- Management's responsibility to establish and maintain adequate internal control over financial reporting.
- The framework used as criteria for evaluating the effectiveness of the company's internal control over financial reporting.
- Management's assessment of the effectiveness of internal company control over financial reporting, and disclosure of any material weaknesses.
How to comply
While IT security systems play a vital part in establishing many of these internal controls to meet requirements, SOX doesn't provide any insight into how a company should go about it, or what types of solutions help deliver those controls. What methods and frameworks can help with this? The Control Objectives for IT (COBIT) is an IT governance model that provides both company and activity-level objectives along with associated controls. Using COBIT, an organization can design a system of security applications and controls to comply with SOX. Here's a guide to how companies can interpret SOX demands and ensure they meet regulatory compliance using COBIT objectives, by deploying the right security solutions in the right areas.
COBIT suggests that all users should be uniquely identifiable. User identities and access rights should be maintained in a central repository, and cost-effective technical and procedural measures should be deployed and kept current to establish user identification, to implement authentication and to enforce access rights. It's important that an IT solution includes access control. It should also allow for the creation of granular access and authorization rules, and enforce access policies at the perimeter and on the internal network. This also ensures that companies make their systems resistant to tampering.
User account management
A set of user account management procedures is advised to address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges, as well as to perform regular management reviews of all accounts and related privileges. Certain management tools allow administrators to create policies, including the mapping and assignment of groups (of users and endpoints) to resources. Solutions can also be configured to provide inline, real-time password policy validations for password length or alphanumeric requirements.
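The two COBIT points above (unique user identities kept in a central repository with enforced access rights, and an account lifecycle with group-to-resource mapping, password policy checks and management review) fit together in one small model. The following is an added example written for this article, not code from Help Net Security or from any vendor product; the class and function names, the `MIN_LENGTH` value and the sample accounts, groups and resources are all constructed assumptions for illustration.

```python
"""Illustrative central account repository for the COBIT objectives above.

Demonstrates: unique user IDs, group-to-resource access mapping, the
request/establish/suspend/modify/close lifecycle with an audit trail,
an inline password policy check, and a management-review report.
All names and data are constructed for this example.
"""
from dataclasses import dataclass, field
import re

MIN_LENGTH = 12  # assumed policy value; SOX/COBIT do not prescribe a number


@dataclass
class Account:
    user_id: str
    owner: str                       # the person accountable for this identity
    status: str = "active"           # active | suspended | closed
    groups: set = field(default_factory=set)
    history: list = field(default_factory=list)  # (action, detail) audit trail


class AccountRepository:
    """Single source of truth for identities, groups and their privileges."""

    def __init__(self):
        self._accounts = {}         # user_id -> Account
        self._group_resources = {}  # group -> set of resources it may access

    def create(self, user_id, owner, groups=()):
        # COBIT: every user must be uniquely identifiable, so reject reuse.
        if user_id in self._accounts:
            raise ValueError(f"user id {user_id!r} already exists")
        acct = Account(user_id, owner, groups=set(groups))
        acct.history.append(("created", f"owner={owner}"))
        self._accounts[user_id] = acct
        return acct

    def grant_group(self, group, resources):
        # Group-to-resource assignment; privileges are never attached to users directly.
        self._group_resources.setdefault(group, set()).update(resources)

    def modify_groups(self, user_id, add=(), remove=()):
        acct = self._accounts[user_id]
        acct.groups |= set(add)
        acct.groups -= set(remove)
        acct.history.append(("modified", f"+{sorted(add)} -{sorted(remove)}"))

    def suspend(self, user_id, reason):
        acct = self._accounts[user_id]
        acct.status = "suspended"
        acct.history.append(("suspended", reason))

    def close(self, user_id, reason):
        # Closing strips group membership so no dormant privilege survives.
        acct = self._accounts[user_id]
        acct.status = "closed"
        acct.groups.clear()
        acct.history.append(("closed", reason))

    def effective_resources(self, user_id):
        acct = self._accounts.get(user_id)
        if acct is None or acct.status != "active":
            return set()
        out = set()
        for g in acct.groups:
            out |= self._group_resources.get(g, set())
        return out

    def can_access(self, user_id, resource):
        """Enforcement point: unknown, suspended and closed accounts are denied."""
        return resource in self.effective_resources(user_id)

    def review(self):
        """Management review: every account with its status and live privileges."""
        return sorted(
            (a.user_id, a.status, sorted(self.effective_resources(a.user_id)))
            for a in self._accounts.values()
        )


def check_password(password):
    """Inline policy validation; returns the list of violations (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letter")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digit")
    return problems


def demo():
    """Constructed walk-through of the lifecycle; returns the review report."""
    repo = AccountRepository()
    repo.grant_group("finance", {"general-ledger"})
    repo.grant_group("it-ops", {"backup-console"})
    repo.create("alice", owner="A. Example", groups={"finance"})
    repo.create("bob", owner="B. Example", groups={"it-ops"})
    repo.modify_groups("bob", add={"finance"})
    repo.suspend("alice", "quarterly review: role change pending")
    repo.close("bob", "left the company")
    return repo.review()
```

The review report is the artefact an auditor would ask for: it is derived from the same repository that the enforcement point consults, so what management reviews and what the system enforces cannot drift apart.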