SOX: Understanding Sarbanes-Oxley

How to bring your network and data into compliance with the Sarbanes-Oxley Act of 2002

Background

The Sarbanes-Oxley Act of 2002 also known as the Public Company Accounting Reform and Investor Protection Act of 2002, and commonly called “SOX” or “Sarbox”, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals.

As of 2006, all public companies are required to submit an annual assessment of the effectiveness of their internal financial auditing controls to the U.S. Securities and Exchange Commission (SEC). Additionally, each company’s external auditors are required to audit and report on management’s internal control reports, in addition to the company’s financial statements.

Who Needs To Comply

If you answer YES to any of these questions, SOX affects your company.

  • Is your company publicly traded?

The SOX legislation establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. For compliance with Section 404, public companies with a market capitalization over US $75 million needed to have their financial reporting frameworks operational for their first fiscal year-end report after November 15, 2006, and then for all quarterly reports thereafter. For smaller companies, compliance is required for the first fiscal year-end financial report after July 15, 2006, and then for all subsequent quarterly financial reports.

  • Is your company private, but planning an initial public offering (IPO)?

SOX does not apply to privately held companies, although those considering filing for an initial public offering (IPO) must demonstrate a SOX-compliant framework.

Getting Started With SOX Compliance

COSO FRAMEWORK

  • Risk Assessment. The processes and technologies used to identify and understand the areas of risk affecting the completeness and validity of financial reports and of other important and sensitive information that impacts financial reporting.
  • Control Environment. This is the foundation for applying the COSO framework and achieving SOX compliance through it. It comprises the integrity and ethics of an organization end-to-end, management’s philosophy and operating style, the way management assigns authority and responsibility and organizes and develops its people, and the attention and direction provided by the board of directors.
  • Control Activities. These include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
  • Monitoring. Auditing processes and schedules that address the high-risk areas within the IT organization. IT personnel should perform frequent internal audits.
  • Information and Communication. IT management demonstrating to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.

COBIT FRAMEWORK

The IT Governance Institute’s Control Objectives for Information and Related Technology (COBIT) is also used by many companies as a framework supporting IT SOX 404 efforts. However, certain aspects of COBIT fall outside the boundaries of Sarbanes-Oxley regulation. COBIT currently delineates 4 main objectives mapping to 34 IT processes and 318 detailed controls. Of these, only about 12 of the control processes are directly beneficial to SOX compliance. In the discussion below of how Varonis software applies to and benefits SOX compliance, we focus on the two most relevant of the 34 control processes: Ensure Systems Security and Manage the Configuration.

  • Ensure Systems Security – Controls that provide reasonable assurance that financial reporting systems and subsystems are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data.
  • Manage the Configuration – Controls that provide reasonable assurance that all components, as they relate to security, processing and availability, are well protected, would prevent any unauthorized changes, and assist in the verification and recording of the current configuration.

Feature-Requirement Map

Requirement: SOX Sections 302 and 404
CobIT Control: COSO components (Risk Assessment, Control Activities, Information & Communication)
Description: Sections 302 and 404 make a company’s CEO and CFO directly responsible to the SEC for the accuracy, documentation and submission of all financial reports, and for the internal control structure. For an organization to confidently attest to this, it must have a clear understanding of where data is stored, who owns it, who is responsible for it (the steward) and who is authorized to use it.
Varonis Product/Feature: Varonis DatAdvantage monitors and stores, in a searchable format, all aspects of data use for information stored on file servers and Network Attached Storage (NAS) devices. Varonis provides a detailed record of file server contents and how they are used, including: filenames, folders, access privileges to files and folders (i.e. a user’s or group’s NTFS permissions), data use by username or group name (i.e. create, open, delete, rename), and a list of the likely business owners of data. The latter is based on Varonis analysis of legitimate user activity on a given data set.

Requirement: SOX Sections 302 and 404
CobIT Control: COSO components (Control Activities, Information & Communication); Ensure Systems Security; Manage the Configuration
Description: SOX requires an Internal Control Report stating that management is responsible for an “adequate” internal control structure, together with an assessment by management of the effectiveness of that structure. Any shortcomings in these controls must also be reported. To accomplish this, COBIT recommends that security officers report directly to high-level management and that the following duties be segregated: data entry, computer operation, network management, system administration, systems development and maintenance, change management, security administration, and security audit.
Varonis Product/Feature: Varonis helps meet these requirements in a number of ways. Varonis recommends revoking permissions to data for users who have no business need for it; this ensures that user access to data is always warranted and driven by least privilege. Varonis generates reports showing the history of permission revocations and the percentages by which overly permissive access was reduced. Varonis DataPrivilege provides a web-based application through which all access requests to unstructured data can be monitored and administered (allowed or denied). Requestors, data owners, technical controllers and financial controllers are all united in communication and action through this system. For requests to access unstructured data on file shares, all actions taken and the rationale for them are recorded, and a workflow is enforced (i.e. requests for financial folders go straight to the business owner). Through these capabilities, entities can demonstrate historical and sustained enforcement of least-privilege access and its effects.

