What is SOX compliance?

The United States Congress passed the Sarbanes-Oxley Act, also known as SOX, in 2002. Its purpose is to protect investors and the public from fraudulent or erroneous financial reporting by public companies. SOX itself is a financial-reporting law, not an IT security standard, but the controls it requires around financial records (restricted access, change tracking, logging, and backups) are the same controls that protect that data from theft, tampering, and cyberattacks.

What are SOX requirements?

The following SOX requirements are the ones most relevant to IT organizations:

A. Corporate responsibility for financial reports: A public company must report its financial situation to the Securities and Exchange Commission (SEC) in a regular, timely manner. The company's CEO and CFO must personally certify each financial report and are held accountable for its content. This is mandated by Section 302.

B. Assessing internal controls: Every public company must establish internal controls over financial reporting. Management must assess how effective those controls are, and the external auditor must attest to that assessment, identifying weaknesses that could lead to a misstatement or a SOX violation. For IT this covers every system that stores, processes, or transmits financial data. This is mandated by Section 404.

C. Maintaining transparency: The company's officers must disclose to investors and the public, on a rapid and current basis, any material change in the company's financial condition or its ability to operate. This is mandated by Section 409.

What does SOX compliance mean for your IT department?

During a SOX compliance IT audit, your organization's IT department must prove its adherence to SOX requirements by providing documentation that shows how the organization meets the mandated financial-transparency and data-security controls.

Before producing that documentation, make sure the IT department knows which security controls, access privileges, and log-retention standards apply to financial records across the organization, and can show evidence (configurations, access lists, change records, logs) rather than policy statements alone.

SOX compliance audit

  • IT security: Ensure that proper controls are in place to prevent data breaches, and have tools ready to detect and remediate incidents should they occur. Invest in services and equipment that monitor and protect the systems holding financial data.
  • Access controls: Prevent unauthorized users from viewing sensitive financial information, using both physical and electronic controls. This includes keeping servers and data centers in secure locations, enforcing strong authentication and password controls, and granting the minimum privileges each role needs.
  • Data backup: Maintain backup systems to protect sensitive data. Backed-up data, including copies stored off-site or by a third party, is subject to the same SOX requirements as data hosted on-site.
  • Change management: Changes such as adding new users and computers, updating or installing software, and modifying databases or other data-infrastructure components must follow a controlled process. This means maintaining records of what was changed, when it was changed, who changed it, and who approved it.

SOX penalties

  • Anyone who alters, destroys, conceals, or falsifies records with the intent to obstruct an investigation is subject to fines, imprisonment for up to 20 years, or both (Section 802).
  • Officers who certify a financial report knowing it does not comply with the Act face fines of up to $1 million and imprisonment for up to 10 years; those who do so willfully face fines of up to $5 million and imprisonment for up to 20 years (Section 906).

How Network Configuration Manager helps your company become SOX compliant

ManageEngine Network Configuration Manager ships with built-in SOX compliance policies. You can apply these policies to your network devices and check whether any device violates a rule. Network Configuration Manager lists every rule violation and helps you fix it. You can also download SOX compliance reports and submit them during audits. This helps you improve the overall security of your company's financial data, stay SOX compliant, and avoid penalties.

FAQ

1. Who is personally liable if there is a compliance violation?

The CEO and CFO who certify the financial reports are personally liable under Sections 302 and 906. Depending on the violation, they face fines, imprisonment, or both.

2. We accidentally revealed nonpublic financial information inappropriately across our network. Is that a SOX violation?

Potentially, yes. Inappropriate disclosure of nonpublic financial information means the access controls SOX expects around financial data have failed, so treat it as an incident: rapidly execute a response program to identify the extent of the exposure, assess the effect on the corporation and its customers, preserve the relevant logs as evidence, and notify all affected parties.

Our compliance and configuration management software, Network Configuration Manager, provides remediation configlets which immediately help fix violations.

3. We use Cisco devices in our network and the only way to protect a Cisco device is through plain text passwords. Will that be enough?

Plain text passwords are neither secure nor the only option. A plain text password in a device configuration is exposed to anyone who can read the running config, a backup, or a TFTP transfer, and an attacker who obtains it can log in to the device and pivot toward your financial systems. Cisco IOS supports hashed credentials (enable secret and username ... secret, stored as type 5, 8, or 9 hashes), and these should be used instead. Note that service password-encryption only produces type 7 strings, which are reversible obfuscation rather than encryption; they hide a password from shoulder-surfing but not from an attacker who has the config.

Network Configuration Manager helps identify passwords that are stored in plain text and allows you to fix them using configlets.
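The following script is an added example (not part of the original page and not ManageEngine's product code) of the check described above: it scans an IOS-style configuration for credentials stored in plain text or as reversible type 7 strings, recovers the type 7 values to show why they are not a real protection, and suggests the hashed replacement commands. The configuration text is constructed for this example; the hash values in it are placeholders, and the suggested remediation lines assume an IOS release that supports the commands shown.

```python
"""Audit an IOS-style configuration for weak credential storage (added example)."""
import re

# Cisco's published type 7 key. Type 7 is a repeating XOR against this string,
# seeded by the first two decimal digits, so it is trivially reversible.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches: enable password|secret, username <u> [privilege N] password|secret, line password
_CRED_RE = re.compile(
    r"^\s*(?P<kind>enable password|enable secret"
    r"|username (?P<user>\S+)(?: privilege \d+)? (?:password|secret)"
    r"|password)\s+(?:(?P<type>[0-9])\s+)?(?P<value>\S+)\s*$"
)

# Constructed sample configuration (not from a real device; hashes are placeholders).
SAMPLE_CONFIG = """\
! constructed sample config
hostname fin-core-sw1
service password-encryption
enable password 7 0822455D0A16
enable secret 9 $9$placeholder$notarealhash
username auditor privilege 15 password 0 Spring2024!
username netops secret 5 $1$placeholder$notarealhash
line vty 0 4
 password cisco
 login
snmp-server community public RO
"""


def decode_type7(encoded: str) -> str:
    """Recover the plaintext of a type 7 string: 2-digit seed, then hex pairs."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
                   for i, b in enumerate(data))


def encode_type7(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string, as service password-encryption would."""
    out = [f"{seed:02d}"]
    for i, b in enumerate(plain.encode()):
        out.append(f"{b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}")
    return "".join(out)


def audit_config(config_text: str) -> list[dict]:
    """Return one finding per credential that is plaintext (type 0/none) or type 7.

    Type 5/8/9 values are one-way hashes and are not reported (type 5 is MD5-based
    and crackable offline; prefer 8 or 9 where the platform supports them).
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _CRED_RE.match(line)
        if not m:
            continue
        ptype, value = m.group("type"), m.group("value")
        if ptype in (None, "0"):
            storage, recovered = "plaintext", value
        elif ptype == "7":
            storage, recovered = "type7", decode_type7(value)
        else:
            continue
        findings.append({"line": lineno, "kind": m.group("kind"),
                         "user": m.group("user"), "storage": storage,
                         "recovered": recovered})
    return findings


def remediation(finding: dict) -> list[str]:
    """Suggested IOS commands to replace the weak credential (assumed IOS syntax)."""
    if finding["kind"].startswith("enable"):
        return ["enable secret <new-password>", "no enable password"]
    if finding["user"]:
        return [f"username {finding['user']} secret <new-password>"]
    # A line password has no hashed form; move to per-user accounts instead.
    return ["login local"]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}: {f['kind']} stored as {f['storage']} "
              f"(recovered: {f['recovered']!r}) -> {'; '.join(remediation(f))}")
```

Run against the sample, the script flags the type 7 enable password (recovering "cisco"), the plaintext username password, and the shared vty line password, while the enable secret and username secret lines pass. A compliance check of this kind belongs in the evidence you keep for the access-control part of the audit: the tool's output shows not only that a violation was found but that it was remediated and when.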