IT’s Role in Sarbanes-Oxley Compliance
The Sarbanes-Oxley Act of 2002 (SOX), officially the U.S. Public Company Accounting Reform and Investor Protection Act, governs how public companies handle financial reporting. Non-compliance with SOX can result in prison sentences for the company’s executives.
While SOX does not specifically address information security requirements, security has emerged as a key component of compliance. Because enterprises need mechanisms to ensure the confidentiality, integrity and availability of their vital information in order to comply, they require a proactive information security capability in the infrastructure. Security practitioners are well served by learning about this legislation and its impact on the security requirements of the enterprise infrastructure.
SOX Section 404 Fundamentals
Many in the industry consider Section 404 to be the most critical part of SOX. Section 404 requires an internal control report, which must:
- State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
- As of the end of the most recent fiscal year of the issuer, contain an assessment of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
Section 404 requires an annual certification of internal controls, an independent accountant to attest to the report and a quarterly review for necessary updates and changes. This requires the production of a new report that validates the internal controls over the financial reporting process.
SOX Section 404 is leading organizations to invest in an infrastructure that ensures the confidentiality, integrity and availability of information.
Technology and Security Impact
The IT-related business processes that are relevant to Section 404 compliance include:
- Data submission, financial consolidation and financial statement generation.
- Purchase requisition to vendor payment.
- Sales order to customer remittance.
- Asset acquisition to disposal/write-off.
- Project initiation to revenue recognition.
- Inter-company transaction processing.
- Currency translation in financial reporting.
This will result in technology solutions that provide information such as:
- The source of data presented in reports.
- Identity information that binds each entry, change or modification of financial report data to the individual who made it.
- The original classification of information.
- Assurance that tampering has not occurred.
- Processes that the information has gone through to reach the report.
- Roles and authorities of individuals who have had access to the information.
As organizations address Section 404, some areas of security will require particular attention.
Organizations must develop information security policies to establish security priorities and a framework for consistent implementation and configuration of systems and devices on the infrastructure. This results in a clear definition of how IT resources must be configured to make them secure. For example, with the increasing deployment of wireless technology, it is important to create a wireless policy to define the minimal security controls required for all communication over wireless networks. The policy must reflect SOX requirements for controls to access sensitive information. The priority must be to develop specific security policies that are critical to support business strategy and objectives. All members of the workforce must be trained on the policies.
Security Architecture and Infrastructure
The objective of defining a security architecture is to establish multiple layers of defense to prevent external intrusions and attacks. The architecture identifies all entry and exit points from the infrastructure and external networks. It is critical to have strong security controls on the infrastructure to limit access to authorized users only. Further, any attacks on the infrastructure must be disrupted before they successfully target sensitive servers or other systems and applications. The organization must develop a comprehensive security strategy document to establish security priorities for a given time frame. All such security priorities identified must be seriously influenced by SOX legislative requirements for strong internal controls.
Customers, partners, employees and others increasingly access sensitive information from back-end server systems. The challenge is to provide the information required to authorized users in real time. Users may have multiple identities to access enterprise systems and applications, from both internal and external locations. Section 404 requires the organization to ensure accountability of transactions through audits and internal controls. The organization needs to cost-effectively manage the complete life cycle for identities, for both internal and external access.
Encryption and digital signatures provide strong internal controls for data access by users. Sensitive data that is at rest can be encrypted to prevent security violations. For transmission, data may be digitally signed to ensure accountability and integrity, providing confidence that data has not been modified in transit. Both encryption of stored data and signing of transmitted data effectively address gaps in internal controls for a SOX-impacted business.
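The signed-transmission control described above, as an added example that is not part of the original article and not tied to any vendor product: a ledger entry that feeds a financial report is signed with Ed25519 by the submitting user, and the receiving system verifies it. The signer's identity is bound into the signed bytes, so the signature gives both integrity (a changed amount fails) and accountability (the entry cannot be re-attributed to another user). The record layout, field values and user names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// LedgerEntry is a constructed example of a record that feeds a financial
// report. Field names and values are illustrative, not from any real system.
type LedgerEntry struct {
	EntryID     string
	Account     string
	AmountCents int64
	EnteredBy   string
	Timestamp   string
}

// SignedEntry couples an entry with the identity of the signer and the
// Ed25519 signature over the canonical bytes. Binding the signer ID into the
// signed bytes is what gives accountability: the signature cannot be moved to
// another user's name without failing verification.
type SignedEntry struct {
	Entry     LedgerEntry
	SignerID  string
	Signature []byte
}

// canonicalBytes serialises the entry in a fixed field order so that signer and
// verifier hash exactly the same bytes. Any ambiguity here (map ordering,
// float formatting) would turn into spurious verification failures.
func canonicalBytes(signerID string, e LedgerEntry) []byte {
	return []byte(fmt.Sprintf(
		"signer=%s\nentry_id=%s\naccount=%s\namount_cents=%d\nentered_by=%s\ntimestamp=%s\n",
		signerID, e.EntryID, e.Account, e.AmountCents, e.EnteredBy, e.Timestamp))
}

// SignEntry produces the signature a submitting user (or system) attaches
// before the entry is transmitted to the consolidation system.
func SignEntry(priv ed25519.PrivateKey, signerID string, e LedgerEntry) SignedEntry {
	return SignedEntry{
		Entry:     e,
		SignerID:  signerID,
		Signature: ed25519.Sign(priv, canonicalBytes(signerID, e)),
	}
}

// VerifyEntry is what the receiving side runs. It returns true only if the
// entry, the signer ID and the signature are all unchanged since signing.
func VerifyEntry(pub ed25519.PublicKey, s SignedEntry) bool {
	return ed25519.Verify(pub, canonicalBytes(s.SignerID, s.Entry), s.Signature)
}

func main() {
	// In a deployed system the key pair lives in an HSM or key vault; it is
	// generated on the fly only for this demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	entry := LedgerEntry{
		EntryID:     "JE-2004-000123", // constructed sample value
		Account:     "4000-REVENUE",
		AmountCents: 1250000,
		EnteredBy:   "jdoe",
		Timestamp:   "2004-03-31T17:05:00Z",
	}
	signed := SignEntry(priv, "jdoe", entry)
	fmt.Println("signature:", hex.EncodeToString(signed.Signature))
	fmt.Println("verifies as sent:", VerifyEntry(pub, signed))

	// Modification in transit: the amount changes after signing.
	tampered := signed
	tampered.Entry.AmountCents = 12500000
	fmt.Println("verifies after amount change:", VerifyEntry(pub, tampered))

	// Re-attribution: the same entry presented under another user's name.
	reattributed := signed
	reattributed.SignerID = "asmith"
	fmt.Println("verifies after signer change:", VerifyEntry(pub, reattributed))
}
```

The canonical encoding is the part that most often goes wrong in practice: signer and verifier must serialise byte-for-byte identically, so a fixed field order and integer cents (no floating-point amounts) are deliberate choices, not conveniences.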
The objective of vulnerability management is to discover and mitigate vulnerabilities and lapses in security policies. From a SOX perspective, this capability needs to be deployed to make the IT infrastructure more secure and resilient. The organization needs to conduct a comprehensive and thorough risk analysis, including penetration testing, to document any gaps that stand in the way of compliance with the SOX regulation. All identified gaps must be rigorously addressed.
Automated Audit Capabilities
A planned approach to tracking access to sensitive resources needs to be implemented. If security violations occur, it must be possible to determine who accessed what and when. Tracking access and auditing is a resource-intensive task. Care must be taken to not impact the performance of systems, yet maintain the ability to identify critical information about sensitive resources that are accessed.
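One way to build the "who accessed what and when" record so that the audit trail itself cannot be silently altered, as an added example that is not part of the original article: each access event is hash-chained to the previous one, so deleting, reordering or editing any record breaks every link after it, and an auditor can both query the log and verify it. The per-event hash is a single SHA-256, so the cost the paragraph warns about comes from deciding which accesses to record, not from the chaining. The resource names, users and timestamps are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AccessEvent is one "who accessed what, when" record.
type AccessEvent struct {
	Timestamp string // RFC 3339, UTC
	User      string
	Resource  string
	Action    string // e.g. "read", "modify"
	Outcome   string // "allowed" or "denied"
}

// ChainedRecord stores the event together with a hash that covers both the
// event and the previous record's hash, so any change to an earlier record
// changes every hash after it.
type ChainedRecord struct {
	Event AccessEvent
	Hash  string
}

// AuditLog is an append-only, hash-chained list of access events.
type AuditLog struct {
	Records []ChainedRecord
}

// seedHash anchors the chain. In practice it would be a per-log random value
// kept separately from the log so a forged log cannot be built from scratch.
const seedHash = "0000000000000000000000000000000000000000000000000000000000000000"

// hashRecord hashes the previous hash and every event field, joined with a
// unit separator so field boundaries stay unambiguous.
func hashRecord(prevHash string, e AccessEvent) string {
	fields := []string{prevHash, e.Timestamp, e.User, e.Resource, e.Action, e.Outcome}
	sum := sha256.Sum256([]byte(strings.Join(fields, "\x1f")))
	return hex.EncodeToString(sum[:])
}

func (l *AuditLog) prevHash() string {
	if len(l.Records) == 0 {
		return seedHash
	}
	return l.Records[len(l.Records)-1].Hash
}

// Append records an event and returns the hash that now heads the chain.
// Publishing that head hash elsewhere (a log-shipping target, a printed
// auditor report) lets a later verification detect truncation as well.
func (l *AuditLog) Append(e AccessEvent) string {
	h := hashRecord(l.prevHash(), e)
	l.Records = append(l.Records, ChainedRecord{Event: e, Hash: h})
	return h
}

// Verify recomputes the whole chain. It returns -1 when every link holds,
// otherwise the index of the first record whose stored hash does not match.
func (l *AuditLog) Verify() int {
	prev := seedHash
	for i, r := range l.Records {
		if hashRecord(prev, r.Event) != r.Hash {
			return i
		}
		prev = r.Hash
	}
	return -1
}

// AccessesTo answers the auditor's question for one sensitive resource.
func (l *AuditLog) AccessesTo(resource string) []AccessEvent {
	var out []AccessEvent
	for _, r := range l.Records {
		if r.Event.Resource == resource {
			out = append(out, r.Event)
		}
	}
	return out
}

func main() {
	// Constructed sample events for a consolidation data set.
	var al AuditLog
	al.Append(AccessEvent{"2004-03-31T09:00:00Z", "jdoe", "GL/consolidation", "read", "allowed"})
	al.Append(AccessEvent{"2004-03-31T09:05:00Z", "asmith", "GL/consolidation", "modify", "allowed"})
	al.Append(AccessEvent{"2004-03-31T09:07:00Z", "guest", "GL/consolidation", "modify", "denied"})

	fmt.Println("chain intact, first bad index:", al.Verify())
	for _, e := range al.AccessesTo("GL/consolidation") {
		fmt.Printf("%s %-6s %-6s %s\n", e.Timestamp, e.User, e.Action, e.Outcome)
	}

	// Someone edits the stored log to hide who made the modification.
	al.Records[1].Event.User = "jdoe"
	fmt.Println("after edit, first bad index:", al.Verify())
}
```

Verification only proves that the log is consistent with itself from the seed forward; to detect wholesale truncation the current head hash has to be recorded somewhere the log's administrators cannot also rewrite, which is the separation of duties an auditor will ask about.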
Security Vendor Solutions
Several security vendors provide solutions to help meet SOX requirements. For example, Symantec’s Manhunt provides network intrusion protection as well as correlation and analysis of security event logs that help organizations assess their risk. Another Symantec solution, the Enterprise Security Manager (ESM), helps organizations monitor IT processes and assess the effectiveness of their internal controls by defining, measuring and reporting on the compliance of information systems with security policies. ESM can generate reports that help organizations demonstrate compliance and assist independent audits.
Microsoft’s Office Solution Accelerator for Sarbanes-Oxley helps create and maintain compliance documentation specifically related to Sections 302 and 404 of the Act. Netegrity’s identity and access management product solutions enable SOX compliance by providing organizations with tighter control over who has access to sensitive information or critical parts of the IT infrastructure. Further, the Netegrity products support a strong audit trail that makes it easier to track and record access to sensitive information. Netegrity’s IAM solutions include SiteMinder (which provides control over what type of authentication is used to protect a resource and how the authentication solution is deployed and managed), TransactionMinder (which ensures tra