What is Sarbanes-Oxley (SOX) Act Data-at-Rest Security Compliance?
Sections 302 and 304 of the Sarbanes-Oxley (SOX) Act set standards related to data protection, applying to US public companies and accounting firms.
Regulation
Sarbanes-Oxley Act: Section 404
Sarbanes-Oxley Act section 404 has two major compliance requirements:
- Management is accountable for establishing and maintaining internal controls and procedures that enable accurate financial reporting and assessing this posture every fiscal year in an internal control report.
- Public accounting firms that prepare or issue yearly audits must attest to, and report on, this yearly assessment by management.
Sarbanes-Oxley Act: Section 302
Sarbanes-Oxley Act section 302 expands this with compliance requirements to:
- List all deficiencies in internal controls and information, as well as report any fraud involving internal employees.
- Detail significant changes in internal controls, or factors that could have a negative impact on internal controls.
Implications
The implications of the SOX compliance requirements for how public companies must protect data are:
- Any financial information needs to be safeguarded and its integrity assured.
- Specific internal security controls that protect this data need to be identified, auditing must take place, and this security posture must be re-assessed every year, including any changes or deficiencies that result from changing conditions.