Mythics Blog

Sarbanes-Oxley Act (SOX) Compliance: Requirements for IT Security

Posted on April 25, 2013 by Sean Wang

Tags: Mythics Consulting, Security, Sarbanes-Oxley

The Sarbanes-Oxley Act (SOX) set up new and enhanced standards that public companies must follow. However, the impact is not just on the company board, management and accounting firms. The following three mandates really have the work cut out for IT security:

  • No destruction, alteration or falsification of records;
  • Five year retention period for records; and,
  • Retention of all business records and communications.

These mandates put requirements on all three aspects of security: availability, confidentiality and integrity. To ensure SOX compliance, many security controls should be put in place to protect the records. Of those, the following areas are of particular importance:

Access Controls: To prevent destruction, alteration or falsification of records, strict access controls must be put in place to limit access, especially to archived records. These should control who has access to the records and what they can do to them.

Auditing and Audit Management: There must be detailed audit trails recording who accessed the records, when, and what activities were performed on them. As with the business records, the audit logs themselves should also be protected and kept for five years. There should be management tools to generate reports from the audit records for easy identification of activities.

Encryption and Digital Signatures: These add another layer of protection and assurance on top of access controls and audit trails. If encrypted records cannot be read, there is less chance that they will be altered. And if they are indeed modified, digital signatures will connect the alterations to the person who did it.
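The two points above, a tamper-evident audit trail and an integrity check on the stored records, can be shown together in a small Python program. This is an added illustration, not code from the original post or from Mythics; all record contents, actor names and timestamps are constructed for the demo. Because the Python standard library has no public-key signature routine, the example uses an HMAC-SHA256 tag under a demo key (`RECORD_KEY`, an assumption) as a stand-in for a digital signature; a production system would use an asymmetric signature from a key held in an HSM or key vault. The audit log is hash-chained, so editing or deleting any entry breaks verification of everything after it, which is the property a five-year protected log needs.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed demo key. In practice the key lives in an HSM or key vault and a
# public-key signature scheme replaces the HMAC, so the tag binds a signer identity.
RECORD_KEY = b"demo-record-signing-key-not-for-production"


def sign_record(key: bytes, record: bytes) -> str:
    """Return a keyed integrity tag (HMAC-SHA256, hex) over a stored record."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: bytes, tag: str) -> bool:
    """Constant-time check that a record still matches the tag issued for it."""
    return hmac.compare_digest(sign_record(key, record), tag)


class AuditLog:
    """Append-only, hash-chained audit trail.

    Each entry commits to the hash of the previous entry, so removing or editing
    one entry invalidates every entry that follows it.
    """

    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _hash(body: Dict) -> str:
        # Canonical JSON over every field except the hash itself.
        unhashed = {k: v for k, v in body.items() if k != "hash"}
        canon = json.dumps(unhashed, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()

    def append(self, actor: str, action: str, record_id: str,
               when: Optional[str] = None) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "prev": prev,
        }
        body["hash"] = self._hash(body)
        self.entries.append(body)
        return body

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._hash(e):
                return False, i
            prev = e["hash"]
        return True, -1


def demo() -> Dict:
    """Constructed walk-through: tag a record, log access to it, then show that
    both an altered record and a gap in the audit log are detected."""
    record = b"invoice-1001: vendor=ACME amount=1250.00 approved_by=jdoe"
    tag = sign_record(RECORD_KEY, record)

    log = AuditLog()
    log.append("jdoe", "create", "invoice-1001", "2013-04-25T10:00:00+00:00")
    log.append("auditor1", "read", "invoice-1001", "2013-04-25T11:00:00+00:00")
    log.append("jdoe", "archive", "invoice-1001", "2013-04-25T12:00:00+00:00")

    results = {
        "record_intact": verify_record(RECORD_KEY, record, tag),
        "chain_intact": log.verify()[0],
    }

    # Simulated tampering: the stored amount is changed, and the auditor's
    # 'read' entry is removed from the middle of the log.
    altered = record.replace(b"1250.00", b"12500.00")
    results["altered_record_detected"] = not verify_record(RECORD_KEY, altered, tag)
    del log.entries[1]
    ok, first_bad = log.verify()
    results["chain_break_detected"] = not ok
    results["first_bad_entry"] = first_bad
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports the untouched record and log as intact, then flags the edited record and the log with a missing entry (the break is reported at index 1, the position of the removed entry). The verification key must be kept away from the people whose actions the log records; otherwise an insider could re-tag an altered record, which is exactly the attribution property a real signature scheme provides and an HMAC does not.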

Backup and Archive: To ensure all the records are kept for five years and are readily available when requested, there should be a cost-effective backup and archive solution.

So, start your SOX compliance process by establishing sound security policies and acquiring the right tools to ensure the accuracy and reliability of your business records.
