WHAT IS THE SARBANES-OXLEY (SOX) ACT?
The Sarbanes-Oxley (SOX) Act is a United States federal law that applies to all publicly held corporations and establishes extensive civil and criminal penalties (fines and prison time) for noncompliance. SOX makes it mandatory for organizations to ensure that their confidential financial information is accurate and that the systems generating that information are reliable. The main driver behind SOX is to ensure that verifiable security controls are in place to protect against the disclosure of confidential financial data, and to provide detailed insight into and tracking of the employees who have access to that data. This helps detect data tampering, which may be a sign of fraudulent activity.
DO I NEED TO COMPLY WITH SOX?
Your organization MUST comply with SOX if it falls into one of the following categories:
All publicly traded companies in the United States, including all wholly owned subsidiaries, and all publicly traded non-US companies doing business in the US are affected.
Private companies that are preparing for their initial public offering (IPO) also need to comply with certain provisions of Sarbanes-Oxley.
How Stealthbits Enables SOX Compliance
Combining user and server activity with baseline conformance and change detection capabilities, Stealthbits’ solutions enable clear visibility into the changes occurring across critical systems, applications, and data stores, and into whether or not those changes were authorized according to SOX policy definitions. This known state of SOX compliance can then be actively monitored and protected in real time to prevent unauthorized changes from occurring, providing a lifecycle approach to SOX compliance.
Stealthbits’ solutions deliver confidence to agencies and organizations by detecting any unauthorized or ad hoc change that circumvented established security policies and immediately alerting security and compliance custodians. With an audit trail that is secured and not reliant upon native system logging, IT staff can provide step-by-step insight to auditors or assessors during the audit cycle and arm them with detailed reports demonstrating that changes made to their information systems can be detected, corrections verified, and anomalies found, explained, and accounted for.
STEALTHBITS SOLUTIONS FOR THE SOX COMPLIANCE FRAMEWORK
Requirement | COBIT Control | Description | Report Mapping | Capability Mapping
---|---|---|---|---
SOX Sections 302 and 404 COSO Components | EDM01 | Analyze and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives. | Access Auditing Governance | Data Access Governance
SOX Sections 302 and 404 COSO Components | BAI09 | Manage IT assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), they are accounted for and physically protected, and those assets that are critical to support service capability are reliable and available. Manage software licenses to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with license agreements. | Access Auditing Governance | Data Access Governance, Sensitive Data Discovery, Data Classification, Change & Access Monitoring, File Activity Monitoring
SOX Sections 302 and 404 COSO Components | BAI10 | Define and maintain descriptions and relationships between key resources and capabilities required to deliver IT-enabled services, including collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository. | Access Auditing Governance | Data Access Governance, Change & Access Monitoring
SOX Sections 302 and 404 COSO Components | DSS04 | Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise. | Access Auditing Governance | Data Access Governance, Change & Access Monitoring
SOX Sections 302 and 404 COSO Components | MEA02 | Define the actual scope by identifying the enterprise and IT goals for the environment under review, the set of IT processes and resources, and all the relevant auditable entities within the enterprise and external to the enterprise (e.g., service providers), if applicable. | Access Auditing Governance | Data Access Governance, Change & Access Monitoring, File Activity Monitoring
SOX Sections 302 and 404 COSO Components | MEA03 | Monitor and report on non-compliance issues and, where necessary, investigate the root cause. | Access Auditing Governance | Data Access Governance, Sensitive Data Discovery, Data Classification, Change & Access Monitoring, File Activity Monitoring
© 2022 Stealthbits Technologies, Inc.