No matter how hard it is to find the match, everyone loves clean socks. While we at Qmulos have not yet solved the problem of monitoring that pesky left sock that constantly sneaks off, we have created a way for you to monitor and report on a different "SOX": Sarbanes-Oxley, that is.
The Sarbanes-Oxley Act of 2002, often called SOX, typically brings financial accounting standards to mind. It also brings to mind a few notorious company names: Enron, Tyco, WorldCom, and others. The common theme among these companies is irreparable reputational damage, caused by scandalous financial governance, weak accountability practices, and a lack of information security standards. In response, Congress passed SOX to protect public shareholders from fraudulent or manipulated financial reporting.
Data accuracy and security are a high-stakes game. Company executives must personally accept responsibility for the truthfulness and accuracy of their companies' financial information. If reported data is found to have been falsified in any way, penalties range from delisting on exchanges to 20 years in prison.
InfoSec-focused sections of SOX that IT managers should care about:
- Section 302 – The signing officers (typically the CEO and CFO) must certify the accuracy of each periodic financial report and take responsibility for the internal controls behind it. If your accounting data flows through electronic systems, those systems and the security controls protecting them fall within what the executives are attesting to.
- Section 404 – Management must assess, and an outside audit firm must attest to, the effectiveness of the internal controls over financial reporting, including the IT controls used to monitor and maintain accounting and financial records. The results are filed with the SEC.
- Section 409 – Investors and the public must be informed promptly of any material change to the company's financial condition or ability to operate.
- Section 802 – Destroying, altering, or falsifying records to obstruct a federal investigation is a crime, and the punishment is severe (fines and imprisonment).
- Section 906 – Whoever certifies a financial report knowing it contains inaccurate or falsified data is personally liable, with criminal penalties.
Compliance with SOX requirements is an ongoing concern for every publicly traded enterprise. While IT personnel provide the information assurance, it is ultimately leadership's name on the dotted line. The integrity of stored historical records related to the company's financial status, however, is easily demonstrated with Q-Compliance. To remain SOX compliant, businesses must retain seven years of financial records covering the enterprise, company boards, management personnel, and accounting firms. That is a lot to ask a security and compliance professional to track and maintain.
Q-Compliance is purpose-built to help you streamline and automate complex cybersecurity auditing and compliance requirements. This covers not only SOX but also industry best practices and standards such as the NIST Risk Management Framework and the NIST SP 800-53 controls, which you can use to implement and measure your compliance against SOX.
The SOX Dashboard (seen below)
The dashboard helps you track how your organization and systems score against each control category, and where you need to improve to pass an audit. It also lets you quickly drill into specific domains to view compliance against the capabilities, practices, and processes they require, and into individual controls to see the specific systems, events, and assets that are non-compliant.
Q-Compliance makes keeping up with SOX and maintaining compliance with other standards like NIST SP 800-53 simple. SOX-specific scorecards (shown above) provide real-time answers about your operational status so you can prepare for and pass audits. The scorecard also lets you navigate directly to failing controls and determine how to fix them.
Q-Compliance automates audits and assessments through alerts that pass or fail controls. If a control fails (like AU-2, seen below), a detailed report with actionable information to address the issue is generated. The solution also lets you upload policy, procedure, and file evidence, and it automatically logs human activity. Everything needed for an audit is kept in one place.
As one satisfied Q customer states: “The Q-Compliance suite makes the jobs of the security, compliance, and policy teams streamlined and saves a ton of time and effort — we needed this for a long time.”