Skip to main content

What is SOX Compliance? 2023 SOX Requirements & More

by Chris Brook on Thursday October 26, 2023

Contact Us
Free Demo
Chat

Learn about SOX compliance in Data Protection 101, our series on the fundamentals of data security.

What is SOX Compliance?

SOX compliance is compliance with an act of congress called the Sarbanes-Oxley Act, which sets deadlines for compliance and publishes rules on requirements. Congressmen Paul Sarbanes and Michael Oxley drafted the act with the goal of improving corporate governance and accountability, in light of the financial scandals and corporate fraud that occurred at Enron, WorldCom, and Tyco, among others.

In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures.

All public companies now must comply with SOX, both on the financial side and on the IT side. The way in which IT departments store corporate electronic records changed as a result of SOX. While the act does not specify how a business should store records or establish a set of business practices, it does define which records should be stored and the length of time for the storage. To comply with SOX, corporations must save all business records, including electronic records and electronic messages, for “not less than five years.” Consequences for noncompliance include fines or imprisonment, or both.

THREE MANAGEMENT OF ELECTRONIC RECORDS RULES

As a result of SOX, IT departments are responsible for creating and maintaining an archive of corporate records. They seek ways in which to do this that are both cost effective and that are in complete compliance with the requirements of the legislation. Three rules in Section 802 of SOX affect the management of electronic records.

  • First rule: This rule concerns the destruction, alteration, or falsification of records and the resulting penalties.
  • Second rule: A rule that defines the retention period for records storage; best practices suggest corporations securely store all business records using the same guidelines as public accountants.
  • Third rule: This rule outlines the type of business records that need to be stored, including all business records, communications, and electronic communications.

SOX COMPLIANCE AND SECURITY CONTROLS

The best plan of action for SOX compliance is to have the correct security controls and internal control structures in place to ensure that financial data and financial reports are accurate and protected against loss. Developing best practices and relying on the appropriate tools helps businesses automate SOX compliance and reduce SOX management costs.

Data classification tools are commonly used to aid in addressing compliance challenges by automatically spotting and classifying data as soon as it is created and applying persistent classification tags to the data. Solutions that are context aware have the ability to classify and tag electronic health records, cardholder and other financial data, confidential design documents, social security numbers, PHI, PII, and other structured and unstructured data that is regulated.

SECTION 906 OF THE SOX ACT

Section 906 of the SOX Act requires a written statement to be submitted by the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) of publicly-traded companies. This statement is to be submitted with a periodic report, also required by the Act. The content of the written statement, according to section 906 “shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.”

It’s paragraph “(c)” in section 906 where penalties for violations are recorded. These penalties are for either;

1. Knowingly certifying a report that does not “comport” with the requirement of section 906
2. Willfully certifying a report that does not “comport” with the requirement of section 906

The fine for a knowing violation will be “not more” than $1,000,000 or imprisoned “not more” than 10 years in prison, or both. A willful violation is significantly more costly at “not more” than $5,000,000 or 20 years in prison, or both.

DATA PROTECTION AND COMPLIANCE

Data classification enables security teams to more easily monitor and enforce corporate policies for data handling. Depending on the sensitivity of data and its applicable regulations, it may need to be encrypted, compressed, or saved to a different file format. With the correct policies in place, corporations can prevent unauthorized users, even those with administrative rights to the system, from viewing regulated data. The best solutions also prevent data egress through copying to removable storage devices. Another feature of security solutions that are worth the investment is its ability to safeguard shared data. These so-called “masking” features give users access to necessary information while ensuring compliance with regulations.

SOX COMPLIANCE AUDITS

Being in SOX compliance and complying with other regulatory standards is nearly impossible without the correct security solutions in place. Providing evidence of compliance is even worse because evidence must prove to independent auditors written internal controls are in place, communicated, and enforced while supporting non repudiation. The correct security software solution provides the supportable evidence so that all of your compliance efforts are worthwhile.

A software solution for meeting compliance requirements should be able to monitor data, enforce policies, and log every user action. With evidentiary-quality trails, all of the data needed for compliance is in place. Protect your data and your business with a software solution that ensures SOX compliance and rest a little easier when facing external auditors during your next audit.

 

Meet Data Compliance Regulations
with Digital Guardian

See how Digital Guardian enables you to effectively discover, monitor and control sensitive data.

Schedule a Demo

 

Tags:  Data Protection 101

Chris Brook

Chris Brook

Chris Brook is the editor of Digital Guardian’s Data Insider blog. He is a cybersecurity writer with nearly 15 years of experience reporting and writing about information security, attending infosec conferences like Black Hat and RSA, and interviewing hackers and security researchers. Prior to joining Digital Guardian–acquired by Fortra in 2021–he helped launch Threatpost, an independent news site that was a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.

Recommended Resources


The Definitive Guide to DLP

All the essential information you need about DLP in one eBook.

The Ultimate Guide to Data Protection

Everything you need to know about data protection but were afraid to ask.