ISHERIFF COMPLIANCE WHITE PAPER SERIES: SOX: Sarbanes-Oxley Act

This white paper examines the Information Technology compliance requirements of the Sarbanes-Oxley Act. It examines the purpose and objectives of specific portions of the Act related to information security, record keeping and auditing. Finally, this paper explores how iSheriff Security as a Service (SaaS) can assist organizations with Sarbanes-Oxley compliance.

Introduction

The Sarbanes-Oxley Act (SOX) is a US federal law, enacted in 2002. It is also known as the Public Company Accounting Reform and Investor Protection Act and the Corporate and Auditing Accountability and Responsibility Act. The purpose behind SOX is to ensure greater accountability and transparency in corporate financial reporting in the wake of major accounting scandals such as Enron and WorldCom. The Act addresses public company accounting standards and seeks to enhance public company responsibility to investors. The Act also covers wider issues such as the independence of auditors, corporate governance, executive responsibilities, internal record-keeping and accounting controls, and strengthens financial disclosure requirements.

Organizations Affected by SOX

SOX is a set of 11 titles or regulatory sections that apply to the accounting practices of all US public companies. It places specific additional compliance requirements on public accounting services companies. SOX does not apply to privately held companies.

SOX Requirements

The requirements of the Sarbanes-Oxley Act range from the individual responsibilities of corporate officers to criminal penalties for non-compliance. SOX is structured in 11 key titles:

1. Public Company Accounting Oversight Board (PCAOB) – establishes the PCAOB and its role in providing independent oversight of public accounting firms. Also sets the process and procedures for compliance audits and SOX compliance.
2. Auditor Independence – establishes rules governing the independence of public company accounts auditors, such as reporting requirements, rotation of auditors and how auditors are approved. It also restricts auditors from providing other services to clients, such as consulting, to avoid a conflict of interest.
3. Corporate Responsibility – places individual responsibility on senior executives for the accuracy and completeness of their financial reports. Corporate officers are responsible for the accuracy and validity of their financial statements and reports. Corporate CEOs and CFOs must certify and approve the integrity of their company's accounts on a quarterly basis. Failure to do so can result in personal fines and/or imprisonment.
4. Enhanced Financial Disclosures – establishes increased reporting requirements for financial transactions; off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers in particular. Also establishes internal control requirements for financial reporting accuracy and mandates audits and reports of those controls.
5. Analyst Conflicts of Interest – introduces measures designed to help restore investor confidence regarding the predictions/reporting of securities analysts by defining a code of conduct for analysts, including the mandatory disclosure of an analyst's conflicts of interest.
6. Commission Resources and Authority – sets out the SEC's (Securities and Exchange Commission) authority to reprimand securities analysts who fail in their SOX obligations. This includes barring analysts from practicing as brokers, advisors or dealers.
7. Studies and Reports – establishes requirements for the SEC and the Comptroller General of the US to undertake studies and investigations into the role of credit rating agencies in the operation of the securities market.
8. Corporate and Criminal Fraud Accountability – lays down specific criminal penalties for financial fraud, such as the manipulation, destruction or alteration of financial records or interference with SEC investigations.
9. White Collar Crime Penalty Enhancements – increases the criminal penalties for white-collar crimes and conspiracies, including stronger sentencing guidelines, and specifies failure to certify quarterly financial reports as a criminal offense.
10. Corporate Tax Returns – requires the CEO to sign the company tax return.
11. Corporate Fraud Accountability – stipulates that corporate fraud and tampering with records are criminal offenses and provides the SEC with greater powers to freeze suspicious transactions for investigation.

Of most relevance to email and Internet security are section 302 (which assigns responsibility for financial reporting) and section 404 (which describes required internal controls) of the Act. Between these two sections of SOX are several requirements directly related to email and Web security policies, including:

- The ability to audit communications and retrieve messages as needed
- Efficient message indexing, archiving and retention
- The identification and protection of information that must be kept confidential
- The authentication of individual message senders
- The confidential transmission of email
- The protection of email and other servers that store confidential data

SOX Compliance Framework

iSheriff SaaS provides a rounded solution to help any organization address a range of SOX security requirements, including policy-based protection of email and Web communications, blocking malicious code, message indexing and archiving, email authentication and encryption, and confidential data leakage prevention. iSheriff applies a 360-degree solution which enables corporations to:

a) Define SOX-specific data security policies.
b) Monitor email and Web traffic for confidential data and automatically enforce SOX policies in email and Web usage, as well as encrypt, record and archive email communications.
c) Detect policy breaches and automatically alert compliance officers.
d) Analyze Web and email activity with reports that enable organizations to refine policies and maintain continued compliance with SOX rules over time.

The Impact of SOX on Corporate Information Security and Communications

SOX is a broad legal framework which places significant compliance obligations and legal penalties on the accuracy of corporate financial reporting and data integrity. It mandates that public companies (particularly those with market capitalization over $75 million) must implement internal controls and procedures to ensure the integrity of information and the accurate retention of communications, and to ensure the confidentiality of corporate and customer financial information. The SOX legislation is not specific about the precise technical measures companies are expected to implement to comply with these requirements. However, SOX firmly places the onus for data integrity, communication security, and record indexing and archiving of pertinent financial transactions on the corporation, and on executive management in particular.

These requirements are not typical of the general capabilities of corporate financial and communication technology architectures. Thus, corporations require a robust yet flexible technology framework that can automatically enforce a broad set of policy-based protection measures for data security and retention. iSheriff Security as a Service (SaaS) is a cloud-based Web and Email protection service which complies with SOX regulations for information security and protected archiving.

