How can network management and log management technologies impact your ability to comply with SOX? Critical financial reporting data is stored and accessed within IT networks and systems, making the security and health of the infrastructure a critical component of the internal controls.
Over the last 5 months, I have had several customers ask "How can network management and log management impact my ability to comply with SOX?"
The Sarbanes-Oxley (SOX) legislation regulates auditing and accountability standards for any U.S. publicly traded organization. These organizations are mandated to set adequate internal controls and procedures to assure the accuracy of their financial reporting in order to protect their shareholders. The auditors as well as the corporations are required to retain records that prove the organization is indeed following its internal controls as stated, and to keep that audit record for 7 years.
Since this critical data is stored and accessed within IT networks and systems, the security and health of the infrastructure is a critical component of the internal controls. Log monitoring procedures can track and monitor access to financial data within the flow of business operations. Unexpected changes in individual role and group privileges within internal systems can introduce risk to the integrity of the data, especially if this data is rolled up into financial reporting statistics. Any such change should be flagged for investigation and audit. In addition, the audit workpapers and supporting documentation must continue to be actively monitored for any unexpected changes to ensure the continued integrity of the audit data.
If this log data becomes evidence that is used in court, the organization must show proper chain of custody not only of the audit records but also of the log data, and prove that its integrity has not been compromised over that 7-year period. Keeping multiple years of your log files in their original file format is a must, not only for a forensics investigation but also for the legal team to show an accurate representation of what happened in the past. In addition, this data must be encrypted, leveraging cryptographic hashing to assure data integrity and prove in a court of law that the data has not been tampered with.
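An added example, not from the original article: one way to apply cryptographic hashing to archived log files so that any later change is detectable. Each file's original bytes are hashed with SHA-256 and the digests are chained with HMAC-SHA256, so editing, renaming, reordering or dropping a file breaks verification; the function names, key and sample log lines are constructed for illustration, and the key is assumed to be stored apart from the archive. The sketch covers integrity only, not encryption of the archive.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32           # fixed start value for the chain (assumption)
KEY = b"constructed-demo-key"    # constructed; keep the real key off the log host

# Constructed sample archive: (file name, original bytes exactly as written).
SAMPLE_LOGS = [
    ("fin-2019-01.log", b"2019-01-03 09:14:02 user=jdoe action=read table=ledger\n"),
    ("fin-2019-02.log", b"2019-02-11 17:40:55 user=asmith action=group_add group=fin_admins\n"),
    ("fin-2019-03.log", b"2019-03-29 08:01:10 user=jdoe action=read table=ledger\n"),
]

def _link(key, prev_mac, name, data):
    """MAC over the previous link, the file name and the file's SHA-256."""
    digest = hashlib.sha256(data).digest()
    msg = prev_mac + name.encode() + b"\x00" + digest
    return hmac.new(key, msg, hashlib.sha256).digest()

def seal(logs, key):
    """Return a manifest (one hex MAC per file) chaining the files in order."""
    manifest, prev = [], GENESIS
    for name, data in logs:
        prev = _link(key, prev, name, data)
        manifest.append({"name": name, "mac": prev.hex()})
    return manifest

def verify(logs, manifest, key):
    """Return findings; an empty list means the archive matches the manifest."""
    findings, prev = [], GENESIS
    if len(logs) != len(manifest):
        findings.append("file count differs from manifest")
    for (name, data), entry in zip(logs, manifest):
        stored = bytes.fromhex(entry["mac"])
        if not hmac.compare_digest(_link(key, prev, name, data), stored):
            findings.append(f"{name}: content, name or position changed")
        prev = stored  # continue from the sealed value so one edit yields one finding
    return findings
```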
So while log management may not assure your financial reporting numbers are accurate, it will help you confirm to shareholders the integrity and security of the reporting data within your IT network.