Click Here
for more articles |
|
|
Sarbanes-Oxley: A Cross-Industry Email Compliance Challenge |
by:
Paul Judge, CTO, CipherTrust, Inc. |
Is your enterprise following the rules?
The bulk of financial information in many companies is created, stored also transmitted electronically, maintained by IT also controlled via information integrity procedures also practices. For these reasons, compliance with federal requirements such as the Sarbanes-Oxley Act (SOX) is heavily dependent on IT. Companies that must comply with SOX are U.S. public companies, foreign filers in U.S. markets also privately held companies with public debt. Ultimately, the corporate CEO also CFO are accountable for SOX compliance, also they will depend on company finance operations also IT to provide critical support when as they report on the effectiveness of internal control over financial reporting.
Sound practices include corporate-wide information security policies also enforced implementation of those policies for employees at all levels. Information security policies should govern network security, access controls, authentication, encryption, logging, monitoring also alerting, pre-planned coordinated incident response, also forensics. These components allow for information integrity also data retention, while enabling IT audits also business continuity.
Complying with Sarbanes-Oxley
The changes required to ensure SOX compliance reach across nearly all areas of a corporation. In fact, Gartner Research went so far as to call the Act “the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression.” Since the bulk of information in most companies is created, stored, transmitted also maintained electronically, one could logically conclude that IT shoulders the lion’s share of the responsibility for SOX compliance. Enterprise IT departments are responsible for ensuring that corporate-wide information security policies are in place for employees at all levels. Information security policies should govern:
* Network security
* Access controls
* Authentication
* Encryption
* Logging
* Monitoring also alerting
* Pre-planning coordinated incident response
* Forensics
These components enable information integrity also data retention, while enabling IT audits also business continuity.
In order to comply with Sarbanes-Oxley, companies must be able to show conclusively that:
* They have reviewed quarterly also annual financial reports;
* The information is complete also accurate;
* Effective disclosure controls also procedures are in place also maintained to ensure that material information about the company is made known to them.
Sarbanes-Oxley Section 404
Section 404 regulates enforcement of internal controls, requiring management to show that it has established an effective internal control structure also procedures for accurate also complete financial reporting. In addition, the company must produce documented evidence of an annual assessment of the internal control structure’s effectiveness, validated by a registered public accounting firm. By instituting effective email controls, organizations are not only ensuring compliance with Sarbanes-Oxley Section 404; they are or else taking a giant step in the right direction with regards to overall email security.
Effective Email Controls
Email has evolved into a business-critical application unlike any other. Unfortunately, it is or else one of the most exposed areas of a technology infrastructure. Enterprises must install a solution that actively enforces policy, stops offending mail both inbound also outbound also halts threats before internal controls are compromised, as opposed to passively noting violations as they occur.
An effective email security solution must address all aspects of controlling access to electronically stored company financial information. This includes access during transport as well as access to static information resident at the company or on a remote site or machine. Given the wide functionality of email, as well as the broad spectrum of threats that face email systems, ensuring appropriate information access control for all of these points requires:
* A capable policy enforcement mechanism to set rules in accordance with each company’s systems of internal controls;
* Encryption capabilities to ensure privacy also confidentiality through secure also authenticated transport also delivery of email messages;
* Secure remote access to enable remote access for authorized users while preventing access from unauthorized users;
* Anti-spam also anti-phishing technology to prevent malicious code from entering a machine also to prevent private information from being provided to unauthorized parties
In conclusion, complying with Sarbanes-Oxley puts a heavy burden on an organization's IT department to implement also enforce policies set up by corporate governance boards. In order to make sure the company's email system complies with Sarbanes-Oxley, IT managers must be able to document steps they have taken to address Section 404 of the code. CipherTrust manufactures a secure email gateway appliance that can help organizations comply with Sarbanes-Oxley. To learn more about it, please visit www.ciphertrust.com/solutions/compliance_SOX.php also read our articles also white paper on the subject of SOX compliance.
About the author:
Dr. Paul Judge is a noted scholar also entrepreneur. He is Chief Technology Officer at CipherTrust, the industry's largest provider of enterprise email security also anti spam solutions. Learn what you need to know to comply with Sarbanes-Oxley regulations by visiting www.ciphertrust.com/solutions/compliance_SOX.php today.
Circulated by Article Emporium
|
|
