Achieving SOX Compliance Through Security Information Management
The regulation mandates strict operating and reporting practices for all publicly traded U.S. companies, foreign filers in US markets, and public accounting firms. The sections of SOX that impact the public company's IT department include:
Section 302 -- Corporate Responsibility for Financial Reports. Public company officers must confirm the reliability of quarterly and annual financial statements.
Section 404 -- Management Assessment of Internal Controls. All publicly traded companies must submit an annual report to the SEC on the effectiveness of their internal accounting controls. The independent company auditor must also attest to the accuracy of the report. (While not explicitly defined, IT general controls are included in the scope of Section 404 compliance.)
Section 409 -- Real-Time Issuer Disclosures. Public companies must stay abreast of and declare material changes in their financial condition or operations within 48 hours. (While not specifically defined, a major breach in information security has the potential to cause a significant deficiency or material weakness in the internal control structure.)
The primary focus for SOX compliance has been Section 404. Management must consider the extent to which threats and vulnerabilities in the corporate computing environment can represent a significant deficiency or material weakness in the internal control structure. They must ensure that the systems, services, devices, and data involved in the production of corporate financial records and financial reporting are appropriately isolated, that physical and logical access is appropriately restricted, and that all controls are thoroughly tested and documented on a routine basis.
The SOX Challenge: Improving the Accuracy and Reliability of Financial Reporting
Though SOX can positively affect corporate governance by improving the internal control structure, compliance presents significant challenges, particularly for IT organizations. The IT general controls are very closely scrutinized during the annual audit, because virtually all of the company's financial data resides on network servers. IT departments must provide detailed information to internal and external auditors about the IT general controls protecting financial reporting data and processes. Network administrators need the ability to use existing technology to manage and report on access controls related to the target environment, and to provide documented evidence of the reliability of those controls.
SOX mandates accountability and requires each organization to examine the effectiveness of its approach to information security. To be effective, an information security solution must demonstrate that IT general controls are managed and monitored over time. The solution should also ensure that all systems, services, devices, data, and personnel that touch financial data and reporting processes are secured.
Financial information security is a complex task requiring a broad security strategy. Organizations must not only achieve SOX compliance -- but also maintain it continuously.
Publicly traded companies must do the following in support of Section 404:
- Ensure that the IT security administration monitors and logs security activity and identified security violations.
- Review a sample of problem or incident reports to consider whether the issues were addressed in a timely manner.
- Determine if the organization's procedures include audit trail facilities for incident tracking.
- Review a sample of problems recorded on the problem-management system to consider whether a proper audit trail exists and is used.
- Ensure that system-event data are sufficiently retained to provide chronological information and logs that enable the review, examination, and reconstruction of system and data processing.
- Identify all systems, services, devices, data, and personnel that participate in the production of financial data and financial reporting.
- Isolate this target environment from the rest of the corporate computing network.
- Restrict physical and logical access to the target.
- Monitor physical and logical access to the target.
- Monitor the target for unusual and/or anomalous activity.
- Create an incident response plan specific to the target.
- Test and review the incident response plan.
- Routinely test the controls in place and prepare summary reporting for the internal audit team.
Though no single software product can enable full Section 404 compliance, the right SIM technology can help public companies efficiently manage the IT general controls. An effective security management solution gives public companies the tools to implement, maintain, and report on information security controls with minimal utilization of resources.
SOX mandates that corporate governance now include the appropriate management of information security. Senior management and even board-level directors now bear personal responsibility for oversight of compliance. Executive management needs to work closely with IT organizations on risk assessment and the implementation of security policies and operations. Overall, a security program that integrates people, policies, process, and technology is the best approach to managing Section 404 compliance.
Register now to read the full report outlining in detail how an effective Security Information Management solution can enable SOX compliance.
About netForensics
netForensics, a global leader in Security Information Management, provides solutions that enable enterprises and government agencies to better respond to security threats and maintain compliant operations by transforming all security-related information into actionable intelligence.
The company's award-winning SIM platform, nFX OSP, solves core SIM problems such as threat identification, event correlation, and incident response, while providing a foundation for broader enterprise security and compliance solutions.