Achieving Sarbanes-Oxley (SOX) compliance is not impossible, but there are a few key elements beyond ethical leadership that are necessary to achieve and maintain it. Public corporations must implement the proper information access controls and possess the appropriate tools to ensure that information is kept secure. These efforts, combined with practical security policies and processes, will go a long way toward keeping corporate executives out of the hot seat with regulatory officials and will also provide value well beyond SOX compliance.

Overview of SOX

The SOX legislation (http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf) was enacted on July 30, 2002 and falls under the umbrella of the U.S. Securities and Exchange Commission (SEC). SOX differs from other recent legislation involving information security and privacy in that it revolves around the protection of financial records and helps ensure the accuracy of financial reports as an indirect means for regulating corporate behavior. The requirements set forth for SOX compliance apply to all U.S. public companies, foreign filers in U.S. markets, and privately-held companies with public debt.

Of the several dozen sections in SOX, Section 404 -- Management Assessment of Internal Controls -- is the one that affects IT and information security the most. In order to establish SOX compliance, an annual internal control report is required to:

1. state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
2. contain an assessment, as of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures for the issuer for financial reporting

For the purposes of SOX compliance, the SEC has defined internal control over financial reporting as it relates to information security to include the maintenance of records and reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of assets related to financial statements.

SOX compliance and Web application security

Because most corporate financial records are stored, accessed, and maintained in electronic formats that often have Web-based components, Web application security is crucial to SOX compliance. In addition, there is a reporting component required for SOX compliance that ties into Web applications. Web servers, database servers, and often the applications themselves have a logging function that creates audit trails for tracking who, what, and when. These trails not only provide the details necessary for system monitoring and troubleshooting but are often used in a forensics capacity to investigate attacks against Web applications. Audit trails can also assist with and provide documented proof that ongoing Web application security assessments and audits required to achieve Sarbanes-Oxley compliance are taking place.

As with most information security initiatives, the requirements for SOX compliance are policy driven in areas such as:

• User authentication

• Password management
• Access controls
• Input validation
• Exception handling
• Secure data storage and transmission
• Logging
• Monitoring and alerting
• System hardening
• Change management
• Application development
• Periodic security assessments and audits

If security policies designed to maintain SOX compliance are not in place and enforced with adequate business processes and technical controls, Web applications can easily expose financial systems to danger.

Beyond implementing the necessary policies and processes, another important element of SOX compliance is to

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine