SOX compliance, while similar in some respects to both HIPAA and PCI, represents one of the most rigorous compliance standards currently applied to US companies. It is rigorous because it has to be. SOX, the Sarbanes-Oxley Act of 2002, is a financial reporting law passed in the wake of a series of corporate accounting scandals, the most prominent being the revelation that the energy giant Enron had manipulated its internal accounting in order to appear more profitable. That collapse, and the others that followed it, shook investor confidence during the economic downturn of the early 2000s and led directly to the law.
SOX has a very broad scope, and the statute itself does not prescribe specific technical controls. What it requires, chiefly through Section 404, is that management maintain and attest to effective internal controls over financial reporting, and that the records behind that reporting be retained. From an information security perspective that translates into a fairly simple set of obligations: lock down financial information. Encrypt financial data, make sure that only those authorized to see it can access it, and record the event whenever someone accesses or changes it.
With that said, the potential cost of a lapse in SOX compliance is different in kind from a HIPAA or PCI breach. Stolen card numbers and medical records are typically monetized through intermediaries; the attacker's gain is bounded by what the data fetches on the market. A SOX failure exposes the financial records themselves, together with the SSNs, account numbers, and encryption keys that protect them, and the consequence is not just a data breach but the possibility of undetected fraud or misstated financial statements, which is precisely what the law exists to prevent and for which the officers who certify those statements face criminal penalties.
Where Do We See Enterprises Fail at SOX Compliance?
From an information security perspective, there are two areas where companies aren't well prepared: access and key management. The key to mastering both is separation of duties: no single person should control every step of a sensitive process. In practice, the people who can read crucial information should not be the same people who can alter it, and the people who hold the keys should not be the people who hold the data.
1. Key Management
For example, a customer might submit a large document full of account numbers. Under SOX, records relevant to an audit must be preserved, unaltered, for years (Section 802 sets five years for audit-related records; the SEC rule implementing it extends that to seven). There also needs to be a verifiable audit trail showing who accessed the document, from where, and when. All of this exists to make fraud detectable and attributable.
Encryption is by far the best way to keep an unauthorized party from reading a document, and an authenticated mode (AES-GCM, or encrypt-then-MAC) also makes any edit to the ciphertext detectable. What is encrypted, however, must eventually be decrypted, and therein lies the problem. The person with access to an organization's stockpile of encryption keys may also have access to its encrypted documents. They might know which keys go with which documents, and they might have bad intentions. A key custodian who can also fetch ciphertext is a single person able to read, alter, and re-encrypt a financial record without anyone else being involved, which completely undermines the purpose of SOX compliance to begin with. Keys therefore need to live with a separate custodian, ideally an HSM or key management service that logs each use and whose operators cannot reach the encrypted data.
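The custody arrangement described above, as an added example that is not code from the original post or from Safe-T: envelope encryption in Go, where each document gets its own data key, that data key is wrapped by a key-encryption key that only a custodian holds, and the custodian checks an authorization list and records every unwrap attempt. The store administrator holds ciphertext and wrapped keys and can read nothing; the custodian holds the KEK and never sees a document. AES-GCM binds each ciphertext to its document identifier, so an edited record or a key moved between documents fails to decrypt rather than decrypting to garbage. The principal names, document identifier and sample content are constructed for the example, and the in-memory custodian stands in for what would be an HSM or KMS in production.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on error: a malformed fixed-size key or a dead entropy source is not recoverable here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// sealAEAD and openAEAD use AES-256-GCM with the object's identity as associated
// data: a ciphertext can be neither silently edited nor swapped between objects
// without the tag check failing. Layout is nonce || ciphertext || tag.
func sealAEAD(key, aad, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func openAEAD(key, aad, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("truncated ciphertext")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// KeyCustodian holds only the key-encryption key (KEK) and the list of
// principals allowed to decrypt. It wraps and unwraps per-document data keys,
// never sees a document, and records every unwrap attempt, allowed or denied.
// A production custodian would be an HSM or KMS; this one lives in memory.
type KeyCustodian struct {
	kek        []byte
	authorized map[string]bool
	Log        []string
}

func (c *KeyCustodian) Wrap(docID string, dek []byte) []byte {
	return sealAEAD(c.kek, []byte("dek:"+docID), dek)
}

func (c *KeyCustodian) Unwrap(actor, docID string, wrapped []byte) ([]byte, error) {
	if !c.authorized[actor] {
		c.Log = append(c.Log, fmt.Sprintf("DENIED unwrap %s by %s", docID, actor))
		return nil, fmt.Errorf("%s is not authorized to decrypt %s", actor, docID)
	}
	c.Log = append(c.Log, fmt.Sprintf("ALLOWED unwrap %s by %s", docID, actor))
	return openAEAD(c.kek, []byte("dek:"+docID), wrapped)
}

// Sealed is what the document store keeps. Whoever administers the store holds
// ciphertext and a wrapped key and still cannot read the document without the
// custodian; the custodian, in turn, never holds the ciphertext.
type Sealed struct {
	DocID                  string
	WrappedDEK, Ciphertext []byte
}

func Store(c *KeyCustodian, docID string, plaintext []byte) Sealed {
	dek := randBytes(32) // fresh data key per document; the KEK never touches document bytes
	return Sealed{
		DocID:      docID,
		WrappedDEK: c.Wrap(docID, dek),
		Ciphertext: sealAEAD(dek, []byte("doc:"+docID), plaintext),
	}
}

func Read(c *KeyCustodian, actor string, s Sealed) ([]byte, error) {
	dek, err := c.Unwrap(actor, s.DocID, s.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openAEAD(dek, []byte("doc:"+s.DocID), s.Ciphertext)
}

func main() {
	// Constructed sample: one authorized reader, one store administrator, one document.
	c := &KeyCustodian{kek: randBytes(32), authorized: map[string]bool{"auditor": true}}
	s := Store(c, "acct-list-0317", []byte("constructed sample: account 1234567890"))
	_, err := Read(c, "dba", s) // the store's administrator is not on the custodian's list
	fmt.Println("dba:", err)
	s.Ciphertext[len(s.Ciphertext)-1] ^= 1 // someone edits the stored bytes
	_, err = Read(c, "auditor", s)
	fmt.Println("auditor after edit:", err)
	fmt.Println(c.Log)
}
```

The two roles are deliberately asymmetric: the custodian's API accepts and returns only 32-byte keys, never document bytes, so even a malicious custodian operator who also obtains a wrapped key has nothing to decrypt, while the store side never sees the KEK and cannot unwrap anything on its own. Putting the document identifier in the associated data is what stops a wrapped key for one record being replayed against another.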
2. Access Control
Access control represents another big failure within enterprises. A good example is a payroll processing application. Such an app has to be connected to at least three bank accounts: the processing bank's account, a corporate account, and each employee's own bank account. A great deal of information is required to authenticate transactions among these accounts, and the people who input this information cannot be the same people who authorize the transactions. This is the maker-checker (or four-eyes) pattern: one role enters, a different principal in a different role approves, and the application enforces the split rather than relying on procedure to keep the two apart.
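Enforcing that rule in code, as an added example written for this page rather than taken from the post or from Safe-T Box: a maker-checker payroll flow in Go. A clerk can enter a payment, only a principal holding the approver role can approve one, and an approver who entered a payment cannot approve it even when they hold both roles. Every decision, including denials, is appended to a hash-chained audit trail of the kind the Key Management section calls for, so that rewriting or deleting a record afterwards is detectable. Principal names, roles, account labels and amounts are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry is one record of a hash-chained trail: each hash covers the
// previous record's hash, so deleting, reordering or rewriting any record
// breaks the chain and Verify reports where.
type AuditEntry struct {
	When                  time.Time
	Actor, Action, Object string
	PrevHash, Hash        string
}

type AuditLog struct{ Entries []AuditEntry }

func hashEntry(e AuditEntry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%s",
		e.When.Format(time.RFC3339Nano), e.Actor, e.Action, e.Object, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

func (l *AuditLog) Append(actor, action, object string) {
	e := AuditEntry{When: time.Now().UTC(), Actor: actor, Action: action, Object: object}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
}

func (l *AuditLog) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return fmt.Errorf("audit trail tampered at record %d", i)
		}
		prev = e.Hash
	}
	return nil
}

// Payment is one payroll transfer: entered by a clerk, approved by a different
// principal holding the approver role, and only then fit to be released.
type Payment struct {
	ID, From, To          string
	Cents                 int64
	CreatedBy, ApprovedBy string
}

type Payroll struct {
	roles map[string]map[string]bool // principal -> roles; one person may hold both
	Log   AuditLog
}

func (p *Payroll) Create(actor, id, from, to string, cents int64) (*Payment, error) {
	if !p.roles[actor]["clerk"] {
		p.Log.Append(actor, "create:denied", id)
		return nil, fmt.Errorf("%s may not enter payments", actor)
	}
	p.Log.Append(actor, "create", id)
	return &Payment{ID: id, From: from, To: to, Cents: cents, CreatedBy: actor}, nil
}

// Approve is the separation-of-duties check: the approver role is required, and
// the approver may not be the person who entered the payment, whatever else they hold.
func (p *Payroll) Approve(actor string, pay *Payment) error {
	switch {
	case !p.roles[actor]["approver"]:
		p.Log.Append(actor, "approve:denied-role", pay.ID)
		return fmt.Errorf("%s may not approve payments", actor)
	case actor == pay.CreatedBy:
		p.Log.Append(actor, "approve:denied-self", pay.ID)
		return fmt.Errorf("%s entered %s and cannot also approve it", actor, pay.ID)
	}
	pay.ApprovedBy = actor
	p.Log.Append(actor, "approve", pay.ID)
	return nil
}

func main() {
	// Constructed sample: alice is a clerk, carol holds both roles.
	p := &Payroll{roles: map[string]map[string]bool{
		"alice": {"clerk": true}, "carol": {"clerk": true, "approver": true}}}
	pay, _ := p.Create("alice", "pay-0042", "corp-ops", "emp-1187", 312500)
	fmt.Println(p.Approve("alice", pay)) // alice has no approver role
	own, _ := p.Create("carol", "pay-0043", "corp-ops", "emp-1188", 98000)
	fmt.Println(p.Approve("carol", own)) // carol has the role but entered it herself
	fmt.Println(p.Approve("carol", pay), pay.ApprovedBy)
	p.Log.Entries[1].Actor = "mallory" // rewrite history after the fact...
	fmt.Println(p.Log.Verify())        // ...and the chain shows where
}
```

The self-approval check is separate from the role check on purpose: granting someone both roles is a legitimate staffing decision, and the control has to hold per transaction, not per person. The chained log is only tamper-evident, not tamper-proof; an attacker who can rewrite the whole trail from the altered record onward can rebuild the chain, so the head hash should be periodically anchored somewhere the application cannot write.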
Efficiency vs. SOX Compliance
Separation of duties isn't an obvious concept. From a process-oriented point of view, it looks like the height of inefficiency. Allowing the same people to both accept and process sensitive data would likely increase processing speed dramatically, at the cost of a similarly dramatic increase in the potential for fraud. How do you balance security and productivity?
At Safe-T, we know that people will often neglect the security of others' data if it means they can do their jobs faster. How do you square the necessity of compliance with the knowledge that some people will inevitably ignore it? With Safe-T Box, that uncertainty is removed. Our Secure Data Exchange Broker enforces separation of duties by verifying that personnel are authorized to access financial documents before those documents are sent. Safe-T Box can also apply encryption to documents automatically and generate an audit trail of their access and distribution.
For more information about how Safe-T Box enables administrators to walk the tightrope between efficiency and compliance, check out our SOX Compliance Matrix today!