The Sarbanes-Oxley Act of 2002 was passed by the United States Congress to protect investors and the general public from corporations that report their finances fraudulently or carelessly. The general requirements of SOX compliance are geared towards ensuring that companies are transparent in their financial reporting and that enforceable rules are in place to prevent fraud.
Adhering to SOX compliance requirements is not only the law for the companies it covers, it is also good practice for a more ethical and secure operation. Implementing SOX financial security controls, aside from being the right thing to do, has the added benefit of helping to defend against data security threats and attacks.
What is SOX Compliance? A Definition
The Sarbanes-Oxley Act was introduced in the USA in 2002. Senator Paul Sarbanes and Representative Michael Oxley sponsored the Act to improve corporate governance and accountability, in response to the large financial scandals of the preceding years (Enron and WorldCom among them).
The details of SOX compliance are complex. In practice, SOX compliance refers to the annual audits that public companies must undergo, in which they are bound by law to show evidence of accurate, secured financial reporting.
Public companies are required to comply with SOX both financially and in IT. IT departments found themselves affected by SOX as the Act changed the way that corporate electronic records were stored and handled. SOX internal security controls require data security practices and processes and complete visibility over interactions with financial records over time.
Non-compliance with SOX is serious: it can result in large fines and, for executives who knowingly certify false reports, imprisonment.
Who Must Comply with SOX?
All publicly traded companies in the USA must comply with SOX, as well as their wholly-owned subsidiaries and any foreign companies whose securities are registered with the SEC and traded on US exchanges. Accounting firms that audit companies bound by SOX are also, by extension, obliged to comply.
Other companies, including private ones and non-profits, generally do not have to comply with SOX, although adhering to it anyway is good business practice. There are other reasons, besides good business sense, to comply with SOX even if you are not publicly traded. Some provisions of the Act (notably Section 802) apply regardless of public status: knowingly destroying, altering or falsifying records to obstruct a federal investigation is a criminal offence under the Act.
Companies that are planning on going public, perhaps via an IPO (Initial Public Offering) should prepare to be bound by SOX.
SOX Compliance Requirements
SOX Section 404 requires that each annual report include an Internal Controls Report, in which management assesses the effectiveness of the company's internal control over financial reporting. The report should show that the company's financial data is accurate and free of material misstatement (the Act sets no fixed percentage tolerance; materiality is a judgement made together with the auditors) and that appropriate and adequate controls are in place to ensure that the data is secure.
An annual financial report is also required.
SOX audits are carried out by independent external auditors; controls, policies and procedures are all reviewed during the Section 404 audit.
Section 404 audits also look at staff, potentially including interviews, to ensure that job descriptions match actual duties and that the required training on how to handle financial data has taken place.
SOX sections 302 (executive certification of financial reports), 404 (internal controls) and 409 (timely disclosure of material changes) do not name specific technologies, but demonstrating compliance with them in practice requires auditing, logging and monitoring across internal controls, network and database activity, login activity, account activity, user activity and information access.
SOX audits often use frameworks such as COBIT to assess internal controls and procedures. Make sure that any log collection, auditing and monitoring solutions you rely on can provide a complete audit trail of access to, and interactions with, sensitive data.
SOX IT Audits
Auditing the company’s internal security controls is often the largest, most complex and time-consuming part of a SOX compliance audit. This is because internal controls include all of the company’s IT assets, such as computers, hardware, software and all the other electronic devices that can access financial data.
SOX IT audits are focused on the following key areas:
IT Security: Companies need to ensure that they have a way to locate where sensitive data is, see who has access to it and monitor user interactions with it. Should an incident occur, the company needs to be able to take action to remediate it in an effective and timely manner. To do this adequately, it’s likely you will need strict policies and procedures combined with auditing and monitoring technology.
Access Controls: Ensure that only the right people have access to sensitive financial information, both physically and electronically, by limiting access and implementing controls on access. This could be securing servers behind biometric doors, implementing password policies and more.
Data Backup: Ensure that data is backed up so that, in the event of an incident, data loss is minimized. Any data center or third party holding backup copies of financial data is within the scope of the audit.
Change Management: Whenever your IT environment changes (new employees, new computers, updated software and so on), records of the change must be kept and the appropriate security maintained.
SOX Compliance Checklist
There is no one size fits all checklist for SOX compliance, as each organization looks different. However, some general guidelines are as follows:
Review & monitor access controls
Ensure that you regularly review and monitor access controls and get real-time alerts following permission changes that could affect access to sensitive financial information. Ensure that you track anomalous logon attempts and any tampering with financial records. As always, strictly adhere to the Principle of Least Privilege (PoLP).
Ensure that all of your systems are up to date, including (and especially) your logging and monitoring software.
Ensure that any alerts you receive through your SOX audit solution are dealt with immediately and investigated appropriately.
Classify your sensitive data
Ensure that you regularly classify your sensitive financial data and know whenever financial data is created.
Monitor user behavior
Ensure you are monitoring user behavior and can spot anomalies that may lead to breaches in SOX compliance. For example, users should not be copying financial data to unsecured locations.
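As an added example (not code from the original page), the following Python script runs three of the detection rules described under "Review & monitor access controls" and "Monitor user behavior" over a handful of constructed audit-log lines: a permission change on a path classified as financial data, a burst of failed logons against one account, and a copy of a financial file to a location outside an approved set. The JSON event format, the field names, the path prefixes and the thresholds are all assumptions made for the example; a real deployment would map them onto the fields of its own log source.

```python
import json
from collections import defaultdict, deque

# Assumptions for this example: which paths count as financial data and where
# copies of it are allowed to land. A real deployment derives these from its
# data classification.
FINANCIAL_PREFIXES = ("/finance/", "/erp/gl/")
APPROVED_COPY_DESTINATIONS = ("/finance/", "/erp/gl/", "/backup/finance/")
FAILED_LOGON_THRESHOLD = 5   # failures for one account ...
FAILED_LOGON_WINDOW_S = 300  # ... within five minutes

# Constructed sample log (one JSON object per line). The event types and field
# names are invented for the example, not those of any real product or OS.
SAMPLE_LOG = """
{"ts":1700000000,"type":"acl_change","user":"jdoe","path":"/finance/2023/ledger.xlsx","grantee":"contractor7","rights":"write"}
{"ts":1700000010,"type":"acl_change","user":"jdoe","path":"/marketing/plan.docx","grantee":"asmith","rights":"read"}
{"ts":1700000020,"type":"logon_failure","user":"cfo","src":"203.0.113.9"}
{"ts":1700000040,"type":"logon_failure","user":"cfo","src":"203.0.113.9"}
{"ts":1700000060,"type":"logon_failure","user":"cfo","src":"203.0.113.9"}
{"ts":1700000080,"type":"logon_failure","user":"cfo","src":"203.0.113.9"}
{"ts":1700000100,"type":"logon_failure","user":"cfo","src":"203.0.113.9"}
{"ts":1700000150,"type":"logon_failure","user":"asmith","src":"10.0.0.5"}
{"ts":1700000200,"type":"file_copy","user":"jdoe","src":"/finance/2023/ledger.xlsx","dst":"/home/jdoe/Dropbox/ledger.xlsx"}
{"ts":1700000210,"type":"file_copy","user":"backup","src":"/finance/2023/ledger.xlsx","dst":"/backup/finance/ledger.xlsx"}
"""


def is_financial(path):
    return path.startswith(FINANCIAL_PREFIXES)


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of (rule, user, detail) alerts, in log order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logons
    for e in events:
        kind = e["type"]
        if kind == "acl_change" and is_financial(e["path"]):
            # Every permission change on financial data is reviewed, not only escalations.
            alerts.append(("PERMISSION_CHANGE", e["user"],
                           f"{e['path']} granted {e['rights']} to {e['grantee']}"))
        elif kind == "logon_failure":
            recent = failures[e["user"]]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > FAILED_LOGON_WINDOW_S:
                recent.popleft()   # slide the window forward
            if len(recent) == FAILED_LOGON_THRESHOLD:   # fire when the threshold is first crossed
                alerts.append(("LOGON_ANOMALY", e["user"],
                               f"{len(recent)} failures in {FAILED_LOGON_WINDOW_S}s from {e['src']}"))
        elif (kind == "file_copy" and is_financial(e["src"])
              and not e["dst"].startswith(APPROVED_COPY_DESTINATIONS)):
            alerts.append(("UNAPPROVED_COPY", e["user"], f"{e['src']} -> {e['dst']}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:18} {user:12} {detail}")
```

Run against the constructed log, the script raises three alerts: the write grant on the ledger file, the fifth failed logon for the cfo account inside five minutes, and the copy of the ledger to a personal sync folder. The marketing ACL change, the single failure for asmith and the copy to the approved backup location are ignored. The sliding window is what keeps the logon rule from firing on ordinary mistyped passwords spread over a day.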
Maintain a SOX compliance status report
Maintain a regular and up to date SOX compliance status report. This will help you produce the required information in the event of a SOX audit.
Be transparent with the auditors
Grant SOX auditors access to the systems and data they need to do their job. Send activity reports directly to the auditors via email or some other method. Any technical difficulties relating to the security measures applied to financial data should be reported to the auditors.
Train your employees
Ensure that all employees, old and new, are regularly trained on how best to handle financial data, including the SOX requirements.
Define breach notification procedures
Report security incidents and breaches in a timely manner and with as much detail as possible.
Maintain historical data
Keep an immutable record of all events surrounding data breaches and other security incidents. This will enable the security team to conduct a forensic investigation and demonstrate its findings to the auditors.
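The following Python example, added here and not taken from the original page, shows one way to make such a record tamper-evident: each entry carries a keyed hash (HMAC-SHA256) of its own content together with the previous entry's hash, so editing, deleting or reordering an earlier entry breaks verification of every entry after it. The sample events and the demo key are constructed for the example. In practice the key would be held by a party other than the systems that write the log, and the latest hash would be anchored somewhere the writers cannot reach (a write-once store or a separately administered system), which this example does not do.

```python
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64

# Constructed sample events for the example (not real incident data).
SAMPLE_EVENTS = [
    {"ts": 1700000000, "user": "jdoe", "action": "read", "path": "/finance/2023/ledger.xlsx"},
    {"ts": 1700000060, "user": "jdoe", "action": "write", "path": "/finance/2023/ledger.xlsx"},
    {"ts": 1700000120, "user": "asmith", "action": "read", "path": "/finance/2023/ledger.xlsx"},
]

# Assumption: demo key only. The real key must be held away from the log writers.
DEMO_KEY = b"example-key-held-by-security-team"


def canonical(obj):
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, record, key):
    """Keyed hash over the previous entry's hash and this record's content."""
    body = {"prev": prev_hash, "record": record}
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def append_entry(chain, record, key):
    """Append a record, linking it to the hash of the current last entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    chain.append({"prev": prev_hash, "record": record,
                  "hash": entry_hash(prev_hash, record, key)})
    return chain


def verify_chain(chain, key):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        expected = entry_hash(entry["prev"], entry["record"], key)
        if entry["prev"] != prev_hash or not hmac.compare_digest(expected, entry["hash"]):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def build_chain(events=SAMPLE_EVENTS, key=DEMO_KEY):
    chain = []
    for record in events:
        append_entry(chain, record, key)
    return chain


def tamper_demo(key=DEMO_KEY):
    """Show that editing or deleting a past entry is detected.

    Returns (result_intact, result_after_edit, result_after_delete).
    """
    chain = build_chain(key=key)
    intact = verify_chain(chain, key)
    edited = json.loads(json.dumps(chain))        # deep copy
    edited[1]["record"]["user"] = "someone_else"  # rewrite history
    deleted = json.loads(json.dumps(chain))
    del deleted[1]                                # remove an entry
    return intact, verify_chain(edited, key), verify_chain(deleted, key)


if __name__ == "__main__":
    print(tamper_demo())
```

Both the edited and the truncated chain fail verification at index 1: the rewritten record no longer matches its stored hash, and after a deletion the next entry's "prev" field points at a hash that is no longer in the chain. Plain SHA-256 without the key would still catch accidental corruption, but an attacker with write access to the file could simply recompute the chain; the HMAC key, held elsewhere, is what turns the record into evidence an auditor can rely on.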
Prevent data loss
Have a robust data loss prevention strategy in place, which includes taking regular backups, monitoring suspicious file and folder activity and outbound network traffic.
Benefits of SOX Compliance
SOX compliance provides companies with a way of improving their data security whilst simultaneously helping to restore public confidence in big business. Shareholders benefit from financial reporting that is regulated and predictable, which in turn makes it easier for businesses to raise capital.
Companies adhering to SOX compliance will find that their ability to detect and react to security threats is greatly improved, which means that they are less likely to suffer devastating data breaches.
The amount of inter-departmental communication that SOX compliance requires can also help to improve company culture and drive growth and collaboration.
SOX Compliance for Data Protection
We have touched upon it a few times, but it bears repeating. SOX compliance is a great way to improve data protection and reduce your chances of falling victim to a data breach.
This is because, to comply with SOX, you will effectively have to model your security on the Data-Centric Audit and Protection (DCAP) model. This model requires you to understand where your sensitive data is, who has access to it, and what users are doing with it.