Sarbanes-Oxley (SOX) is mandatory for most public corporations and focuses on regulating corporate behavior to protect financial audit records. There are three main areas of SOX that affect IT:
- Section 302 -- Corporate Responsibility for Financial Reports: This section requires executives to certify the accuracy of financial reports.
- Section 404 -- Management Assessment of Internal Controls: This section requires executives/auditors to confirm the effectiveness of internal controls.
- Section 802 -- Criminal Penalties for Altering Documents: This section mandates the protection/retention of financial audit records.
The verbiage in these sections is very vague and not IT-specific. In a nutshell, your IT and security infrastructure is affected in that various "controls" need to be in place -- firewalls, authentication mechanisms, access controls, ongoing vulnerability assessments, etc. -- to help ensure that financial audit records are adequately protected.
A wise IT/security manager working for a public company would implement as many security best practices as possible such as those found on SearchSecurity.com as well as from NIST, the NSA Gold Standard, the ISO 17799 framework, etc. These actions will help minimize the gray area within the larger gray area called SOX. I would suggest getting your legal counsel involved to determine what the best fit is for your organization.
About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems as well as Web and mobile applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies, The Practical Guide to HIPAA Privacy and Security Compliance and Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.