E-guide: How to Address SOX Compliance Requirements

Expert advice to clear up SOX compliance confusion


In this e-guide

Frameworks to support SOX compliance requirements p.2

Four steps to consolidate SOX data retention and deletion processes p.7

IT security operations take advantage of SOX compliance strategy p.14

About us p.19


In this e-guide: Sarbanes Oxley Act (SOX) regulatory compliance was designed to address two main concerns: Lowering the level of enterprise risk to financial scandal and maintaining a consistent level of error-free financial reporting.

However, the steps needed to meet SOX compliance requirements have been confusing to many organizations.

This guide aims to clear up any confusion with clear directions for addressing SOX requirements. Learn:

• How to use IT and security tools within COSO and COBIT frameworks to meet SOX compliance requirements

• 4 steps to meet SOX data compliance mandates

• How SOX compliance best practices can benefit company-wide GRC


Frameworks to support SOX compliance requirements

Scott Tiazkun, Independent Analyst

During the last decade, governments and regulatory agencies have created a myriad of business and IT regulatory frameworks that must be considered by almost all companies. Regulations like Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA can have potentially disruptive impacts on enterprise processes like finance and audit as well as IT and security departments.

All have their specific requirements and debatable value but no one regulatory issue has loomed as large over the last decade as Sarbanes-Oxley (SOX). SOX regulatory compliance was designed to address two main concerns: lowering the level of enterprise risk to financial scandal and maintaining a consistent level of error-free financial reporting. However, the steps needed to meet SOX compliance requirements have been confusing to many organizations.

Many enterprises are lacking clear direction that will address SOX requirements from an IT process perspective. Let's look at how enterprises can use IT and security tools within the frameworks of COSO and COBIT to meet SOX compliance requirements.


Financial compliance and the IT environment

SOX was a legislative response to the slew of accounting scandals involving large corporations such as Enron and Tyco. The act contains many duties and corresponding penalties for corporate boards and executives. The overarching goal of SOX is to create an environment that enforces standards that ensure accuracy of financial statements filed by publicly traded companies that file a Form 10-K with the Securities and Exchange Commission (SEC).

Sections 302 and 404 are the portions of SOX that need to have the support of both finance and the IT department. These sections require yearly certification of internal controls, as verified by an independent auditor. Lack of security of financial data that results in financial misrepresentation is a violation that could subject an enterprise to fines and can subject responsible parties to imprisonment.

COSO and COBIT

Various organizations and frameworks provide the necessary guidance to comply with SOX requirements. IT departments need to be familiar with content from COSO, COBIT, the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) to achieve a total SOX regulatory compliance picture.

Specific to IT solutions, COSO groups IT controls into two main types:

1. General Controls: These include controls over access security, data center operations, systems software controls and others.


2. Applications Controls: These are controls designed to monitor and control data and transactions and authorizations. These also can include application system interactions and data exchange.

However, COSO is light in guidance when it comes to implementing IT controls. Here is where the COBIT framework helps by providing an applicable standard for IT security and control practices that can impact SOX regulatory compliance efforts. Similar to COSO, it puts controls within the framework of business objectives. COBIT categorizes IT into four main process groups:

1. Planning and Organization: These concern identifying the way IT can best contribute to the achievement of stated business objectives and include key processes like defining a strategic plan, defining the information architecture, ensuring compliance with external requirements and assessing risks.

2. Acquisitions and Implementation: Processes to realize the IT strategy via IT solutions that need to be identified, developed or acquired and integrated into business processes. Key processes include acquiring and maintaining applications software and technology infrastructure and developing and maintaining procedures.

3. Delivery and Support: Processes around the actual processing of data by application systems. Core processes include defining and managing service levels, ensuring continuous service, ensuring systems security and managing data, facilities and operations supporting IT.

4. Monitor and Evaluate: All IT processes that need to be regularly assessed over time for quality and compliance with control requirements, including assessing internal control adequacy and obtaining independent assurance of these controls.

Enterprises will need to consider IT-related controls at all stages of the SOX compliance and IT engagement process, from planning to identification, documentation and testing of significant IT controls on financial processes and supporting applications. At each stage, your work should address each of the four categories of IT processes summarized above.

SOX regulatory compliance using COSO

COSO remains the most popular framework for meeting SOX Section 404 requirements, and financial managers and auditors alike have become familiar with COSO and its objectives around controls. Therefore, companies should internally focus on the IT controls, monitoring and information gathering and reporting concepts embedded in COSO. Specifically, in their SOX compliance efforts, enterprises should demonstrate how enterprise IT controls support the COSO framework. The enterprise should deploy IT control competency in the components COSO identifies as "essential" for effective internal control. These areas are: control environment, control activities, monitoring, information and communication and risk assessment.

To support COSO, in deference to SOX compliance requirements, one of several IT general control objectives is that financial reporting systems and subsystems are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data. If these controls are not in place, enterprises run the risk of misleading or incorrect financial reporting, in direct violation of SOX. IT security solutions are needed in this case to ensure there are controls that support proper authorization, authentication and security monitoring. Deficiencies could negatively impact activities like financial reporting, as insufficient controls over transaction authorizations could result in inaccurate financial reporting.

For this type of control objective, specific steps need to be in place such as:

• An approved IT security plan.

• Security procedures for authentication/access management of users to support transactions.

• Procedures for requesting, establishing, issuing, suspending and closing user accounts.

• Updating of the IT security plan to reflect changes in the IT environment.

• Controls such as firewalls, intrusion detection and vulnerability assessments exist and prevent unauthorized access via public networks.

• Controls relating to segregation of duties (SOD) which grant access to systems and data.

Savvy enterprises will realize that IT controls used for compliance efforts like SOX are also useful tools to enhance overall IT governance and operations and financial risk efforts going forward.


Four steps to consolidate SOX data retention and deletion processes

Judith M. Myerson, Consultant

The regulations companies must comply with are as varied as the services they provide and the regions they operate in. Large financial institutions in the U.S. must comply with the Sarbanes Oxley Act (as a public company), the Gramm-Leach-Bliley Act (for financial companies), the Payment Card Industry Data Security Standard (for credit service providers), Basel II (if they operate in Europe), SEC Rule 17a-4 (for those in the financial services industry) and local privacy regulations when operating in other countries.

If healthcare providers and payers are customers of the financial institution, the firm must also comply with privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) to protect patient health information.

Despite the variations -- public versus private, global versus operating only in the Southwest United States -- the foundation of most compliance mandates is data retention. To put it in perspective, let's focus on meeting Sarbanes Oxley Act (SOX) data compliance mandates in four steps.


Step 1. Identify SOX compliance mandates

SOX Sections 302 and 404 have the greatest business impact in terms of compliance obligations. Section 302 calls for corporate responsibility for financial reporting and holds the CEO and CFO responsible for ensuring the accuracy of quarterly and annual financial statements. Spreadsheets, documents and emails that were used to arrive at the final financial conclusions are considered records under SOX data retention regulations, and therefore must be maintained.

Before the CEO and CFO sign the company's financial statements, there should be a workflow process in place to manage all financial statements. If serious errors or fraud are discovered in the financial reporting, the company would face severe penalties.

Section 404 requires that annual reports contain information regarding internal controls. The rule places major responsibility on the CFO and the company's external auditors to ensure the effectiveness of internal controls, including policies, processes and company IT systems used for data retention.


Step 2. Identify data retention periods for each regulation

In this step, we'll examine data retention periods based on recommendations made by David Balovich, founder of professional business credit consulting firm 3JM Company and a well-known expert on document retention and destruction policies set by the American Institute of Architects Austin Chapter.

SOX Act Sections 103 (a) and 801 (a) require public companies and registered public accounting firms to maintain audit work papers for at least seven years.

SOX does not mandate private companies to comply, but under Section 802 private companies will get slapped with fines and face up to twenty years imprisonment for knowingly destroying, altering or falsifying records with the intent to impede or influence a federal investigation.

SOX specifies different data retention dates for different document types. A retention period of seven years is required for:

• Accounts payable ledger

• Accounts receivable ledger

• Time cards

• Product inventory

• Payroll records

• Tax returns

A retention period of five years is required for:

• Invoices to customers

• Invoices from vendors

• Purchase orders

Employment applications must also be retained for three years. There is a permanent retention period for bank statements, contracts and leases, employee payroll records, legal correspondence, training manuals and union agreements. The American Institute of Architects Austin Chapter's document retention and destruction policy references the SOX Act, and Balovich explains that one of the purposes of the policy is to ensure the organization eliminates accidental destruction of records.

A retention period of seven years is required for:

• State sales tax information and returns

• Business expense records

• Invoices

• Bank statements

• Earning records

• Payroll tax records


A data retention period of seven years after employment was terminated is required for records relating to employee promotion, demotion or discharge. A retention period of five years is required for:

• Sales records

• State unemployment tax records

• Accident records and workers unemployment records

• Salary records

A retention period of three years is required for:

• General correspondence

• Credit card receipts

• Employment records

There is a permanent retention period for Articles of Incorporation, executive/board policies and resolutions, bylaws, chapter charter, state sales returns, financial statements, depreciation schedules, check registers, payroll registers, employment and termination agreements and insurance policies.


Step 3. Determine document storage

Electronic media -- including CD-ROMs and cartridge tapes -- is the preferred storage method under the SOX data retention mandates. It must preserve the required records in a non-rewritable, non-erasable format as defined under the Securities Exchange Act of 1934 (SEC Rule 17a-4, 17 CFR 240.17a-4).

Under SOX, the business must ensure that email:

• Is tamper-proof, permanent, password-protected, encrypted and read-only.

• Follows the policies of the business on how email is archived, what the data retention period is, and how email is protected.

• Is audited by a third party.

• Is fully indexed and searchable.

Under Section 802, if documents cannot be converted or are not economically feasible to convert to an electronic format (e.g. too large to fit onto a CD-ROM), you need to secure the original and hard copies in locked cabinets or vaults. When documents reach retention expiration dates, they should be destroyed. Section 802 rules state that any employee who knows the company is under investigation, or suspects it might be, must stop all document destruction and alteration immediately.


Step 4. Implement data retention policy

To handle multiple data retention dates, my recommendation is to consolidate these dates into a corporate or organizational data retention policy. The policy should include:

• Review dates to check the impact of organizational changes and who is responsible for meeting the data retention requirements.

• Document and email archiving policies.

• Email alerts when any system has been compromised.

• Notifications on impending non-compliance.
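The retention and destruction logic of Steps 2 through 4, as an added example that is not part of this guide: a small Python retention-policy evaluator. It uses the SOX retention periods listed in Step 2 (seven, five and three years, plus the permanent categories) as a lookup table, computes each record's expiry date, and models the Section 802 rule that all destruction stops once the company knows or suspects it is under investigation as a `legal_hold` flag. The record inventory, the `legal_hold` flag and the `review` outcome for unclassified records are assumptions made for the example, not requirements stated in the guide.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Retention periods in years for the SOX document types listed in Step 2 of
# this guide; None means permanent retention. (Constructed lookup table.)
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "accounts_payable_ledger": 7,
    "accounts_receivable_ledger": 7,
    "time_cards": 7,
    "product_inventory": 7,
    "payroll_records": 7,
    "tax_returns": 7,
    "invoices_to_customers": 5,
    "invoices_from_vendors": 5,
    "purchase_orders": 5,
    "employment_applications": 3,
    "bank_statements": None,
    "contracts_and_leases": None,
    "legal_correspondence": None,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    doc_type: str
    created: date


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(record: Record) -> Optional[date]:
    """Date from which the record may be destroyed, or None if permanent."""
    years = RETENTION_YEARS.get(record.doc_type)
    if years is None:
        return None
    return add_years(record.created, years)


def disposition(record: Record, today: date, legal_hold: bool) -> str:
    """Decide what the retention policy says to do with one record.

    legal_hold models Section 802 (assumed flag): once the company knows or
    suspects it is under investigation, destruction stops regardless of expiry.
    """
    if record.doc_type not in RETENTION_YEARS:
        return "review"  # unclassified record: never destroy by default
    expiry = retention_expiry(record)
    if expiry is None:
        return "retain_permanently"
    if today < expiry:
        return "retain"
    return "hold" if legal_hold else "eligible_for_destruction"


def run_retention_review(records: List[Record], today: date,
                         legal_hold: bool) -> Dict[str, str]:
    """Map record id -> disposition for the whole inventory."""
    return {r.record_id: disposition(r, today, legal_hold) for r in records}


# Constructed sample inventory and review date (not real data).
SAMPLE_RECORDS = [
    Record("R1", "invoices_to_customers", date(2015, 3, 1)),
    Record("R2", "accounts_payable_ledger", date(2015, 3, 1)),
    Record("R3", "bank_statements", date(2015, 3, 1)),
    Record("R4", "unclassified_memo", date(2010, 6, 1)),
    Record("R5", "employment_applications", date(2020, 2, 29)),
]
REVIEW_DATE = date(2021, 1, 15)

if __name__ == "__main__":
    for rid, action in run_retention_review(SAMPLE_RECORDS, REVIEW_DATE,
                                            legal_hold=False).items():
        print(rid, action)
```

The `review` outcome for records whose type is not in the policy is deliberate: an unclassified record is a policy gap to be resolved by the owner named in the review, not a candidate for destruction.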



IT security operations take advantage of SOX compliance strategy

Jeff Jenkins, Director of Cybersecurity - Travelport LTD

The Sarbanes-Oxley (SOX) Act of 2002 has served as a primary driver for many companies' security programs, and it's arguably the first major legislative act or standard to succeed in getting the attention of the executive suite. A little over a decade since its inception, SOX still drives many compliance and security programs because of the executive-level penalties it carries and its relation to accounting and financial concepts that already occur at the CxO level. Adopting SOX-compliance controls and procedures can improve your organization's overall IT security program, even if your company is not a publicly traded one typically targeted by SOX regulations.

From a technical perspective, SOX security requirements aren't as comprehensive or prescriptive as other standards like the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001. Set largely by the accounting industry, SOX focuses primarily on fundamental system and user management controls like authentication, access control, logging and monitoring. One could argue that SOX doesn't necessarily ensure the security of data or systems as much as it enforces fundamental best practices for knowing who has access to financial data, how the data originated and whether that information gets modified. Even with what might be termed a limited security scope, SOX still enforces some excellent compliance practices that can serve as an example of how to audit and monitor information systems.

One of the most specific SOX requirements involves monitoring user access to data. This requires mature procedures for user provisioning, de-provisioning and granting privileged access to modify or administer data systems. Nearly every IT security standard includes requirements to monitor and control system and data access, and SOX requires auditors and IT personnel to regularly review practices such as access rights. Under SOX, however, senior-level management is also required to sign-off on those reviews, so SOX-compliant organizations tend to have more mature access control procedures.

The average organization might simply rely on logged/documented procedures for creating and deleting user accounts, while granting "admin level" privileges that can be reviewed when a security event occurs. A SOX-compliant organization will usually perform much more regular (at least monthly) and detailed -- requiring manager approval -- reviews of all user accounts and privileges related to finance systems and data. Most organizations that struggle with SOX compliance have a tough time getting adequate IT participation in these access reviews and approvals due to the time and effort that is usually involved. Establishing such practices, though, is a fundamental way to avoid fairly common security incidents, such as inactive user accounts being used to compromise systems, or users having more access to data than what is appropriate for their roles.
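The account review described above, as an added example that is not part of this guide or the author's material: a Python script that runs over a constructed export of finance-system accounts and produces the packet a manager signs off on. It flags enabled accounts with no recent login (the inactive accounts the paragraph warns about) and privileges that exceed the account's role baseline (more access than the role needs), and dates the next review a month out. The 90-day inactivity threshold, the role baseline and the account export are assumptions for the example; the monthly cadence and manager approval are the guide's.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# Privileges each role is entitled to on the finance systems.
# (Constructed baseline; a real one comes from the access-control design.)
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ap_clerk": {"ap_read", "ap_write"},
    "gl_accountant": {"gl_read", "gl_post"},
    "auditor": {"gl_read", "ap_read"},
}

INACTIVITY_DAYS = 90        # assumed threshold, not a figure from the guide
REVIEW_INTERVAL_DAYS = 30   # "at least monthly", per the guide


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    privileges: frozenset
    last_login: date
    enabled: bool


def find_inactive(accounts: List[Account], review_date: date) -> List[str]:
    """Enabled accounts with no login for INACTIVITY_DAYS or more."""
    return sorted(a.user for a in accounts
                  if a.enabled
                  and (review_date - a.last_login).days >= INACTIVITY_DAYS)


def find_excess_privileges(accounts: List[Account]) -> Dict[str, Set[str]]:
    """Privileges an account holds beyond what its role baseline allows."""
    findings: Dict[str, Set[str]] = {}
    for a in accounts:
        allowed = ROLE_BASELINE.get(a.role)
        if allowed is None:
            # Unknown role: nothing is justified, so every privilege is reviewed.
            findings[a.user] = set(a.privileges)
            continue
        extra = set(a.privileges) - allowed
        if extra:
            findings[a.user] = extra
    return findings


def build_review(accounts: List[Account], review_date: date) -> dict:
    """Assemble the review packet; manager sign-off is required if anything was found."""
    inactive = find_inactive(accounts, review_date)
    excess = find_excess_privileges(accounts)
    return {
        "review_date": review_date.isoformat(),
        "next_review_due": (review_date + timedelta(days=REVIEW_INTERVAL_DAYS)).isoformat(),
        "inactive_accounts": inactive,
        "excess_privileges": {u: sorted(p) for u, p in excess.items()},
        "requires_manager_signoff": bool(inactive or excess),
    }


# Constructed account export (not real users or data).
SAMPLE_ACCOUNTS = [
    Account("alice", "ap_clerk", frozenset({"ap_read", "ap_write"}), date(2017, 4, 28), True),
    Account("bob", "ap_clerk", frozenset({"ap_read", "ap_write", "gl_post"}), date(2017, 4, 30), True),
    Account("carol", "auditor", frozenset({"gl_read"}), date(2016, 11, 2), True),
    Account("dave", "contractor", frozenset({"gl_read"}), date(2017, 4, 25), True),
    Account("erin", "gl_accountant", frozenset({"gl_read"}), date(2016, 1, 10), False),
]
REVIEW_DATE = date(2017, 5, 1)

if __name__ == "__main__":
    for key, value in build_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{key}: {value}")
```

Disabled accounts are skipped by the inactivity check because they cannot be used to log in; whether they should also be deleted after a grace period is a separate policy decision the review can carry.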

Implementing procedures like these can go beyond SOX compliance by also helping your organization develop better overall IT hygiene habits, like regular reviews of all log files instead of just those associated with security-related events, and more manager- or executive-level accountability for IT decisions. It is also likely that the organization's ability to remain, or become, compliant with other standards like PCI or ISO 27001 will improve if it already has SOX-related controls in place.

The SOX influence on tech development

From a product perspective, SOX has had, and will likely continue to have, both indirect and direct influence on security technologies. Products used for database access monitoring, file integrity monitoring and privileged access management have significantly improved due to mandates stipulated by SOX regulations. Some specific products, such as Tripwire's file integrity monitoring tool, became almost the de facto standard solution during the early days of SOX compliance. SOX continues to help drive the need for, and innovation in, newer families of products, like privileged access management (PAM), that help organizations better track, assign and revoke user rights to systems and data.

SOX compliance is not only beneficial in regards to potentially exposing your organization to advanced security products -- it can help manage procedures for reporting and reviewing security information. By combining security teams' data protection strengths with the audit and accounting teams' reporting strategies to work toward SOX compliance, companies can significantly improve the vetting process for IT security and compliance technologies.


Don't underestimate the SOX visibility factor

In addition to the maturity that SOX can bring to your technical controls and solutions, another noticeable benefit is the relationship that SOX has with the finance and auditing community. Security programs have traditionally struggled to get serious attention from the executive suite because security has been viewed largely as simply an aspect of technology. The fact that SOX is often championed and overseen by the finance and accounting department, however, has helped security and compliance gain immediate traction with business leaders, audit committees and boards of directors.

SOX compliance has also helped show that security's impact on the organization goes beyond just IT departments, and can be useful for forging alliances between security, finance and accounting, and legal teams. Like Enterprise Risk Management (ERM) initiatives -- another concept driven primarily into mainstream business because of legislation -- SOX has increased security and compliance's visibility within organizations. It has also benefitted many security leaders by giving them a voice in the board room, usually via reporting their concerns to audit committees or directly to boards of directors.

SOX might not be the overwhelming driver behind security and compliance efforts that it once was, especially because more visible and comprehensive security standards such as PCI DSS have emerged. However, SOX has always been effective -- and somewhat unique -- in that it has spotlighted both technologies and the underlying procedures needed to manage compliance effectively.


When building a security or compliance program, it is always wise to consider numerous security laws and standards to get a good mix of controls, practices or vertical market influences. Don't overlook the benefits and influence of SOX when you are building your security and compliance programs, because it can possibly provide you aspects like depth of controls, product maturity and organizational traction that other compliance efforts might not.



About SearchFinancialSecurity

IT security pros turn to SearchFinancialSecurity.com for the information they require to keep their corporate data, systems and assets secure.

Get in-depth technical advice and learning materials related to the strategies, technologies and business processes associated with ensuring security in high-risk financial environments.

Nowhere else will you find such a highly targeted combination of resources specifically dedicated to the success of today's IT-security professionals.

For further reading, visit us at http://SearchFinancialSecurity.com/

Images: Fotolia

© 2017 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher.