The Medieval Approach to SOX Compliance

In the world of compliance, record-keeping and maintenance are critical parts of the process. The Sarbanes-Oxley Act (SOX) requires organizations to implement controls over the release of information to individuals or organizations outside the company’s network, and to implement policies that define how long, and in what manner, electronic communications should be retained.

The ruling does not, however, detail the specific steps organizations should take to comply with these regulations. Rather, it requires companies to implement programs that ensure the secure flow of information, and to be able to document the success and deficiencies of those programs.

Organizations responding to SOX are still, in the beginning of Year 2, trying to determine what data to keep, how long to keep it, when to divulge it and how to guard it.

In addition to the actual retention of records, organizations need their security strategy to guard against three main threats:

  • External attempts to compromise network security through viruses, spyware, phishing and pharming.
  • Internal sabotage from employees consciously divulging or inappropriately storing sensitive information.
  • Internal carelessness or willful disregard for corporate policies (for example, sending out confidential information over email).

They must also develop and enforce email security rules in order to ensure collection and dissemination of the right information. Finally, they must have systems in place to verify that they are satisfying legal obligations.

Choosing Your Treasure

Record retention addresses the rules around retention of documents that are created, sent or received relating to an audit or review. Companies must establish clear email retention policies, and the IT department must ensure that these policies are followed. Unfortunately, few companies have strict guidelines in place, exposing them to legal and regulatory violations.

The real problem in this case is that companies are uncertain of how to keep email compliant under SOX standards, often choosing to save everything and thereby increasing their risk if litigation ensues.

Those that follow this path fail to understand an integral aspect of the SOX directive: that retention is not just about archiving the information, but also retrieving specific, relevant information when asked.

Instead of implementing an absolute record retention strategy, organizations need to carefully consider industry requirements and norms by developing, implementing and enforcing a policy framework that retains documents selectively and consistently. Such a policy could dictate whether to retain or delete an email based on content, making it easier to categorize and index for easier future retrieval.

By filtering out spam and malicious content, policy controls for inbound and outbound email can reduce the volume of email that compliance scanning, archiving and encryption systems handle. Policy controls can also look for common patterns and combined, pre-determined keywords that suggest a message might require retention.

Barring the Gate

Viruses, malicious spyware, phishing and pharming attacks can compromise the most carefully managed network. Such pests can shut down systems or consume precious resources to address, yet to many this is the least worrisome of the three threats.

Recently these threats have gone beyond mere “virtual graffiti” to something truly damaging — installing a back door or harvesting user names and passwords that can later be used for access into the network.

A combination of user education and technology is needed to eliminate this threat. Some anti-virus and anti-spam solutions remove threats as they come in via email. Others detect viruses on external data sources such as CDs, network servers and online downloads.

To be effective, your data security strategy must take a multi-tiered approach to protecting gateways, servers and desktops.

Compliance is not just a matter of end-of-quarter reports. You need real-time check-and-balance mechanisms to confirm that technology and procedures are actually protecting data and recognizing security breaches.

Solutions must alert supervisors immediately of threats affecting the network. In addition, you need a real-time view of the status of every device in the network to ascertain which devices are protected, which need updating, and which, if any, have been attacked. Automatic updates and centralized installation ensure continuous protection.

The Enemy Within

Perhaps the most frightening threat is the “enemy within” — those employees who either consciously or unconsciously put the organization at risk.

The conscious saboteur does it for one of two reasons: an actual attempt to sabotage a company or an arrogant belief that s/he knows which policies are important to follow and when. The “good” employee, on the other hand, is as much a risk to the company through carelessness and lack of knowledge.

While it’s difficult to thwart a truly committed subversion attempt, you can minimize the damage from both the conscious and unconscious saboteur through effective security policy creation, management and enforcement throughout the organization.

For example, firewall and access management technologies can limit access to confidential information. However, in this day of ubiquitous email, developing and enforcing email policies to manage the transmission of email and the sensitive information it might contain can serve as a moat between your company and the outside.

Gateway protection policies should prohibit the distribution of inappropriate content and attachments and restrict unauthorized parties from viewing corporate data.

In an effort to comply with regulations, organizations are writing policies that specify the format and legal statements that must be part of every email. Policy enforcement at the gateway can be customized to scan email for particular keywords or attachment types and apply formatting and text per company-specified rules. More complex scenarios can be covered through the administration and control of virtually every aspect of an email message.

Some organizations are capturing the content and header information for each email transmission that comes in and goes out from their email servers. With policy controls in place, detailed transaction logs can provide the information you need to meet internal control documentation requirements.
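The content-based retention rules from the Choosing Your Treasure section and the gateway controls just described (keyword and attachment scanning, mandatory legal text, per-message transaction logs) can be sketched as one small policy evaluator. This is an added example, not code from the article or from Sophos; the domain, keyword patterns, blocked attachment types and footer text are hypothetical placeholders, and the sample messages are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # constructed placeholder, not a real deployment
# Hypothetical rules: patterns that mark a retainable financial record, and attachment types refused outright.
RETENTION_PATTERNS = [
    re.compile(r"\b(audit|10-K|10-Q|quarterly results)\b", re.I),
    re.compile(r"\brevenue\b.{0,40}\brestatement\b", re.I | re.S),
]
BLOCKED_ATTACHMENT_TYPES = {"application/x-msdownload", "application/x-sh"}
FOOTER = "\n\n--\nConfidentiality notice: [placeholder legal text]"

def evaluate(raw):
    """Apply the policy to one raw RFC 5322 message; returns (action, log entry, message)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    subject = str(msg["Subject"] or "")
    hits = sorted({p.pattern for p in RETENTION_PATTERNS
                   if p.search(text) or p.search(subject)})
    kinds = [part.get_content_type() for part in msg.iter_attachments()]
    fields = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    rcpts = [addr for _, addr in getaddresses(fields)]
    external = [a for a in rcpts if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if any(k in BLOCKED_ATTACHMENT_TYPES for k in kinds):
        action = "block"          # never leaves the gateway
    elif hits:
        action = "retain"         # deliver, and copy to the retention archive
    else:
        action = "deliver"
    if action != "block" and external and body is not None:
        body.set_content(text + FOOTER)   # company-mandated legal text on outbound mail
    log = {"message_id": str(msg["Message-ID"]), "from": str(msg["From"]),
           "to": rcpts, "external": bool(external), "retention_hits": hits,
           "attachments": kinds, "action": action}  # one transaction-log record
    return action, log, msg

def build_sample(to, subject, text, attachment_type=None):
    # Constructed sample message for demonstration; not a real capture.
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "cfo@" + INTERNAL_DOMAIN, to, subject
    m["Message-ID"] = "<sample-1@" + INTERNAL_DOMAIN + ">"
    m.set_content(text)
    if attachment_type:
        maintype, subtype = attachment_type.split("/")
        m.add_attachment(b"\x00\x01", maintype=maintype, subtype=subtype, filename="payload.bin")
    return m.as_bytes()
```

The log dictionary is the record a compliance reviewer would later query, so it should be written to durable, append-only storage rather than kept with the mail itself.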

The Future Imperative

To ensure compliance with current and future legislation, organizations must establish a comprehensive IT security strategy for compliance, keeping the following goals in mind:

  • Information security: At the heart of SOX is the need to protect information. Nothing should alter original data, and there must be a clear alert in the event of any attempt to modify or destroy information.
  • Email security: Organizations should maintain the confidentiality of important content; all email should include consistent legal information across recipients; and, to succeed fully, email policy enforcement must ease retrieval and monitoring efforts.
  • Proof of control: Key to satisfying regulations is the ability to prove that compliance efforts are working. Event logs, audit trails, and reporting are critical to meeting this goal.

No matter which legislative requirements you are striving to meet, you must implement a comprehensive approach to compliance that affects all areas of your business. The combination of a multi-layer security architecture, powerful policy tools and strong vendor support can go a long way to expediting your success and protecting your assets both in the long and short term.

Gregg Mastoras is a senior security analyst at Sophos and has worked in the technology industry for more than a decade. Prior to joining Sophos, he held various senior management roles in product marketing and product management at Lightbridge, Lucent Technologies, and CSC.