Wed, Jun
4 New Articles

Security Patrol: Is the Sarbanes-Oxley Act Security-Relevant or Not?

Compliance / Privacy
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times
There's much ado about the Sarbanes-Oxley Act (SOX) of 2002 in the IT world. Some feel it has direct ramifications on IT--in particular, on how data is secured. Some feel that it has no effect on IT and data security at all. Where does the truth lie? This article offers the facts about SOX so that you can make intelligent choices for your business.

Why Was the Sarbanes-Oxley (SOX) Act Enacted?

SOX is a direct effort by the United States Congress to prevent publicly held corporations from experiencing an Enron- or WorldCom-like fiasco. In reaction to the numerous failings of Enron and other corporations that were less than forthcoming regarding the truthfulness and accuracy of their financial statements, the bill assigns responsibility and accountability for the accuracy of a company's financial reports. SOX also encourages separation of responsibilities. As a result, many corporations are splitting the positions of president and CEO between two people. In many corporations, these positions have been held by one individual. Two people provide for more checks and balances, thereby avoiding situations in which any one person holds too much decision-making power. SOX also specifically addresses the role of accounting and auditing firms both for SOX compliance and for traditional audits. It also dictates accounting practices and procedures and specifies the ramifications for officers should they fail to comply and for auditing firms should they not follow the terms of the act.

What Areas of Data Security Does SOX Address?

The simple answer to that question is "none." Unlike the Health Insurance Portability and Accountability Act ( HIPAA) and the Gramm-Leach-Bliley Act (GLBA)--two other U.S. government acts that have received lots of attention from the IT security world--SOX does not specifically spell out any data security requirements. Both HIPAA and GLBA are quite explicit in their requirements, but not SOX. If SOX is not explicit on the data security requirements, why are some people claiming that it has IT implications? Most likely, it's because of SOX's original use of the term "internal control." Before the act was finalized, this term was not well-defined, which led people to believe "internal control" meant many things, including auditing every electronic transaction on a computer and securing the database in which the company's data resided. To eliminate this confusion, the term has been re-worded as "internal controls over financial reporting" and is always used within the context of some aspect of financial reporting.

Does This Mean I Don't Have to Worry About SOX?

One topic SOX addresses is the business risk associated with a company's financial data being inaccurate. A complete analysis requires companies to evaluate their processes and procedures, the obvious goal being to ensure that appropriate processes and procedures are in place to be able to validate and verify what's claimed as a company's bottom line. Does managing this business risk and ensuring appropriate processes are in place preclude IT's involvement or preclude the need for data to be secured appropriately? Absolutely not. Are some CFOs going to investigate IT's processes and require adherence to a more restrictive security policy? Probably. If a company's accounting department is already well-organized with well-established processes and procedures, IT will probably be approached sooner rather than later. Does SOX require that IT be involved? Not in so many words. Is it implied? I'd have to say yes.

However, I believe SOX leaves it up to each corporation to determine how it's going to manage its risk--the primary risk being that the company's stated financials don't match reality. Any auditor who performs a SOX audit is going to analyze the company's financial processes and control procedures and ask what processes or procedures have changed since the last audit. As part of the audit, the auditor is also going to analyze the company's risk associated with managing the accuracy of that financial data. I believe that the auditor will accept that a company has mitigated its risk by securing its electronic data so that only users with a "need to know" have access to it. However, I also believe that the auditor will accept that a company has mitigated its risk by purchasing and implementing a robust software accounting package that helps them implement standard accounting practices and uses more complex algorithms, providing more checks and balances to algorithmically ensure the integrity of the financial data.

It appears that it is up to the company to determine how best to mitigate the risk to its financial data and how best to ensure its accuracy. This is because SOX applies to all publicly traded companies--from large to small; therefore, it cannot mandate a specific solution or resolution to mitigate risk. SOX clearly allows businesses to base risk mitigation actions on the size of the company, cost of the solution, and resources required to implement it. In other words, the act recognizes that one solution will not satisfy every company's requirements. I would be cautious about products that claim to help you become SOX "compliant" because, with the exception of discussing generally acceptable accounting principles, SOX does not specifically spell out how to be in compliance. Could these products help you in your company's compliance? Possibly. But only if the people in your company who are responsible for the integrity of your financial data deem, through a business risk analysis, that the product addresses an area of risk.

