irp/offdocs/pdd-62.htm
Cohen, J. (1992a). A Power Primer. Psychological Bulletin, 155-159.
Cohen, J. (1992b). Current Directions in Psychological Science, 1(3), 98-101.
Convergence Research. (1996). Commission Orders Sweeping Changes for Electric Utility Industry, Requires Wholesale Market to Open to Competition. Retrieved June 13, 2006, from http://www.converger.com/FERCNOPR/888_889.htm
Cormack, A. (2001). Do We Need a Security Culture? VINE, 31(2), pp. 8-10.
Dacey, R. F., Johnston, E., Addison, S., Fiorino, J., Jacobs, A., & Pierson, T. (2004). Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. Retrieved June 6, 2006, from www.gao.gov/new.items/d04354.pdf
Elzinga, A., & Jamison, A. (1995). Changing policy agendas in science and technology. In S. Jasanoff, G. E. Markle, J. C. Petersen, & T. Pinch (Eds.), Handbook of Science and Technology Studies (pp. 572-597). London: Sage Publications.
Evans, S. C. (2003). Kolmogorov Complexity Estimation and Application for Information System Security. Troy, NY: Rensselaer Polytechnic Institute.
Falco, J., Stouffer, K., Wavering, A., & Proctor, F. (2002). IT Security for Industrial Control Systems. Retrieved May 24, 2006, from http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf
Federal Energy Regulatory Commission. (1996). Order No. 888: Promoting Wholesale Competition Through Open Access Non-discriminatory Transmission Services by Public Utilities; Recovery of Stranded Costs by Public Utilities and Transmitting Utilities. Retrieved January 21, 2006, from http://www.ferc.gov/legal/maj-ord-reg/land-docs/order888.asp
Federal Energy Regulatory Commission. (1997a). Order No. 888-A: Promoting Wholesale Competition Through Open Access Non-discriminatory Transmission Services by Public Utilities; Recovery of Stranded Costs by Public Utilities and Transmitting Utilities. Retrieved January 21, 2006, from http://www.ferc.gov/legal/maj-ord-reg/land-docs/order888.asp
Federal Energy Regulatory Commission. (1997b). Order No. 889-A: Open Access Same-Time Information System and Standards of Conduct. Retrieved January 21, 2006, from http://www.ferc.gov/legal/maj-ord-reg/land-docs/order889.asp
Federal Energy Regulatory Commission. (2000). Order No. 2000-A: Regional Transmission Organizations. Retrieved February 17, 2006, from http://www.ferc.gov/legal/maj-ord-reg/land-ord.asp
Fleming, M. (2004). The Role of IT Security in Sarbanes-Oxley Compliance. Bethesda, MD: SANS Institute.
Gay, L. R., & Diehl, P.L. (1991). Research Methods for Business and Management. New York: Macmillan.
Gorman, S. P. (2004). Networks, Complexity, and Security: The Role of Public Policy in Critical Infrastructure Protection. Fairfax, VA: George Mason University.
Hogan, W. W. (2005). Electricity Restructuring: Open Access from Order 888 to Successful Market Design (“SMD”). Cambridge, MA: Center for Business and Government, John F. Kennedy School of Government, Harvard University.
Howell, D.C. (1992). Statistical Methods for Psychology, 3rd ed. Boston: Kent Publishing Company.
Infante-Durana, M. D. (2006). Electricity Sector Liberalization in the European Union: The Political Economy of Regulatory Reform. Unpublished dissertation, The Johns Hopkins University, Baltimore.
ISO/IEC 17799 (BS 7799-1). (2005). Information technology. Security techniques. Code of practice for information security management. Britain.
Jacobs, R. M. (2005). Educational Research: Action Research in Schools. On Educational Research – EDU 8603. Villanova, PA: Villanova University.
Kamal, M. (2008). How to create a security culture in your organization. Journal of American Academy of Business, Cambridge, 13(1), 145-151.
Kolokotronis, N., Margaritis, C., Papadopoulou, P., Kanellis, P., & Martakos, D. (2002). An Integrated Approach for Security Electronic Transactions Over the Web. Benchmarking, 9(2), 166-182.
Korzyk, S., & Alexander, D. (2002). A Conceptual Design Model for Integrative Information System Security. Unpublished Dissertation, Virginia Commonwealth University, Richmond.
Lipsey, M. W. (1990). Design Sensitivity: Statistical Power for Experimental Research. Newbury Park, CA: Sage Publications.
Lowi, T. J. (1972). Four systems of policy, politics, and choice. Public Administration Review, 32, 298-310.
