SOX, Lies and Security Matters

When it comes to compliance, it’s fairly easy to find out what companies need to do to achieve it. But it’s much harder for companies to find out how they should go about it. The Sarbanes-Oxley Act of 2002 (SOX) is detailed and prescriptive in terms of what controls are needed, especially in section 404 of the act, “Management Assessment of Internal Controls.” This requires that a corporation annually report the following:

  • Management’s responsibility to establish and maintain adequate internal control over financial reporting.
  • The framework used as criteria for evaluating the effectiveness of the company’s internal control over financial reporting.
  • Management’s assessment of the effectiveness of internal company control over financial reporting, and disclosure of any material weaknesses.

Section 404 also requires that external auditors certify the accuracy of these statements, which have been signed by the CEO and CFO of the company.

How to comply
While IT security systems play a vital part in establishing many of these internal controls, SOX doesn’t provide any insight into how a company should go about it, or what types of solutions help deliver those controls. What methods and frameworks can help with this? The Control Objectives for IT (COBIT) is an IT governance model that provides both company-level and activity-level objectives along with associated controls. Using COBIT, an organization can design a system of security applications and controls to comply with SOX. Here’s a guide to how companies can interpret SOX demands and ensure they meet regulatory compliance using COBIT Objectives, by deploying the right security solutions in the right areas.

Identity management
COBIT suggests that all users should be uniquely identifiable. User identities and access rights should be maintained in a central repository and cost-effective technical and procedural measures should be deployed and kept current to establish user identification, to implement authentication and to enforce access rights. It’s important that an IT solution includes access control. It should also allow for the creation of granular access and authorization rules, and enforce access policies at the perimeter and on the internal network. This also ensures that companies make their systems resistant to tampering.

User account management
A set of user account management procedures is advised to address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges, as well as performing regular management reviews of all accounts and related privileges. Certain management tools allow administrators to create policies, including the mapping and assignment of groups (of users and endpoints) to resources. Solutions can also be configured to provide inline, real-time password policy validations for password length or alphanumeric requirements.

Security testing, surveillance and monitoring
Proactively testing and monitoring the IT security implementation is considered very important by COBIT. A logging and monitoring function will enable early prevention or detection, and subsequent timely reporting, of unusual or abnormal activities that may need to be addressed. Any solution should update, monitor and report on system events and activity, enabling enterprises to gain a holistic view of their security and network activity trends. The consistent presentation of data across the enterprise enables more effective data collection, analysis and response.

Security incident definition
COBIT advises that companies should clearly define and communicate the characteristics of potential security incidents so that they can be properly classified and treated by the incident and problem management process. It’s important to choose a solution that provides comprehensive support for the identification, handling and reporting of security incidents. It is possible to analyse log data in near real-time to identify significant threats across the network, and to preset software to generate alerts so that appropriate action can be taken to mitigate the detected threat.

Malicious software prevention, detection and correction
COBIT argues that putting preventive, detective and corrective measures in place across the organisation (especially up-to-date security patches and virus control) protects information systems and technology from malware. Finding a solution that includes integrated, high-performance antivirus technology to detect and eliminate malware from endpoint PCs will help to combat this. Virus detection is based on a combination of signatures, behaviour blockers and heuristic analysis that together enable your network environment to attain one of the industry’s highest detection rates.

Network security
Security techniques and related management procedures are suggested, e.g. firewalls, security appliances, network segmentation or intrusion detection, to authorise access and control information flows from and to networks. Companies should attempt to find a solution from which administrators can centrally view network topology and manage, approve and verify all external network connections and changes to the firewall configuration.

Exchange of sensitive data
It is vital to only exchange sensitive data over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin. Solutions that deliver a high level of data security by providing strong, full-disk encryption for PCs and laptops as well as access control are certainly the best for this objective. They are able to ensure the secure exchange of sensitive data by ensuring the integrity and authenticity of data. Certain sensors also offer inline detection and alerting on defined data structures such as personal identification numbers, personal health information or files marked as confidential.

Performance assessment
COBIT advises periodically reviewing performance against targets, to analyse the cause of any deviations and initiate remedial action to address the underlying causes. It also suggests that companies should develop senior management reports on IT’s contribution to the business and solicit feedback from management. From this, organizations can identify and initiate remedial actions based on performance monitoring, assessment and reporting. It’s wise to find a solution to help with this, giving the company a holistic view of its security and network-activity trends. Consistent presentation of data across the business enables more effective data analysis and response.

Time to comply
SOX section 404 provides a turning point for most IT organizations in their efforts to develop, and document, the IT security controls and processes needed to support financial reporting. Protecting the integrity of information, and controlling access to resources, not only keep the company’s data safe but also fulfill compliance demands. The right security solutions can be leveraged to help fulfill many specific COBIT Control Objectives, to form the foundation for compliance with requirements set out in SOX Section 404. And with these in place, you and your Board can rest a little easier, assured that you have a compliant, robust infrastructure, from the perimeter to the endpoint.