The Sarbanes-Oxley (SOX) Act of 2002 has served as a primary driver for many companies' security programs, and it's arguably the first major legislative act or standard to succeed in getting the attention of the executive suite. A little over a decade since its inception, SOX still drives many compliance and security programs because of the executive-level penalties it carries and its relation to accounting and financial concepts that already occur at the CxO level. Adopting SOX-compliance controls and procedures can improve your organization's overall IT security program, even if your company is not a publicly traded one typically targeted by SOX regulations.
From a technical perspective, SOX security requirements aren't as comprehensive or prescriptive as other standards like the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001. Set largely by the accounting industry, SOX focuses primarily on fundamental system and user management controls like authentication, access control, logging and monitoring. One could argue that SOX doesn't necessarily ensure the security of data or systems as much as it enforces fundamental best practices for knowing who has access to financial data, how the data originated and whether that information gets modified. Even with what might be termed a limited security scope, SOX still enforces some excellent compliance practices that can serve as an example of how to audit and monitor information systems.
One of the most specific SOX requirements involves monitoring user access to data. This requires mature procedures for user provisioning, de-provisioning and granting privileged access to modify or administer data systems. Nearly every IT security standard includes requirements to monitor and control system and data access, and SOX requires auditors and IT personnel to regularly review practices such as access rights. Under SOX, however, senior-level management is also required to sign off on those reviews, so SOX-compliant organizations tend to have more mature access control procedures.
The average organization might simply rely on logged/documented procedures for creating and deleting user accounts, while granting "admin level" privileges that can be reviewed when a security event occurs. A SOX-compliant organization will usually perform much more regular (at least monthly) and detailed reviews, requiring manager approval, of all user accounts and privileges related to finance systems and data. Most organizations that struggle with SOX compliance have a tough time getting adequate IT participation in these access reviews and approvals because of the time and effort usually involved. Establishing such practices, though, is a fundamental way to avoid fairly common security incidents, such as inactive user accounts being used to compromise systems, or users having more access to data than is appropriate for their roles.
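The periodic access review described above can be made repeatable rather than a manual spreadsheet exercise. The following Python script is an added example, not code from the article or from any product it mentions: it takes a constructed account export and a constructed role-to-entitlement matrix, flags inactive accounts, entitlements that exceed what the user's role permits, and holders of privileged entitlements, and then refuses to treat the review as complete until a named reviewer has recorded a decision for every finding. The 90-day inactivity threshold, the role matrix, the entitlement names and the sample accounts are all assumptions for illustration.

```python
"""Finance-system user access review with manager sign-off (added example).

All data here is constructed: the role matrix, the privileged entitlements
and the account export are illustrative, not taken from any real system.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

INACTIVITY_DAYS = 90                      # assumed threshold, not from the article
PRIVILEGED = {"db_admin", "gl_post"}      # constructed: entitlements that can alter financial data
REVIEW_DATE = date(2024, 3, 31)           # constructed review period end

# Constructed role matrix: the entitlements each finance role is allowed to hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"ap_view", "ap_enter"},
    "controller": {"ap_view", "gl_view", "gl_post"},
    "dba": {"db_admin"},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    last_login: Optional[date]          # None means the account has never logged in
    enabled: bool = True


@dataclass
class Finding:
    user: str
    kind: str                           # "inactive", "excess_privilege" or "privileged"
    detail: str


@dataclass
class Review:
    period: str
    reviewer: str
    findings: List[Finding]
    decisions: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # user -> (decision, justification)


# Constructed account export for the review period.
SAMPLE_ACCOUNTS = [
    Account("alice", "ap_clerk", {"ap_view", "ap_enter"}, REVIEW_DATE - timedelta(days=5)),
    Account("bob", "ap_clerk", {"ap_view", "ap_enter", "gl_post"}, REVIEW_DATE - timedelta(days=10)),
    Account("carol", "controller", {"ap_view", "gl_view", "gl_post"}, REVIEW_DATE - timedelta(days=120)),
    Account("dave", "dba", {"db_admin"}, None),
    Account("erin", "dba", {"db_admin"}, REVIEW_DATE - timedelta(days=1), enabled=False),
]


def review_accounts(accounts: List[Account], today: date, inactivity_days: int = INACTIVITY_DAYS) -> List[Finding]:
    """Return one Finding per condition that a reviewer must explicitly decide on."""
    findings: List[Finding] = []
    cutoff = today - timedelta(days=inactivity_days)
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to revoke
        if acct.last_login is None or acct.last_login < cutoff:
            when = "never" if acct.last_login is None else acct.last_login.isoformat()
            findings.append(Finding(acct.user, "inactive", f"last login {when}"))
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set())
        if excess:
            findings.append(Finding(acct.user, "excess_privilege", ", ".join(sorted(excess))))
        privileged = acct.entitlements & PRIVILEGED
        if privileged:
            findings.append(Finding(acct.user, "privileged", ", ".join(sorted(privileged))))
    return findings


def record_decision(review: Review, user: str, decision: str, justification: str) -> None:
    """Capture the manager's decision; the justification is what an auditor reads later."""
    if decision not in {"keep", "revoke", "disable"}:
        raise ValueError(f"unknown decision {decision!r}")
    if user not in {f.user for f in review.findings}:
        raise KeyError(f"{user} has no findings in this review")
    if not justification.strip():
        raise ValueError("a justification is required for every decision")
    review.decisions[user] = (decision, justification)


def signoff_ready(review: Review) -> bool:
    """True only when every flagged user has a recorded decision."""
    return all(f.user in review.decisions for f in review.findings)


if __name__ == "__main__":
    review = Review("2024-03", "finance-manager", review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE))
    for f in review.findings:
        print(f"{f.user:8} {f.kind:17} {f.detail}")
    print("sign-off ready:", signoff_ready(review))
```

Run as-is it prints six findings (bob holds gl_post outside his role, carol and dave are inactive, and all three hold privileged entitlements) and reports that sign-off is not ready; the review only becomes ready after `record_decision` has been called for each flagged user, which is the evidence trail an auditor asks for.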
Implementing procedures like these can go beyond SOX compliance by also helping your organization develop better overall IT hygiene habits, like regular reviews of all log files instead of just those associated with security-related events, and more manager- or executive-level accountability for IT decisions. It is also likely that the organization's ability to remain, or become, compliant with other standards like PCI or ISO 27001 will improve if it already has SOX-related controls in place.
The SOX influence on tech development
From a product perspective, SOX has had, and will likely continue to have, both indirect and direct influence on security technologies. Products used for database access monitoring, file integrity monitoring and privileged access management have significantly improved due to mandates stipulated by SOX regulations. Some specific products, such as Tripwire's file integrity monitoring tool, became almost the de facto standard solution during the early days of SOX compliance. SOX continues to help drive the need for, and innovation in, newer families of products, like privileged access management (PAM), that help organizations better track, assign and revoke user rights to systems and data.
SOX compliance is not only beneficial with regard to potentially exposing your organization to advanced security products -- it can help manage procedures for reporting and reviewing security information. By combining security teams' data protection strengths with the audit and accounting teams' reporting strategies to work toward SOX compliance, companies can significantly improve the vetting process for IT security and compliance technologies.
Don't underestimate the SOX visibility factor
In addition to the maturity that SOX can bring to your technical controls and solutions, another noticeable benefit is the relationship that SOX has with the finance and auditing community. Security programs have traditionally struggled to get serious attention from the executive suite because security has been viewed largely as simply an aspect of technology. The fact that SOX is often championed and overseen by the finance and accounting department, however, has helped security and compliance gain immediate traction with business leaders, audit committees and boards of directors.
SOX compliance has also helped show that security's impact on the organization goes beyond just IT departments, and can be useful for forging alliances between security, finance and accounting, and legal teams. Like Enterprise Risk Management (ERM) initiatives -- another concept driven into mainstream business primarily because of legislation -- SOX has increased security and compliance's visibility within organizations. It has also benefited many security leaders by giving them a voice in the board room, usually via reporting their concerns to audit committees or directly to boards of directors.
SOX might not be the overwhelming driver behind security and compliance efforts that it once was, especially because more visible and comprehensive security standards such as PCI DSS have emerged. However, SOX has always been effective -- and somewhat unique -- in that it has spotlighted both technologies and the underlying procedures needed to manage compliance effectively.
When building a security or compliance program, it is always wise to consider numerous security laws and standards to get a good mix of controls, practices and vertical market influences. Don't overlook the benefits and influence of SOX when you are building your security and compliance programs, because it can provide aspects like depth of controls, product maturity and organizational traction that other compliance efforts might not.
About the author:
Jeffrey Jenkins is a regulatory compliance, information security and risk management expert and currently the director of cybersecurity at Travelport LTD. Prior to his role with Travelport, Jeffrey served in security executive/leadership roles for a number of private and public sector organizations including Cbeyond, Equifax, The First American Corporation, S1, Georgia's Dept. of Human Resources, and Cobb County Public Schools. Jeff currently holds CISSP, CISA, CISM and CGEIT certifications.