Sarbanes-Oxley: A Cross-Industry Email Compliance Challenge

Is your enterprise following the rules?

The bulk of financial information in many companies is created, stored and transmitted electronically, maintained by IT and controlled via information integrity procedures and practices. For these reasons, compliance with federal requirements such as the Sarbanes-Oxley Act (SOX) is heavily dependent on IT. Companies that must comply with SOX are U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. Ultimately, the corporate CEO and CFO are accountable for SOX compliance, and they will depend on company finance operations and IT to provide critical support when as they report on the effectiveness of internal control over financial reporting.

Sound practices include corporate-wide information security policies and enforced implementation of those policies for employees at all levels. Information security policies should govern network security, access controls, authentication, encryption, logging, monitoring and alerting, pre-planned coordinated incident response, and forensics. These components allow for information integrity and data retention, while enabling IT audits and business continuity.

Complying with Sarbanes-Oxley

The changes required to ensure SOX compliance reach across nearly all areas of a corporation. In fact, Gartner Research went so far as to call the Act "the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression." Since the bulk of information in most companies is created, stored, transmitted and maintained electronically, one could logically conclude that IT shoulders the lion's share of the responsibility for SOX compliance. Enterprise IT departments are responsible for ensuring that corporate-wide information security policies are in place for employees at all levels. Information security policies should govern:

* Network security
* Access controls
* Authentication
* Encryption
* Logging
* Monitoring and alerting
* Pre-planning coordinated incident response
* Forensics

These components enable information integrity and data retention, while enabling IT audits and business continuity.

In order to comply with Sarbanes-Oxley, companies must be able to show conclusively that:

* They have reviewed quarterly and annual financial reports;
* The information is complete and accurate;
* Effective disclosure controls and procedures are in place and maintained to ensure that material information about the company is made known to them.

Sarbanes-Oxley Section 404

Section 404 regulates enforcement of internal controls, requiring management to show that it has established an effective internal control structure and procedures for accurate and complete financial reporting. In addition, the company must produce documented evidence of an annual assessment of the internal control structure's effectiveness, validated by a registered public accounting firm. By instituting effective email controls, organizations are not only ensuring compliance with Sarbanes-Oxley Section 404; they are also taking a giant step in the right direction with regards to overall email security.

Effective Email Controls

Email has evolved into a business-critical application unlike any other. Unfortunately, it is also one of the most exposed areas of a technology infrastructure. Enterprises must install a solution that actively enforces policy, stops offending mail both inbound and outbound and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur.

An effective email security solution must address all aspects of controlling access to electronically stored company financial information. This includes access during transport as well as access to static information resident at the company or on a remote site or machine. Given the wide functionality of email, as well as the broad spectrum of threats that face email systems, ensuring appropriate information access control for all of these points requires:

* A capable policy enforcement mechanism to set rules in accordance with each company's systems of internal controls;

* Encryption capabilities to ensure privacy and confidentiality through secure and authenticated transport and delivery of email messages;

* Secure remote access to enable remote access for authorized users while preventing access from unauthorized users;

* Anti-spam and anti-phishing technology to prevent malicious code from entering a machine and to prevent private information from being provided to unauthorized parties

In conclusion, complying with Sarbanes-Oxley puts a heavy burden on an organization's IT department to implement and enforce policies set up by corporate governance boards. In order to make sure the company's email system complies with Sarbanes-Oxley, IT managers must be able to document steps they have taken to address Section 404 of the code. CipherTrust manufactures a secure email gateway appliance that can help organizations comply with Sarbanes-Oxley. To learn more about it, please visit www.ciphertrust.com/solutions/compliance_SOX.php and read our articles and white paper on the subject of SOX compliance.

Dr. Paul Judge is a noted scholar and entrepreneur. He is Chief Technology Officer at CipherTrust, the industry's largest provider of enterprise email security and anti spam solutions. Learn what you need to know to comply with Sarbanes-Oxley regulations by visiting http://www.ciphertrust.com/solutions/compliance_SOX.php today.

