Is your enterprise following the rules?

The bulk of financial information in many companies is created, stored and transmitted electronically, maintained by IT and controlled via information integrity procedures and practices. For these reasons, compliance with federal requirements such as the Sarbanes-Oxley Act (SOX) is heavily dependent on IT. Companies that must comply with SOX are U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. Ultimately, the corporate CEO and CFO are accountable for SOX compliance, and they will depend on company finance operations and IT to provide critical support as they report on the effectiveness of internal control over financial reporting.

Sound practices include corporate-wide information security policies and enforced implementation of those policies for employees at all levels. Information security policies should govern network security, access controls, authentication, encryption, logging, monitoring and alerting, pre-planned coordinated incident response, and forensics. These components allow for information integrity and data retention, while enabling IT audits and business continuity.

Complying with Sarbanes-Oxley

The changes required to ensure SOX compliance reach across nearly all areas of a corporation. In fact, Gartner Research went so far as to call the Act "the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression." Since the bulk of information in most companies is created, stored, transmitted and maintained electronically, one could logically conclude that IT shoulders the lion's share of the responsibility for SOX compliance. Enterprise IT departments are responsible for ensuring that corporate-wide information security policies are in place for employees at all levels. Information security policies should govern:

* Network security
* Access controls
* Authentication
* Encryption
* Logging
* Monitoring and alerting
* Pre-planned coordinated incident response
* Forensics

These components enable information integrity and data retention, while enabling IT audits and business continuity.

In order to comply with Sarbanes-Oxley, companies must be able to show conclusively that:

* They have reviewed quarterly and annual financial reports;
* The information is complete and accurate;
* Effective disclosure controls and procedures are in place and maintained to ensure that material information about the company is made known to them.

Sarbanes-Oxley Section 404

Section 404 regulates enforcement of internal controls, requiring management to show that it has established an effective internal control structure and procedures for accurate and complete financial reporting. In addition, the company must produce documented evidence of an annual assessment of the internal control structure's effectiveness, validated by a registered public accounting firm. By instituting effective email controls, organizations are not only ensuring compliance with Sarbanes-Oxley Section 404; they are also taking a giant step in the right direction with regard to overall email security.

Effective Email Controls

Email has evolved into a business-critical application unlike any other. Unfortunately, it is also one of the most exposed areas of a technology infrastructure. Enterprises must install a solution that actively enforces policy, stops offending mail both inbound and outbound, and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur.

An effective email security solution must address all aspects of controlling access to electronically stored company financial information. This includes access during transport as well as access to static information resident at the company or on a remote site or machine.