Achieving SOX Compliance Through Security Information Management

Introduction: Brief Overview of SOX

The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly referred to as SOX, is a federal law designed to improve financial disclosures and tighten oversight of accounting practices at publicly traded companies and public accounting firms. The legislation, prompted by high-profile fraud and accounting scandals dating back to the late 1990s, represents one of the largest reform measures in the history of US business regulation.

The regulation mandates strict operating and reporting practices for all publicly traded U.S. companies, foreign filers in US markets, and public accounting firms. The sections of SOX that impact the public company’s IT department include:

  • Section 302 — Corporate Responsibility for Financial Reports. Public company officers must confirm the reliability of quarterly and annual financial statements.
  • Section 404 — Management Assessment of Internal Controls. All publicly traded companies must include in their annual report to the SEC an assessment of the effectiveness of their internal controls over financial reporting, and the company's independent auditor must attest to that assessment. (SOX does not name them explicitly, but IT general controls fall within the scope of Section 404 compliance.)
  • Section 409 — Real-Time Issuer Disclosures. Public companies must disclose material changes in their financial condition or operations on a rapid and current basis. (Again not spelled out in the statute, but a major information security breach can give rise to a significant deficiency or material weakness in the internal control structure.)

The primary focus for SOX compliance has been Section 404. Management must consider the extent to which threats and vulnerabilities in the corporate computing environment can represent a significant deficiency or material weakness in the internal control structure. They must ensure that the systems, services, devices, and data involved in the production of corporate financial records and financial reporting are appropriately isolated, that physical and logical access is appropriately restricted, and that all controls are thoroughly tested and documented on a routine basis.

The SOX Challenge: Improving the Accuracy and Reliability of Financial Reporting

Though SOX can improve corporate governance by strengthening the internal control structure, compliance presents significant challenges, particularly for IT organizations. IT general controls are closely scrutinized during the annual audit because virtually all of the company's financial data resides on network servers. IT departments must provide detailed information to internal and external auditors about the IT general controls protecting financial reporting data and processes. Network administrators need the ability to use existing technology to manage and report on access controls for the target environment, and to provide documented evidence that those controls are reliable.

SOX mandates accountability and requires each organization to examine the effectiveness of its approach to information security. To be effective, an information security solution must demonstrate that IT general controls are managed and monitored over time. It should also ensure that every system, service, device, data store, and person that touches financial data or the reporting process is secured.

Financial information security is a complex task requiring a broad security strategy. Organizations must not only achieve SOX compliance but also maintain it continuously.

Publicly traded companies must do the following in support of Section 404:

  • Ensure that IT security administration monitors and logs security activity and any identified security violations.
  • Review a sample of problems or incident reports, to consider if the issues were addressed in a timely manner.
  • Determine if the organization’s procedures include audit trail facilities for incident tracking.
  • Review a sample of problems recorded on the problem-management system to consider if a proper audit trail exists and is used.
  • Ensure that system-event data are sufficiently retained to provide chronological information and logs to enable the review, examination, and reconstruction of system and data processing.

Beyond logging and review, the company must define and control the target environment:

  • Identify all systems, services, devices, data, and personnel that participate in the production of financial data and financial reporting
  • Isolate this target environment from the rest of the corporate computing network
  • Restrict physical and logical access to the target
  • Monitor physical and logical access to the target
  • Monitor the target for unusual and/or anomalous activity
  • Create an incident response plan specific to the target
  • Test and review the incident response plan
  • Routinely test controls in place and prepare summary reporting for the internal audit team
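The monitoring, audit-trail and retention items in the two lists above become concrete once they are expressed as checks over actual log data. The script below is an added illustration written for this page, not code from the original report or from any SIM product. It parses a handful of constructed (made-up) access log lines for two hypothetical in-scope hosts, applies simple access-control and anomaly rules (user not authorized on the host, logon from outside the isolated segment, after-hours change to ledger data, repeated logon failures), and checks the retained trail for gaps that would break a chronological reconstruction. The host names, user names, the 10.50.0.0/24 segment, the business-hours window and the thresholds are all assumptions chosen for the example.

```python
"""Added example for this page (not from the original report): a minimal
monitoring pass over access logs for an isolated financial-reporting environment.

Everything below is hypothetical: the in-scope hosts, their authorized users,
the isolated segment 10.50.0.0/24, the 08:00-18:00 change window and the
12-hour audit-trail gap threshold.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical scope: in-scope hosts and the users authorized on each.
IN_SCOPE = {
    "gl-db01": {"svc_gl", "jsmith"},             # general ledger database
    "rpt-app01": {"svc_rpt", "jsmith", "mlee"},  # financial reporting application
}
ISOLATED_SEGMENT = ipaddress.ip_network("10.50.0.0/24")  # assumed segment
CHANGE_WINDOW = range(8, 18)        # assumed hours during which changes are expected
FAILURE_THRESHOLD = 3               # assumed repeated-failure threshold

# Constructed sample events (syslog-style); not real log data.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z gl-db01 LOGIN user=jsmith src=10.50.0.21 result=success
2024-03-01T09:05:40Z gl-db01 QUERY user=jsmith src=10.50.0.21 object=gl_journal action=select
2024-03-01T22:47:03Z gl-db01 LOGIN user=bwayne src=10.50.0.22 result=success
2024-03-01T22:48:15Z gl-db01 QUERY user=bwayne src=10.50.0.22 object=gl_journal action=update
2024-03-02T03:10:00Z rpt-app01 LOGIN user=mlee src=192.168.7.14 result=success
2024-03-02T08:30:12Z rpt-app01 LOGIN user=svc_rpt src=10.50.0.30 result=failure
2024-03-02T08:30:14Z rpt-app01 LOGIN user=svc_rpt src=10.50.0.30 result=failure
2024-03-02T08:30:16Z rpt-app01 LOGIN user=svc_rpt src=10.50.0.30 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: (?P<rest>.*))?$"
)


def parse_log(text):
    """Parse log lines into dicts and return them in chronological order (the audit trail)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines would be reported separately in practice
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for kv in (ev.pop("rest") or "").split():  # remaining key=value pairs
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_violations(events):
    """Apply access-control and anomaly rules to in-scope events; return (rule, event) pairs."""
    findings = []
    failures = Counter()
    for ev in events:
        if ev["host"] not in IN_SCOPE:
            continue  # outside the Section 404 target environment
        if ev["user"] not in IN_SCOPE[ev["host"]]:
            findings.append(("unauthorized_user", ev))
        if ipaddress.ip_address(ev["src"]) not in ISOLATED_SEGMENT:
            findings.append(("outside_segment", ev))
        is_change = ev["event"] == "QUERY" and ev.get("action") in {"update", "delete"}
        if is_change and ev["ts"].hour not in CHANGE_WINDOW:
            findings.append(("after_hours_change", ev))
        if ev["event"] == "LOGIN" and ev.get("result") == "failure":
            failures[(ev["host"], ev["user"])] += 1
            if failures[(ev["host"], ev["user"])] == FAILURE_THRESHOLD:
                findings.append(("repeated_login_failure", ev))
    return findings


def audit_gaps(events, max_gap):
    """Return (start, end) intervals with no retained events longer than max_gap.
    Such gaps mean the trail cannot support a chronological reconstruction."""
    return [(p["ts"], c["ts"]) for p, c in zip(events, events[1:]) if c["ts"] - p["ts"] > max_gap]


def summary_report(text, max_gap=timedelta(hours=12)):
    """Produce the summary an internal audit team would review."""
    events = parse_log(text)
    findings = find_violations(events)
    return {
        "events": len(events),
        "findings": Counter(rule for rule, _ in findings),
        "gaps": audit_gaps(events, max_gap),
    }


if __name__ == "__main__":
    report = summary_report(SAMPLE_LOG)
    print(f"{report['events']} events reviewed")
    for rule, count in sorted(report["findings"].items()):
        print(f"  {rule}: {count}")
    for start, end in report["gaps"]:
        print(f"  audit-trail gap: {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}")
```

On the constructed input the report flags two events by a user not authorized on gl-db01, one logon from outside the isolated segment, one after-hours update to the ledger table, and one burst of repeated logon failures, plus one interval of more than 12 hours with no retained events. A real deployment would replace the inline scope definition with the inventory produced by the "Identify" step, feed it from the log collection the SIM already performs, and keep the findings themselves as part of the retained audit trail.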

Though no single software product can deliver full Section 404 compliance, the right SIM technology can help public companies manage the IT general controls efficiently. An effective security management solution gives public companies the tools to implement, maintain, and report on information security controls with minimal resource overhead.

SOX makes the appropriate management of information security a matter of corporate governance. Senior management and board-level directors now bear personal responsibility for oversight of compliance, so executive management must work closely with IT organizations on risk assessment and on the implementation of security policies and operations. Overall, a security program that integrates people, policies, process, and technology is the best approach to managing Section 404 compliance.

Register now to read the full report, which outlines in detail how an effective Security Information Management solution can support SOX compliance.