Keeping SOX 404 under control(s)


Kevin Beaver, CISSP
04.19.2005
If you work for a U.S.-based public company or any organization that's affected by the Sarbanes-Oxley Act (SOX), you've probably realized the extent of IT and information security involvement required for compliance -- specifically around SOX section 404. Although section 404 is extremely vague in outlining what's needed for internal controls, it is generally accepted that a broad range of information security controls are necessary, the most critical of which is assuring the integrity of financial information. As with most security-related initiatives, these measures must be policy-driven in order to be effective.

Every organization's security policy requirements are based on several variables, perhaps the most important of which is the outcome of a risk analysis or of ongoing IT security audits. However, there are several security policies that most corporations will need to help with SOX 404 compliance regardless of their size, setup and business processes. These are:

Access controls -- Hardware/software controls regulating who has access to what financial-related information.

Audit trails -- Application, operating system, etc. logs that track who has accessed, modified or deleted financial information.

Computer and media disposal -- Minimum requirements for ensuring financial-related information is wiped before hardware and media leave the company.

Data backup -- Specific backup requirements to ensure financial data is properly protected.

Data integrity controls -- Hardware/software solutions to keep financial information from being inappropriately modified (e.g. IDS/IPS, malware protection, rights management software, application controls to filter input and perform data validation, etc.).

Data retention -- Minimum requirements for holding onto critical financial data, especially supporting documentation, related communications, etc.

Document destruction -- Requirements and steps to be taken (or not taken) when destroying hard copy information.

Information classification -- Outlining how various types of financial information will be classified and protected based on level of sensitivity.

Messaging security -- Minimum requirements for protecting the transmission and storage of messages (e-mail and instant messaging) containing sensitive financial-related information.

Security assessments and audits -- How systems will be continuously tested and audited for security risks.

System authentication -- Hardware/software controls ensuring that users accessing financial information are who they say they are.

System monitoring -- Technologies and processes in place to detect and alert on financial information breaches.

User provisioning -- Specific requirements and processes for adding and removing users who will have access to financial information.

Wireless networks -- Minimum security requirements for wireless systems connecting to corporate networks.
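Several of the policies above (access controls, audit trails, data integrity controls and system monitoring) meet in one technical question: can you prove, after the fact, who changed a financial record and that the record of those changes has not itself been altered? The following is an added illustration, not code from the original tip or from the author, of one common way to answer it: a hash-chained, append-only audit trail in front of a toy ledger, with a role check that writes denied attempts to the same trail. The role names, record identifiers, amounts and timestamps are constructed for the example; the "anchored head" is a copy of the latest chain hash assumed to be held out-of-band (for instance by the audit function), which is what lets the check catch an attacker who rewrites the log and recomputes every hash.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical policy table: which roles may do what to financial records.
# Constructed for this example; a real policy would come from the access-control document.
ROLE_PERMISSIONS = {
    "ap_clerk": {"read", "modify"},
    "auditor": {"read"},
    "sysadmin": set(),  # runs the servers, is not allowed to touch ledger data
}

GENESIS = "0" * 64  # chain starts from a fixed all-zero "previous hash"


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditTrail:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []  # each item: {"entry": {...}, "prev": hex, "hash": hex}

    def append(self, actor, role, action, record_id, detail, ts=None):
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "action": action,  # "read", "modify", "delete" or "denied"
            "record": record_id,
            "detail": detail,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"entry": entry, "prev": prev, "hash": _entry_hash(prev, entry)})
        return self.entries[-1]["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, index of first bad entry, or -1 when the chain is intact)."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev"] != prev or _entry_hash(prev, rec["entry"]) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        # The chain is self-consistent; compare against the copy held out-of-band, if given.
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1


class Ledger:
    """Toy financial store; every change passes the role check and is written to the trail."""

    def __init__(self, trail):
        self.trail = trail
        self.records = {}

    def modify(self, actor, role, record_id, new_amount, ts=None):
        if "modify" not in ROLE_PERMISSIONS.get(role, set()):
            # Denied attempts are evidence too: log them with the same integrity protection.
            self.trail.append(actor, role, "denied", record_id, {"attempted": "modify"}, ts)
            return False
        old = self.records.get(record_id)
        self.records[record_id] = new_amount
        self.trail.append(actor, role, "modify", record_id, {"old": old, "new": new_amount}, ts)
        return True


def demo():
    trail = AuditTrail()
    ledger = Ledger(trail)
    ts = "2005-04-19T00:00:00+00:00"  # fixed constructed timestamp keeps the run deterministic
    ledger.modify("alice", "ap_clerk", "INV-1001", 1250.00, ts)
    ledger.modify("bob", "sysadmin", "INV-1001", 12.50, ts)  # violates policy, logged as denied
    anchored_head = trail.head()  # copy assumed to be stored away from the log itself
    ok_before, _ = trail.verify(anchored_head)

    # Tampering case 1: an entry in the stored log is edited in place.
    trail.entries[0]["entry"]["detail"]["new"] = 12.50
    ok_edit, bad_edit = trail.verify()

    # Tampering case 2: the editor also recomputes every hash to hide the edit.
    prev = GENESIS
    for rec in trail.entries:
        rec["prev"], rec["hash"] = prev, _entry_hash(prev, rec["entry"])
        prev = rec["hash"]
    ok_rehash_chain, _ = trail.verify()  # the chain alone is now fooled
    ok_rehash_anchor, bad_anchor = trail.verify(anchored_head)  # the out-of-band head is not

    return {
        "ok_before": ok_before,
        "denied_logged": trail.entries[1]["entry"]["action"] == "denied",
        "amount": ledger.records["INV-1001"],
        "ok_edit": ok_edit, "bad_edit": bad_edit,
        "ok_rehash_chain": ok_rehash_chain,
        "ok_rehash_anchor": ok_rehash_anchor, "bad_anchor": bad_anchor,
    }


if __name__ == "__main__":
    print(demo())
```

The second tampering case is the one worth remembering when writing the audit-trail and system-monitoring policies: a hash chain by itself only detects edits made by someone who cannot rewrite the whole log, so the policy should require the current head hash (or a signed copy of the log) to be stored where the people who administer the log cannot change it, and compared on a schedule.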

Formatting SOX compliance policies for maximum effectiveness may seem detailed and complex, but there is a simple template approach you can take when writing them. Once your compliance policies have been set, enforcing them is equally important.

Corporations that must comply with SOX are likely to be covered by other regulations as well, such as HIPAA and the Gramm-Leach-Bliley Act. If this is the case for you, consider writing higher-level information security policies that can be applied across the board and cover as many regulations as possible. Most regulations have similar requirements, and there's certainly no need for duplication. This will save you major time and effort when it comes to managing your security policies long-term. Keeping information security as simple and practical as possible is, after all, what it's all about.


About the author:
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic, LLC, where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books including The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach), Hacking For Dummies (Wiley), and the upcoming Hacking Wireless Networks For Dummies. Kevin can be reached at kbeaver@principlelogic.com.