Enews 2.0

Top immigration official outlines security database changes Chicago Tribune, United States - 8 hours ago AP CHICAGO - A top US Immigration official says it's necessary to increase fees to fund a security database that tracks foreign students. ... Video: ICE Agents Raid Meat Packing Plant AssociatedPress Iowa immigration raid is largest in US history Arizona Republic Undercover worker aided agents Waterloo Cedar Falls Courier Kansas City Star - New York Times all 671 news articles

Mock attack defeats lab security San Jose Mercury News,  USA - 3 hours ago By SCOTT LINDLAW AP Writer SAN FRANCISCO—Mock terrorists defeated security personnel in a recent drill at Lawrence Livermore National Laboratory, ...

Malaysia Star

'Iran will not give up enrichment' Jerusalem Post, Israel - 1 hour ago Iranian President Mahmoud Ahmadinejad "is quite prepared, as is the rest of the leadership, to ignore the various security council resolutions that require ... Iran Won't Negotiate Its Lawful Atomic Energy Rights Bernama US: Iran proposals not to settle woes PRESS TV 5+1 should revise views on Iran: MP Tehran Times IranMania News - Antiwar.com all 254 news articles

Canoe.ca

Harper Must Answer Canadians’ Questions on National Security Liberal.ca (press release), Canada - 7 hours ago Prime Minister Stephen Harper must assure Canadians that all possible security checks were followed with regard to the latest gaffe of Minister of Foreign ... Security Check On Port Workers Tighter Than That For Cabinet Members AHN Port workers and their spouses face more scrutiny than cabinet ... Globe and Mail Bloc calls for Bernier security probe Toronto Star The Canadian Press - Globe and Mail all 371 news articles

AFP	US: Security Council should address Lebanon fighting AFP - 3 hours ago ABOARD AIR FORCE ONE (AFP) — The United States is expecting the UN Security Council to take action next week on the issue of unrest in Lebanon, ...

Javno.hr

US expects little from Iran on world problems AFP - 5 hours ago Iran must in any case yield to UN Security Council resolutions, which demand it halt the enrichment of uranium, McCormack added. ... Iran says puts package of proposals to EU's Solana Reuters UK Iran will not halt uranium enrichment: envoy Tehran Times US declines to help present nuclear deal to Iran International Herald Tribune The Associated Press - AFP all 154 news articles

Security Officer Seattle Times, United States - 4 hours ago The role of the Medical Center Security Officer is to assure a safe and secure environment for the patients, visitors, staff and property of Swedish Medical ...

Eruces gains US patent for security software Bizjournals.com, NC - 8 hours ago A Lenexa-based software company has garnered its first US patent for its data security software. The US Patent and Trademark Office granted Eruces Inc. a ... ERUCES Awarded US Patent for its Cryptographic Key Management Emediawire (press release) all 9 news articles

Citizen

Security Council strongly condemns rebel attack near Khartoum International Herald Tribune, France - 3 hours ago AP UNITED NATIONS: The UN Security Council on Tuesday strongly condemned the rebel attack near Khartoum, warning against any retaliation and urging Sudan ... UN Security Council condemns rebel attack on Khartoum Xinhua Security Council condemns JEM attack against Sudan’s govt Sudan Tribune Security Council slates weekend attacks by Darfur rebels near ... UN News Centre Monsters and Critics.com - International Herald Tribune all 2,353 news articles

Seagate Secure(TM) Self-Encrypting Laptop Hard Drives Earn ... FOXBusiness - 14 hours ago NSTISSP No.11 defines requirements for a wide variety of products that "satisfy a diversity of security requirements to include providing confidentiality ... Wave Q1 2008 Revenues Rose 32% to $1.7 Million on Continued Growth ... Business Wire (press release) all 14 news articles