Requirement: SOX Sections 302 and 404
CobIT Control: COSO components (Control Activities, Information & Communication); Ensure Systems Security; Manage the Configuration
Description: Formal security policies, communication of those policies and consistent enforcement of them are critical to running a secure operation. COBIT recommends that organizations develop a “framework policy which establishes the organization’s overall approach to security and internal control to establish and improve the protection of IT resources and integrity of IT systems.”
Varonis Product/Feature: Varonis DataPrivilege helps organizations not only define the policies that govern who can access, and who can grant access to, unstructured data, but also enforces the workflow and the desired action to be taken (i.e. allow, deny, allow for a certain time period). This has a two-fold effect on the consistent and broad communication of the access policy: it unites all of the responsible parties, including data owners, SOX compliance officers, auditors, data users and IT, around the same set of information, and it allows organizations to continually monitor the access framework in order to make changes and optimize both for SOX compliance and for continuous enforcement of warranted access.

Requirement: SOX Sections 302 and 404
CobIT Control: COSO components (Control Activities, Monitoring, Information & Communication); Ensure Systems Security; Manage the Configuration
Description: SOX requires that organizations be able to provide evidence that they are compliant. This requires an ongoing effort to document and measure compliance continuously.
Varonis Product/Feature: Varonis provides highly detailed reports, including: data use (i.e. every user’s every file-touch), user activity on sensitive data, changes (including security and permissions changes) that affect the access privileges to a given file or folder, and a detailed record of permissions revocations including the names of users and the data sets for which permissions were revoked. Because DatAdvantage allows any query, however complex, of data use within the application to be saved and generated as a report, the amount and types of information that can be furnished for SOX compliance documentation are nearly unlimited.

Requirement: SOX Sections 302 and 404
CobIT Control: COSO components (Control Activities, Monitoring); Ensure Systems Security; Manage the Configuration
Description: Accounting for access (particularly administrative access) to critical systems is an important aspect of SOX compliance. Systems must be configured to capture both administrative and user access, to store the logs for later review, and to protect the logs from unauthorized access.
Varonis Product/Feature: Varonis DatAdvantage maintains a detailed history of all objects managed by the Varonis application, including users, user groups and, by extension, administrative accounts within user directories. At any given time, users of DatAdvantage can generate reports that show which administrators changed security settings and access permissions on file servers and their contents. The same level of detail is provided for users of data, showing their access history as well as any changes made to the security and access control settings of files and folders. Further, alerts and reports are automatically generated for anomalous or overly rigorous activity on important data sets. All of this ensures that access to data is continuously monitored for appropriate use and that organizations have all of the information they need to conduct forensic analysis and process improvement.

Requirement: SOX Sections 302 and 404
CobIT Control: COSO components (Control Activities, Monitoring, Information & Communication); Ensure Systems Security; Manage the Configuration
Description: Knowing the state of all critical SOX systems and applications is critical to compliance. Change control allows organizations to demonstrate that their state is understood and under control.
Varonis Product/Feature: As stated above, Varonis maintains detailed activity records for all user objects, including administrators, within Active Directory and for all data objects within file systems. Reports on changes are automatically generated and sent to those parties who have subscribed to receive this information via email, PDA, etc. These reports can be generated and sent at user-defined frequencies so that the appropriate parties become aware of changes in access controls in a timely fashion commensurate with the organization’s communication policies.

Requirement: SOX Sections 302 and 404
CobIT Control: COSO components (Control Activities, Monitoring, Information & Communication); Ensure Systems Security; Manage the Configuration
Description: SOX requires organizations to control access to critical financial systems and to account for all changes, both to financial records and to the underlying systems and applications that support them. COBIT requires controls of appropriate strength to be present to prevent unauthorized (and unaccountable) access to data, applications and systems.
Varonis Product/Feature: Varonis addresses these requirements in two key ways:
  1. Varonis recommends the revocation of permissions to file share data by explicitly and automatically identifying those persons who have no business need for the data to which they have privileges. Varonis system administrators can “commit” the Varonis recommendations through the application.
  2. Varonis DataPrivilege shifts accountability for data access control from IT to the business owners of the data (whom Varonis DatAdvantage helps identify). By administering access control through this application, business owners record their rationale and the right parties stay informed of actions taken on data.

Requirement: SOX Sections 302 and 404
CobIT Control: COSO components (Control Activities, Monitoring, Information & Communication); Ensure Systems Security; Manage the Configuration
Description: SOX compliance is a continuous process. Auditors look for integration of compliance processes into day-to-day operations.
Varonis Product/Feature: Varonis understands that unstructured data is growing at rates of 70% or more annually, making SOX compliance, already an expensive and arduous proposition, even harder. Varonis has architected a suite that is robust and complete enough to account for the highly dynamic nature of managing user-to-data mappings. Further, the company has developed a programmatic and automated means to ensure that access to data is always warranted based on business need-to-know and that the monitoring of use is continuous and relevant to maintaining compliance.
