The Sarbanes-Oxley Act of 2002, named after its sponsors, US Senator Paul Sarbanes (D-MD) and Rep. Mike Oxley (R-Ohio), was passed in response to a number of major corporate and accounting scandals that had resulted in a decline of public trust in accounting and reporting practices. The SOX rules and regulations provide guidance to corporations on financial and accounting disclosure. The standard is wide-reaching and covers every aspect of financial responsibility and reporting structures within an organization. In June 2003, the Securities and Exchange Commission ("SEC") implemented Section 404 of the Sarbanes-Oxley Act, requiring issuers to include in their annual reports an assessment of the company's internal control over financial reporting as well as an auditor's report on that assessment.
The specifics are summarized in section 404.3 and read as follows: a process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, and which includes those policies and procedures that:
The SOX requirements ultimately rely upon large histories of data concerning user- or role-based system usage, which must be available for deep forensic analysis. The Sarbanes-Oxley requirements focus on internal control requirements, and most of what is required is non-technical. However, two of the SOX requirements, rules 302 and 404, are aligned with a company's reporting structure. Although rules 302 and 404 mainly focus on financial reporting, a migration towards IT and security reporting is occurring as new internal control procedures are being implemented. These new rules require corporate managers to produce annual reports detailing internal controls and procedures. Obviously, with the ongoing shift towards technology reporting, there is an opportunity to leverage the technologies of NitroSecurity to facilitate these regulatory requirements.
Requirements 302, 304, 306, 308, 404, 409, and 802 require the continuous monitoring of database activity, especially high-risk activities including privileged user behavior, direct access to sensitive data stores, user privilege escalation, failed logins and failed database operations. Any system controls that can impact the ability to faithfully report financial status must also be monitored. The ability to report all activity, and to determine what actually happened to specific data, is also a requirement.
These requirements can be addressed with NitroView DBM's database monitoring capability, NitroView ELM's compliant log storage and reporting, and NitroView ESM's real-time analysis and reporting capabilities.
ISO 17799 requires that you monitor and report on activity such as foreign domain activity, password events (i.e., activity across the trusted network perimeter), control of operational software, system test data, and ultimately the control of all financial data and human resources data, including the control of system audit data and collected data, and proof that controls have not been bypassed.
NitroView DBM is able to monitor administrative and user activity, including any adjustments to database auditing and configuration, and because NitroView DBM is network-based, it is inaccessible to database administrators. NitroView ESM is able to correlate database events from the DBM with network flow activity, firewall alerts, and other relevant security data to quickly determine whether accessed data is being transferred across trusted boundaries.