The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, is mandatory. ALL organizations, large and small, MUST comply.
Corporate responsibility for Financial Activities
Public company officers must certify the accuracy of financial statements and must certify that those statements fairly present the operations and financial condition of the issuer.
It also requires that the material information used to generate reports be retained and made available to the public.
This directly affects the IT and security departments because it is primarily IT systems that generate these periodic reports and that control e-mail, the main method of communication within most organizations.
Management Assessment of Internal Controls
Section 404 is the most pertinent section of SOX for information security issues. It addresses the need for corporate management to be fully accountable for the integrity of all data associated with their financials.
It states that management teams of public companies must establish and maintain adequate “Internal Controls” over their financial reporting systems to safeguard against unauthorized and improper use of financial information.
Internal Controls are defined as “all control methods a company uses to prevent, detect and correct errors and frauds that might get into financial statements”.
Real Time Issuer Disclosure
Public companies must be aware of, and declare, changes in their financial condition or operations within 48 hours of material events. All events that could affect a company’s finances, stock price or intellectual property (among other things) must be captured, documented through a process that can be audited, and reported rapidly.
This includes operational risk with IT systems such as:
• Major or extended system outages
• Loss of critical data
• Security breaches
• Intellectual Property and Digital Rights Management issues
• Major computer virus and worm attacks