Home » Security Bloggers Network » SOX – Not Just for Foxes and Baseball; A Sarbanes-Oxley IT Compliance Primer

SOX – Not Just for Foxes and Baseball; A Sarbanes-Oxley IT Compliance Primer

There are Red Sox, White Sox, and Fox in Socks. At the turn of the century, a new SOX entered our lexicon: The Sarbanes-Oxley Act of 2002. This financial regulation was a response to large corporate misdeeds at the time, most notably Enron misleading its board through poor accounting practices and insufficient financial oversight.

The regulation seeks to ensure accurate and reliable financial reporting for public companies in the United States. But what does financial reporting have to do with cybersecurity and IT compliance?

A lot, as it turns out, now that it’s no longer en vogue to have scribes with long feather quills scribbling out numbers in giant paper books. Financial systems are now ruled by servers, databases, complex ERP applications, and the people who run them, much to the detriment of the quill, ink and abacus peddlers of the world (and much to the benefit of the IT auditors…).

While the bill is far reaching, the section of Sarbanes-Oxley that most affects IT is section 404. It requires “Management Assessment of Internal Controls,” which is a tiny portion of the legislation and a huge part of any audit. Auditors need to know that the controls are actually in place and assure the effectiveness of the controls with regard to the financial systems and processes.

In practical IT terms, this means they want to know that data flowing through the system can’t be tampered with and controls are in place to manage risk to that data.

Some primary control areas are:

• Change Management
• Physical and Logical Access Management
• Disaster Recovery (backups, business continuity planning)
• Automated Processes (scheduled jobs)

Auditors will be concerned with policy and process and they will want to see evidence that they are working effectively. A great example is change management. Companies will need to show (Read more...)