
Security SOX Compliance

What is Security SOX Compliance?

The Sarbanes-Oxley Act (SOX) was enacted on July 30, 2002 and is administered and enforced by the U.S. Securities and Exchange Commission (SEC). SOX differs from other legislation involving information security and privacy: it revolves around the protection of financial records and the accuracy of financial reports, and uses those as an indirect means of regulating corporate behavior. The requirements for Sarbanes-Oxley compliance apply to all U.S. public companies, to foreign filers in U.S. markets, and to privately held companies with publicly traded debt.

Sarbanes-Oxley compliance affects multiple business units across the organization, from the CEO and the CFO to the IT and security departments. Several sections of SOX bear directly on the IT and information security functions of today's corporations. To maintain SOX compliance, these departments must implement access and integrity controls on financial information, together with system monitoring and audit trails; these requirements closely resemble the risk management processes already present within most public corporations.

Of the several dozen sections in SOX, Section 404 (Management Assessment of Internal Controls) is the one that affects IT and information security the most. To establish SOX compliance, an annual internal control report is required to:

  • state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
  • contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting

For the purposes of Sarbanes-Oxley compliance, the SEC's definition of internal control over financial reporting includes, in the parts most relevant to information security, the maintenance of records that accurately and fairly reflect transactions and dispositions of assets, and reasonable assurance regarding the prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material effect on the financial statements.

Objective of Security SOX Compliance

The Sarbanes-Oxley Act of 2002 was designed to reform the reporting, governance and disclosure of public company financial statements. Sarbanes-Oxley (SOX) mandates that public companies demonstrate due diligence in the disclosure of financial information and maintain internal controls and procedures for the communication, storage and protection of that data.

While not explicitly mentioned in the legislation, IT security is central to Sarbanes-Oxley compliance. SOX requires companies to assess any risk associated with information technology or internal processes that may affect the accurate and timely reporting of financial information. The sections most relevant to IT and information security are:

Section 302: Makes the CEO and CFO personally responsible for certifying financial reports and for establishing and maintaining internal controls.

Section 404: Requires management to assess the effectiveness of internal controls over financial reporting, obtain an external auditor's attestation of that assessment, and provide assurance that financial and accounting processes are protected from unauthorized use.

Section 409: Requires rapid and current disclosure of material changes in the company's financial condition or operations.

Security SOX Compliance Methodology

We offer comprehensive data security control assessment and implementation, risk assessments, information and data security policy development, and incident response staffing and planning.

Our data security services include:

  1. Data classification
  2. Control assessment and implementation
  3. Identity and access management
  4. Security education and training
  5. Security audits
  6. Risk analysis
  7. Metrics and maturity assessment
  8. Information security policies
  9. Incident response planning
  10. Incident response team formation
  11. Data loss and compromise management and response
  12. Compliance to data safeguard and breach notification laws and regulations

Benefits of Security SOX Compliance

  1. Appropriate controls are in place to prevent unauthorized access via public networks
  2. Monitoring, logging and reporting of security activity
  3. Only authorized software runs on company IT assets
  4. System infrastructure is properly configured to prevent unauthorized
  5. Security incident response capability
  6. Periodic testing and assessment is performed, confirming that the infrastructure is appropriately configured

How can DQS help your compliance efforts?

We can help you in three different ways, depending on your needs, desired level of involvement, timeline, available IT resources and budget.

OPTION 1: If you are in a hurry to complete Security SOX Compliance and do not have internal resources to devote fully to the project, we can complete the project for you independently. Your only involvement will be providing information about your infrastructure, policies and processes.

OPTION 2: If you have internal staff members who can devote their time and Security SOX Compliance knowledge fully to the project but are unfamiliar with the methodology, we will provide a project manager to work with your team and help complete the compliance project.

OPTION 3: If you have all the necessary resources for a Security SOX Compliance project but need to save time on documentation, you can use our Security SOX Compliance template documents. These templates ensure that you gather all the required information before starting the project. The findings and recommendations are mapped to the SOX regulations.

Whichever option you choose, our assessment methodology follows four phases: Plan, Audit, Execute and Manage.

Contact us

Please feel free to contact us. We are looking forward to hearing from you!

Rajendra Khare
MD
DQS Certification India Private Limited

Mobile: +91-9810268573
Phone:  +91-11-27025910
e-mail: rkhare@dqsindia.com

Please note: email is our preferred mode of communication.


YOUR SUCCESS IS OUR GOAL