Sarbanes-Oxley and Security
Since its passage, the Sarbanes-Oxley Act of 2002 (SOX) has
engendered spirited debate over the law's implications for corporate
information practices, IT financial reporting, and corporate IT security,
especially with respect to the internal control provisions of Section 404. A
legal review commissioned by the Cyber Security Industry Alliance (CSIA)
concluded that compliance with Section 404 requires publicly traded companies
to employ information security to the extent necessary to ensure the
effectiveness of internal controls for financial reporting.
In reaching this conclusion, the review also recognized that, given the
size and complexity of IT systems and networks in most publicly traded
companies, the statutory and administrative materials governing Section 404 may
still lack the detail and specificity regarding IT governance and security that
management and auditors need to guide their compliance efforts.
Companies are now
recognizing the necessity of addressing IT issues relating to
SOX compliance, including proper policies for management of IT
applications, data, and access to data. Businesses need to
archive electronic communications to meet compliance. Access
to reporting tools must be established. Security procedures
must be established for data and reporting
access.
Our professionals with security and SOX experience are able to provide advice in
the preparations for audits and provide expertise in
establishing appropriate policies and procedures in several
key functional areas:
IT security
Financial reporting controls
Data center controls
IT service levels
Change management procedures
Email compliance.
We can help you establish user access to
applications, reporting, and data, as well as create reports
that will meet audit requirements.
Security
In today's real-time, internet-based, highly networked computing
environment, security is a key topic for all IT
managers. In addition to protecting the network from
external security threats, such as hackers and intruders,
there are expanding needs to establish the security
authorization level (trusted, privileged) and access for each
user in several areas of the IT infrastructure. Security
and access by user must be defined for each level of the IT
operations, including security for data, the applications, and
the network. Our consultants are knowledgeable and able
to establish security policies and recommendations relative to
these various dimensions of the IT operations and to help
identify any gaps that may be a
risk.
Data Security
Businesses must
implement log monitoring as well as data replication and email
archival to meet regulations. Some databases offer
data encryption for additional protection. Our professionals are versed in how to establish data
security to meet these regulations.
Application and Network Security
Businesses need to establish baseline
levels of operation for applications and the network, and
monitor systems for unusual levels of activity, typically with
an IT management/network management software solution. Further, many businesses have implemented methods
to detect malicious software and viruses. Our consultants can
team with your IT professionals to define appropriate
controls.
Risk Assessment & Management
At Strategic IT
Services, our consultants can work with you to evaluate your
risk of non-compliance with Sarbanes-Oxley, your exposure, and
assist you in the development of appropriate plans to mitigate
any risk and help you meet audit
requirements.