Sarbanes-Oxley (SOX) requirements are one of the most important compliance challenges that publicly traded corporations face today. SOX has also become one of the main drivers of enterprise technology and information security expenditure. Yet, despite its existence for nearly two decades, many corporate executives remain unsure about what the exact IT requirements for SOX compliance are. And it’s understandable.
SOX is a financial reporting and accounting mandate that has ramifications for technology infrastructure. Even though the act doesn’t explicitly reference encryption or password rules, the role of IT as a facilitator is implied. While it’s the CFO’s role to ensure data accuracy, the CIO, CTO and CISO tackle the data security and integrity question.
Due to the lack of specific guidance on the technologies necessary for SOX compliance, business and IT leaders have often found themselves groping in the dark. For an organization to pass a SOX compliance audit, it must implement a number of IT best practices. We look at some of these.
1. SSL/TLS Encryption for Web-Enabled Applications
SSL/TLS isn’t an absolutely impregnable defense, but it’s certainly the best encryption protection currently available for websites and web-enabled applications. When an SSL/TLS connection is established, the web server sends its public key to the client browser, which the client uses to create a session key with the server.
Whereas rogue sensors and Man-in-the-Middle (MITM) attacks can successfully identify the session and public key, they cannot decrypt the communication if they don’t have the server’s private key.
2. End-Point Protection
Securing enterprise servers with firewalls and antivirus tools is the absolute minimum an organization is expected to do. However, complying with SOX requires that public companies go a step further.
For firewalls, all ports that serve no specific purpose must be blocked. Get rid of any exceptions in your antivirus scanner. Integrate accounting and financial reporting applications with an overarching enterprise systems management platform that streamlines your ability to quickly set policy, aggressively deploy updates, prevent configuration tampering and rapidly report possible attacks and significant security issues.
SOX regulators and auditors love audit trails and system-generated reports. A management platform that consolidates security events taking place in your end-points can only be a good thing for SOX compliance.
3. Reduce Attack Surface On Systems Accessing Financial Applications
If employees are going to work on crucial accounting and financial systems from their computers, simply running the operating system and antivirus updates will not suffice to create a safe environment for the financial data.
Plenty more has to be done, including disabling superfluous services, uninstalling unneeded browser add-ons, using group policy to limit user access and permissions, and aggressively applying security policies.
4. Database Activity Monitoring Tools
SOX is fixated on the integrity and accuracy of financial data. Auditing all activity on tables holding sensitive information is vital.
Consider removing database administrators (DBAs) from database security-related duties. This would prevent a rogue DBA from tampering with financial data and thereafter covering their tracks by altering the audit and monitoring reports along the accounting and financial data workflow.
Instead, database activity monitoring should be automated as much as possible with reports sent to IT security staff and relevant operations and finance managers.
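One way to make an audit trail tamper-evident even to a DBA, as an added example that is not from the original article: triggers record every change to a constructed SQLite `ledger` table, and a monitor holding a key the DBAs lack chains an HMAC over the audit rows. The table, trigger and function names and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

AUDIT_KEY = b"constructed-demo-key"  # constructed; held by security staff, not DBAs

def open_ledger():
    """Constructed in-memory ledger; triggers log every change to `audit`."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ledger (id INTEGER PRIMARY KEY, account TEXT, amount INTEGER);
        CREATE TABLE audit (seq INTEGER PRIMARY KEY AUTOINCREMENT, event TEXT, mac TEXT);
        CREATE TRIGGER ins AFTER INSERT ON ledger BEGIN INSERT INTO audit (event)
            VALUES ('INSERT id=' || NEW.id || ' amount=' || NEW.amount); END;
        CREATE TRIGGER upd AFTER UPDATE ON ledger BEGIN INSERT INTO audit (event)
            VALUES ('UPDATE id=' || NEW.id || ' ' || OLD.amount || '->' || NEW.amount); END;
    """)
    return db

def _mac(prev, seq, event):
    # Each MAC covers the previous MAC, so rows cannot be edited, dropped or reordered.
    return hmac.new(AUDIT_KEY, f"{prev}|{seq}|{event}".encode(), hashlib.sha256).hexdigest()

def seal(db, head=""):
    """Monitor job: extend the HMAC chain over unsealed audit rows; return the new head."""
    rows = db.execute("SELECT seq, event FROM audit WHERE mac IS NULL ORDER BY seq")
    for seq, event in rows.fetchall():
        head = _mac(head, seq, event)
        db.execute("UPDATE audit SET mac = ? WHERE seq = ?", (head, seq))
    return head  # kept outside the database, with the security team

def verify(db, head):
    """Return findings; an empty list means the trail matches the stored head."""
    findings, prev = [], ""
    for seq, event, mac in db.execute("SELECT seq, event, mac FROM audit ORDER BY seq"):
        if mac is None or not hmac.compare_digest(mac, _mac(prev, seq, event)):
            findings.append(f"audit row {seq} altered or chain broken")
        prev = mac or ""
    if not hmac.compare_digest(prev, head):
        findings.append("trail does not end at the stored head")
    return findings

def demo():
    db = open_ledger()
    db.execute("INSERT INTO ledger (account, amount) VALUES ('revenue', 1000)")
    db.execute("UPDATE ledger SET amount = 9000 WHERE id = 1")
    head = seal(db)
    clean = verify(db, head)
    # Constructed tampering: the UPDATE's audit row is rewritten after sealing.
    db.execute("UPDATE audit SET event = 'UPDATE id=1 1000->1000' WHERE seq = 2")
    return clean, verify(db, head)
```

`demo()` returns an empty list for the untouched trail and a finding naming row 2 once that row is rewritten. A production monitor would capture events outside the database rather than through triggers a DBA can drop.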
5. Removable Media
Removable media can be the weakest link in a company’s management and protection of financial data. Given the substantial risks that come with placing sensitive data on removable media, their use should be prohibited if possible. Nevertheless, banning removable media won’t always be possible or practical.
If you must allow removable media, ensure you have policy and controls safeguarding any information contained therein. Without that, your business will be falling short of SOX compliance. The good thing is there are low-cost third-party data loss prevention products you could install to automatically check and enforce encryption of data sent to removable media.
When it comes to other major compliance regulations and standards such as GDPR, PCI DSS, and HIPAA, the IT department often builds the foundation for compliance and then the rest of the business follows. With SOX, IT comes in after the business has laid the groundwork. Either way, it’s crucial that IT and the business work together if they are to address the SOX challenge satisfactorily.