Cloud data storage best practices for SOX compliance: Part 1
With the passage of the Sarbanes-Oxley Act (SOX), the US Congress has finally put laws into effect to require accurate corporate disclosures and stop fraudulent business practices. After the financial issues that transpired at Tyco, WorldCom, and Enron in 2002, Congressmen Paul Sarbanes and Michael Oxley took a step to help increase accountability in corporate governance. They wrote an act that requires all public companies to comply with SOX in both the IT and financial sectors.
The act does not specify how an organisation needs to store records or organise business practices. It does, however, indicate which documents should be stored and for how long. For a business to comply with SOX, it must keep all business records for at least five years including electronic records and messages, says Ian McClarty, president at Phoenix NAP LLC.
Failing to follow this law can result in serious consequences for noncompliance, which include fines or imprisonment, or even both.
Key elements of Sarbanes-Oxley compliance
Sarbanes-Oxley compliance was one of the most notable steps toward regulating public companies' data records. The act was signed into law on July 30, 2002, and its sponsors included Sen. Paul Sarbanes (D-MD) and Rep. Michael G. Oxley (R-OH-4).
Developed with the purpose of improving financial reporting and corporate governance transparency, it also helped establish a formal system of internal checks and balances. When it comes to the types of companies that should follow it, SOX compliance is required for:
- Any publicly held U.S. company
- International companies with debt securities or a registered equity with the U.S. Securities and Exchange Commission (SEC)
- All accounting firms or other third parties that provide financial services to either of the above
Companies that fail to meet the regulatory criteria face formal penalties such as invalidation of D&O insurance policies, removal from public stock exchange listings, or fines. Under SOX, CEOs and CFOs who willfully present an improper compliance certification audit can face up to twenty years in jail and fines of up to $5 million (€4.29 million).
History of Sarbanes-Oxley compliance
When discussing the SOX Act, it is helpful to have some historical context. The act emerged in response to a particular set of incidents, and it helps organisations align compliance with company priorities and security goals.
Passed on July 30, 2002, after the corporate scandals of Tyco International, Enron, and WorldCom, the Act includes accountability and financial governance with sections that indicate guidelines for data transmission and storage and information security.
Since the IT infrastructure is the primary support for company communications, SOX compliance must include broad measures for information accountability.
Three rules of electronic record management
Since the SOX Act was passed, IT departments across the US have become responsible for creating and maintaining corporate record archives.
This has triggered a demand for cost-effective methods and IT solutions that are in complete compliance with legislative requirements. Electronic record management is governed by three rules: alteration, destruction, or falsification of records can result in penalties; business records must be stored securely, following suggested best practices; and specific types of business records must be kept.
Tools for SOX compliance and security controls
When considering compliance with SOX, the best plan of action is to have the right security controls in place. This not only guarantees the accuracy of your financial data but also helps you protect it from loss.
By creating a set of best practices to follow, you can establish and nurture a security-oriented culture that automates SOX compliance and lessens the cost of SOX management.
A great way to achieve this is to use some of the advanced tools for automatic data classification and search. Context-aware solutions can categorise and tag cardholder data, electronic health records, social security numbers, confidential design documents, PHI, and other regulated data types, whether structured or unstructured.
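To make the classification step concrete, here is a small added example (written for this article, not code from any of the tools or vendors mentioned) that tags records by the regulated data they contain. It is a minimal pattern-based classifier: a Luhn checksum keeps card-number detection from firing on arbitrary long digit strings, an SSN pattern rejects invalid area and group numbers, and a keyword list stands in for a PHI detector. The sample records, tag names, and keyword list are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample records; every value below is made up and is not a real identifier.
SAMPLE_RECORDS = [
    "Invoice 2041 paid with card 4111 1111 1111 1111, approved",
    "Employee onboarding: SSN 123-45-6789, start date 2023-02-01",
    "Patient record: MRN 00417, diagnosis code J18.9, attending Dr. Lee",
    "Quarterly engineering sync notes, no action items",
]

# Hypothetical tag names and detection rules; a real deployment maps these to its own taxonomy.
# SSN: area number may not be 000, 666, or 9xx; group not 00; serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Stand-in for a PHI detector: a few constructed keywords.
PHI_KEYWORDS = ("patient", "diagnosis", "mrn")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> List[str]:
    """Return the list of data-classification tags that apply to one record."""
    tags: List[str] = []
    if SSN_RE.search(text):
        tags.append("SSN")
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # Only a Luhn-valid candidate is tagged; invoice or order numbers are skipped.
        if luhn_valid(digits):
            tags.append("CARDHOLDER")
            break
    lowered = text.lower()
    if any(keyword in lowered for keyword in PHI_KEYWORDS):
        tags.append("PHI")
    if not tags:
        tags.append("UNCLASSIFIED")
    return tags


def build_index(records: List[str]) -> Dict[str, List[int]]:
    """Map each tag to the record indexes carrying it, so searches touch only the index.

    The index holds record positions, not the sensitive values themselves, which keeps
    the search layer from becoming a second copy of the regulated data.
    """
    index: Dict[str, List[int]] = {}
    for position, record in enumerate(records):
        for tag in classify(record):
            index.setdefault(tag, []).append(position)
    return index


if __name__ == "__main__":
    for tag, positions in sorted(build_index(SAMPLE_RECORDS).items()):
        print(f"{tag:<13} records {positions}")
```

The checksum and the SSN prefix rules are what separate a usable classifier from a noisy one: without them, every long invoice number and every date-like string would be flagged, and the tags feeding retention and access-control decisions would be untrustworthy.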
Of course, this is just a start towards developing a comprehensive secure data storage strategy. Reaching that goal also means choosing the right infrastructure and staff, conducting employee training, and implementing the proper processes across all departments.