Regulatory Compliance

Compliance and Risk Management: SOX

Good corporate governance depends on the effective management of internal controls and on the availability, confidentiality, and integrity of information within the organization. Corporate reputation, brand preservation, and financial results all depend on the defense of business processes and on compliance with a growing array of legislation and regulation. For companies listed on U.S. exchanges, the Sarbanes-Oxley Act of 2002 (SOX) is of overriding importance.

The network has a fundamentally important role to play in SOX compliance, because it touches every aspect of the extended organization and connects business processes. The old, perimeter-based network security model is inadequate for managing security risks related to financial control information. Listed companies need an end-to-end system-based approach that is integrated, collaborative, and adaptive, one that helps them better manage their network security risk while helping them meet SOX requirements.
Beyond SOX, the compliance environment contains other laws and regulations that overlap, are inconsistent with one another, are sometimes untested, and are often contradictory. Organizations must therefore increasingly turn to best-practice frameworks that counter their real-world information threats while helping them meet SOX and other regulatory requirements. ISO 17799 is one such framework. The Cisco® Self-Defending Network provides the first line of corporate defense, because it is the foundation for the organization's data, applications, and business processes, the protection of which is a prerequisite for SOX compliance.

Overview of Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 was passed to ensure that corporate executives are held responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over their financial reporting. To ensure compliance, SOX has provisions that include both criminal and civil penalties for any violations:

Section 302 requires the CEO and CFO to certify that the financial reports are true and accurate, and that adequate controls exist over financial reporting and disclosure.

Section 404 describes these controls, requires that certification be reasonable, and requires that outside auditors certify the existence of adequate controls over financial reporting.

Section 409 requires prompt reporting of any changes in financial condition that might be material to investors.

Section 802 mandates that companies and their auditors retain accounting documents and work papers for a minimum of seven years.

SOX specifically focuses on the accuracy of a company's financial records and controls around these records related to income, expenses, accounting, liabilities, and so on. Network security is a fundamental component of SOX compliance as a result of Auditing Standard 2 of the Public Company Accounting Oversight Board (the PCAOB), which was created as a result of SOX to define auditing standards. This standard states that senior management is responsible not only for financial information but also for the way that information is generated, accessed, collected, stored, processed, and transmitted.

Who Is Affected by SOX?

Any company that is publicly traded in the United States is subject to SOX, including all their divisions and wholly owned subsidiaries. Also affected is any non-U.S. public multinational company doing business in the United States. Finally, although not mandatory at this time, any private firm may wish to comply with the SOX financial framework requirements in preparation for an initial public offering (IPO), for private funding, or for achieving a "best practices" benchmark.

Solutions

Any solution that addresses the issues raised by SOX requires a layered, integrated approach to security. A controls framework, such as ISO 17799, or a process framework, such as CobiT, can provide an organization with a best-practice approach that underpins SOX compliance.
A comprehensive approach to security that protects every aspect of the business is required to meet stringent regulatory standards and protect today's open environments.
The Cisco Self-Defending Network uses the network itself as the platform for security. A highly secure network platform provides a common infrastructure that integrates security throughout all aspects of the network and enables the various security and network elements to work together. It also provides the foundation on which innovative technologies and advanced security services can be layered to control and contain threats, keep communications confidential, and secure transactions. Its flexible, cost-effective approach enables customers to deploy security where they need it most to address specific requirements and objectives. Cisco also offers network security management and control solutions to help organizations reach their business objectives while managing the associated network risks.
The Cisco Self-Defending Network not only provides flexible, in-depth protection but enables:

• Increased revenues and opportunity

• Greater business resiliency and agility

• Improved customer relationships

• Cost-effective enhancement of efficiency while reducing complexity

Security technologies that assist with SOX are deployed throughout the network, thus creating multiple points where risks to the integrity of financial data can be controlled.

Which Cisco Products and Solutions Help Address the SOX Requirements?

Intrusion Detection and Prevention: Cisco IPS 4200 Series Sensors, Cisco Integrated Services Routers with Security Bundle, Cisco ASA 5500 Series Adaptive Security Appliances, Cisco Catalyst® Security Services Modules

Logging, Authentication, Access Control: Cisco Secure Access Control Server (ACS), Cisco Security Agent, Cisco Security Mitigation, Analysis and Response System (MARS)

Antivirus Policy: Cisco ASA 5500 Series, Cisco Firewall Services Module, Cisco Integrated Services Routers, Cisco IPS 4200 Series, Cisco Security Agent

Remote-Access Policy: Cisco ASA 5500 Series, Cisco Integrated Services Routers

Configuration Policy: Cisco Security Device Manager (Security Bundles), Cisco Security Agent, Cisco Security MARS, Cisco Security Manager, Network Admission Control

Regular Vulnerability Assessment

More Information on SOX

Sarbanes-Oxley Act of 2002: http://www.sec.gov/about/laws/soa2002.pdf
Sarbanes-Oxley Act Community Forum (IT issues, control methodologies, and more): http://www.sarbanes-oxley-forum.com/modules.php?name=Forums
The BS7799, ISO17799, and ISO27001 Website: http://www.itgovernance.co.uk/page.bs7799
PCAOB Auditing Standard No. 2: An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements: http://www.pcaobus.org/Rules_of_the_Board/Documents/Rules_of_the_Board/Auditing_Standard_2.pdf