
How IS Decisions can help public corporations comply with Sarbanes Oxley’s (SOX) security regulations

The Sarbanes-Oxley Act is designed to combat financial crime, particularly insider trading and the theft of sensitive data, with culpability placed, as it tends to be in a corporate structure, at board level.

Whilst information security is not specifically discussed within the text of the Sarbanes-Oxley Act, the reality is that modern financial reporting systems are heavily dependent on technology and its associated controls. Any review of internal controls would not be complete without addressing the controls around information security (as stated by the PCAOB).

An insecure system would not be considered a source of reliable financial information.



UserLock and FileAudit by IS Decisions can both help you address the requirements of SOX by allowing you to control and monitor system access and user identity.

System Access Control & Authorization

« Ensure that only people who are authorized to use the system can access it. »

Do you give all users unique login credentials?

Ensures that nobody can log on to the system without uniquely identifiable credentials.

Do you enforce the secure use of passwords and verify a person is the one claimed?

Strengthens unique network login credentials with context-aware access restrictions and user reminders, which help verify that a person seeking access to the network and the information within is genuinely who they say they are.

Do you restrict users from sharing logins?

Prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices.

Can you attribute session duration and actions on the network to individual users?

Helps administrators verify all users’ identity at any time, making users accountable for any activity — malicious or otherwise.

User Account Management

« Control accounts that are used to access systems that support financial reporting. »

Do you restrict network access on a job-role basis?

Enables the administrator to set granular access rights for different types of employees, ensuring that they can only access the information they need to do their job.

Do you review network access for employees who change roles within, or leave, the organisation?

Enables administrators to easily change access rights (permanently or temporarily) for individual users, groups of users, or organisational units.

System Monitoring & Reporting

« Monitor, record and examine security events in information systems including invalid login attempts, requests for inappropriate access and access to specific information. »

Do you monitor access to the network?

Monitors all logon and logoff activity in real time to ensure that the only people who can access vital data are the people who need to. UserLock alerts administrators to any suspicious, disruptive or unusual logins based on time, location and device.

Do you monitor specific actions on files or folders, like copying, moving and deleting?

Monitors all files and folders in real time on your network and records all actions that users take when making modifications. It verifies that users have not altered or destroyed information in an unauthorised manner.

Do you conduct regular security audits or reports?

Records and audits all network logon events, across all session types, from a central system.

Audits all access and changes to files and folders, and immediately alerts administrators to suspicious behaviour.

More on the effect of SOX on information security

Sections 302 and 404 indirectly force the scrutiny of information security controls for SOX compliance.

Section 302 states that the CEO and CFO must assess and report on the effectiveness of internal controls around financial reporting.

Section 404 states that a corporation must assess and report on the effectiveness of its internal controls.

The wording of both is broad and does not provide specific guidance as to which controls must be assessed.

Using COSO and COBIT to define a specific set of IT control objectives for SOX

To help further with internal control guidance, the PCAOB has selected a framework created by the Committee of Sponsoring Organizations (COSO). COSO provides general guidance across five components: control environment, risk assessment, control activities, information and communication, and monitoring. In addition, more specific guidance is provided by Control Objectives for Information and related Technology (COBIT).

Both frameworks complement each other and are often used in tandem for the purposes of compliance with SOX sections 302 and 404. IS Decisions solutions address certain requirements of both frameworks.

COBIT® is a trademark of ISACA registered in the U.S. and other countries.

COBIT Framework is not contained within IS Decisions products.

Find out more for yourself with our FREE 30-Day Fully Functional Trials