FIGURE 1 – THE ISHERIFF APPROACH TO SOX COMPLIANCE, DATA SECURITY AND RETENTION [figure; residual label from the figure: Tracking and logging of message traffic]
The service provides real-time analysis of email and Web traffic to guard against unauthorized data leakage, protects against malicious code, ensures private communication with authenticated individuals and archives messages in accordance with a wide range of SOX requirements.

SOX Compliance with iSheriff

The Sarbanes-Oxley Act lays out multiple security rules and requirements that covered entities must implement. iSheriff SaaS provides functionality which can meet or surpass all of these requirements:

SOX Requirement: Ensure email messages originate from a specific person
iSheriff SaaS: Policy-based authentication ensures that financial data can only be shared with an authorized list of email addresses, domains or IP addresses. In addition, email S/MIME and 128-bit SSL encryption prevents interception of financial data or accidental disclosure to unintended recipients (see Figure 2). iSheriff provides digital signing and encryption, and ensures messages have not been tampered with.

SOX Requirement: Provide an audit trail for communications
iSheriff SaaS: iSheriff logs all inbound and outbound email communications and can index and archive messages based on the context of message content.

SOX Requirement: Ensure messages can be retrieved as needed and in a timely manner. Messages must be retained for up to seven years.
iSheriff SaaS: iSheriff email archiving (see Figure 3) provides automated message indexing and archiving, enabling your organization to access and retrieve messages as required from a secure archive. Search for specific messages, report on archived messages and restore lost or corrupted messages as needed.

SOX Requirement: Ensure the confidentiality of communications with individuals
iSheriff SaaS: iSheriff Security as a Service provides easy-to-use security features such as email encryption, policy-based data and file-type controls and real-time confidential data identification to ensure that data is transmitted according to confidentiality procedures and to block the unauthorized or non-compliant communication of sensitive information.

SOX Requirement: Adopt a written set of internal control policies for financial reporting data and communications
iSheriff SaaS: iSheriff enables you to easily adapt written SOX policies into practical, plain-English security rules using an intuitive user interface. Pre-configured example SOX policies are available to help streamline policy creation and save time and money. iSheriff can automatically secure information or trigger SOX policies based on:
- Names, addresses, phone and fax numbers
- Email addresses, IP addresses or domains
- Internal financial reporting codes
- Social Security Numbers
- Credit card numbers
- Bank account numbers
- Any alphanumeric pattern of interest for SOX compliance

FIGURE 2 – ISHERIFF EMAIL ENCRYPTION SERVICES ENABLE YOUR ORGANIZATION TO COMMUNICATE PRIVATELY WITH ANY EMAIL ADDRESS, WITHOUT SPECIALIZED PRE-REQUISITES OR TRAINING

FIGURE 3 – THE ISHERIFF EMAIL ARCHIVING SERVICE ENABLES YOUR ORGANIZATION TO AUTOMATICALLY STORE ALL RELEVANT EMAIL COMMUNICATIONS AND RETRIEVE THEM ON DEMAND FOR SOX AUDITS OR FOR BACKUP IF THE NEED FOR DISASTER RECOVERY ARISES

Beyond SOX - Why iSheriff SaaS is Ideal for Corporations

For Web and Email security, iSheriff SaaS offers large enterprises considerable benefits and advantages:

- A hosted security solution which cleans and secures email and Internet use.
  o No need to purchase or manage appliances or software – all infrastructure is provided and managed for you. Saves cost, lowers staff overheads and provides a predictable cost structure for budget-conscious managers.
  o A single vendor for email security, encryption and/or Internet filtering.
  o Predictable fixed cost structure with the flexibility to let you grow or shrink your user licensing as and when you need it.
  o No tedious maintenance or administration. Accessible policy tuning and reporting via a secure Web console enables you to manage your security if you wish and view reports anytime, anywhere.
- Reliable, effective security with real-time, patented content and threat analysis technology from a vendor with over 10 years of proven experience delivering best-of-breed protection.
- Eliminates spam and phishing from incoming email - removes offensive unsolicited messages, which also contain malicious threats and links to compromised websites, and delivers considerable bandwidth savings.
- Secures your email and Web connections against viruses, malware and the latest Web 2.0 threats such as botnets and compromised websites.
- Prevents access to pornographic and offensive Web content with website category filtering which is updated and driven by your usage. SafeSearch enforcement is also provided for search engines such as Google, Yahoo and Bing as well as YouTube, ensuring that inappropriate content is not returned by a search.
- Automatic email archiving to back up your important communications and aid in disaster recovery.
- Access easy-to-understand reports on demand and readily measure the cost savings and performance delivered by the services you are paying for.

Free Evaluation

iSheriff services can be easily and freely evaluated before committing to any subscription period. Just provide us with some simple details via an online sign-up form and we can have a free 15-day trial of any of the services up and running for you within 24 hours. Full reporting services are provided to help you learn what is going on with your email and Web usage and understand all that iSheriff has to offer. There is no obligation to subscribe and it is quick and easy to disconnect the service if you don't wish to continue. Sign up today at www.isheriff.com.

About iSheriff

iSheriff is the first company to provide a proprietary, integrated Security as a Service solution for cloud-based Web and email security featuring a common Web management and reporting console. Our mission is to provide clients with accessible, easy-to-understand security services that secure their Internet world and enable them to conduct their business in safety and privacy – whether their enterprise is large or small. Our security services utilize sophisticated, patented, real-time content analysis technologies developed and refined over the last 10 years to ensure maximum threat protection. Our approach to how we deliver this technology and enable clients to access, manage and report on their email and Web usage is to provide simple, easy-to-use services. This is key to ensuring that our clients understand and receive the maximum returns and benefits of iSheriff SaaS.

Contact iSheriff

Contact details are available online at: www.isheriff.com