SOX Compliance: How IT Helps When You’re Going Public
This article is part of the Twingate Infosec Compliance Series. Written for security ops, IT admins, and anyone tasked with implementing infosec requirements imposed by compliance standards, this series explains common standards and how they relate to information security. This article discusses a law but is not legal advice. Consult a qualified advisor to understand how SOX may apply specifically to your organization.
In the wake of several high profile accounting fraud scandals, including Enron and WorldCom, the Sarbanes-Oxley Act (SOX) was passed in 2002 to “protect investors by improving the accuracy and reliability of corporate disclosures.” SOX is primarily concerned with measures that are designed to ensure the integrity of financial records and financial reporting. Most relevantly from an infosec perspective, companies are required to maintain internal controls to prevent fraud and errors relating to financial records.
SOX applies to all public companies in the U.S. and their wholly-owned subsidiaries, and all non-U.S. public companies that do business in the U.S.
As such, SOX is highly relevant to private companies preparing for an IPO as well, and they typically start SOX readiness projects many months in advance. SOX compliance is a large driver of work as a company prepares to go public.
SOX compliance is mandatory. SOX requires annual audits to be performed by independent auditors (typically accounting firms) to verify a company’s financial statements and opine on whether internal controls meet SOX standards. Results are then reported to the Securities and Exchange Commission (SEC).
Under section 302 of SOX, a company’s principal officers (typically the CEO and CFO) must personally certify financial reports as “complete and accurate” and affirm they’ve reviewed internal controls at least once in the past 90 days. Non-compliance (whether intentional or not) can result in company officers personally facing criminal liability in the form of jail time and monetary penalties. Because of this, SOX compliance has visibility at the highest levels of an organization.
SOX may also require a data breach to be publicly reported, particularly if it resulted from a failure of internal controls or the compromise of financial records.
Typically, the finance department of a company, spearheaded by the CFO, will be primarily responsible for managing and ensuring SOX compliance. Legally speaking, both the CEO and CFO typically bear responsibility for the organization’s compliance with SOX.
Section 404 of SOX requires a company to assess its internal controls and report this assessment to the SEC each year. The assessment must also be evaluated by an independent auditor. Section 404 arguably produces the lion’s share of work when attaining SOX compliance. While information security is not specifically discussed by SOX, and SOX does not prescribe which controls must be assessed, it is generally understood that given the reliance on technology systems to process and maintain financial records, a review of internal controls must cover infosec controls. Technology systems represent a point of vulnerability for potential manipulation, fabrication, or loss of financial records.
Guidance from the Public Company Accounting Oversight Board identifies information technology general controls (ITGC) as foundational, in particular. The guidance is not very prescriptive, but acknowledges that internal controls are not “one-size-fits-all,” giving companies the flexibility to select controls that match the size and complexity of the company.
That said, frameworks such as COBIT can provide a structured approach to establishing internal IT controls. Common control areas include:
- Security policies: Maintaining this documentation is important to set rules and expectations within the organization, and also to provide evidence of such rules and expectations to auditors.
- Access and authentication: Financial systems should only be accessible by authorized personnel, so controls to properly authorize and authenticate appropriate individuals need to be implemented.
- User account management: This area includes controls relating to onboarding and offboarding processes for users, requesting and approving account change requests, and regular reviews of access rights.
- Network security: Securing network infrastructure, such as with firewalls, IDS/IPS, malware detection, encryption, and running penetration testing are all common controls.
- Monitoring: Logs should be kept and monitored for anomalous events that are then actioned as appropriate.
- Segregation of duties: This requires both mapping out a clear delineation of duties, and enforcing them via creation of appropriate access controls and permissions.
- Data backups: This includes both making and testing of backups.
- Physical security: Ensuring tangible security measures are in place to protect from physical and environmental threats.
Companies already should have an infosec program in place when SOX becomes relevant, so IT departments normally don’t start from scratch when attaining SOX compliance. Compliance readiness is more a mix of ensuring that existing security practices are documented and working consistently, and that any control gaps are remediated.
Because preserving the integrity of financial records and other financial data is critical, access management controls are a linchpin in the context of SOX. However, traditional access technologies like corporate VPNs have failed to meet the growing challenge of keeping track of who is allowed to access what, and of who is accessing what. This is because modern businesses are no longer confined to a physical office building: apps, data, servers, and networks have moved to the cloud, and workers commonly work remotely using a variety of devices. VPNs rely on securing a fixed network perimeter that no longer neatly contains everything, and granting access to everything within that perimeter, which is too coarse an approach.
Twingate is a secure access solution that is built on modern Zero Trust principles, enabling companies to implement and enforce least privilege access to private network resources, including financial systems and the data that feeds into them. In relation to SOX, Twingate simplifies and automates the process of implementing modern and secure access controls:
- Identity-First Networking: Twingate’s Identity-First Networking approach attributes every access request to a specific user, device, and context (such as time and location), giving a clear line of sight into who is accessing what and whether they should be allowed to do so.
- Least privilege access: The granularity provided by least privilege access allows true segregation of duties to be implemented between different users.
- Zero Trust: Every request from an end user’s device to a network resource is authenticated and authorized by Twingate. A device is not trusted simply because it has gained access to a network. This model also prevents lateral movement of a malicious actor who is already “on the network” and reduces the blast radius of any damage they can cause.
- Logging and monitoring: Every access request is logged, allowing traffic to be monitored and unusual events to be inspected and acted upon.
- Quick to deploy: Deploying Twingate does not require changes to network infrastructure, so it is simple enough to be deployed in minutes, giving more time for IT admins to focus on other SOX requirements.
- Easy to maintain: Sustaining SOX compliance quarter-after-quarter is a lower maintenance task with Twingate. Because network access controls for the entire enterprise are centralized and managed through one intuitive admin console, periodic tasks like access reviews and onboarding/offboarding users become easier.
- Hide private networks: Twingate hides your network and its internal resources from the public internet. This means fewer servers for attacks to probe and a reduced attack surface area.
Becoming a publicly listed company typically involves a frenzy of activity as teams implement the changes needed to support that transition. Anything that makes that process easier, faster, and more efficient adds value to the business.
Attend a demo session with our team and learn how Twingate can make preparing for an IPO less work and less stressful.