SOX Compliance

ISHERIFF COMPLIANCE WHITE PAPER SERIES:
SOX: Sarbanes-Oxley Act
This white paper examines the Information Technology compliance requirements of the Sarbanes-Oxley Act.
It examines the purpose and objectives of specific portions of the Act related to information security, record
keeping and auditing. Finally, this paper explores how iSheriff Security as a Service (SaaS) can assist
organizations with Sarbanes-Oxley compliance.
Introduction
The Sarbanes-Oxley Act (SOX) is US federal law, enacted in 2002. It is also known as the Public Company Accounting Reform and Investor Protection Act and the Corporate and Auditing Accountability and Responsibility Act.
The purpose behind SOX is to ensure greater accountability and transparency in corporate financial reporting in the wake of major accounting scandals such as Enron and WorldCom. The act addresses public company accounting standards and seeks to enhance public company responsibility to investors.
The act also covers wider issues such as the independence of auditors, corporate governance, executive responsibilities, internal record-keeping and accounting controls, and strengthens financial disclosure requirements.
Organizations Affected by SOX
SOX is a set of 11 titles or regulatory sections that apply to the accounting practices of all US public companies. It places specific additional compliance requirements on public accounting services companies. SOX does not apply to privately held companies.
SOX Requirements
The requirements of the Sarbanes-Oxley Act range from the individual responsibilities of corporate officers to criminal penalties for non-compliance. SOX is structured in 11 key titles:
1. Public Company Accounting Oversight Board (PCAOB) – establishes the PCAOB and its role in providing independent oversight of public accounting firms. Also sets the process and procedures for compliance audits and SOX compliance.
2. Auditor Independence – establishes rules governing the independence of public company accounts auditors, such as reporting requirements, rotation of auditors and how auditors are approved. It also restricts auditors from providing other services to clients, such as consulting, to avoid a conflict of interest.
3. Corporate Responsibility – places individual responsibility on senior executives for the accuracy and completeness of their financial reports. Corporate officers are responsible for the accuracy and validity of their financial statements and reports. Corporate CEOs and CFOs must certify and approve the integrity of their company’s accounts on a quarterly basis. Failure to do so can result in personal fines and/or imprisonment.
4. Enhanced Financial Disclosures – establishes increased reporting requirements for financial transactions; off-balance sheet transactions, pro-forma figures and stock transactions of corporate officers in particular. Also establishes internal control requirements for financial reporting accuracy and mandates audits and reports of those controls.
5. Analyst Conflicts of Interest – introduces measures designed to help restore investor confidence regarding the predictions/reporting of securities analysts by defining a code of conduct for analysts, including the mandatory disclosure of an analyst’s conflict of interest.
6. Commission Resources and Authority – sets out the SEC’s (Securities and Exchange Commission) authority to reprimand securities analysts who fail in their SOX obligations. This includes barring analysts from practicing as brokers, advisors or dealers.
7. Studies and Reports – establishes requirements for the SEC and the Comptroller General of the US to undertake studies and investigations into the role of credit rating agencies in the operation of the securities market.
8. Corporate and Criminal Fraud Accountability – lays down specific criminal penalties for financial fraud, such as the manipulation, destruction or alteration of financial records or interference with SEC investigations.
9. White Collar Crime Penalty Enhancements – increases the criminal penalties for white-collar crimes and conspiracies, including stronger sentencing guidelines, and specifies failure to certify quarterly financial reports as a criminal offense.
10. Corporate Tax Returns – requires the CEO to sign the company tax return.
11. Corporate Fraud Accountability – stipulates that corporate fraud and tampering with records are a criminal offense and provides the SEC with greater powers to freeze suspicious transactions for investigation.
ISHERIFF COMPLIANCE WHITE PAPER SERIES – SOX: Sarbanes-Oxley Act
PAGE 1
Of most relevance to email and Internet security are section 302 (which assigns responsibility for financial reporting) and section 404 (which describes required internal controls) of the Act. Between these two sections of SOX are several requirements directly related to email and Web security policies, including:
• The ability to audit communications and retrieve messages as needed
• Efficient message indexing, archiving, and retention
• The identification and protection of information that must be kept confidential
• The authentication of individual message senders
• The confidential transmission of email
• The protection of email and other servers that store confidential data

SOX Compliance Framework
iSheriff SaaS provides a rounded solution to help any organization address a range of SOX security requirements, including policy-based protection of email and Web communications, blocking of malicious code, message indexing and archiving, email authentication and encryption, and confidential data leakage prevention.
iSheriff applies a 360-degree solution which enables corporations to:
a) Define SOX-specific data security policies.
b) Monitor email and Web traffic for confidential data and automatically enforce SOX policies in email and Web usage, as well as encrypt, record and archive email communications.
c) Detect policy breaches and automatically alert compliance officers.
d) Analyze Web and email activity with reports that enable organizations to refine policies and maintain continued compliance with SOX rules over time.
The Impact of SOX on Corporate Information Security and Communications
SOX is a broad legal framework which places significant
compliance obligations and legal penalties on the accuracy of
corporate financial reporting and data integrity.
It mandates that public companies (particularly those with market capitalization over $75 million) implement internal controls and procedures that ensure the integrity of information, the accurate retention of communications and the confidentiality of corporate and customer financial information.
The SOX legislation is not specific about the precise technical
measures companies are expected to implement to comply with
these requirements. However, SOX firmly places the onus for data
integrity, communication security, record indexing and archiving
of pertinent financial transactions on the corporation and
executive management in particular.
FIGURE 1 – THE ISHERIFF APPROACH TO SOX COMPLIANCE, DATA SECURITY AND RETENTION
These requirements are not typical of the general capabilities of corporate financial and communication technology architectures. Thus, corporations require a robust yet flexible technology framework that can automatically enforce a broad set of policy-based protection measures for data security and retention.
iSheriff Security as a Service (SaaS) is a cloud-based Web and Email protection service which complies with SOX regulations for information security and protected archiving.
The service provides real-time analysis of email and Web traffic that guards against unauthorized data leakage and malicious code, ensures private communication with authenticated individuals, and archives messages in accordance with a wide range of SOX requirements.
SOX Compliance with iSheriff

The Sarbanes-Oxley Act lays out multiple security rules and requirements that covered entities must implement. iSheriff SaaS provides functionality which can meet or surpass all of these requirements:

SOX Requirement: Ensure email messages originate from a specific person.
iSheriff SaaS: Policy-based authentication ensures that financial data can only be shared with an authorized list of email addresses, domains or IP addresses. In addition, email S/MIME and 128-bit SSL encryption prevents interception of financial data or accidental disclosure to unintended recipients (see Figure 2). iSheriff provides digital signing and encryption and ensures messages have not been tampered with.

FIGURE 2 – ISHERIFF EMAIL ENCRYPTION SERVICES ENABLE YOUR ORGANIZATION TO COMMUNICATE PRIVATELY WITH ANY EMAIL ADDRESS, WITHOUT SPECIALIZED PRE-REQUISITES OR TRAINING

SOX Requirement: Provide an audit trail for communications.
iSheriff SaaS: iSheriff logs all inbound and outbound email communications and can index and archive messages based on the context of message content.

SOX Requirement: Ensure messages can be retrieved as needed and in a timely manner. Messages must be retained for up to seven years.
iSheriff SaaS: iSheriff email archiving (see Figure 3) provides automated message indexing and archiving, enabling your organization to access and retrieve messages as required from a secure archive. Search for specific messages, report on archived messages and restore lost or corrupted messages as needed.

FIGURE 3 – THE ISHERIFF EMAIL ARCHIVING SERVICE ENABLES YOUR ORGANIZATION TO AUTOMATICALLY STORE ALL RELEVANT EMAIL COMMUNICATIONS AND RETRIEVE THEM ON DEMAND FOR SOX AUDITS OR FOR BACKUP IF THE NEED FOR DISASTER RECOVERY ARISES

SOX Requirement: Ensure the confidentiality of communications with individuals.
iSheriff SaaS: iSheriff Security as a Service provides easy-to-use security features such as email encryption, policy-based data and file-type controls and real-time confidential data identification to ensure that data is transmitted according to confidentiality procedures and to block the unauthorized or non-compliant communication of sensitive information.

SOX Requirement: Adopt a written set of internal control policies for financial reporting data and communications.
iSheriff SaaS: iSheriff enables you to easily adapt written SOX policies into practical, plain-English security rules using an intuitive user interface. Pre-configured example SOX policies are available to help streamline policy creation and save time and money. iSheriff can automatically secure information or trigger SOX policies based on:
• Names, addresses, phone and fax numbers
• Email addresses, IP addresses or domains
• Internal financial reporting codes
• Social Security Numbers
• Credit card numbers
• Bank account numbers
• Any alphanumeric pattern of interest for SOX compliance
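A worked illustration of the pattern-based policy triggering the last row describes, added here as example code that is not part of iSheriff's service or this paper: a small outbound-mail scanner that matches several of the listed data types (with a Luhn check so that arbitrary digit runs are not reported as card numbers) and picks the policy action. The detection patterns, the internal financial reporting code format, the authorized-domain list and the sample messages are all constructed assumptions.

```python
import re

# Constructed detection patterns for the data types the table lists (assumptions, not iSheriff's rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # candidate card numbers, confirmed by Luhn below
ACCOUNT_RE = re.compile(r"\b(?:account|acct)\.?\s*(?:no\.?|number|#)?\s*[:#]?\s*\d{8,12}\b", re.I)
REPORT_CODE_RE = re.compile(r"\bFIN-\d{4}-\d{2}\b")  # hypothetical internal financial reporting code

# Hypothetical policy: only the internal domain and an authorized auditor may receive financial data.
AUTHORIZED_DOMAINS = {"corp.example.com", "auditor.example.com"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary 16-digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits

def scan_message(recipient: str, body: str) -> tuple:
    """Classify an outbound message; returns (action, findings) where action is deliver/encrypt/block."""
    findings = []
    if SSN_RE.search(body):
        findings.append("ssn")
    if find_card_numbers(body):
        findings.append("credit_card")
    if ACCOUNT_RE.search(body):
        findings.append("bank_account")
    if REPORT_CODE_RE.search(body):
        findings.append("reporting_code")
    if not findings:
        return ("deliver", findings)  # nothing sensitive: normal delivery
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in AUTHORIZED_DOMAINS:
        return ("encrypt", findings)  # authorized recipient: force encryption and archive
    return ("block", findings)  # unauthorized recipient: block and alert the compliance officer
```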
Beyond SOX - Why iSheriff SaaS is Ideal for Corporations
For Web and Email security, iSheriff SaaS offers large enterprises considerable benefits and advantages:
• A hosted security solution which cleans and secures email and Internet use.
  o No need to purchase or manage appliances or software – all infrastructure is provided and managed for you. This saves cost, lowers staff overheads and provides a predictable cost structure for budget-conscious managers.
  o A single vendor for email security, encryption and/or Internet filtering.
  o Predictable fixed cost structure with the flexibility to let you grow or shrink your user licensing as and when you need it.
  o No tedious maintenance or administration.
• Accessible policy tuning and reporting via a secure Web console enables you to manage your security if you wish and view reports anytime, anywhere.
• Reliable, effective security with real-time, patented content and threat analysis technology from a vendor with over 10 years of proven experience delivering best-of-breed protection.
• Eliminates spam and phishing from incoming email, removing offensive unsolicited messages that also contain malicious threats and links to compromised websites, and delivers considerable bandwidth savings.
• Secure your email and Web connections against viruses, malware and the latest Web 2.0 threats such as botnets and compromised websites.
• Prevent access to pornographic and offensive Web content with website category filtering which is updated and driven by your usage. SafeSearch enforcement is also provided for search engines such as Google, Yahoo and Bing as well as YouTube, which ensures that inappropriate content is not returned by a search.
• Automatic email archiving to back up your important communications and aid in disaster recovery.
• Access easy-to-understand reports on demand and readily measure the cost savings and performance delivered by the services you are paying for.
Free Evaluation
iSheriff services can be easily and freely evaluated before
committing to any subscription period. Just provide us with some
simple details via an online sign-up form and we can have a free
15-day trial of any of the services up and running for you within
24 hours. Full reporting services are provided to help you learn
what is going on with your email and Web usage and understand
all that iSheriff has to offer. There is no obligation to subscribe
and it is quick and easy to disconnect the service if you don’t wish
to continue. Sign up today at www.isheriff.com.
About iSheriff
iSheriff is the first company to provide a proprietary, integrated
Security as a Service solution for cloud-based Web and email
security featuring a common Web management and reporting
console. Our mission is to provide clients with accessible, easy to
understand security services that secure their Internet world and
enable them to complete their business in safety and privacy –
whether their enterprise is large or small.
Our security services utilize sophisticated, patented, real-time
content analysis technologies developed and refined over the last
10 years to ensure maximum threat protection. Our approach to
how we deliver this technology and enable clients to access,
manage and report on their email and Web usage is to provide
simple, easy to use services. This is key to ensuring that our clients
understand and receive the maximum returns and benefits of
iSheriff SaaS.
Contact iSheriff
Contact details are available online at:
www.isheriff.com