The Sarbanes-Oxley Act, also known as SOX or Sarbox, protects the public, shareholders, and other stakeholders against public companies’ corporate fraud and financial mismanagement. While the law wasn’t designed to address IT or data security specifically, compliance requires a variety of controls for protecting data and data access. Below is a SOX compliance checklist for information systems security.
1. Choose a framework.
A framework helps you create and follow a systematic approach to SOX compliance. Several industry groups have developed frameworks for complying with the law’s Section 404, which deals with management assessment and internal controls. The two most common frameworks are:
COSO (Committee of Sponsoring Organizations of the Treadway Commission)—a widely accepted framework for establishing internal controls, it identifies five components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
COBIT (Control Objectives for Information and Related Technologies)—developed by IT governance and security nonprofit ISACA. The four domains listed below are those of COBIT 4.1, which is still the version most SOX programs map to; COBIT 2019 reorganizes the same control objectives into five domains (Evaluate/Direct/Monitor, Align/Plan/Organize, Build/Acquire/Implement, Deliver/Service/Support, Monitor/Evaluate/Assess):
- Plan and organize
- Acquire and implement
- Deliver and support
- Monitor and evaluate
2. Assess risks.
Identifying and analyzing internal and external risks is the foundation for the rest of your SOX compliance objectives. Since risk exposure changes along with factors such as operations, expansions, the economic environment, and industry standards, risk assessment is an iterative process, not a one-time exercise.
When assessing risks, some of the questions to ask include:
- What are the risks—for the entire organization as well as for the different components such as divisions and functions—of achieving the compliance objectives?
- What is the likelihood and degree of impact for each risk, as well as potential duration?
- How should the organization respond in the event of each risk?
3. Establish data governance.
SOX includes requirements for public companies’ governance, but it doesn’t address IT or data governance specifically. However, establishing a data governance policy ensures compliance with SOX aspects such as financial data integrity and restricted access.
Consider implementing a data governance framework for guiding data-related decisions. The goal of the framework is to ensure that all your data is secure, available, accurate, and consistent throughout its lifecycle—boosting your compliance not only with SOX but with a host of other regulations.
4. Determine and implement controls.
All the activities on your SOX compliance checklist build up to this critical step—implementing internal controls to protect the integrity of the data that flows into your financial records and your mandatory annual reports.
SOX doesn’t specify what controls companies need for safeguarding their data, so you’ll have to determine which controls help you meet your compliance objectives and address your risks. From an access standpoint, some of the aspects to consider include:
- What type of data do you need to protect?
- Where does this data reside?
- Who owns the data and who can access it?
- Is the access appropriate or too broad?
- Is your access enforcement adequate?
Automating control activities as much as possible ensures they’re consistent while also streamlining your compliance process.
5. Create a least privilege policy.
Least privilege is a core identity and access management (IAM) principle: each user, service account, and application gets only the access its role requires, for only as long as it is required. Applied to the systems that feed your financial records, it reduces your risk of SOX noncompliance by limiting who can read or change critical data, and it gives you a defined set of privileged activities to record, monitor, and audit.
A privileged access management (PAM) solution enables you to enforce your least privilege policies, vault and rotate shared administrative credentials, and create an audit trail of who used privileged access, when, and for what. In the event of a security incident, this trail is what lets you reconstruct what happened, investigate, and mitigate it.
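The access questions in step 4 ("Who can access the data? Is the access appropriate or too broad?") and the least privilege policy in step 5 are the same control seen from two sides: a documented baseline of who is approved for which role, and a recurring check that actual grants do not exceed it. The following is an added example, not code from the original page or from SailPoint, of automating that check. It compares a constructed snapshot of role grants on a hypothetical ledger system ("gl-erp") against a constructed approved-access baseline, flags every grant that is broader than the baseline allows, rates grants of privileged roles higher, and serializes each finding as a JSON audit-trail line. The system name, role names, user IDs, and severities are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Grant:
    """One user-to-role assignment on an in-scope financial system."""
    user: str
    system: str
    role: str


# Constructed baseline (an assumption for this example): for the in-scope
# system, the set of users management has approved for each role.
APPROVED_ACCESS = {
    "gl-erp": {
        "gl_read": {"asmith", "bjones", "cwu"},
        "gl_post": {"bjones"},
        "gl_admin": {"svc-erp-admin"},
    },
}

# Roles treated as privileged: they can change ledger data or its controls.
PRIVILEGED_ROLES = {"gl_post", "gl_admin"}

# Constructed snapshot of current grants, as it might be exported from the ERP.
CURRENT_GRANTS = [
    Grant("asmith", "gl-erp", "gl_read"),
    Grant("bjones", "gl-erp", "gl_post"),
    Grant("cwu", "gl-erp", "gl_admin"),            # privileged, never approved
    Grant("dlee", "gl-erp", "gl_read"),            # unapproved, but read-only
    Grant("svc-erp-admin", "gl-erp", "gl_admin"),  # approved service account
    Grant("bjones", "gl-erp", "gl_export"),        # role missing from baseline
]


def review_grants(grants, approved=APPROVED_ACCESS, privileged=PRIVILEGED_ROLES):
    """Return one finding per grant that is broader than the baseline allows.

    A grant is flagged when its role is unknown to the baseline (nobody has
    approved that role for the system at all) or when the user is not on the
    approved list for that role. Privileged roles get severity "high" because
    they can alter data that flows into the financial records.
    """
    findings = []
    for g in grants:
        roles = approved.get(g.system, {})
        if g.role not in roles:
            reason = "role_not_in_baseline"
        elif g.user not in roles[g.role]:
            reason = "user_not_approved"
        else:
            continue  # grant matches the baseline; nothing to record
        findings.append({
            "user": g.user,
            "system": g.system,
            "role": g.role,
            "reason": reason,
            "severity": "high" if g.role in privileged else "medium",
        })
    return findings


def audit_entry(finding, reviewer, when=None):
    """Serialize a finding as one JSON audit-trail line.

    `when` is an ISO-8601 timestamp string; it defaults to the current UTC time.
    Keys are sorted so identical findings always produce identical lines.
    """
    when = when or datetime.now(timezone.utc).isoformat()
    record = {"ts": when, "reviewer": reviewer, "action": "flagged", **finding}
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Run the review and emit one audit line per finding (3 for the sample data).
    for finding in review_grants(CURRENT_GRANTS):
        print(audit_entry(finding, reviewer="access-review-bot"))
```

In practice the baseline would come from your access-request system and the grant snapshot from the ERP or identity platform, and the script would run on a schedule so the audit lines accumulate into the evidence the auditor asks for in step 7. Note that it deliberately flags the read-only `gl_read` grant for `dlee` as well: "too broad" includes unapproved read access to financial data, not only the ability to change it.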
6. Regularly test controls.
Section 302 of SOX requires the CEO and CFO to certify each periodic report and to have evaluated the effectiveness of the company's disclosure controls as of the end of the period; Section 404 requires management's annual assessment of internal control over financial reporting. Together they mean controls must be tested regularly enough to support those certifications. Typically, you can achieve this with an internal compliance or management team, who should test controls several times a year and document each test, its result, and any remediation.
As part of the annual financial filings, your organization must report its assessment of the controls’ effectiveness, along with any shortcomings.
7. Prepare for the external audit.
Different from an internal audit of your controls, a SOX audit—conducted annually by an external auditor registered with the Public Company Accounting Oversight Board (PCAOB)—reviews financial records, statements, and business processes. This includes an audit of your internal controls and the safeguards for preventing data tampering; you must also disclose security incidents and control failures that affect the integrity of financial reporting, along with remediation action. Note that the auditor's attestation of internal controls under Section 404(b) applies to accelerated and large accelerated filers; smaller non-accelerated filers are exempt from the attestation but not from management's own assessment.
Categories that fall under the audit’s internal control assessment include:
- Data access
- Data backup
- Data security
- Change management
Preparation for the audits includes documenting not only your internal controls but also your evaluation, testing, and remediation of these controls. Documenting and proving SOX compliance can be a very time-consuming and expensive process. Consider adopting an identity-based governance solution to streamline and automate some of the steps.
Automating SOX compliance with SailPoint.
An identity security leader, SailPoint delivers solutions that simplify compliance with SOX and other regulatory mandates. This includes building preventive controls into identity processes and automating lifecycle management steps. Learn about SailPoint’s Identity Security solution and how we can improve your compliance.