Sarbanes-Oxley Act
Quite often referred to as SOX, this legislation was enacted in 2002 in the wake of a number of large, high-profile corporate failures. The Act imposes much tighter requirements on corporate governance and financial transparency. For example, it gives regulators draconian powers and requires the executives of US-listed corporations to certify that adequate internal controls and procedures for financial reporting are in place.
Although the Act itself says nothing about technology, a significant part of complying with it concerns the integrity of the computer systems that underpin corporate decision-making and disclosure to shareholders, because auditors treat those systems as part of the internal controls over financial reporting. Those covered by the Act must have methods to maintain audit trails and to log any alteration of electronic records. Here's a short checklist:
- Access control to monitor attempts to access the company's financial reporting system or the data that feeds it.
- Configuration control to monitor the configuration, policies and software installed on systems covered by the Act, and on all other systems with access to them.
- Malicious software detection to detect, collect and report malicious activity caused by viruses or other malicious code from a wide variety of sources, with centralised analysis.
- Policy enforcement to verify that all users are complying with regulations, reducing the chance of accidental exposure of sensitive information.
- User monitoring and management to create a complete audit trail of the activities of non-employees with access to private data, and to take steps to minimise the risk from compromised accounts.
- Threat and transmission security, involving ongoing monitoring of the environment so that security threats are detected and corrected as quickly as possible through proactive measures such as virus scans, together with additional monitoring to ensure that sensitive data in transit is protected with appropriate encryption.
As can be imagined, companies have found the cost of compliance to be significant, with BP citing $18 million for its US operation. While this is purely US legislation, it applies to any company listed on a US exchange, including foreign issuers, and to the subsidiaries of such companies operating abroad. Many speculate that it will not be too long before the EU enacts similar legislation. No doubt the trigger will be a high-profile event in a major EU country along the lines of those in the US that prompted SOX.