As the regulatory landscape grows more complicated, organizations need to understand which regulations apply to them and what their obligations are under each. Misreading the details of a regulation can itself create risk. For example, the EU's General Data Protection Regulation (GDPR) is designed to protect the personal data of individuals in the EU, yet it has been demonstrated that an attacker can exploit an organization's misunderstanding of its own obligations under the regulation to extract sensitive data.
In the United States, one of the most far-reaching regulations is the Sarbanes-Oxley Act (SOX). Every company publicly traded in the US is required to maintain SOX compliance. The law was passed in response to accounting scandals such as Enron, and its intention is to prevent similar incidents by forcing organizations to maintain complete and transparent records of their financial dealings.
Introduction To SOX Requirements
The requirements for achieving and maintaining SOX compliance are fairly straightforward in principle. The intention of the law is to protect a public company's shareholders from being misled or defrauded, in part by preventing organizations from modifying or destroying records that would reveal accounting errors or fraudulent practices.
The main portion of SOX that relates to electronic records storage is Section 802. This section sets out three requirements for electronic records storage:
- A prohibition against the destruction, alteration, or falsification of records, with criminal penalties for violations
- A mandatory five-year retention period for audit and review records
- A list of the types of records that must be retained by an organization under SOX
SOX also requires that the periodic financial reports filed by a public company be certified by its Chief Executive Officer (CEO) and Chief Financial Officer (CFO) as fairly presenting the financial condition and results of operations of the organization. Under Section 906, a CEO or CFO who certifies a report "knowing" that it does not meet the requirements faces a fine of up to $1 million and up to 10 years in prison; for a "willful" false certification the penalties rise to $5 million and 20 years.
For a CEO or CFO to certify that a report is accurate, they need access to the underlying data that shows whether or not it is. Because the report describes the financial status and operations of the company, this requires full visibility into every record the organization is required to retain in order to achieve and maintain compliance with SOX.
Data Visibility And SOX
Compliance with SOX and other regulations forces organizations to walk a narrow line. Many regulations restrict the ways an organization may collect, process, and store sensitive data; in general, regulations such as the GDPR favor data minimization, and not storing a type of data at all is the simplest way to comply with them. SOX, however, requires an organization to retain particular forms of records for five years.
For data covered under both SOX and data privacy regulations, US companies need full visibility into sensitive data and its use. Ensuring SOX compliance requires knowing that record data is still in the organization's possession and has not been modified, while complying with data privacy regulations means ensuring that no party has unauthorized access to data containing information protected under a regulation or industry standard (health information, payment card information, and so on).
As organizations' networks and attack surfaces grow more complex, achieving comprehensive and continuous visibility into protected data becomes harder. Data scattered across multiple public and private clouds and on-premises data centers must be tracked centrally before an organization can credibly certify compliance with the regulation.
Managing Regulatory Compliance
Manually managing compliance with SOX and data privacy regulations is quickly becoming impossible as the volume and complexity of protected data grow. However, modern file and database security solutions can help increase the visibility and security of sensitive and protected data.
One feature to look for in a data security solution is automated database discovery and vulnerability assessment. The solution should recognize protected types of data and classify them automatically according to their security requirements. Backups and unauthorized copies of databases are easy targets for attackers and are unlikely to be covered by the organization's cybersecurity policies and procedures. A solution capable of finding these data stores and assessing their security lets an organization evaluate the business need for each copy and either delete it or bring it under the security plan.
Another valuable feature of data security solutions is the ability to monitor how users access and interact with sensitive, protected data. SOX requires an organization to certify the accuracy of its financial reports and the integrity of the records behind them, which in practice means being able to show that protected records have not been modified without authorization. The most reliable way to do this is to keep a tamper-evident access and modification log for the applicable records, stored where the accounts being monitored cannot alter it, so that the log itself can demonstrate that no unauthorized changes have been made.
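The following is an added example, not code from the original article or from any particular data security product, of what "tamper-evident" means for such a log: each entry commits to the hash of the previous one, so rewriting or removing an entry in the middle breaks the chain, and recording the head hash with an independent party (the auditor, a write-once store) exposes silent truncation of the most recent entries. The record identifiers, actor names, timestamps, and record contents are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


def _digest(payload: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes the same way,
    # chained to the previous entry's hash so it cannot be moved, altered, or dropped unnoticed.
    material = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode() + prev_hash.encode()
    return hashlib.sha256(material).hexdigest()


@dataclass
class Entry:
    seq: int
    ts: str
    actor: str
    record_id: str
    action: str        # "read", "update", "delete"
    after_hash: str    # SHA-256 of the record content after the action ("" for reads)
    prev_hash: str
    entry_hash: str = ""

    def payload(self) -> dict:
        d = asdict(self)
        d.pop("entry_hash")
        d.pop("prev_hash")   # prev_hash is mixed in separately by _digest
        return d


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def append(self, ts: str, actor: str, record_id: str, action: str,
               record_content: bytes = b"") -> Entry:
        prev = self.head()
        after = hashlib.sha256(record_content).hexdigest() if record_content else ""
        e = Entry(len(self.entries), ts, actor, record_id, action, after, prev)
        e.entry_hash = _digest(e.payload(), prev)
        self.entries.append(e)
        return e

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Recompute the whole chain. Returns (ok, index of the first bad entry or None)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or _digest(e.payload(), prev) != e.entry_hash:
                return False, i
            prev = e.entry_hash
        if expected_head is not None and prev != expected_head:
            # Internally consistent, but the tail differs from the head that was recorded
            # externally: trailing entries were removed or never made it into the log.
            return False, len(self.entries)
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample: two edits to one ledger record and an auditor's read."""
    log = AuditLog()
    log.append("2024-03-01T09:00:00Z", "ap_clerk", "GL-2024-0117", "update", b"vendor=ACME;amount=12500.00")
    log.append("2024-03-01T09:05:12Z", "auditor1", "GL-2024-0117", "read")
    log.append("2024-03-02T17:41:03Z", "ap_clerk", "GL-2024-0117", "update", b"vendor=ACME;amount=12800.00")
    return log


def demo_tamper() -> Tuple[bool, Optional[int]]:
    """Someone rewrites who made the second change; verification points at entry 2."""
    log = build_sample_log()
    log.entries[2].actor = "sys_batch"
    return log.verify()


def demo_truncation() -> Tuple[bool, Optional[int]]:
    """The last change is quietly deleted; only the externally stored head reveals it."""
    log = build_sample_log()
    head = log.head()          # in practice handed to the auditor or a write-once store
    log.entries.pop()
    return log.verify(expected_head=head)


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("tampered:", demo_tamper())
    print("truncated:", demo_truncation())
```

The chain alone proves that nothing between the first entry and the current head was altered; it says nothing about entries removed from the end, which is why the head hash must leave the system that writes the log.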
Finally, a solution designed to help achieve SOX and data privacy compliance must be able to monitor user behavior and permissions. A compromised account with sufficiently elevated privileges can often bypass the security protections an organization has put in place simply by disabling or overriding them, so the monitoring itself needs to be independent of the accounts it watches.
An organization should implement least privilege by limiting each account to the minimum set of privileges its role requires, and should monitor for the use of unusual or elevated privileges against sensitive data.
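As an added example (not code from the original article or from any product it describes), the detection logic below runs over a few constructed database audit events and flags the privilege use the paragraph warns about: statements outside a role's baseline, destructive statements against SOX-protected objects regardless of who issues them, bulk reads of protected records, and audit lines that cannot be parsed, since gaps in the trail are how a privileged attacker hides. The role baseline, the key=value log format, and all names and values are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical baseline (assumption): the statement types each database role legitimately
# needs. Anything outside the set is treated as elevated use and reported.
BASELINE: Dict[str, Set[str]] = {
    "ap_clerk": {"SELECT", "INSERT", "UPDATE"},
    "auditor": {"SELECT"},
    "dba": {"SELECT", "ALTER", "CREATE", "GRANT"},
}
# Objects holding SOX-retained records. Destructive statements against them are flagged for
# every role, because even a legitimate DBA should not be deleting ledger entries.
PROTECTED_OBJECTS: Set[str] = {"gl_entries", "vendor_payments"}
DESTRUCTIVE: Set[str] = {"DELETE", "DROP", "TRUNCATE"}
BULK_READ_ROWS = 1000  # a single read of a protected object above this is reported for review

# Constructed log format (assumption): one key=value event per line. Real database audit
# features use their own formats; only this parser would change.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) db=(?P<db>\S+) "
    r"stmt=(?P<stmt>[A-Z]+) obj=(?P<obj>\S+) rows=(?P<rows>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    reason: str


def parse_event(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    return ev


def analyze(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            # A line the monitor cannot read is itself a finding: corrupting or truncating
            # audit records is how an attacker with elevated privileges defeats monitoring.
            findings.append(Finding("-", "-", f"unparseable audit line: {line.strip()!r}"))
            continue
        allowed = BASELINE.get(ev["role"])
        if allowed is None:
            findings.append(Finding(ev["ts"], ev["user"], f"unknown role {ev['role']!r}"))
            continue
        if ev["stmt"] not in allowed:
            findings.append(Finding(ev["ts"], ev["user"],
                                    f"{ev['stmt']} is outside the {ev['role']} baseline"))
        if ev["stmt"] in DESTRUCTIVE and ev["obj"] in PROTECTED_OBJECTS:
            findings.append(Finding(ev["ts"], ev["user"],
                                    f"destructive {ev['stmt']} on protected object {ev['obj']} "
                                    f"({ev['rows']} rows)"))
        if ev["stmt"] == "SELECT" and ev["obj"] in PROTECTED_OBJECTS and ev["rows"] > BULK_READ_ROWS:
            findings.append(Finding(ev["ts"], ev["user"],
                                    f"bulk read of {ev['rows']} rows from protected object {ev['obj']}"))
    return findings


# Constructed sample events (not real data); the last line simulates a damaged record.
SAMPLE_LOG = [
    "2024-03-04T09:12:01Z user=ap_clerk role=ap_clerk db=finance stmt=UPDATE obj=gl_entries rows=1",
    "2024-03-04T09:14:33Z user=auditor1 role=auditor db=finance stmt=SELECT obj=gl_entries rows=240",
    "2024-03-04T02:13:44Z user=ap_clerk role=ap_clerk db=finance stmt=DELETE obj=gl_entries rows=412",
    "2024-03-04T02:15:09Z user=ap_clerk role=ap_clerk db=finance stmt=GRANT obj=gl_entries rows=0",
    "2024-03-04T11:00:00Z user=dba_svc role=dba db=finance stmt=ALTER obj=gl_entries rows=0",
    "2024-03-04T11:02:51Z user=dba_svc role=dba db=finance stmt=SELECT obj=vendor_payments rows=58211",
    "2024-03-04T11:03:00Z audit subsystem restarted",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.user}: {f.reason}")
```

The clerk's DELETE produces two findings on purpose: one because the statement is outside the role's baseline, one because the object is protected. The second rule is what catches the DBA-class account, whose SELECT is within its baseline but whose 58,211-row read of vendor payments is not normal behavior.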