Last week, we discussed the importance of ISO 27001; today we bring you another important compliance check.
The Sarbanes–Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act” and the “Corporate and Auditing Accountability and Responsibility Act”, and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a US federal law that applies to all publicly held US corporations and establishes extensive civil and criminal penalties for non-compliance.
Purpose of SOX
The main intention of SOX is to establish verifiable security controls that protect against disclosure of confidential data and that track personnel activity in order to detect data tampering that may be related to fraud. The central purpose of the act is to reduce fraud, build public confidence and trust, and protect data that may affect companies and shareholders.
COBIT and ISO 27000 Support
Sarbanes-Oxley makes multiple references to “internal control” of data. To meet this requirement, companies must establish rules and guidelines by which the organization is controlled and audited.
There are many acceptable techniques for establishing this type of governance; one of the most popular methods of establishing “internal control” is to implement the “COBIT Framework”, created by ISACA. COBIT (Control Objectives for Information and Related Technology) is an extensive set of guidelines and tools that describe the processes and organizational requirements needed to promote security and create good governance capable of satisfying SOX requirements. The framework consists of its own standards and also draws on many other standards, including ISO/IEC 27000.
ISACA is an international professional association focused on IT governance. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. ISACA provides access to the full COBIT standard, which includes the control objectives, the audit guidelines and the materials that help implement COBIT in the enterprise. Though useful, COBIT’s control objectives are not directly and universally applicable to SOX, so you will have to examine each control objective in the SOX context; many will be appropriate. COBIT control objectives refer somewhat broadly to the policies the standard requires rather than specifying policies directly. Policy authors can determine whether their policies achieve the stated goals by assembling the list of policies referred to by COBIT and understanding why each policy must exist.
Important Sections Of SOX
This act consists of multiple sections, all of which require compliance by a company. The two principal sections that relate to security are Section 302 and Section 404, summarized below:
• Section 302: This section pertains to ‘Corporate Responsibility for Financial Reports’. It intends to safeguard against faulty financial reporting. As part of this section, companies must safeguard their data responsibly so as to ensure that financial reports are not based upon faulty data, tampered data, or data that may be highly inaccurate.
• Section 404: This section pertains to ‘Management Assessment of Internal Controls’. It requires the safeguards stated in Section 302 (as well as other sections) to be externally verifiable by independent auditors, so that those auditors may disclose to shareholders and the public any security breaches that affect company finances. Specifically, this section ensures that the security of data cannot be hidden from auditors and that security breaches must be reported.
Policy Aspects in the Business Context
The main feature of writing policy is that policies should not only be technically correct but also applicable to the business. In short, all your policies should fit the organization’s size, its position in the market, its technology and its employees. When you draft a policy for your organization, you need to make sure that the policies recommended by ISO 27000 and COBIT make sense in your context. For instance, in a smaller organization there may be enough transparency in the creation of accounts and in changes to access controls, but in a larger organization there has to be a chain of approvals across multiple departments.