Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 was passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations, by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Section 404 of Sarbanes-Oxley requires chief executives to certify and demonstrate that they have established and are maintaining an adequate internal control structure and procedures for financial reporting. One of the most significant provisions within Sarbanes-Oxley is the set of criminal and civil penalties that place executive management and the board of directors in the "hot seat".

Objectives to meet Sarbanes-Oxley compliance

As a result of Sarbanes-Oxley, corporations require a new level of corporate governance and accountability. The vital role that security information and event management plays in establishing and maintaining internal controls has never been greater. Companies must institute log monitoring and vulnerability assessments as a critical part of their IT control systems. Both domestic and international publicly traded companies must comply with Sarbanes-Oxley. If you are a covered entity, you must have methods to maintain audit trails and to log possible alteration of electronic records.

To address the requirements of section 404, companies must be able to address the following objectives:

Access Control requires companies to monitor and maintain records of both successful and unsuccessful attempts to access their financial reporting system or the data that feeds the system, including files, directories, database records and applications. To capture both successful and unsuccessful login attempts, companies must deploy measures that collect this data from systems across the enterprise.

Configuration Control requires companies to verify that all production systems covered by Sarbanes-Oxley, and all other systems that have access to those systems, have a known configuration and that changes are made only by authorized personnel. They must also verify that security updates are applied quickly and that there is no unapproved or unauthorized user-installed software on monitored systems.

Malicious Software Detection requires companies to have the capability to collect and report malicious activity caused by viruses or other malicious code from a wide variety of sources, with centralized analysis. This includes the consolidation of redundant detection events into incidents, and anomaly detection to identify when malicious-code levels rise above the baseline for the environment.
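The two capabilities named above, collapsing repeated detection events into incidents and flagging days whose incident count exceeds the environment's baseline, as an added example that is not code from this page or from AMZNET. The event records, host names, signature names, the 10-minute consolidation window and the baseline figures are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample anti-malware events: (ISO timestamp, host, signature).
# The first three are the same detection re-raised on every scan pass.
EVENTS = [
    ("2021-03-01T09:00:00", "fin-app-01", "Trojan.GenericKD"),
    ("2021-03-01T09:00:05", "fin-app-01", "Trojan.GenericKD"),
    ("2021-03-01T09:00:40", "fin-app-01", "Trojan.GenericKD"),
    ("2021-03-01T09:15:00", "fin-app-01", "Trojan.GenericKD"),  # outside window
    ("2021-03-01T11:30:00", "fin-db-02", "EICAR-Test-File"),
    ("2021-03-02T08:15:00", "fin-app-01", "Trojan.GenericKD"),
]

# Constructed baseline: incidents per day over a prior "normal" week.
BASELINE_DAILY = [1, 2, 1, 1, 2, 1, 2]


def consolidate(events, window=timedelta(minutes=10)):
    """Collapse repeated detections of the same signature on the same host
    into one incident while each repeat falls within `window` of the last."""
    incidents = []
    open_incident = {}  # (host, signature) -> index of its open incident
    for ts_str, host, sig in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        idx = open_incident.get((host, sig))
        if idx is not None and ts - incidents[idx]["last_seen"] <= window:
            incidents[idx]["last_seen"] = ts
            incidents[idx]["events"] += 1
        else:
            incidents.append({"host": host, "signature": sig,
                              "first_seen": ts, "last_seen": ts, "events": 1})
            open_incident[(host, sig)] = len(incidents) - 1
    return incidents


def incidents_per_day(incidents):
    """Count incidents by the calendar day on which they were first seen."""
    counts = defaultdict(int)
    for inc in incidents:
        counts[inc["first_seen"].date().isoformat()] += 1
    return dict(counts)


def above_baseline(daily_counts, baseline_counts, k=2.0):
    """Return the days whose incident count exceeds mean + k * stddev
    of the baseline period (population stddev, since the baseline is fixed)."""
    threshold = mean(baseline_counts) + k * pstdev(baseline_counts)
    return {day: n for day, n in daily_counts.items() if n > threshold}
```

With the constructed data, the six raw events reduce to four incidents, and 2021-03-01 is flagged because three new incidents exceed the baseline threshold of roughly 2.4.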

Policy Enforcement requires companies to ensure that security and compliance policies are being met and adhered to, with automated reports demonstrating compliance. They must also verify that users are observing guidelines for required or prohibited activity, to reduce the chance of accidental exposure of sensitive information.

User Monitoring and Management requires companies to create a complete audit trail of the activities of users with access to private data, and to verify that those users are observing guidelines for required or prohibited activity, to reduce the chance of accidental exposure of sensitive information. It also requires companies to ensure that the necessary steps are taken to minimize the risk from compromised accounts.

Environment & Transmission Security requires companies to monitor their environments on an ongoing basis so that security threats are detected and corrected as quickly as possible through proactive measures. Additional monitoring is required to ensure that the transmission of sensitive data is secured with the proper level of encryption.

Contact us for more information


Copyright © 2021 AMZNET LLC. All rights reserved