Sarbanes-Oxley: A Cross-Industry Email Compliance Challenge by
CipherTrust
Is your enterprise following the rules?
The bulk of financial information in many companies is created, stored and
transmitted electronically, maintained by IT and controlled via information
integrity procedures and practices. For these reasons, compliance with federal
requirements such as the Sarbanes-Oxley Act (SOX) is heavily dependent on IT.
Companies that must comply with SOX are U.S. public companies, foreign filers
in U.S. markets and privately held companies with public debt. Ultimately
accountable for SOX compliance are the corporate CEO and CFO, who will depend
on company finance operations and IT to provide critical support when they
comply with the SOX requirement to report on the effectiveness of internal
control over financial reporting.
Sound practices include corporate-wide information security policies and
enforced implementation of those policies for employees at all levels.
Information security policies should govern network security, access controls,
authentication, encryption, logging, monitoring and alerting, pre-planned
coordinated incident response, and forensics. These components enable
information integrity and data retention, while enabling IT audits and business
continuity.
Complying with Sarbanes-Oxley The changes required to ensure SOX
compliance reach across nearly all areas of a corporation. In fact, Gartner
Research went so far as to call the Act "the most sweeping legislation to
affect publicly traded companies since the reforms during the Great
Depression." Since the bulk of information in most companies is created,
stored, transmitted and maintained electronically, one could logically conclude
that IT shoulders a lion's share of the responsibility for SOX compliance.
Enterprise IT departments are responsible for ensuring that sound practices,
including corporate-wide information security policies and enforced
implementation of those policies, are in place for employees at all levels.
Information security policies should govern:
-
Network security
-
Access controls
-
Authentication
-
Encryption
-
Logging
-
Monitoring and alerting
-
Pre-planning coordinated incident response
-
Forensics
These components enable information integrity and data retention, while
enabling IT audits and business continuity.
In order to comply with Sarbanes-Oxley, companies must be able to show
conclusively that:
-
They have reviewed quarterly and annual financial reports;
-
The information is complete and accurate;
-
Effective disclosure controls and procedures are in place and maintained to
ensure that material information about the company is made known to them.
Sarbanes-Oxley Section 404 Section 404 regulates enforcement of internal
controls, requiring management to show that it has established an effective
internal control structure and procedures for accurate and complete financial
reporting. In addition, the company must produce documented evidence of an
annual assessment of the internal control structure's effectiveness, validated
by a registered public accounting firm. By instituting effective email
controls, organizations are not only ensuring compliance with Sarbanes-Oxley
Section 404; they are also taking a giant step in the right direction with
regards to overall email security.
Effective Email Controls Email has evolved into a business-critical
application unlike any other. Unfortunately, it is also one of the most exposed
areas of a technology infrastructure. Enterprises must install a solution that
actively enforces policy, stops offending mail both inbound and outbound and
halts threats before internal controls are compromised, as opposed to passively
noting violations as they occur.
An effective email security solution must address all aspects of controlling
access to electronically stored company financial information. This includes
access during transport as well as access to static information resident at the
company or on a remote site or machine. Given the wide functionality of email,
as well as the broad spectrum of threats that face email systems, ensuring
appropriate information access control for all of these points requires:
-
A capable policy enforcement mechanism to set rules in accordance with each
company's systems of internal controls;
-
Encryption capabilities to ensure privacy and confidentiality through secure
and authenticated transport and delivery of email messages;
-
Secure remote access to enable remote access for authorized users while
preventing access from unauthorized users;
-
Anti-spam and anti-phishing technology to prevent malicious code from entering
a machine and to prevent private information from being provided to
unauthorized parties
For years, corporations addressed their various email security needs through a
mixture of third-party software "solutions" designed to address specific areas
of vulnerability. Today, however, this approach is ineffective. New amorphous
threats adapt to even the latest security technology, helping hackers and
spammers stay a step ahead of most stand-alone protective measures. System
administrators remain in a reactionary mode, waiting for the next attack and
hoping their mixed bag of security software is up to the test. The new
challenges posed to email security demand a new approach that protects
enterprises from all types of malicious attacks. Enter CipherTrust's IronMail.
IronMail and Sarbanes-Oxley IronMail has been created to protect
organizations from both known and unknown email security attacks. IronMail
offers automatic or manual updates to protect against both known and newly
discovered email security threats and vulnerabilities, and the comprehensive
messaging security provided by IronMail assists organizations in key areas of
maintaining effective internal controls. Specific financial information threats
and vulnerabilities protected by IronMail include:
-
Viruses, worms, and other malicious code
-
Internal users and external hackers attacking email systems
-
System failures from malicious attacks that can lead to subsequent legal
liabilities
-
Unintentional or malicious information access or exposure
IronMail provides a comprehensive solution to the Sarbanes-Oxley information
integrity requirements as they relate to protecting corporate financial
information that is transmitted and stored via email. Everything from message
privacy/encryption to email firewall and intrusion protection to content
filtering is included in the IronMail solution.
Take the Next Step Learn more about how IronMail helps organizations
ensure Sarbanes-Oxley compliance by visiting www.ciphertrust.com
or requesting CipherTrust's free whitepaper, "Contributing
to Sarbanes-Oxley Compliance with IronMail".
About the Author
CipherTrust is the leader in anti-spam and email security. Learn more by
downloading our free whitepaper, "Contributing
to Sarbanes-Oxley Compliance with IronMail" or by visiting
www.ciphertrust.com.
|
