Skip to main content

DATA SECURITY KNOWLEDGE BASE

What is SOX Compliance?

In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures. The act sets deadlines for compliance and publishes rules on requirements. Congressmen Paul Sarbanes and Michael Oxley drafted the act with the goal of improving corporate governance and accountability, in light of the financial scandals that occurred at Enron, WorldCom, and Tyco, among others.

All public companies now must comply with SOX, both on the financial side and on the IT side. The way in which IT departments store corporate electronic records changed as a result of SOX. While the act does not specify how a business should store records or establish a set of business practices, it does define which records should be stored and the length of time for the storage. To comply with SOX, corporations must save all business records, including electronic records and electronic messages, for “not less than five years.” Consequences for noncompliance include fines or imprisonment, or both.

Three Management of Electronic Records Rules

As a result of SOX, IT departments are responsible for creating and maintaining an archive of corporate records. They seek ways in which to do this that are both cost effective and that are in complete compliance with the requirements of the legislation. Three rules in Section 802 of SOX affect the management of electronic records. The first concerns the destruction, alteration, or falsification of records and the resulting penalties. The second defines the retention period for records storage; best practices suggest corporations securely store all business records using the same guidelines as public accountants. The third rule outlines the type of business records that need to be stored, including all business records, communications, and electronic communications.

SOX Compliance and Security Controls

The best plan of action for SOX compliance is to have the correct security controls in place to ensure that financial data is accurate and protected against loss. Developing best practices and relying on the appropriate tools helps businesses automate SOX compliance and reduce SOX management costs.

Data classification tools are commonly used to aid in addressing compliance challenges by automatically spotting and classifying data as soon as it is created and applying persistent classification tags to the data. Solutions that are context aware have the ability to classify and tag electronic health records, cardholder and other financial data, confidential design documents, social security numbers, PHI, PII, and other structured and unstructured data that is regulated.

Data Protection and Compliance

Data classification enables security teams to more easily monitor and enforce corporate policies for data handling. Depending on the sensitivity of data and its applicable regulations, it may need to be encrypted, compressed, or saved to a different file format. With the correct policies in place, corporations can prevent unauthorized users, even those with administrative rights to the system, from viewing regulated data. The best solutions also prevent data egress through copying to removable storage devices. Another feature of security solutions that are worth the investment is its ability to safeguard shared data. These so-called “masking” features give users access to necessary information while ensuring compliance with regulations.

Compliance and Audits

Being in SOX compliance and complying with other regulatory standards is nearly impossible without the correct security solutions in place. Providing evidence of compliance is even worse because evidence must prove written controls are in place, communicated, and enforced while supporting nonrepudiation. The correct security software solution provides the supportable evidence so that all of your compliance efforts are worthwhile.

A software solution for meeting compliance requirements should be able to monitor data, enforce policies, and log every user action. With evidentiary-quality trails, all of the data needed for compliance is in place. Protect your data and your business with a software solution that ensures SOX compliance and rest a little easier during your next audit.