Will SOX Ever Address Data Security Issues?

Just because SOX does not currently address either IT or data security, does that mean it never will? No. Acts can be modified. And if there is too much confusion about this issue, it's likely that the act will be modified to address IT and/or data security. But like the final ruling for HIPAA, it's almost guaranteed that the requirements will be general in nature and not dictate a specific solution or product. The ruling must acknowledge that companies are using literally every operating system possible and that not all solutions are available on all platforms. For example, two of the requirements could be that there must be accountability for users' work and that all users must be authenticated. In OS/400 terms, this would mean that users cannot share the same user ID and password (accountability) and that they must be able to prove that they are who they say they are (authentication) via a valid user ID and password, a network authentication mechanism (such as Kerberos), a one-time use password, or a digital certificate. As you can see, even in OS/400 terms, you would have choices for the actual implementation.

If You Want to Be Proactive

Is it inappropriate for you, as an IT professional, to want to apply the intent of SOX to your environment? Not at all. I think it is wise to be proactive. You should determine whether your company's financial data is secured from prying eyes, whether it is backed up regularly, and whether changes to critical files are journaled. Other security "best practices" can be found in ISO standard BS7799. While not all that popular in the United States, BS7799 started out as a British standard and has become widely accepted throughout Europe and Asia as the security standard to be followed.

If you aren't into researching an ISO standard and how it applies to your shop, here are some suggestions:
If you don't have a security policy, now's the time to develop one. A well-written security policy assigns responsibility for various actions and clearly spells out what is acceptable behavior (and what is not).

  • Move the responsibility for determining who can access data (financial and otherwise) from IT to the data owner. IT should be the custodian and implementer of the data owner's policies. It should not be making the policy.
  • Implement the concept of "least privilege." That is, give users access only to data and applications that they have a direct need for. For example, say that you have an AR (Accounts Receivable) or AP (Accounts Payable) application running on your system. With few exceptions, why should anyone outside of the accounting department need access to this financial data? The accounting department can be given explicit authority to the application libraries, and individual exceptions can also be given explicit authority. Then, the libraries containing the application can be secured by setting them to *PUBLIC *EXCLUDE, preventing the rest of the company--those without a "need to know"--from accessing this financial information.
  • Turn on OS/400 auditing to track and record what has occurred on the system.
  • Journal the critical data files to capture details of each change made to the file.
  • Ensure all financial and other critical data is backed up regularly or is available through data replication or a high-availability solution.

For More Information

Before you get swept up in the SOX furor over its implications on IT, I encourage you to do some research of your own. I've found the explanations of the act at the Sarbanes-Oxley Web site to be very insightful and helpful in clarifying the issues and the intent of the act. The Corporate Governance Online Web site provides timely news regarding the act and has a good document that discusses FAQs regarding "internal controls." And if you'd like some good bedtime reading, you can download the Sarbanes-Oxley Act itself.

Now that you know a bit more about Sarbanes-Oxley, I hope that you feel better prepared to determine whether SOX will have an impact on your IT organization.

Carol Woodbury is co-founder of SkyView Partners, a firm specializing in security consulting and services and developers of the soon-to-be released software, SkyView Risk Assessor for OS/400. Carol has over 12 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Look for Carol’s second book, Experts’ Guide to OS/400 Security, to be released later this fall. Carol can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

Carol Woodbury


Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.

MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

IBM i Security Administration and Compliance: Third Edition
Don't miss the newest edition by the industry’s #1 IBM i security expert.
List Price $71.95

Now On Sale

Mastering IBM i Security Mastering IBM i Security
Get the must-have guide by the industry’s #1 security authority.
List Price $49.95

Now On Sale



Support MC Press Online

$0.00 Raised:

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: