Sarbanes-Oxley (SOX) and the impact on IT security
Sarbanes-Oxley does not directly impose IT security requirements. It is far-reaching legislation addressing corporate governance and the liabilities of directors and officers. However, proper record keeping, accounting and conduct are all part of the legislative requirements, and these can create IT security requirements.
When the Sarbanes-Oxley (SOX) reforms for accounting and reporting were brought in during 2002 in the USA, in the wake of the Enron and WorldCom scandals, few thought that they would have an impact on requirements for IT security, and even fewer thought they would become the most powerful driver for implementing digital signature and encryption technology.
But closer scrutiny of the words reveals the force behind the reforms.
"Meanwhile, the Sarbanes-Oxley reforms designed to crack down on corporate wrongdoing have substantially increased penalties for individuals involved in corporate fraud. Under the Sarbanes-Oxley Act the penalty for certifying an annual report that is later proved to be misleading is up to 10 years in prison. If an individual 'wilfully' misleads, the penalty can be as much as 20 years in jail." © The Telegraph Group. These words were not written following the sentencing of Jamie Olis, a middle-ranking executive at Dynegy, the energy company, to 24 years in jail for his role in a $300m accounting fraud. They were written following the revelation that Shell may have misled investors and regulators over the level of its oil reserves.
The hook is in the words "certifying an annual report that is later proved to be misleading".
Today many companies are required to make statements about their IT security practices and regulatory compliance in their annual reports. And that has an impact on their auditors.
"Experience from the US shows that businesses are likely to find thousands of IT holes that need to be filled before they can demonstrate that they meet the US standards for financial reporting," Malcolm Marshall, partner at KPMG, will tell this week's Infosecurity Europe conference. "A review of IT systems is fundamental to comply with Sarbanes-Oxley, which requires businesses with a US stock market listing to demonstrate best practice in their financial reporting controls. IT directors who do not take a lead in ensuring their businesses are ready for Sarbanes-Oxley risk having cumbersome systems imposed on them by the rest of the business." © ComputerWeekly.com Ltd
Exposure is more complicated where an organization states that it complies with a specific regulation. Examples include HIPAA (Health Insurance Portability and Accountability Act) and the GLBA (Gramm-Leach-Bliley Act), both of which require the enterprise to take real steps to preserve the confidentiality of customer or patient information.
But even general industry has a responsibility to show that it has preserved the integrity of corporate information and has taken steps to protect it from prying eyes when it should not be disclosed.
Companies are going to have to put money behind introducing encryption and digital signature products if they are to match the claims made in their annual reports, or their executives could end up repenting at leisure.