Meeting government and industry compliance requirements is one of the top challenges faced by IT professionals. We at Fortra know how security standards and regulations add to your already full workload and can make your job more complicated—especially since compliance requirements are rarely clear or easy to interpret.
This guide is designed to help you make sense of the Public Company Accounting Reform and Investor Protection Act of 2002—better known as Sarbanes-Oxley (SOX). Keep reading to see how addressing compliance requirements can improve your cybersecurity posture—and unlock new opportunities for your IT team.
Once, the sole purpose of IT security was to keep data from being lost, stolen, or corrupted. Today cybersecurity can have an even greater impact. New technology like mobile devices and cloud applications can make a business more efficient and more profitable, but only if effective security controls are in place to minimize the risks they introduce.
IT professionals who can meet security and compliance needs while advancing business goals are in a class of their own and we can help you get there, starting with SOX compliance. We’ve included a compliance checklist that highlights security requirements relevant to SOX, helping you determine where to focus your efforts.
Why Is SOX Compliance Important for IT Security?
This 2002 U.S. law was passed in response to the accounting scandals at corporations that became synonymous with fraud and corruption: Enron, WorldCom, and Tyco. The goal of SOX is to hold companies accountable for corporate financial reporting and governance.
IT is part of the equation when accounting and reporting are performed electronically, which is true of virtually all modern businesses. The problem is that SOX is lengthy and vague, and doesn’t reference any specific IT security controls.
Much has been written about SOX by legal and accounting experts, and the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) have issued hundreds of pages of rules and guidance.
It’s easy to get lost in the weeds, but two facts can help keep SOX compliance in perspective. First, SOX focuses exclusively on the accuracy and integrity of financial reporting. Second, any resources dedicated to SOX serve a higher purpose, since the security controls that help you comply with SOX also help protect your system from cybersecurity threats.
But Remember: SOX Compliant Doesn’t Equal Secure
While SOX compliance contributes to your cybersecurity posture, being compliant is not the same as being secure. Threats evolve much faster than federal laws—including SOX—can be updated. Meeting compliance requirements won’t necessarily keep you ahead of cybercriminals. Security efforts shouldn’t stop once SOX compliance is under control. Implementing a multi-layered defense will help minimize security risks, and this is a wise approach even if it’s not required by any compliance mandate.
Basic Considerations for Navigating Compliance
The specifics of every mandate are different, but some basic controls are repeated across most major compliance mandates:
- Identify or inventory critical data, so you know where it resides and can protect it.
- Monitor and prevent unauthorized changes (file integrity monitoring).
- Measure and analyze risks (vulnerability assessment).
- Detect and prevent malware and viruses.
- Create and enforce a security policy.
- Maintain an audit trail.
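Two of the controls above, file integrity monitoring and an audit trail, are easiest to understand in code. The following is an added example, not code from the original page or from Fortra: it takes a SHA-256 baseline of a directory, rescans it, classifies every added, removed, or modified file, and appends each finding to a JSON-lines audit log. The directory layout, file contents, and the "ledger" tampering scenario are constructed for the demonstration.

```python
"""Minimal file integrity monitor with an append-only audit trail.

Added example (not from the original page). Baseline a directory by hashing
every file, rescan later, report differences, and record each finding in a
JSON-lines log. All paths and file contents below are constructed test data.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files never load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two scans of the same tree."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def append_audit(log_path: Path, actor: str, findings: dict) -> int:
    """Append one JSON record per finding; returns the number written.

    On a real system this log should live where the monitored users cannot
    write to it (separate host or restricted path), otherwise an attacker who
    alters the ledger can also erase the evidence.
    """
    written = 0
    with log_path.open("a", encoding="utf-8") as log:
        for event, paths in findings.items():
            for p in paths:
                record = {"ts": time.time(), "actor": actor, "event": event, "path": p}
                log.write(json.dumps(record) + "\n")
                written += 1
    return written


def demo() -> dict:
    """Constructed scenario: baseline a ledger directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ledger"
        (root / "2023").mkdir(parents=True)
        (root / "2023" / "q4.csv").write_text("acct,amount\n1001,250.00\n")
        (root / "config.ini").write_text("approver=cfo\n")
        baseline = build_baseline(root)

        # Changes made outside any change-control process (constructed)
        (root / "2023" / "q4.csv").write_text("acct,amount\n1001,2500.00\n")
        (root / "config.ini").unlink()
        (root / "notes.txt").write_text("scratch\n")

        findings = compare(baseline, build_baseline(root))
        append_audit(Path(tmp) / "fim-audit.jsonl", "fim-scan", findings)
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A scheduled run of `demo()`-style scanning against real ledger paths, with the baseline stored read-only and the log shipped off-host, is the shape of the "monitor and prevent unauthorized changes" control; the compare step is what turns hashes into evidence an auditor can read.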
These security concepts inform SOX and other compliance mandates. With this knowledge, you’ll have an easier time interpreting the details of a regulation or standard—as well as determining how to meet it.
Getting Started with SOX Compliance
IT security is not the primary goal for SOX, which helps explain why it wasn’t written with an IT audience in mind. Unlike PCI DSS, you won’t find references to internet connections or mobile devices within the text of SOX.
Avoiding technology-specific language keeps the law from going out of date as technology changes. It also lets organizations covered by SOX adopt new technologies that help them meet SOX requirements.
This approach provides flexibility, but it also makes SOX compliance challenging. Cybersecurity and compliance professionals have to translate SOX into IT terms to determine whether their organization is compliant or what steps they need to take to become compliant.
SOX Sections with Clear Implications for IT
Because much of SOX does not affect technology resources, we’ve outlined the two provisions that are most relevant to IT professionals.
Section 302: The CEO and CFO are responsible for reviewing financial reports and must personally certify that the reports are complete and accurate. These corporate officers are also responsible for internal controls, including evaluating internal controls and listing deficiencies of internal controls.
What are internal controls and what does this mean for IT?
Internal controls in this context are processes that assure reliable financial reporting and compliance with laws and policies. Essentially, section 302 requires the CEO and CFO to certify that IT controls are in place to prevent fraudulent changes to electronic financial records.
Section 404: Financial reports must include an internal control report in which management affirms their responsibility for maintaining adequate internal controls. The company must also include an assessment of how effective the internal control process and structure are.
What IT controls are required?
SOX doesn’t specify exactly what controls are necessary or even what this means for IT, but most companies have adopted the COBIT framework to define and document internal controls.
Does this mean companies have to implement COBIT to comply with SOX?
Not exactly. COBIT—Control Objectives for Information and Related Technology—was created by ISACA and it includes roughly 300 generic objectives. Many of these objectives are not relevant to SOX compliance, since SOX is concerned with IT security only as it relates to internal financial auditing controls and the possibility for fraud.
Also, SOX doesn’t expressly require companies to use the COBIT framework. There are other frameworks for documenting internal controls that could suffice, but COBIT has the advantage of linking business goals with IT goals.
COBIT best practices have practically become the de facto standard for SOX compliance. It can serve as a guide that helps you work toward specific, IT-centric goals, which will collectively add up to SOX compliance. Many auditors are familiar with COBIT, so it can serve as a common reference point, no matter what platform your company is on. In addition to achieving SOX compliance, meeting COBIT objectives contributes to your security posture.
If your organization decides to use COBIT to meet SOX requirements, how you apply COBIT best practices will be determined by your IT environment’s unique characteristics. There is no one-size-fits-all path to SOX compliance.
What Organizations Does SOX Apply To?
It’s widely known that SOX covers publicly held companies, but some SOX provisions also apply to private companies and the accounting firms that provide services to businesses covered by SOX. For example, both public and private companies are barred from intentionally destroying or changing documents with the intent to influence a federal investigation. In some circumstances, SOX also applies to private companies with employee stock ownership plans.
Publicly traded non-U.S. companies that have registered equity or debt securities with the SEC must also comply with SOX.
Even when it isn’t legally required, compliance with SOX and other corporate governance best practices offers advantages for companies. Inadequate corporate governance practices can hurt a company’s ability to obtain loans, attract investors, or go public in the future. Following SOX requirements can protect a company from litigation and make an acquisition by a publicly traded company much easier.
Penalties for SOX Non-Compliance
A person who knowingly alters, destroys, or conceals records with the intent to obstruct a federal investigation faces up to 20 years in prison (Section 802). Executives who certify a financial report knowing it does not comply face fines of up to $1 million and 10 years in prison; willful false certification raises that to $5 million and 20 years (Section 906). The company itself might be removed from public stock exchange listings.
Because of these severe penalties, SOX compliance is critical to IT professionals and executives alike. If you apply SOX security controls (listed in the checklist below), you’ll have the documentation necessary to prove financial records have been properly maintained and are trustworthy.
SOX Checklist for the IT Professional
This checklist focuses on the COBIT objectives that—for most systems—are critical to achieving SOX compliance. It’s not legal advice, but this list will help you identify the strengths and weaknesses of your security controls as they relate to SOX compliance.
| COBIT Control | What’s Required | Status (Complete, In Progress, etc.) |
|---|---|---|
| Risk Assessment | Establish a general risk assessment approach, defining boundaries and methodologies with regard to security risk and vulnerabilities. Identify vulnerabilities and tools to control them. | |
| Use and Monitoring of System Utilities | Implement policies for using, monitoring, and evaluating the use of system utilities. Clearly define responsibilities for using sensitive software utilities, and monitor and log the use of these utilities. | |
| Manage Security Measures | Manage IT security such that security measures are in line with business requirements, including: | |
| Identification, Authentication, and Access | Restrict access to IT resources by implementing adequate identification, authentication, and authorization mechanisms. Such mechanisms should prevent unauthorized access to IT resources. Procedures should also be in place to keep authentication and access mechanisms effective, such as regular password changes. | |
| Security of Online Access to Data | In an online environment, implement procedures consistent with the security policy that provide access security controls based on an individual’s need to view, add, change, and delete data. | |
| Review of User Accounts | Establish a control process to review and confirm access rights periodically. Compare IT resources with recorded accountability to reduce the risk of errors, fraud, misuse, or unauthorized alteration. | |
| Security Surveillance | Ensure security activity is logged and any indication of an imminent security violation is reported immediately to all who may be concerned and is acted upon in a timely manner. | |
| Violation of Security Activity Reports | Ensure that violation and security activity is logged, reported, reviewed, and appropriately escalated on a regular basis, so that incidents involving unauthorized activity can be identified and resolved. Access to security and other logs should be granted based upon the principle of least privilege or need to know. | |
| Protection of Security Functions | Protect all security-related hardware and software against tampering, so that their integrity is maintained and secret keys are not disclosed. | |
| Malicious Software Prevention, Detection, and Correction | Establish a framework of adequate preventative, detective, and corrective control measures with respect to viruses and malware. Procedures should also include incident response and reporting. | |
| Unauthorized Software | Develop and enforce clear policies restricting the use of personal and unlicensed software. Use virus detection and remediation software. Check PCs for unauthorized software and periodically review the requirements of software and hardware license agreements. | |
| Problem Management System | Define and implement a problem management system to ensure all incidents, problems, and errors are recorded, analyzed, and resolved in a timely manner. Emergency procedures should be tested, documented, approved, and reported. Incident reports should be produced for significant problems. | |
| Problem Escalation | Define and implement a problem escalation process to ensure identified problems are solved in the most efficient way and in a timely manner. Ensure priorities are set appropriately. Document the escalation process for the activation of the IT continuity plan. | |
| Problem Tracking and Audit Trail | Ensure the problem management system provides adequate audit trail facilities that allow tracing from incident to underlying cause and back. It should work closely with change management, availability management, and configuration management. | |
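The "Review of User Accounts" row asks you to compare what the system actually grants with the recorded accountability for it. The following is an added example, not code from the original page or from Fortra, of what that comparison looks like in practice: an approved-entitlement list (who may hold which groups, and the change ticket that authorized it) is checked against a dump of live accounts, flagging accounts nobody approved, privileges beyond what was approved, terminated users still enabled, and dormant accounts. The entitlement list, the account dump, the group names, and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Periodic user access review against recorded entitlements.

Added example (not from the original page). Compares live accounts with an
approved-entitlement list and reports the discrepancies an access review is
meant to surface. All users, groups, tickets, dates and the 90-day dormancy
policy are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    groups: frozenset  # group memberships as found on the system
    last_logon: Optional[date]  # None means the account has never logged on


# Constructed "recorded accountability": approved groups per user plus the
# change ticket that authorised them. An empty set means the user has been
# offboarded and should hold nothing. Users absent here are approved for nothing.
APPROVED = {
    "alice": ({"gl-readonly", "gl-post"}, "CHG-1042"),
    "bob": ({"gl-readonly"}, "CHG-1057"),
    "carol": (set(), "CHG-1100"),  # terminated
}

# Constructed dump of what the finance system actually has.
ACTUAL = [
    Account("alice", True, frozenset({"gl-readonly", "gl-post"}), date(2024, 5, 2)),
    Account("bob", True, frozenset({"gl-readonly", "gl-admin"}), date(2024, 1, 15)),
    Account("carol", True, frozenset({"gl-readonly"}), date(2023, 12, 1)),
    Account("svc_etl", True, frozenset({"gl-post"}), None),
]

Finding = Tuple[str, str, str]  # (user, finding type, detail)


def review(actual: List[Account], approved: dict, today: date) -> List[Finding]:
    """Return every discrepancy between live accounts and approved entitlements."""
    findings: List[Finding] = []
    for acct in actual:
        if acct.user not in approved:
            # Nobody recorded an approval for this account at all.
            findings.append((acct.user, "unapproved-account", ",".join(sorted(acct.groups))))
            continue
        groups_ok, ticket = approved[acct.user]
        if not groups_ok:
            # Offboarded user: the only acceptable state is disabled.
            if acct.enabled:
                findings.append((acct.user, "should-be-disabled", ticket))
            continue
        excess = acct.groups - groups_ok
        if excess:
            findings.append((acct.user, "excess-privilege", ",".join(sorted(excess))))
        missing = groups_ok - acct.groups
        if missing:
            findings.append((acct.user, "missing-approved-access", ",".join(sorted(missing))))
        if acct.enabled and (acct.last_logon is None or today - acct.last_logon > DORMANT_AFTER):
            detail = "never logged on" if acct.last_logon is None else f"no logon since {acct.last_logon.isoformat()}"
            findings.append((acct.user, "dormant", detail))
    return sorted(findings)


if __name__ == "__main__":
    for user, kind, detail in review(ACTUAL, APPROVED, date(2024, 5, 10)):
        print(f"{user:8} {kind:24} {detail}")
```

The point of keying the approved list by ticket is that each line of the review output can be traced back to who authorized the access and when, which is the audit trail an assessor will ask for; an account with no ticket behind it is a finding regardless of what it can do.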
Evaluate Your Compliance Efforts
Take the next step toward SOX compliance by checking your security settings. Fortra has the most comprehensive suite of IBM i security solutions on the market, and our Security Scan is a free application that audits common security metrics on IBM i. You’ll learn where your system security is strong and where vulnerabilities put you at risk for compliance violations. Set up your personal consultation today.
Or, learn more about how Fortra can assist you with SOX compliance on AIX, Linux, IBM i, and Windows.