Mackey, R., & Gossels, J. (2003). Mastering Fundamentals Part 3: A Continuing Series on the Fundamentals of Information Systems Security. Fundamentals of Information Systems Security. Retrieved April 4, 2005, from http://infosecuritymag.techtarget.com/articles/march00/features3.shtml
McKnight, W. L. (2002). What is Information Assurance? Retrieved March 5, 2006, from http://www.stsc.hill.af.mil/crosstalk/2002/07/mcknight.html
Mears, L., & von Solms, R. (2004). Corporate Information Security Governance: A Holistic Approach. Port Elizabeth, South Africa: Port Elizabeth Technikon.
Merriam-Webster. (2005). Merriam-Webster Online Dictionary. Retrieved January 13, 2007, from http://www.m-w.com/cgi-bin/dictionary
Mesich-Brant, J. L. (2002). Policy Effectiveness and Instrument Selection: An Examination of United States Organ and Tissue Donation Policies. Morgantown, WV: West Virginia University.
Moot, J. S. (2005). Whither Order No. 888? Energy Law Journal, 26(2), 21.
Myler, E., & Broadbent, G. (2006). ISO 17799: Standard for Security. Information Management Journal, 40(6), 43-52.
Oman, P., Schweitzer III, E.O., & Frincke, D. (2000). Concerns About Intrusions into Remotely Accessible Substation Controllers and SCADA Systems. Seattle: Seattle University.
Owens, D. K. (2000). EEI Requests Rehearing of FERC Order 2000, Debates Ownership Terms. EEI News.
D. K. (2006). Implementing Sarbanes-Oxley Act Section 404: Lessons Learned from the Front Lines. The CPA Journal.
Pagano, R.R. (1990). Understanding Statistics in the Behavioral Sciences, 3rd ed. St. Paul, MN: West Publishing Company.
Porter, K. (2002). Implications of Regional Transmission Organizations for Renewable Energy Technologies. On NREL Energy Analysis Seminar Series. Washington, D.C.: Exeter Associates Inc.
Robson, C. (2002). Real World Research (2nd ed.). Malden, MA: Blackwell Publishing Ltd.
Rotvold, G. M. (2007). Status of Security Awareness in Business Organizations and Colleges of Business: An Analysis of Training and Education, Policies, and Social Engineering Testing. Grand Forks, ND: University of North Dakota.
Ryan, J. J. (2000). Information Security Practices and Experiences in Small Businesses. Washington, D.C.: The George Washington University.
Sawin, J. L. (2001). The Role of Government in the Development and Diffusion of Renewable Energy Technologies: Wind Power in the United States, California, Denmark and Germany, 1970-2000. Medford, MA: Tufts University.
Shea, D. A. (2003). Critical Infrastructure: Control Systems and the Terrorist Threat. Retrieved June 7, 2006, from www.fas.org/irp/crs/RL31534.pdf.
Simonsson, M., & Johnson, P. (2006). Defining IT Governance—A Consolidation of Literature. Stockholm: Royal Institute of Technology.
Studlar, D. T. (2002). Tobacco Control: Comparative Politics in the United States and Canada. Buffalo, NY: Broadview Press.
Tabachnick, B. G., & Fidell, L. S. (2001). Using Multivariate Statistics, 4th ed. Boston: Allyn and Bacon.
Tatalovich, R., & Daynes, B. W. (Eds). (1988). Social Regulatory Policy: Moral Controversies in American Politics. Boulder: Westview Press.
Thomson, M., & von Solms, R. (1998). Information Security Awareness: Educating Your Users Effectively. Information Management & Computer Security, pp. 167-173.
U.S. Army. (2004). IS Terminology—Information Assurance Security Officer Certification Course. Retrieved April 25, 2005, from http://ia.gordon.army.mil/iaso/lesson01.htm
U.S. Department of Energy. (2001). Status of the Bulk Power Transmission Systems. Retrieved May 26, 2006, from http://www.eia.doe.gov/cneaf/electricity/epav1/bulkpower.html
U.S. Department of Energy. (2006). Overview of the Electric Grid. Retrieved April 3, 2006, from http://www.energetics.com/gridworks/grid.html
von Solms, B. (2001). Corporate governance and information security. Computers and Security, 20, 215-218.
Wenner, A., & Lake, K. C. (2000). United States: Power industry developments. International Financial Law Review, 1.
Whitfield Russell Associates. (1999). Refunctionalization of Transmission Assets Under FERC Order 888: Impact on Market Power. Washington, D.C.: author.
Wulgaert, T. (2005). Security Awareness — Best Practices to Serve Your Enterprise. Rolling Meadows: Information Systems Audit and Control Association.
Zucker, A., & Diamant, A. (2003). Introduction to the Basic Information on Electric Utility Restructuring. Retrieved April 7, 2006, from http://www.ece.umr.edu/power/Energy_Course/energy/Deregulation/basic.html