How to comply with Sarbanes Oxley (SOX) security regulations
UserLock and FileAudit can both help you address the requirements of SOX by allowing you to control and monitor system access and identity.
The Sarbanes-Oxley act is designed to combat financial crime, particularly insider trading and the theft of sensitive data, with culpability placed, as it tends to be in a corporate structure, at board level.
While the topic of information security is not specifically discussed within the text of the Sarbanes-Oxley act, the reality is that modern financial reporting systems are heavily dependent on technology and associated controls. Any review of internal controls would not be complete without addressing controls around information security (as stated by the PCAOB).
An insecure system would not be considered a source of reliable financial information.
The Sarbanes-Oxley (SOX) act applies to any business, or information related to a business, listed on a US stock exchange (e.g. NYSE, NASDAQ). Consequently it is a significant part of corporate finance culture across the globe.
Of course this responsibility at board level trickles down, becoming a burden for corporate finance and IT departments. It also means the requirements for strong identity authentication, access controls and reporting are substantial, as are the fines if an auditor finds you non-compliant.
The SOX act of 2002 also created the Public Company Accounting Oversight Board (PCAOB) to guide auditors as they assess companies' compliance with SOX. The PCAOB's statement underlines that IT general controls form the foundation for many other types of financial reporting controls and therefore must be addressed in any SOX assessment.
UserLock and FileAudit by IS Decisions can both help you address SOX requirements by allowing you to control and monitor system access and identity.
"Ensure that only people who are authorized to use the system can access it."
Sarbanes-Oxley Standards | IS Decisions Solution | Feature |
---|---|---|
Do you give all users unique login credentials? | UserLock | Ensures that nobody can log on to the system without uniquely identifiable credentials. |
Do you enforce the secure use of passwords and verify a person is the one claimed? | UserLock | Strengthens unique network login credentials with context-aware access restrictions and user reminders, which help verify that a person seeking access to the network and the information within is genuinely who they say they are. |
Do you restrict users from sharing logins? | UserLock | Prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices. |
Can you attribute session duration and actions on the network to individual users? | UserLock | Helps administrators verify all users’ identity at any time, making users accountable for any activity — malicious or otherwise. |
"Control accounts that are used to access systems that support financial reporting."
Sarbanes-Oxley Standards | IS Decisions Solution | Feature |
---|---|---|
Do you restrict network access on a job-role basis? | UserLock | Enables the administrator to set granular access rights to different types of employees to ensure that they can only access the information they need to do their job. |
Do you review network access for employees who change roles within, or leave, the organisation? | UserLock | Enables administrators to easily change access rights (permanently or temporarily) for individual users, groups of users, or organisational units. |
"Monitor, record and examine security events in information systems including invalid login attempts, requests for inappropriate access and access to specific information."
Sarbanes-Oxley Standards | IS Decisions Solution | Feature |
---|---|---|
Do you monitor access to the network? | UserLock | Monitors all logon and logoff activity in real time to ensure that the only people who can access vital data are the people who need to. UserLock alerts administrators to any suspicious, disruptive or unusual logins based on time, location and device. |
Do you monitor specific actions on files or folders, like copying, moving and deleting? | FileAudit | Monitors all files and folders in real time on your network and records all actions that users take when making modifications. It verifies that users have not altered or destroyed information in an unauthorised manner. |
Do you conduct regular security audits or reports? | UserLock, FileAudit | UserLock records and audits all network logon events, across all session types, from a central system. FileAudit audits all access and changes to files and folders, and immediately alerts administrators to suspicious behaviour. |
Sections 302 and 404 indirectly force the scrutiny of information security controls for SOX compliance.
Section 302 states that the CEO and CFO must assess and report on the effectiveness of internal controls around financial reporting.
Section 404 states that a corporation must assess and report on the effectiveness of its internal controls.
The wording of both is broad and does not provide specific guidance as to which controls must be assessed.
To help further with internal control guidance, the PCAOB has selected a framework created by the Committee of Sponsoring Organizations (COSO). COSO provides general guidance structured around five components: control environment, risk assessment, control activities, information and communication, and monitoring. More specific, IT-focused guidance is provided by Control Objectives for Information and related Technology (COBIT).
Both frameworks complement each other and are often used in tandem for the purposes of compliance with SOX sections 302 and 404. IS Decisions solutions address certain requirements of both frameworks.
COBIT® is a trademark of ISACA registered in the U.S. and other countries.
COBIT Framework is not contained within IS Decisions products.