SOX (Sarbanes-Oxley Act)


Section 302 of the Sarbanes-Oxley Act requires the CEO and CFO of a public company to personally certify and attest to the accuracy of their companies' financial statements contained in periodic reports. Section 404 requires auditors to certify the underlying controls and processes companies use to reach financial results.

Both sections require proof that a company's reported financial information can be relied on and require companies to invest in procedures that ensure that the information recorded is protected at all times. Companies must ensure that records in digital form are managed with the same care and attention as records in paper form.

Business records must be protected at all times from unauthorised tampering and deletion, more so when a company is involved in audits, investigations, litigation or other formal proceedings. It is therefore of primary importance for IT staff to double-check the level of security within the network to avoid both insider and outsider abuse.

In order to comply with the Sarbanes-Oxley Act, auditors are duty bound to perform some degree of ethical hacking in order to test systems and networks. They could also scrutinise the tools and applications being used by the company to ensure that the data provided is trustworthy and correct.

For more information about the Sarbanes-Oxley Act click here.
 
Notes
  • The Sarbanes-Oxley Act only affects certain countries. You may want to check the legal requirements for security auditing for the country from where you operate, which may be different from what is explained above.
  • Applies to all publicly traded companies.
  • You must have a written security policy.
  • You should baseline your current compliance state and be prepared to show progress towards full compliance.
  • You need to monitor your logs, and respond to threats. SIEM tools and IPS are commonly inferred from “timely monitoring.”
  • SOX references ISO 17799 for implementation specifics.


Solution Features

> Firewall
- Required

> IDS / IPS
- Strongly Recommended

> Centralised Logging
- Strongly Recommended

> Baseline / Vulnerability Assessment
- Required

> Patch Management
- 24 Hours for Critical Updates

> Network Anti-Spyware / Network Anti-Virus
- Required

> Anti-Virus & Spyware Scanning for Web, Mail, FTP…
- Recommended

> Instant Messaging Security (IM Rate Limiting, Logging and/or Prevention)
- Recommended

> Addresses sections 302 and 404

> Audit-ready ISO 27001 report, out-of-the-box compliance reports.



Secure, protect and control access to sensitive data

> Encryption
- Block / limit access to certain data: control different levels of access to be configured for different users.
- Allow access to secure data when requested: the Enterprise Server management tool allows complete control of encryption policy and encryption key issue across the enterprise.
- Secure, safe storage of personal data: FIPS 140-2 validated and uses industry standard encryption algorithms and methods.

> Firewalls
- Segmentation: firewalls to segment financial systems from other internal systems.

> Data Backup / Protection
- Data Backup, Replication, Testing & Recovery: SOX requires a recovery plan be available so information can be recovered from a natural disaster.

Securenet Consulting provides solutions to protect applications and data, to make sure they're available in minutes with minimal data loss.

  • Automated failover
  • Failback
  • Non-disruptive DR testing.

Contact us today to discuss your requirements in more detail.

P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk