SOX Compliance Management and Compliant Hosting

Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It does not apply to privately held companies. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with those laws. Criminal penalties for violation of SOX is stated as whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration, or in relation to or contemplation of any such matter or case, can be fined, imprisoned or both.

SOX requires strict internal IT controls and processes. It applies to all public companies. The purpose of the SOX Section 404 control audit is to identify “control deficiencies” that could affect the financial reporting of the company. Sarbanes-Oxley recommends regular audits of log files and keeping a record of audit logs for up to seven years: “audit unauthorized access, misuse and fraud, in order to ensure the accuracy of corporate financial and business information” and “maintain financial records for seven years.” The IT Governance Institute's Control Objectives for Information and related Technology (COBIT) is most frequently used to help achieve Sarbanes-Oxley Act compliance, but also to ensure security and availability of IT assets in general. COBIT includes specific control requirements: “change standards and procedures” (AI6.1), “application control and audit ability” (AI2.3), and “network testing, surveillance, monitoring” (DS5.5).

Stone Street Security Event Manager and Stone Street Database Security Manager provide more granular threat detection and can even block suspicious activity in real-time (for example DS5.5 and DS 5.10).