What is Sarbanes-Oxley (SOX) Act Data-at-Rest Security Compliance?

Sections 302 and 404 of the Sarbanes-Oxley (SOX) Act set standards related to data protection; they apply to US public companies and accounting firms.

Sarbanes-Oxley Act: Section 404
Sarbanes-Oxley Act section 404 has two major compliance requirements:

  • Management is accountable for establishing and maintaining internal controls and procedures that enable accurate financial reporting, and for assessing this posture every fiscal year in an internal control report.
  • Public accounting firms that prepare or issue yearly audits must attest to, and report on, this yearly assessment by management.

Sarbanes-Oxley Act: Section 302
Sarbanes-Oxley Act section 302 expands on this with compliance requirements to:

  • List all deficiencies in internal controls and information, as well as report any fraud involving internal employees.
  • Detail significant changes in internal controls, or factors that could have a negative impact on internal controls.

The SOX compliance requirement implications for public companies to protect data are:

  • Any financial information needs to be safeguarded and its integrity assured.
  • Specific internal security controls that protect this data need to be identified, auditing must take place, and this security posture must be re-assessed every year – including any changes or deficiencies that result from changing conditions.