The Sarbanes-Oxley Act was passed by the U.S. Congress in 2002 to protect shareholders and the general public from fraudulent practices and accounting mistakes in enterprises, and to bolster the accuracy of corporate disclosures. The act establishes guidelines and rules for meeting its requirements, which include auditing the existing IT infrastructure. For this reason, it is important that organizations have proper methods in place for SOX cybersecurity compliance.
Threatcare, an Austin-based cybersecurity SaaS company, enables organizations to verify that they’re secure through proactive cyber defense. Threat simulation should be a standard practice at all companies in business today. The Threatcare Suite has the only cloud-based breach simulation available on the market.
The act was written to improve corporate governance and accountability following a series of financial scandals at large firms including Enron, Tyco, Worldcom, and others.
All publicly-held American firms must comply, along with any international companies that have registered equity or debt services with the U.S. Securities and Exchange Commission (SEC), as well as any accounting firm or third party that provides financial services to either of these.
CEOs and CFOs who willfully submit an incorrect certification regarding SOX compliance can be imprisoned for as many as 20 years and fined as much as $5 million.
Organizations are utilizing SOX as a means of:
Within the 60-page law, there are two primary sections an IT manager must complete in order to prepare for SOX compliance:
Specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed those controls in the past 90 days. This includes controls over a company's security infrastructure, insofar as its accounting and reporting are performed to high security standards.
Overall, a compliance audit seeks to establish how well a firm is managing its internal controls. And while SOX does not specifically mention information security, for practical purposes, an internal control is understood to be any type of protocol dealing with the infrastructure that handles your financial data.