Security Management Solutions
Security Information Management & Security Event Management

Sarbanes-Oxley Compliance


The Sarbanes-Oxley Act of 2002 protects investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Among the most significant provisions within Sarbanes-Oxley are the criminal and civil penalties that place executive management and the board of directors "in the line of fire." Specifically, under Section 404 of the Sarbanes-Oxley Act, executives need to certify and demonstrate that they have established and are maintaining an adequate internal control structure and procedures for financial reporting.

Objectives to meet Sarbanes-Oxley compliance
Sarbanes-Oxley (SOX) requires a new level of corporate governance and accountability. As a result, the vital role security information and event management (SIEM) plays in establishing and maintaining internal controls has never been greater. Companies must institute log monitoring and vulnerability assessments as a critical part of their IT internal control systems. Both domestic and international publicly traded companies must comply with Sarbanes-Oxley. If you are a covered entity, you must have methods to maintain audit trails and to log possible alteration of electronic records. OpenService has mapped best practices and reports to help organizations comply with audits under Sarbanes-Oxley Section 404.

To address the requirements of Section 404, companies must be able to address the following objectives:

  • Access Control monitors attempts to access the company’s financial reporting system or the data that feeds the system.
  • Configuration Control monitors the configuration, policies, and software installed on systems covered by Sarbanes-Oxley and all systems connected to that system.
  • Malicious Software Detection capabilities collect and report malicious activities caused by viruses or other malicious code from a wide variety of sources with centralized analysis.
  • Policy Enforcement verifies that all users are complying with regulations to reduce the chance of accidental exposure of sensitive information.
  • User Monitoring and Management creates a complete audit of the activities of non-employees with access to private data and takes steps to minimize the risk from compromised accounts.
  • Environment & Transmission Security involves the ongoing monitoring of the environment to ensure that security threats are detected and corrected as quickly as possible through proactive measures such as VA scans.

To achieve and maintain compliance in those areas, companies must use the following product capabilities provided by the OpenService solution InfoCenter:
  • Collect data in a non-filtered fashion that is preserved in an efficient and protected manner using Security Log Manager, a component of InfoCenter.
  • Efficiently generate the summary and detailed reports spanning the data-retention periods mandated by Sarbanes-Oxley using the reporting component of InfoCenter.
  • Perform forensic analysis of systems’ correct policies and system settings to provide a debug-level view of all changes and the effect they have on the environment using InfoCenter correlations.
  • Establish Incident Management capabilities for close monitoring and correction of violations to make sure they are recorded, escalated, and corrected in a timely and thorough manner using the alert monitoring capabilities of InfoCenter.

These functions ensure that the administrative, physical, and technical controls demanded by SOX regulations are maintained. OpenService solutions address all of the technical standards required.

©2002-2008 OpenService, Inc. All Rights Reserved