SOX refers to the Sarbanes-Oxley Act, a US law that lays out requirements to ensure the integrity of source data pertaining to financial transactions and disclosures. Introduced in response to the financial scandals of the early 2000s, it aims to help shield investors from fraudulent or misleading financial reports.
So what is this topic doing on a site about cyber threats and security? Here’s the deal: SOX has provisions that are designed to improve data security. Sections 302 and 404, in particular, lay out crucial guidelines for data safeguarding, safeguards testing, security breach detection, and proper threat and incident disclosure.
Section 404, which covers management’s assessment of internal controls, is said to be the most complicated and expensive SOX provision to implement. It prescribes technical controls and a continuous audit of access protocols to make sure that data reliability is maintained.
While some regard SOX compliance as an unnecessary added burden, others welcome the rules it imposes because they supposedly create advantages particularly when it comes to data security and integrity. However, there are also pundits who say that compliance does not necessarily mean security.
For one, cloud security expert Jay Chaudhry, in a Forbes Technology Council post, asserts that compliance should not be mistaken for security. Citing the cyber-attacks suffered by Capital One, Arizona Beverages, Equifax, and Radisson, Chaudhry argues that even high-profile SOX-compliant companies are still prone to mistakes and do not enjoy absolute protection.
Learn more about SOX compliance through the following discussions. Understand its complexities better and know more about its advantages while considering the caveats about its association with improved security.
Achieving SOX compliance is not an extremely difficult objective, but many companies may find it tricky. Some resort to implementing frameworks such as the ISO/IEC standards, Control Objectives for Information Technologies (COBIT), and COSO. Others turn to enterprise-ready third-party solutions that make it easy to undertake risk evaluation, change auditing, and configuration validation.
As mentioned, Section 404 is said to be the most onerous provision of SOX. However, a significant part of the compliance requirements also comes from Section 302. Here’s a summary of what organizations need to be mindful of.
- Data tampering safeguards (Sec 302.2) – This calls for the adoption of an enterprise resource planning (ERP) system or governance, risk, and compliance (GRC) application to monitor user logins and access to all devices holding sensitive information. These safeguards should also be able to detect break-in attempts.
- Safeguards for establishing timelines (Sec 302.3) – Through an ERP or GRC system, organizations should be able to timestamp all data in real time, after which the data should be secured in a remote location to prevent tampering or loss. Additionally, pertinent logs should be transferred to a secure location and encrypted, with an MD5 checksum created for them.
- Verifiable controls for tracking data access (Sec 302.4B) – Also through ERP and GRC, there should be a way to receive data messages from an unlimited number of sources. Data transmission should be possible through FTP transfers, file queues, and databases regardless of the framework employed.
- Safeguards testing (Sec 302.4C) – The ERP or GRC system used should be able to generate daily reports via email or RSS to make it easy to verify that the system is operational.
- Periodic safeguards effectiveness reporting (Sec 302.4D) – The ERP or GRC system used should produce different types of reports including reports on critical messages and security alerts.
- Security breach detection (Sec 302.5) – The system must be able to conduct a real-time semantic analysis of the messages to detect a possible security breach. If there are anomalous activities, notifications or alerts should be disseminated through a ticket system.
- Security safeguards disclosure to auditors (Sec 404.A1.1) – Through role-based permissions, the ERP or GRC system should allow auditors to access specific reports or documents without the ability to modify them or reconfigure the system.
- Security breach disclosure to auditors (Sec 404.A2) – Whenever attacks manage to penetrate the safeguards, the ERP or GRC solution should have a real-time ticket-based breach reporting system that can also record the details of the resolution of the security incidents.
- Safeguards failure disclosure to auditors (Sec 404.B) – As stated earlier, the ERP or GRC system should be able to conduct regular safeguards testing. If the tests reveal failures, there has to be a way to inform the auditor automatically or as soon as possible.
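As an added illustration of the timestamping and log-integrity safeguard in Sec 302.3 above (example code written for this page, not taken from the law, an ERP vendor or any GRC product): the page names an MD5 checksum, but this example uses a keyed HMAC-SHA256 chain instead, because a plain checksum stored beside the log can simply be recomputed after the log is altered. The key, the event field names and the timestamp handling are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample access-log events standing in for the ERP/GRC records the
# control describes; the field names are hypothetical.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "host": "erp-db-01", "ok": True},
    {"user": "bob", "action": "read_ledger", "host": "erp-db-01", "ok": True},
    {"user": "mallory", "action": "login", "host": "erp-db-01", "ok": False},
]

# Hypothetical archive key. It belongs with the remote archive, not on the
# system that produces the logs, otherwise edited logs could be re-signed.
ARCHIVE_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = b"\x00" * 32


def build_archive(events, key=ARCHIVE_KEY, now=None):
    """Timestamp each event and chain an HMAC-SHA256 tag over the record and
    the previous tag, so editing, removing or reordering a record breaks the chain."""
    ts = now or datetime.now(timezone.utc).isoformat()
    prev, archive = GENESIS, []
    for event in events:
        record = dict(event, ts=ts)
        body = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(key, prev + body, hashlib.sha256).digest()
        archive.append({"record": record, "tag": tag.hex()})
        prev = tag
    return archive


def verify_archive(archive, key=ARCHIVE_KEY):
    """Recompute the chain; return -1 if it is intact, otherwise the index of
    the first record whose tag no longer matches (where tampering began)."""
    prev = GENESIS
    for i, entry in enumerate(archive):
        body = json.dumps(entry["record"], sort_keys=True).encode()
        expected = hmac.new(key, prev + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return i
        prev = expected
    return -1
```

The final tag should also be recorded separately (for instance in the auditor’s daily report), since the chain alone cannot reveal records removed from its tail.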
SOX compliance enforcement
Compliance with the Sarbanes-Oxley Act is verified by independent auditors who perform compliance audits once a year. Companies are given the discretion of choosing the auditor who will conduct the audit for them. They are also responsible for arranging all the meetings or sessions necessary for the audit.
The SOX compliance audit has to be separate from other audits a company goes through. They cannot arrange for a “dual-purpose” audit that integrates SOX compliance procedures with their standard internal audit. This is mandated to avoid conflicts of interest. Also, it is recommended that SOX compliance audits are scheduled with enough time allowance before the publication of annual reports.
SOX compliance advantages
Corporate governance expert Stephen Wagner and enterprise governance consultant Lee Dittmar agree with the common opinion that characterizes Section 404 as the most burdensome element of SOX. This is because the section holds a company’s management responsible for a sound financial reporting structure. Also, Section 404 declares that it is the responsibility of the management to evaluate its effectiveness.
However, in their Harvard Business Review piece, they reveal that some business executives welcome the SOX requirements. “While providing compliance advice to executives, we discovered a small subset who approached Sarbanes-Oxley with something like gratitude,” Wagner and Dittmar wrote.
The authors believe that compliance yields considerable positive outcomes, which include the following:
- Stronger control environment
- Better documentation
- Bolstered involvement of the audit committee
- Creating and exploiting convergence opportunities
- Process standardization
- Reduced complexities
- Elimination or strengthening of weak links (people and manual processes)
A starting point
There are indeed advantages to being SOX compliant. However, the points raised by cybersecurity experts about SOX standards being relatively low are not incorrect. In the context of the increasingly sophisticated cyber threats and attacks at present, it would be inexpedient to exclusively use SOX compliance as the basis or benchmark of basic data security and integrity.
SOX compliance should be viewed as a starting point, not the ultimate goal for data security and integrity. This is not to say, though, that the SOX requirements are useless or a form of legal vanity. By working to achieve compliance, companies are already making the first crucial steps towards effective financial data security and a more successful return to the typical way of doing business.
Again, SOX compliance is not a cybersecurity warranty or insurance. This law was introduced nearly two decades ago, so it is understandably not in tune with the times. Organizations need to go beyond compliance to protect their sensitive data effectively. Fortunately, there are enterprise-ready solutions available to ensure SOX compliance while adding more measures that reflect the changing threat landscape.