Meeting Sarbanes-Oxley Act (SOX) and GLBA Compliance Requirements for Protecting Data-at-Rest
The Sarbanes-Oxley Act of 2002 (SOX) is a United States federal law enacted on 30 July 2002 that sets standards for all US public company boards, management and public accounting firms. The SOX Act affects private companies as well. It helps prevent a company from submitting false financial data to a federal auditing agency.
The primary sections of the SOX Act that concern protecting data are sections 302 and 404. The data protection compliance requirements in both sections are most concerned with the accuracy and content of required financial reports.
Sarbanes-Oxley Act section 404 has two major compliance requirements:
- Management is accountable for establishing and maintaining internal controls and procedures that enable accurate financial reporting and assessing this posture every fiscal year in an internal control report.
- Public accounting firms that prepare or issue yearly audits must attest to, and report on, this yearly assessment by management.
Sarbanes-Oxley Act section 302 expands this with compliance requirements to:
- List all deficiencies in internal controls and information, as well as report any fraud involving internal employees.
- Detail significant changes in internal controls, or factors that could have a negative impact on internal controls.
Penalties for Non-Compliance
SOX compliance penalties range from delisting to million-dollar fines and jail time. The SOX Act states that companies that knowingly submit incorrect financial reporting information for a compliance audit will face these penalties.
All financial information needs to be safeguarded and its integrity assured. Specific internal security controls that protect this data need to be identified, auditing must take place, and this security posture must be re-assessed every year, including any changes or deficiencies that result from changing conditions.
Benefits of Being SOX Compliant
When a company's financial reporting data is secure and can pass a SOX compliance audit, the company will notice many benefits for the business.
- Organizations notice that financial reporting has improved as a result of SOX compliance initiatives.
- Internal control over financial data reporting has significantly improved.
Spirion provides key portions of the solution to Sarbanes-Oxley compliance problems: security controls that enable organizations to discover, classify and monitor all confidential and financial data across widespread heterogeneous infrastructures, including virtualized environments and cloud implementations.
Spirion provides a solution to help organizations discover, classify, monitor and respond transparently, without changes to operational processes and the daily work of healthcare professionals. Spirion provides technical safeguards to automatically identify and classify electronic protected health information with an easy-to-deploy, centrally managed solution that integrates with your existing security infrastructure. Spirion's open APIs allow integration with your existing DLP tools, encryption software, data-archiving and storage solutions offered by leading technology providers such as Symantec, Intel Security and others, helping you increase the return on existing spend on these data security solutions.
Spirion Key features
Search everywhere and identify with zero false positives
- Reliable discovery results with industry leading accuracy and precision
- Searches local/shared/removable drives, cloud storage, e-mail servers, databases, web servers, SharePoint sites, Windows/Mac/Linux workstations, web sites and file servers.
- Searches within all file types, structured and unstructured: Office files, text, images, scanned images, e-mail messages and attachments, archives, deleted files, Outlook archives, and compressed files.
Classify results persistently
- Classifies sensitive data by category and priority to highlight what administrators and/or data owners need to manage and protect. Embeds classifications directly into files.
Secure unprotected information
- Secures results using a file shredder (based on the DoD standard), redaction, encryption, or quarantine to a safe location, minimizing the chance of a security breach.
Monitor and manage data operations centrally
- Identifies unprotected results and compares them with what employees have already secured, for trend analysis.
- Notifies data owners automatically.
- Empowers employees to sanitize their data environment and monitors their progress with automated alerts and notifications, without extra staff burden.
Make employees part of the process
- Give employees access to classification add-ons in popular collaboration suites such as MS Office and Adobe Acrobat.
Highly scalable, flexible and secure architecture
- Highly scalable, open architecture that accommodates the growth of staff, processes and information across the enterprise.
- Enables organizations to scale and grow by providing the ability to orchestrate administrative and compliance processes consistently and globally.
- Integrates with Active Directory to simplify policy designation and group reporting.
- Within an hour, start seeing sensitive data results.
- Within a day, create an inventory of sensitive data on all systems.
- Within a week, implement a data loss prevention strategy for continuous data protection.