The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures. It came as a result of the large corporate financial scandals in the early 2000s involving Enron, WorldCom, Global Crossing and Arthur Andersen. It also affects any UK companies trading on the US Stock Exchange.
All publicly traded companies are required to submit an annual report on the effectiveness of their internal accounting controls to the US Securities and Exchange Commission (SEC). Essentially, SOX legislates what used to be IT security best practices. The major provisions of the Sarbanes-Oxley Act include criminal and civil penalties. Anyone who knowingly alters, falsifies, destroys, or otherwise tampers with a document or record can be fined and/or imprisoned for up to 20 years.
The need for an Archiver
All relevant audit-related documentation must be retained for a period of at least seven years. This includes contracts, policies, authorizations, verifications, recommendations, performance reviews and financial data.
SOX also addresses the need for companies to effectively manage risk in all its forms, including ensuring that data residing on corporate computers is adequately archived and protected from damage or tampering. To meet these needs, an effective archiving system is required that can scale to archive large amounts of data securely for long periods of time.
What should I do?
- Sarbanes-Oxley is actually quite broad, so it’s not always straightforward to find out what the specific requirements for your company are. Take the time to understand how you need to comply with SOX and retain anything financially related in a secure location.
- Once you understand the legislation, look at how you’re currently storing information, how it is distributed and how secure your network is. SOX states that no information can be altered, manipulated or destroyed, so you will need procedures in place to prevent this.
- You will then need to find a solution that archives your information securely and allows for easy data retrieval. Any solution you choose must be fully compliant so you can see how it will fit into your compliance strategy.
- When you have chosen your archiving solution, watch for any risks of data being corrupted or damaged as it is migrated over to the new system.
- Setting up your archiver is not the end of the story. Compliance is an ongoing process, so be sure to continuously assess security risks and manage all email content to stay fully compliant. It is always best to identify any risks before they become serious issues.
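One practical control behind the "no alteration" and "watch for corruption during migration" points above is an integrity manifest: hash every record before it moves, keep the manifest somewhere the migration cannot touch, and compare afterwards. The following is an added example (not code from the original page or from any archiving product) that builds such a manifest and reports missing, unexpected and altered files; the directory layout and file contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256, taken before migration."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the migrated copy against the pre-migration manifest.

    Returns three sorted lists: files that vanished, files that appeared, and files
    whose content no longer matches (corruption or tampering look the same here;
    the manifest itself must be stored on write-once media or signed to be trusted).
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
    }


def demo() -> dict:
    """Constructed scenario: a tiny archive is copied to a new location, then damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "old_archive"), Path(tmp, "new_archive")
        (src / "2019").mkdir(parents=True)
        (src / "2019" / "invoice-001.txt").write_bytes(b"Invoice 001 total 1200.00\n")
        (src / "policy.txt").write_bytes(b"Retention: 7 years\n")
        manifest = build_manifest(src)          # taken before the move
        shutil.copytree(src, dst)               # the "migration"
        (dst / "2019" / "invoice-001.txt").write_bytes(b"Invoice 001 total 1300.00\n")  # altered
        (dst / "policy.txt").unlink()           # lost in transit
        return verify_manifest(dst, manifest)


if __name__ == "__main__":
    print(demo())
```

A clean migration returns three empty lists; anything else should block sign-off until the source copy has been re-checked.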