Sarbanes-Oxley: A Cross-Industry Email Compliance Challenge
Is your ... ... the ... bulk of ... ... in many ... is created, stored and ... ... ... by IT and ... via ... ...
Is your enterprise following the rules?The bulk of financial information in many companies is created, stored and transmitted electronically, maintained by IT and controlled via information integrity procedures and practices. For these reasons, compliance with federal requirements such as the Sarbanes-Oxley Act (SOX) is heavily dependent on IT. Companies that must comply with SOX are U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. Ultimately accountable for SOX compliance are the corporate CEO and CFO, who will depend on company finance operations and IT to provide critical support when they comply with the SOX requirement to report on the effectiveness of internal control over financial reporting. Sound practices include corporate-wide information security policies and enforced implementation of those policies for employees at all levels. Information security policies should govern network security, access controls, authentication, encryption, logging, monitoring and alerting, pre-planned coordinated incident response, and forensics. These components enable information integrity and data retention, while enabling IT audits and business continuity. Complying with Sarbanes-OxleyThe changes required to ensure SOX compliance reach across nearly all areas of a corporation. In fact, Gartner Research went so far as to call the Act “the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression.” Since the bulk of information in most companies is created, stored, transmitted and maintained electronically, one could logically conclude that IT shoulders a lion’s share of the responsibility for SOX compliance. Enterprise IT departments are responsible for ensuring that sound practices, including corporate-wide information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern:
- Network security
- Access controls
- Authentication
- Encryption
- Logging
- Monitoring and alerting
- Pre-planning coordinated incident response
- Forensics
- They have reviewed quarterly and annual financial reports;
- The information is complete and accurate;
- Effective disclosure controls and procedures are in place and maintained to ensure that material information about the company is made known to them.
- A capable policy enforcement mechanism to set rules in accordance with each company’s systems of internal controls;
- Encryption capabilities to ensure privacy and confidentiality through secure and authenticated transport and delivery of email messages;
- Secure remote access to enable remote access for authorized users while preventing access from unauthorized users;
- Anti-spam and anti-phishing technology to prevent malicious code from entering a machine and to prevent private information from being provided to unauthorized parties
- Viruses, worms, and other malicious code
- Internal users and external hackers attacking email systems
- System failures from malicious attacks that can lead to subsequent legal liabilities
- Unintentional or malicious information access or exposure
Source: Free Guest Posting Articles from ArticlesFactory.com
About Article Author

CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, “Contributing to Sarbanes-Oxley Compliance with IronMail” or by visiting www.ciphertrust.com.