SOX, security standards and building a compliance framework

This article provides a brief introduction to dealing with the challenges that face IT security in complying with SOX.

About Compliance School

In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations'...

ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all you can attend any of the following on-demand lessons when it's most convenient for you:

Compliance with the Sarbanes-Oxley Act (SOX) is a major part of today's corporate culture. The threat of non-compliance, its financial headaches, and worse yet, the spectre of legal penalties to the highest levels of a corporation, appear to have achieved one of the Act's goals. Organizations take compliance very seriously.

Not surprisingly, this pressure on corporate executives flows downhill and projects a significant burden on finance departments and IT. However, while corporate finance groups may have a relatively easy time understanding the checks, balances and documentation required to prove accurate accounting, they do not typically understand the impact of IT controls on these activities. Worse yet, the rank and file of IT departments typically do not deeply involve themselves in corporate business practices, instead focusing on the operation of systems rather than their role in accurate reporting. The disjoint nature of the two disciplines is counter to the requirements of SOX. Both IT and corporate finance need to work together to ensure and demonstrate that financial, corporate and technological controls work effectively to provide accurate financial reporting.

One of the most important elements of SOX compliance is providing evidence that the financial applications and supporting systems and services are adequately secured to ensure that financial reports can be trusted. This places a special burden on IT security departments. They need to understand which systems, services and processes need to be controlled, which aspects of security are most critical to compliance and what it takes to demonstrate that their company is in compliance.

This article provides a brief introduction to dealing with the challenges that face IT security, including:

This was last published in February 2006

Dig Deeper on Security audit, compliance and standards