LCARSCom.org | The LCARS Computer Network | A Star Trek Fan Site

5 IT Best Practices for Sarbanes-Oxley Compliance

lcarscom by lcarscom
December 26, 2024
in Legal

Sarbanes-Oxley Compliance (Source: Pixabay.com)

Sarbanes-Oxley (SOX) requirements are one of the most important compliance challenges that publicly traded corporations face today. SOX has also become one of the main drivers of enterprise technology and information security expenditure. Yet, despite its existence for nearly two decades, many corporate executives remain unsure about what the exact IT requirements for SOX compliance are. And it’s understandable.

SOX is a financial reporting and accounting mandate that has ramifications for technology infrastructure. Even though the act doesn’t explicitly reference encryption or password rules, the role of IT as a facilitator is implied. While it’s the CFO’s role to ensure data accuracy, the CIO, CTO and CISO tackle the data security and integrity question.

Due to the lack of specific guidance on the technologies necessary for SOX compliance, business and IT leaders have often found themselves groping in the dark. To pass a SOX compliance audit, an organization must implement a number of IT best practices. We look at some of these.

1.   SSL/TLS Encryption for Web-Enabled Applications

SSL/TLS isn’t an absolutely impregnable defense, but it’s certainly the best encryption protection currently available for websites and web-enabled applications. When an SSL/TLS connection is established, the web server sends its public key to the client browser, which the client uses to create a session key with the server.

Although rogue sensors and Man-in-the-Middle (MITM) attacks can successfully identify the session and the public key, they cannot decrypt the communication without the server’s private key.

2.   End-Point Protection

Securing enterprise servers with firewalls and antivirus tools is the absolute minimum an organization is expected to do. However, complying with SOX requires that public companies go a step further.

For firewalls, all ports that serve no specific purpose must be blocked. Get rid of any exceptions in your antivirus scanner. Integrate account and financial reporting applications with an overarching enterprise systems management platform that streamlines your ability to quickly set policy, aggressively deploy updates, prevent configuration tampering and rapidly report possible attacks and significant security issues.

SOX regulators and auditors love audit trails and system-generated reports. A management platform that consolidates security events taking place in your end-points can only be a good thing for SOX compliance.
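As an added example (not from the original article), the sketch below turns the "block every port with no specific purpose" rule into a repeatable report: it parses the output of `ss -H -tln` and lists every listening TCP port that has no documented business purpose. The allowlist and the sample output are constructed for illustration.

```python
from __future__ import annotations

# Hypothetical allowlist: every approved port carries its business purpose.
APPROVED_PORTS = {22: "SSH for administrators", 443: "finance web app over TLS"}

# Constructed sample of `ss -H -tln` output (listening TCP sockets, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      128             [::]:23            [::]:*
LISTEN 0      100                *:8080             *:*
"""


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Extract (local address, port) pairs from `ss -H -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank lines or anything that is not a listener
        address, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((address, int(port)))
    return listeners


def unapproved_listeners(ss_output: str, approved: dict[int, str]) -> list[dict]:
    """Report listeners with no documented purpose, sorted by port."""
    findings = []
    for address, port in parse_listeners(ss_output):
        if port in approved:
            continue
        host = address.split("%")[0]  # drop an interface suffix such as %lo
        loopback = host.startswith("127.") or host == "[::1]"
        findings.append({"port": port, "address": address,
                         "exposure": "loopback" if loopback else "network"})
    return sorted(findings, key=lambda f: f["port"])
```

Loopback-only listeners are still reported, tagged separately, so the reviewer can decide whether the service should exist at all.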

3.   Reduce Attack Surface On Systems Accessing Financial Applications

If employees are going to work on crucial accounting and financial systems from their own computers, simply running operating system and antivirus updates will not suffice to create a safe environment for the financial data.

Plenty more has to be done, including disabling superfluous services, uninstalling unneeded browser add-ons, using group policy to limit user access and permissions, and aggressively applying security policies.

4.   Database Activity Monitoring Tools

SOX is fixated on the integrity and accuracy of financial data. Auditing all activity on tables holding sensitive information is vital.

Consider removing database administrators (DBAs) from database security-related duties. This would prevent a rogue DBA from tampering with financial data and thereafter covering their tracks by altering the audit and monitoring reports along the accounting and financial data workflow.

Instead, database activity monitoring should be automated as much as possible with reports sent to IT security staff and relevant operations and finance managers.
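One way to make the audit trail itself resistant to the rogue-DBA scenario described above, shown as an added example that is not part of the original article: each audit record carries an HMAC chained to the previous record, so an edited, deleted or truncated entry is detectable by anyone holding the key. The key handling, event fields and table names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Assumption: this key lives only on the security team's log collector,
# never on the database host or with the DBAs being monitored.
CHAIN_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

# Constructed sample events; table and account names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2024-12-02T09:14:03Z", "user": "app_ledger",
     "stmt": "INSERT INTO gl_entries VALUES (1001, 'revenue', 2500.00)"},
    {"ts": "2024-12-02T23:41:17Z", "user": "dba_jdoe",
     "stmt": "UPDATE gl_entries SET amount = 9500.00 WHERE id = 1001"},
    {"ts": "2024-12-03T08:02:55Z", "user": "app_ledger",
     "stmt": "SELECT SUM(amount) FROM gl_entries"},
]


def link_mac(prev_mac: str, event: dict) -> str:
    """HMAC over the previous record's MAC plus this event's canonical JSON."""
    body = json.dumps(event, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def seal(events: list[dict]) -> tuple[list[dict], str]:
    """Chain the events; return the trail and the head MAC to store off-host."""
    trail, prev = [], GENESIS
    for event in events:
        prev = link_mac(prev, event)
        trail.append({"event": event, "mac": prev})
    return trail, prev


def first_broken_record(trail: list[dict], expected_head: str) -> int | None:
    """Index of the first record that fails to verify; len(trail) if the
    records verify but the trail was truncated; None if the trail is intact."""
    prev = GENESIS
    for i, record in enumerate(trail):
        if not hmac.compare_digest(link_mac(prev, record["event"]), record["mac"]):
            return i
        prev = record["mac"]
    return None if hmac.compare_digest(prev, expected_head) else len(trail)
```

The head MAC returned by `seal` has to be stored somewhere the DBAs cannot write to; without it, removing the most recent records would go unnoticed.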

5.   Removable Media

Removable media can be the weakest link in a company’s management and protection of financial data. Given the substantial risks that come with placing sensitive data on removable media, their use should be prohibited if possible. Nevertheless, banning removable media won’t always be possible or practical.

If you must allow removable media, ensure you have policy and controls safeguarding any information contained therein. Without that, your business will be falling short of SOX compliance. The good thing is there are low-cost third-party data loss prevention products you could install to automatically check and enforce encryption of data sent to removable media.

When it comes to other major compliance regulations and standards such as GDPR, PCI DSS, and HIPAA, the IT department often builds the foundation for compliance, then the rest of the business follows. With SOX, IT comes in after the business has laid the groundwork. Either way, it’s crucial that IT and the business work together if they are to address the SOX challenge satisfactorily.

Copyright © 2025 All Rights Reserved | Powered by LCarComNet Email: LCarComNet@Gmail.com
