The requirements of SOX compliance focus on establishing a system of checks and balances for corporate financial reporting and are designed to hold executives, accountants, and auditors of public corporations to higher standards. While the requirements for SOX compliance only directly affect public corporations, there has been a trickle-down effect to private companies serving as business associates, consultants, and outsourced service providers. Given this, both public and private companies need to have an understanding of Sarbanes-Oxley compliance to ensure that their daily business practices are aligned with its specific requirements.
Achieving Sarbanes-Oxley compliance is not impossible, but there are a few key elements beyond ethical leadership that are necessary to achieve and maintain it. Public corporations must implement the proper information access controls and possess the appropriate tools to ensure that information is kept secure. These, combined with practical security policies and processes, will go a long way toward keeping corporate executives out of the hot seat with regulatory officials and will also provide value well beyond SOX compliance.
Overview of SOX
The SOX legislation (http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf) was enacted on July 30, 2002 and falls under the umbrella of the U.S. Securities and Exchange Commission (SEC). SOX differs from other recent legislation involving information security and privacy as it revolves around the protection of financial records and helps ensure the accuracy of financial reports as an indirect means for regulating corporate behavior. The requirements set forth for Sarbanes-Oxley compliance apply to all U.S. public companies, foreign filers in U.S. markets, and privately-held companies with public debt.
Sarbanes-Oxley compliance affects multiple business units across the organization, from the CEO and the CFO to the IT and security departments. However, SOX contains various sections that directly affect the IT and information security functions in today’s corporations. To maintain SOX compliance, these departments must implement access and integrity controls on financial information, as well as system monitoring and audit trails -- requirements similar to common risk management processes typically present within most public corporations.
Of the several dozen sections in SOX, Section 404 – Management Assessment of Internal Controls is the one that affects IT and information security the most. In order to establish SOX compliance, an annual internal control report is required to:
- State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
- Contain an assessment, as of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures for the issuer for financial reporting
For the purposes of Sarbanes-Oxley compliance, the SEC has defined internal control over financial reporting as it relates to information security to include the maintenance of records and reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of assets related to financial statements.
SOX Compliance and Web Application Security
From a fundamental information security and controls perspective, it is clear that Web application security is crucial to Sarbanes-Oxley compliance. The requirements for SOX compliance apply to any system that processes or maintains financial data. Given that most corporate financial records are stored, accessed, and maintained electronically, often through systems with Web-based components, this information is closely tied to Web applications.
In addition, there is a reporting component required for SOX compliance that ties into Web applications. Web servers, database servers, and often the applications themselves have a logging function that creates audit trails for tracking who, what, and when. These trails not only provide the details necessary for system monitoring and troubleshooting but are often used in a forensics capacity to investigate attacks against Web applications. Audit trails can also assist with and provide documented proof that ongoing Web application security assessments and audits required to achieve Sarbanes-Oxley compliance are taking place.
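As an added illustration that is not part of the original whitepaper, the following Python script reduces a few constructed Web-server log lines to the who/what/when audit trail described above, then applies three control checks to changes made through financial endpoints: that the account was authenticated, that it belongs to an approved role, and that the change fell inside a permitted window. The `/finance/` prefix, the approved accounts, and the change window are assumed values for the example, not values from the paper.

```python
import re
from datetime import datetime

# Constructed Apache "combined" access-log lines, not taken from the original paper.
SAMPLE_LOG = """\
10.1.2.3 - jsmith [15/Mar/2024:09:14:05 +0000] "GET /finance/ledger/report?q=2024Q1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.2.3 - jsmith [15/Mar/2024:09:16:41 +0000] "POST /finance/ledger/journal-entry HTTP/1.1" 201 87 "-" "Mozilla/5.0"
10.1.2.9 - - [15/Mar/2024:09:20:00 +0000] "POST /finance/ledger/journal-entry HTTP/1.1" 302 0 "-" "curl/8.0"
10.1.2.7 - mgarcia [15/Mar/2024:23:41:12 +0000] "DELETE /finance/ledger/journal-entry/118 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.1.2.4 - intern1 [15/Mar/2024:10:02:30 +0000] "PUT /finance/ledger/journal-entry/119 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
10.1.2.5 - jsmith [15/Mar/2024:10:05:00 +0000] "GET /intranet/news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields the audit trail needs: client, authenticated user, time, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Hypothetical control parameters; a real organisation takes these from its own policy.
FINANCIAL_PREFIX = "/finance/"                 # URL space fronting the financial reporting system
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
AUTHORIZED_WRITERS = {"jsmith", "mgarcia"}     # accounts approved to change ledger data
CHANGE_WINDOW = (8, 18)                        # UTC hours [start, end) in which ledger changes are allowed

def audit_trail(log_text):
    """Reduce raw access-log lines to who/what/when records for financial endpoints."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(FINANCIAL_PREFIX):
            continue
        events.append({"who": None if m["user"] == "-" else m["user"],
                       "what": f'{m["method"]} {m["path"]}',
                       "when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                       "status": int(m["status"]), "source": m["ip"]})
    return events

def review_exceptions(events):
    """Return (event, reason) pairs for changes to financial data that violate the controls."""
    findings = []
    for e in events:
        if e["what"].split(" ", 1)[0] not in WRITE_METHODS:
            continue  # reads stay in the trail but are not control exceptions here
        if e["who"] is None:
            findings.append((e, "unauthenticated write to financial endpoint"))
        elif e["who"] not in AUTHORIZED_WRITERS:
            findings.append((e, "write by account outside approved role"))
        elif not CHANGE_WINDOW[0] <= e["when"].hour < CHANGE_WINDOW[1]:
            findings.append((e, "write outside approved change window"))
    return findings
```

Running `review_exceptions(audit_trail(SAMPLE_LOG))` on the constructed lines yields three findings (the anonymous POST, the after-hours DELETE, and the PUT by an account outside the approved role), while the two GET requests and the `/intranet/` line are retained or filtered without being flagged.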
As with most information security initiatives, the requirements for SOX compliance are policy driven in areas such as:
- User authentication
- Password management
- Access controls
- Input validation
- Exception handling
- Secure data storage and transmission
- Monitoring and alerting
- System hardening
- Change management
- Application development
- Periodic security assessments and audits
If security policies designed to maintain Sarbanes-Oxley compliance are not in place and enforced with adequate business processes and technical controls, Web applications can easily expose financial systems to danger.
Beyond implementing the necessary policies and processes, another important element of Sarbanes-Oxley compliance is to focus on detecting vulnerabilities so they can be fixed before they are discovered and exploited. An information risk assessment looks at all aspects of the information security infrastructure and determines specific information threats, vulnerabilities, and risks. Analyzing Web applications that are critical front-ends to many of today’s corporate financial information systems is a critical part of this assessment, and the ongoing audits required for SOX compliance provide third-party validation that Web application security is where it needs to be in order to protect the integrity of financial information and reporting systems.
Software Products That Can Help
Public corporations have many technological options for supporting the various internal controls needed to achieve Sarbanes-Oxley compliance and protect sensitive systems. However, the problem with relying on traditional network security products like firewalls, intrusion detection systems, and encryption to ensure SOX compliance is that most Web-based attacks can still occur without being detected or responded to effectively. Attackers can be prevented from accessing the network altogether by performing proactive Web application vulnerability assessments.
While manual testing can be a valuable way to find contextual vulnerabilities, it would likely take an unreasonable amount of time to achieve results. Several types of commercial and open-source software tools can help Web developers, QA analysts, and security auditors find and fix Web application vulnerabilities. These tools can be used to identify initial risks in source code and production systems, as well as to perform preventative testing for SOX compliance during the software development lifecycle and post-deployment phases. With these tools, Web developers, QA analysts, penetration testers, and security auditors can run full, partial, or customized scans on Web applications or Web services on hosts throughout the enterprise that are associated with the financial reporting process to ensure Sarbanes-Oxley compliance.
In addition, these tools can be used as a starting point for the creation or revision of security standards, policies, and processes that are necessary for SOX compliance. This will help ensure that all the initial time, money, and effort spent to establish Sarbanes-Oxley compliance are smart investments.
When searching for Web application security software tools to help with Sarbanes-Oxley compliance, it’s important to consider the following features:
- Overall ease of use
- Testing flexibility (i.e., manual stepping, automated crawling, or input variations)
- Customizable security policies
- Automatic updates and application patches for new Web vulnerabilities
- Prioritization of discovered Web security vulnerabilities
- Level of reporting (i.e., executive, technical, QA)
- Support for specific software platforms and development languages
- Vendor or open source team reputation and long-term viability
- Costs related to acquiring, using, and supporting the tool
The bottom line is that SOX compliance and information security are not one-time events. Organizations must work diligently and consistently to ensure that Web application weaknesses are found and threats are defended against as quickly as possible. This can only be done effectively with minimal costs by using powerful, integrated design, static analysis, and Web application vulnerability assessment tools. There is no more flexible or useful way of performing security assessments and ongoing audits on Web applications to help prepare the organization for Sarbanes-Oxley compliance than by utilizing the right software tools.
It’s critical to remember that SOX Section 404 and Sarbanes-Oxley compliance are just a piece of the overall puzzle; IT departments won’t (nor should they) control or drive all SOX compliance initiatives. However, they can certainly help the cause of Sarbanes-Oxley compliance by deploying technologies that automate and enforce the necessary internal controls for financial reporting systems.
About Caleb Sima
Caleb Sima is the co-founder of SPI Dynamics, a Web application security products company. He currently serves as the CTO and director of SPI Labs, SPI Dynamics’ R&D security team. Prior to co-founding SPI Dynamics, Caleb was a member of the elite X-Force R&D team at Internet Security Systems, and worked as a security engineer for S1 Corporation. Caleb is a regular speaker and press resource on Web application security testing methods and has contributed to (IN)Secure Magazine, Baseline Magazine and been featured in the Associated Press.
About Kevin Beaver
Kevin Beaver – founder of Atlanta-based Principle Logic, LLC – is an independent information security consultant, author, and speaker. He has over 18 years of experience in IT and specializes in performing information security assessments. Before starting his own information security services business five years ago, Kevin served in various information technology and security companies.
For Further Reading
The generally accepted internal control framework for Sarbanes-Oxley compliance is published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Refer to www.coso.org for more information.
1. U.S. Sarbanes-Oxley Act of 2002, Public Law 107-204, July 30, 2002.
DISCLAIMER: The authors have used their best efforts in the preparation of this whitepaper. The information and opinions provided in this whitepaper do not constitute or substitute for legal or other professional advice. Readers should consult their own legal or other professional advisors for individualized guidance regarding the application of the SOX Act to their particular situations and in connection with other compliance-related concerns.