Regulations - Sarbanes-Oxley

The Sarbanes-Oxley Act (SOX) is a U.S. federal law enacted in 2002 to help prevent corporate accounting scandals by requiring publicly traded companies to meet a consistent set of accounting and auditing requirements. Passed in response to the accounting scandals at Enron, Tyco International and WorldCom, SOX establishes the Public Company Accounting Oversight Board (PCAOB) and mandates the following for public companies and public accounting firms:

  • New internal financial controls

  • Enhanced auditor independence to prevent conflicts of interest

  • Executive responsibility for financial accuracy and reporting integrity

SOX provides significant non-compliance penalties for publicly-traded companies and public accounting firms. Although privately-held companies are currently exempt from this regulation, many organizations are implementing SOX controls in anticipation of further, more universal legislation. In addition, many other countries such as Japan have either enacted a law similar to SOX or are considering one.

The Business Challenge
Sections 302 and 404 of SOX—sometimes referred to as the “IT sections”—require an internal control framework and reporting procedure to ensure:

  • Accurate financial disclosure

  • Periodic evaluation of internal control effectiveness

  • An internal financial control report

  • Management affirmation of their responsibility for all of the above

Implementing, documenting and testing internal financial controls, especially those that depend directly on technology, requires an enormous effort. To assess effectiveness, the actual flow of transactions through the financial reporting system must be captured and analyzed to identify the points at which material financial misstatements could arise. Data collection and analysis must consider access control, system configuration and many other aspects of the financial reporting systems. Where a control gap is found, remediation must follow quickly, efficiently and effectively.

Once the data is collected, another major challenge arises: the timely processing of volumes of data. Processing includes the correlation, analysis and reporting of data. If analysis fell to a few IT security analysts, or even an entire team, timely response to important security or compliance risks would be nearly impossible. Thus, to round out effective support of all the SOX controls, automation is essential.

The eIQ Solution
Control frameworks, formalized systems for implementing and measuring IT procedures, give organizations specific standards for meeting the complex requirements of regulations like SOX. In particular, the Control Objectives for Information and Related Technology (COBIT) framework, recommended by the U.S. Securities and Exchange Commission, has been widely adopted by corporations to establish and maintain controls for SOX Sections 302 and 404.

While over three hundred control objectives comprise the entire COBIT framework, the Public Company Accounting Oversight Board has identified a smaller subset of twelve IT control objectives that are within the scope of SOX. To support each of these SOX-related control objectives, eIQ’s SecureVue security, risk and audit management platform combines enterprise security management (ESM) and IT governance, risk and compliance (GRC). By collecting, archiving, correlating and analyzing log, vulnerability, configuration, asset, performance and network behavioral anomaly data, SecureVue merges the complex monitoring, testing and auditing demands of SOX and other standards into a single solution. The automated end-to-end correlation of data—alongside built-in analytics—renders processing an easily manageable task.

SecureVue’s comprehensive compliance library—containing over 5,000 technical and functional controls—enables organizations to define, monitor and measure SOX compliance. The platform’s wizard-based policy mapping also allows organizations to add and modify regulations and best practices to address a broad range of unique business drivers, including internal practices, service level agreements and business partner requirements.

The following SOX monitoring support chart compares SecureVue’s integrated platform against traditional security information management (SIM) and IT GRC solutions across the twelve COBIT control objectives in SOX scope. The original chart rated each product (SecureVue, Traditional SIM, Traditional IT GRC) per objective as Supported, Partial Support or Not Supported; those ratings were shown as icons and are not reproduced here.

SOX Requirements (COBIT control objectives in SOX scope)

  1. Acquire and maintain application software

  2. Acquire and maintain technology infrastructure

  3. Enable operations

  4. Install and accredit solutions and changes

  5. Manage changes

  6. Define and manage service levels

  7. Manage third-party services

  8. Ensure systems security

  9. Manage the configuration

  10. Manage problems and incidents

  11. Manage data

  12. Manage the physical environment and operations

Legend: Supported / Partial Support / Not Supported

For More Information
SecureVue Solution
A Guide to the Sarbanes-Oxley Act Website
Sarbanes-Oxley Compliance Journal Website


Copyright © 2001-2009 eIQnetworks®, Inc. All rights reserved.