The Sarbanes-Oxley Act of 2002, often called SOX, typically brings financial accounting standards to mind, along with a few controversial company names—think Enron, Tyco, WorldCom, etc. The common theme among these companies is irreparable damage to their reputations as a result of scandalous financial governance and accountability practices and a lack of information security standards. The SOX legislation was passed in an effort to protect shareholders in public companies whose accounting data, whether intentionally or not, may be subject to manipulation that undermines its accuracy and transparency.
Data accuracy and security are a high-stakes game. Company executives must accept responsibility for the truthfulness and accuracy of financial information about their companies. If the data is found to be manipulated or falsified in any way, the penalties range from delisting from stock exchanges to 20 years behind bars.
The InfoSec-focused sections of SOX that IT managers should care about:
- Section 302 – If your business uses electronic transmission of data for accounting, you must ensure high data security standards. Executives must attest to adherence to those security controls and bear responsibility for the accuracy of reports.
- Section 404 – An outside firm must audit your adherence to security controls for the monitoring and maintenance of accounting and financial records and information. Then the SEC gets to see the results.
- Section 409 – Investors and the public must be informed as soon as there is a material change to the company’s financial status and ability to operate.
- Section 802 – Altering any data that is of concern to the SEC in any way constitutes a crime, and the punishment will be severe.
- Section 906 – Whoever submits a financial report with inaccurate or falsified data is liable.
Compliance with SOX requirements is an ongoing concern for all enterprises. While IT personnel are the ones who attest to information assurance and to the integrity of stored historical records related to the financial status of the company, it is ultimately leadership's name on the dotted line. To be SOX compliant, the enterprise, its board, management personnel, and accounting firms must accurately retain seven years of financial records.
Q-Compliance is purpose-built to help you streamline and automate complex cybersecurity auditing and compliance requirements like SOX. It leverages industry best practices and standards, such as the NIST Risk Management Framework and the NIST 800-53 controls, to help you implement and measure your compliance against SOX.
Q-Compliance automates audits and assessments through alerts to pass or fail controls. If a control fails, a detailed report with actionable information to address the issue is generated. The solution gives the user the ability to upload policy, procedure and file evidence, as well as automatically log human activity—keeping evidence needed for audits all in one place.
The SOX dashboard (as seen above) helps you track how your organization and systems are scoring against each control category, and where you need to improve to pass an audit. The dashboard lets you quickly drill into specific domains to view compliance against the capabilities, practices and processes set forth, and drill further into individual controls to see the specific systems, events, and assets that are non-compliant.
Q-Compliance makes keeping up with SOX and maintaining compliance with other standards like NIST 800-53 simple. SOX-specific scorecards like the one shown above provide real-time answers about your operational status so you can prepare for and pass audits.
As one satisfied Q customer states: “The Q-Compliance suite makes the jobs of the security, compliance, and policy teams streamlined and saves a ton of time and effort — we needed this for a long time.”