The Sarbanes-Oxley Act became law in 2002 in the wake of the Enron financial scandal. Its focus is setting rules for the ways that public organizations and accounting firms should handle corporate governance and financial disclosures – it is not specifically concerned with information security.
However, there are a number of sections of the act which impact information security management including:
- Section 302, which requires the CEO and CFO to certify that the organization’s financial reports are true and accurate, and that the organization has put in place adequate controls over financial reporting and disclosure.
- Section 404, which describes the required controls and requires outside auditors to certify that the controls exist and are adequate.
- Section 409, which requires publicly traded companies to promptly report any changes in financial condition or reporting that might be material to investors, which could include an information security problem.
- Section 802, which requires organizations and their auditors to retain accounting documents and work papers (both paper and electronic) for a minimum of seven years.
Since a problem that results from improperly secured financial data would be as much a violation of the law as any other kind of event, there is an implied requirement that organizations implement sound information security practices.
Compliance with the law, from the point of view of information security, is often demonstrated by developing management systems that follow one of the well-established security and/or IT management frameworks such as ISO 17799 or COBIT – all of which include security awareness training as a fundamental component.