
Rayovac's IT Team Discusses Network Security, Sarbanes Oxley and ROI Myths


Rayovac Corporation is a global consumer products company with a diverse portfolio of world-class brands, including Rayovac, Remington and VARTA. The Company holds many leading market positions including: the world’s leader in hearing aid batteries and the number one selling brand of men’s and women’s foil electric razors in North America. Rayovac markets its products in more than 100 countries and trades on the New York Stock Exchange under the ROV symbol.

Ben Bradley, contributing writer, recently sat down with Mike Gutknecht, Network Engineer, Brent Leland, Director of Business Information Technology, and Rick Dempsey, CIO, for Rayovac to discuss the impact of Sarbanes Oxley on IT processes, myths about ROI justification and the unanticipated benefit of Sarbanes Oxley on IT budgets.

BRADLEY: What is Sarbanes Oxley?

DEMPSEY: Section 404 of Sarbanes Oxley (SOX) says that firms listed on U.S. stock markets must provide annual disclosures and quarterly updates to shareholders on the effectiveness of their internal controls. The executive office must see the details behind reported financial information and must know in real-time of any changes to business performance. In other words, if you aren’t secure, your controls are not effective.

BRADLEY: Let’s start with some background on the problem. What was life like before Sarbanes Oxley?

LELAND: Prior to SOX, we behaved very much like every other company. We were proactive on some issues, reactive on others – such as security patches and vulnerabilities. If Microsoft issued a security bulletin, we would review the bulletin, then patch the systems that required patching.

GUTKNECHT: Every IT guy in the world has an ideal picture of how systems should work for a given organization. Then, from that picture, you work backwards into budgets and other realities. Hiring a technical security expert was part of the “ideal” picture, but historically, was not valued by the business. With the advent of Sarbanes-Oxley, the focus on network and system security has increased and allowed Rayovac to come closer to realizing that picture. We have recently added a position that focuses on our system and network security from a technical perspective.

BRADLEY: How do you define a significant security event?

LELAND: Public release of sensitive information, disclosure of financial data, system failure, anything that would impact P&L, release of customer information, vandalism of the website, anything that has PR value.

BRADLEY: How do you define a vulnerability?

LELAND: Good question. For us, at first vulnerabilities were network attacks, poor patch management, corrupt data, etc. But with SOX, we discovered a new vulnerability – not being able to demonstrate the effectiveness of our controls.

BRADLEY: What did you do when you first learned about SOX?

LELAND: When SOX was first announced, internally we went through an informal audit to identify all our controls (which controls were most important? Which controls will be impacted and which need to improve?). Problem was, at the time, we didn’t know the scope of our own vulnerabilities and our CFO didn’t have time to pore over binders full of reports.

LELAND: To solve this problem, we identified an automated vulnerability assessment vendor, Beyond-IP (www.beyond-ip.com) and asked them to show us our vulnerabilities. They ran more than 2000 vulnerability tests and gave us a report that detailed every single vulnerability that they identified.

When you pick a VA vendor, you put tremendous faith in that vendor and their abilities. Beyond-IP, the North American distributor for Beyond Security, LTD, was an obvious choice. The solution they offer is backed by Securiteam.com, a large security portal, so we knew the service would be fast, timely and thorough – all critical since we’re talking about vulnerabilities.

DEMPSEY: We showed a one-page summary report to the CFO and money became available. What the vulnerability assessment, the vulnerability tests and SOX did was focus us on how things should be done. The unanticipated benefit was that we were given the resources to improve our controls and network security. Corporate took it very seriously. It forced us to look inward at our processes and ask ourselves the question, “are our controls as good as they should be?”

BRADLEY: Were they?

DEMPSEY: Controls and processes can always be improved. The Sarbanes-Oxley effort focused our attention on this continual improvement.

BRADLEY: How did you measure the financial impact of security vulnerabilities?

DEMPSEY: Attaching a price to pay for securing your network is like purchasing insurance. The degree to which you invest in this insurance reflects your tolerance for risk. The Sarbanes-Oxley legislation has had an effect on Rayovac to lower its tolerance for risk and increase our spend to ensure a secure environment.

BRADLEY: How often do you now scan for vulnerabilities?

GUTKNECHT: Before SOX, we’d do a scan every 18 months. We now have the ability to scan at any time. Regular VA scans are like having sonar on our own network. We always know what is going on around us.

LELAND: One of the unanticipated benefits of this network sonar is that we now know what devices are running on the network. We get an instant alert if someone, for example, sets up an unsecured rogue wireless network. For compliance purposes, we can now generate a monthly report that indicates what changes have taken place in the network topology over a specific interval, and accurately certify exactly what devices are on the network at a specific time.

DEMPSEY: We have a better idea about the scope of our vulnerabilities which means we can assign an owner to fix each vulnerability. If you know you have a problem and you know the scope of the problem, it is much easier to fix the problem. With the right data, we can also manage the vulnerabilities over time.
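The "network sonar" Leland describes, as an added example that is not part of the interview and not Rayovac's or Beyond-IP's tooling: two scan inventories (constructed here; a real scanner export would be parsed into the same shape) are diffed to report hosts that appeared, disappeared or changed their exposed services, and newly seen hosts whose MAC is not on an approved list are flagged. The approved-MAC list and the idea of using it as the "rogue" signal are assumptions of this example.

```python
"""Diff two network discovery scans for the monthly change report.

Editor's added example; the scan records below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    services: frozenset  # (port, service) pairs observed open


def load_scan(records):
    """Build {ip: Host} from (ip, mac, [(port, service), ...]) tuples."""
    return {ip: Host(ip, mac.lower(), frozenset(svcs)) for ip, mac, svcs in records}


def _by_ip(ips):
    return sorted(ips, key=ipaddress.ip_address)


def diff_scans(previous, current, approved_macs):
    """Compare two inventories; 'rogue' = new host with an unapproved MAC.

    Caveat: a MAC allowlist is a coarse signal (MACs can be spoofed and DHCP
    churn moves hosts between IPs); treat 'rogue' as a triage queue, not proof.
    """
    approved = {m.lower() for m in approved_macs}
    prev_ips, curr_ips = set(previous), set(current)
    added = _by_ip(curr_ips - prev_ips)
    removed = _by_ip(prev_ips - curr_ips)
    changed = _by_ip(ip for ip in prev_ips & curr_ips
                     if previous[ip].services != current[ip].services
                     or previous[ip].mac != current[ip].mac)
    rogue = [ip for ip in added if current[ip].mac not in approved]
    return {"added": added, "removed": removed, "changed": changed, "rogue": rogue}


def report_lines(diff, current):
    """Plain-text lines suitable for the compliance change report."""
    lines = [f"hosts present: {len(current)}"]
    for label in ("added", "removed", "changed", "rogue"):
        lines.append(f"{label}: {', '.join(diff[label]) or 'none'}")
    return lines


# Constructed sample data (not real Rayovac hosts).
LAST_MONTH = load_scan([
    ("10.0.1.10", "00:11:22:33:44:01", [(22, "ssh"), (443, "https")]),
    ("10.0.1.11", "00:11:22:33:44:02", [(445, "smb")]),
    ("10.0.1.12", "00:11:22:33:44:03", [(3389, "rdp")]),
])
THIS_MONTH = load_scan([
    ("10.0.1.10", "00:11:22:33:44:01", [(22, "ssh"), (443, "https")]),
    ("10.0.1.11", "00:11:22:33:44:02", [(445, "smb"), (21, "ftp")]),   # new service exposed
    ("10.0.1.50", "00:11:22:33:44:99", [(80, "http")]),                # approved new host
    ("10.0.1.77", "de:ad:be:ef:00:01", [(80, "http"), (1900, "upnp")]),  # unapproved new host
])
APPROVED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02",
                 "00:11:22:33:44:03", "00:11:22:33:44:99"}

if __name__ == "__main__":
    for line in report_lines(diff_scans(LAST_MONTH, THIS_MONTH, APPROVED_MACS), THIS_MONTH):
        print(line)
```

Run monthly against the previous baseline and the current scan; the "changed" list is what turns a point-in-time scan into a record of topology drift over the interval.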

BRADLEY: So how do you prioritize vulnerabilities?

LELAND: We don’t. We prioritize our remediation process. We use a combination of processes and tools that impact how we prioritize remediating vulnerabilities. First is a “H, M, L” (high, medium, low) vulnerability rating. This rating is assigned by our primary vulnerability assessment vendor. We also look at the SANS Top 20 list of vulnerabilities (http://www.sans.org/top20/#threats) and a variety of other sources. We combine the severity of the vulnerability, the perceived likelihood of attack, and the importance of the system to be patched to develop a metric. This metric drives the prioritization of our remediation effort.

BRADLEY: Have you done enough to prepare for SOX?

DEMPSEY: Only time will tell. Everything will be borne out of case law in the next 5-10 years, so it will be a while before we know if we’ve done too much or not enough. I do know that, each month, I can say how many vulnerabilities we have, the severity of each vulnerability, the importance of the specific server that has the vulnerability and the general likelihood of the attack on that vulnerability.

Most important, I can clearly demonstrate that I am addressing my vulnerabilities over time. The goal, as I see it, is to demonstrate that our systems are tight and that we are proactively managing risk over time. We’re doing that.
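The remediation metric Leland describes (severity, likelihood of attack, importance of the system) and the month-over-month reporting Dempsey describes, as one added example that is not part of the interview and not Rayovac's or its vendor's scoring. The weights, the multiplicative combination, the host names and the finding labels are all constructed assumptions; the finding names are hypothetical labels, not real advisories.

```python
"""Rank findings for remediation and track them month over month.

Editor's added example. Weights and sample findings are constructed.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY = {"H": 3, "M": 2, "L": 1}                 # vendor-assigned H/M/L rating
LIKELIHOOD = {"high": 3, "medium": 2, "low": 1}      # e.g. on a public top-20 list, exploit in the wild
CRITICALITY = {"critical": 3, "important": 2, "standard": 1}  # business importance of the host


@dataclass(frozen=True)
class Finding:
    host: str
    name: str          # hypothetical label for the weakness
    severity: str
    likelihood: str
    criticality: str

    @property
    def key(self):
        return (self.host, self.name)


def score(f: Finding) -> int:
    """Multiplicative, so one low factor drags the whole score down: a High on a
    standard kiosk with no likely attacker ranks below a Medium on a critical,
    exposed server. Range is 1..27 with these weights."""
    return SEVERITY[f.severity] * LIKELIHOOD[f.likelihood] * CRITICALITY[f.criticality]


def prioritize(findings):
    """Highest score first; host/name break ties so the order is stable."""
    return sorted(findings, key=lambda f: (-score(f), f.host, f.name))


def monthly_trend(previous, current):
    """What was closed, what is new, what is still open, and open count by severity."""
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}
    return {
        "closed": len(prev.keys() - curr.keys()),
        "new": len(curr.keys() - prev.keys()),
        "carried": len(prev.keys() & curr.keys()),
        "open_by_severity": dict(Counter(f.severity for f in current)),
    }


# Constructed sample findings (hypothetical hosts and labels).
JUNE = [
    Finding("fin-db-01", "unpatched-db-service", "H", "high", "critical"),
    Finding("web-01", "outdated-tls-config", "M", "high", "important"),
    Finding("kiosk-07", "default-snmp-community", "H", "medium", "standard"),
    Finding("fin-db-01", "verbose-banner", "L", "low", "critical"),
    Finding("hr-app-02", "weak-cipher", "M", "low", "important"),
]
JULY = [
    JUNE[1], JUNE[2], JUNE[4],  # still open
    Finding("web-01", "missing-web-patch", "H", "high", "important"),  # new this month
]

if __name__ == "__main__":
    for f in prioritize(JUNE):
        print(f"{score(f):2d}  {f.severity}  {f.host:<10} {f.name}")
    print(monthly_trend(JUNE, JULY))
```

Note that the vendor rating alone would put the kiosk's High above the web server's Medium; the combined metric reverses that, which is the point of prioritizing remediation rather than raw vulnerabilities.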

BRADLEY: What is the most difficult thing about network security?

LELAND: If you want to connect to the rest of the world, you can truly never be 100% secure. Accept it.

Ben Bradley is the founder of GrowingCo, Inc — (see www.growingco.com), a provider and facilitator of peer-driven intelligence, interactions and insight. He can be reached at ben@growingco.com.
