by Christopher Byrne, CISA, IBM CAAD, IBM CASA, IBM CASP
The Internet world certainly had a good laugh yesterday at the expense of ESPN. An application/web developer inserted an Easter egg into the ESPN web site back before April Fool's Day that exploded on the Internet when written about on the Kotaku blog yesterday afternoon.
inserted some Easter egg code into the ESPN web site a few weeks ago.
While funny on its face, the episode exposes a flaw in the information technology governance which puts Disney, ESPN's parent company company at potential risk of non-compliance with the Sarbanes-Oxley Act of 2002, as well as PCI security standards for credit card transactions associated with ESPN Insider subscriptions.
How does this put ESPN and Disney at risk?
Let's start with the Sarbanes-Oxley Act of 2002. This hastily crafted legislation requires more control around business processes that have a material impact or could have a material impact on the corporate financial statements.
Obviously, there is not a lot on the ESPN web sites that could have a material impact on Disney's financials. But the problem lies in Section 404 of the legislation, which states
Management Assessment Of Internal Controls
(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall--
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure (emphasis added) and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
The key section is 404(a)(1) concerning the establishment and maintenance "of an adequate internal control structure," This is where information technology auditors have been having a field day, especially when it comes to general IT controls. And while many smaller organizations could kind of push this under the rug, the visibility of ESPN makes it difficult to ignore.
The general IT controls applicable here address segregation of duties, and the hard and fast rule for large IT organizations that developers never have access to production code or production systems. This is so malicious code cannot be inserted into the system.
It is also a control put in place to ensure that unauthorized personnel do not have access tom information such as credit card information and other personally identifiable private information that can be misused, stolen, or otherwise compromised.
So while this prank was fairly innocuous, it exposed at least the appearance that ESPN does not have a strong IT governance structure in place, and that their processes and procedures need to be revisited, reviewed, and adjusted.
And let's not think ESPN is alone with these problems. I have spoken to another major sports body about security holes in their public facing systems more than once in the past few years. Yet, they have done nothing to close them.
ESPN should not follow that organization's example. ESPN should take as an opportunity to sit back and do a control self-assessment, identify weaknesses, and make their processes stronger. It may take time and resources up front, but is nothing compared to the damage that can be done if something more serious happened with or on their information systems.
If The Big Lead takes the time to quote someone as saying:
"I do love nerd humor and obscure video game references. At the same time you cant be pulling sh** like this in production, there’s a time and a place and espn’s home page isn’t it.”
and Deadspin is all over the story, you really know it is not a problem you can easily blow off.
You can read more about information technology governance on our sister site, The Business Controls Caddy.
You can also read the blog of Keith Lam, the ESPN employee who was charged with removing the offfending code from their systems.
About The Author
Christopher Byrne is the managing editor of Eye on Sports Media and The Business Controls Caddy, and is a Certified Information Systems Auditor (CISA). He works with large and small organizations to examine their business and information technology process controls to identify weakness and implement cost-effective controls to enable business get a stronger return on their technology investments. He has written numerous articles for business and technology trade magazines, been a member of the editorial advisory board of Corporate Compliance Solutions Advisor Magazine, and speaks about information technology process controls at conferences in the United States and abroad. He can be reached via e-mail at cbyrne at thecayugagroup.com (replace the " at " with "@").
Posted April 28, 2009