SOX Cybersecurity Compliance
The Sarbanes-Oxley Act was passed by the U.S. Congress in 2002 as a way to protect shareholders and the general public from fraudulent practices and accounting mistakes in enterprises — as well as bolster the accuracy of corporate disclosures. The act establishes guidelines and maintains rules pertaining to requirements. Requirements include auditing existing IT infrastructure. For this reason, it’s important that organizations have proper methods in place for SOX cybersecurity compliance.
Threatcare, an Austin-based cybersecurity SaaS company, enables organizations to verify that they’re secure through proactive cyber defense. Threat simulation should be a standard practice at all companies in business today. Violet, Threatcare’s BAS technology platform (breach and attack simulation), is the only cloud-based breach simulation available on the market.
The act was written to improve corporate governance and accountability following a series of financial scandals at large firms including Enron, Tyco, Worldcom and others.
All publicly-held American firms must comply, along with any international companies that have registered equity or debt services with the U.S. Securities and Exchange Commission (SEC), as well as any accounting firm or third party that provides financial services to either of these.
CEOs and CFOs who willfully submit incorrect certification regarding a SOX compliance can be imprisoned for as many as 20 years, and fined as much as $5 million.
Organizations are utilizing SOX as a means of:
- Auditing existing IT infrastructure and identifying any inefficiencies, redundancies and superfluous controls;
- Streamlining reporting requirements and adding auditing processes to bolster productivity and cut down on costs;
- Managing risks to data security more effectively and quickly, should their be a breach.
Within the 60-page law, there are two primary sections an IT manager must complete in order to prepare for SOX compliance:
- Section 302: SOX Section 302 relates to a company’s financial reporting. The act requires a company”s CEO and CFO to personally certify that all records are complete and accurate.
Specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed these controls in the past 90 days. Included are controls regarding a company’s security infrastructure inasmuch as its accounting and reporting is performed to high security standards.
- Section 404: This section mandates further requirements for the monitoring and maintenance of internal controls that are related to the company’s accounting and financials. Businesses are required under this provision to have a yearly audit of these controls that are performed by an outside firm.
Overall, a compliance audit seeks to establish how well a firm is managing its internal controls. And while SOX does not specifically mention information security, for practical purposes, an internal control is understood to be any type of protocol dealing with the infrastructure that handles your financial data.