The Sarbanes-Oxley Act (SOX) is one of the most comprehensive compliance acts ever to affect corporate business. Because most business information today is stored and sent electronically, the IT department must create an encompassing security policy to ensure that the company is compliant with SOX.
The security policy must govern everything from network security to access controls, logging, encryption, and alerting. These policies and guidelines must be documented, and the IT department must be able to produce these documents and show that the policies are in place and being followed in the event of an audit.
Because so much data today is transferred via email, it naturally plays a very large role in ensuring that your company is compliant with SOX. A great deal of data is transmitted over email protocols, yet email remains one of the most insecure realms of the network. This is why IT professionals must pay close attention to how emails are sent and received on their network.
SOX requires that all malicious emails, both inbound and outbound, are seized on the network and removed before any internal data is compromised, rather than merely alerting IT staff as violations occur. Email security compliance covers every aspect of your email system, and email must remain secure at all points of transmission. This means that emails containing financial information must be encrypted in transit to the recipient and must be protected by access controls while they reside on a local system for storage.
Anti-spam and anti-phishing systems must be in place and integrated with your email system. The system must be configured to prevent emails detected as malicious from reaching workstations on the network.
Email archiving is also required for Sarbanes-Oxley Act compliance. All emails must be archived so that any email received by the company's system can be retrieved at a later date. Emails should be archived before they are delivered to the mail client, to ensure that information cannot be deleted or removed from the system before archiving takes place.
If the Sarbanes-Oxley Act affects your company, it is important that not only your IT staff become familiar with SOX, but that the whole staff be trained on the basics of what SOX compliance requires of them. As an IT professional, your network security policy should be well documented and enforced.