Keeping IT Secure and Complying with SOX
As public companies scramble to meet the many layers of requirements contained in the Sarbanes-Oxley Act, information security is getting serious attention.
The Public Company Accounting Oversight Board (PCAOB) requires companies and their auditors to maintain audit records for seven years. SOX carries heavy penalties for companies that destroy, alter or falsify business records, which include e-mail and instant messages. Section 802, for example, calls for fines of up to $1 million and prison terms of up to 20 years “for knowingly deleting an e-mail with the intent to impede, obstruct or influence a current or future federal investigation.”
Security Computing magazine reports that companies are mulling a “delete everything” policy when it comes to e-mail, or an approach that allows some e-mails to be deleted while others are saved.
Some experts are advising companies to save nearly all e-mail as a business record to protect against both federal audits and lawsuits. Many are using a third-party service that can store and retrieve the communications when needed, the magazine reported.
According to the Sarbanes-Oxley Compliance Journal, consistent security controls are needed not only to meet the SOX requirements, but to ensure that IT systems are working properly and are monitored for security violations.
While many organizations are starting to put well-documented IT security policies in place, others are not there yet and are still going through the time-consuming process of gathering the information needed. Some companies are automating IT controls, keeping in mind that controls must be “reasonable, enforceable and auditable,” the SOX Journal reported.
SecurityFocus columnist Mark Rasch wrote in The Register, the UK's biggest technology website, “The better reason to have good controls over IT and IT security, however, is not because it will make you SOX compliant - but because it will make your business more efficient, enable you to better utilize your data, and allow you to trust ALL the data, not just financial reporting data.”