How to use Alertsec to Enable SOX Compliance for Your Customers

Transcription

1 How to use Alertsec to Enable SOX Compliance for Your Customers Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints

2 Contents Executive Summary... 3 Building... 4 Sarbanes- Oxley Sections and Security... 5 Section 302 Corporate Responsibility for Financial Reports... 5 Section 302.A.4 Establishing & Maintaining Internal Controls... 5 Section 302.A.5 Detecting Security Gaps & Breaches... 6 Section Management Assessment of Internal Controls... 6 Section 404.A Internal Control Effectiveness & Reporting... 6 Section 404.B Internal Control Evaluation & Reporting... 6 Alertsec Features... 7 Summary... 8 References... 8 About Alertsec... 9 Simple, transparent and available to all... 9 Global reach... 9 Tables Table 1 - Section 302.A.4 Requirements... 5 Table 2 - Section 302.A.5 Requirements... 6 Table 3 - Section 404.A Requirements... 6 Table 4 - Section 404.B Requirements... 6 Table 5 - Alertsec Service Compliance Modules

3 Executive Summary The Sarbanes- Oxley (SOX) Act of 2002 was passed in the wake of several large accounting scandals at publicly traded companies. The goal of SOX is to improve corporate governance and accountability and ensure that financial reporting at all public companies is accurate. SOX holds executives directly responsible for the accuracy of disclosed financial information. The consequences for non- compliance can include steep personal fines and even jail time. While SOX is applicable only to public companies, their financial data must be protected as mandated by SOX, even by any accounting firm or other third party that provides financial services to these public companies. Compliance to SOX regulations involves implementing internal controls to ensure and prove the reliability of financial data. Alertsec provides a solid foundation for the implementation of internal controls that are mandated by SOX. Alertsec ensures the integrity of your customers financial data through encryption and by strictly managing user access to protected data. Alertsec also provides audit reports and activity tracking. This solid layer of technical security surrounding customer data is both highly effective and also unobtrusive to users, so it doesn t affect normal business operations within your organization. By minimizing the possibility of data breach or disclosure of information, Alertsec enables your organization to support your customers SOX compliance and SOX reporting requirements. Alertsec features: Protect Safeguard financial data on computers and removable media Comply with SOX requirements through Policy Control and data encryption Manage Deploy to devices and monitor compliance though cloud management tool Figure 1: The Alertsec management and compliance monitoring tool is the simplest to use in the market place 3

4 Building For many small to medium sized public companies, financial services partners may be contracted to handle financial data. Companies providing those financial services must be able to provide proof of their compliance with SOX with respect to protecting their partner s financial data, just as the company does for the data it maintains in- house. Unlike other regulations (such as HIPAA 1 or PCI- DSS 2 ), SOX is not focused on the Confidentiality component of the information security triad: Confidentiality, Integrity and Availability. Instead, SOX compliance focuses on the Integrity of financial data. Data integrity relies on maintaining the security of the data in an auditable manner, so that company executives can be confident about the accuracy and reliability of the data disclosed in their financial reports. The internal controls that you implement to protect customer data will directly support your customers SOX compliance efforts and their confidence when partnering with you. The best way to maintain the integrity of data is to protect the systems where data is accessed, keeping data transparently encrypted 3 and also controlling who can access that data. Alertsec supports SOX compliance by providing a foundation of security and audit capabilities for your endpoint computers, creating a platform upon which you can build a complete compliance solution for your customers financial information. The key is to be able to show how your overall security coverage enables your customers to be compliant, linking the security provided by internal controls to auditing so your customers can evaluate the reliability of the data by determining the security of your systems. SOX does not define specific actions that must be undertaken to ensure compliance. Instead SOX defines the types of controls that need to be in place without specifying the details of how to implement them. This is both good and bad; it provides companies with the flexibility to implement controls that are appropriate for their size, choosing what will work best for them. Yet the flexibility potentially leaves a lot to interpretation by independent auditors. To assist in building a complete story for your customers, you must be able to show how you have maintained their data in a compliant manner. The principle within SOX is that there are known internal controls and that these controls are well- established and auditable. By treating the controls required by SOX as if they were protecting your own data, you can assure customers about the quality of your compliance program when handling their financial data. 1 Health Insurance Portability and Accountability Act 2 Payment Card Industry Data Security Standard 3 Transparent Encryption, also referred to as Real- Time or On- the- fly encryption, is a method used to automatically encrypt or decrypt data as it is loaded or saved 4

5 Sarbanes- Oxley Sections and Security There are two sections of SOX that directly relate to information security: Section Corporate Responsibility for Financial Reports Section Management Assessment of Internal Controls Alertsec provides the functionality for establishing the necessary internal controls for many areas of SOX Sections 302 and 404. The audit records and policy configurations from Alertsec will enable you to show your customers how their compliance programs are being supported. Section 302 Corporate Responsibility for Financial Reports Section 302 details the responsibilities of the signing officers with respect to the financial report. This includes the representation of accurate information, but also specifies that the officers implement, maintain and monitor internal controls to ensure the security and, by extension, the reliability of internal information. Section 302.A.4 Establishing & Maintaining Internal Controls Subsection 302.A.4 is about the responsibilities of the signing officers to establish the internal controls for protecting financial information. The internal controls that are implemented must be auditable and be able to generate reports that can be used to determine the effectiveness of these controls. Part Description Alertsec Support A B C D Signing officers must establish and maintain internal controls Internal controls must provide auditable events that can be reviewed Internal controls must be reviewed (including audit records) within the 90 days prior to a report being issued to ensure the controls are functioning properly It must be possible to generate reports based on the internal controls that can be used to determine the effectiveness of said controls Alertsec provides multiple modules to secure computers against many types of risk, protecting against data breaches as well as ensuring data reliability Alertsec provides audit records for all its services as part of the activity tracking that needs to be monitored Alertsec audit records and configuration settings can be reviewed at any time allowing an administrator to verify the operation of a device at any time Alertsec audit records are easy to read and can be exported in order to generate reports Table 1 - Section 302.A.4 Requirements 5

6 Section 302.A.5 Detecting Security Gaps & Breaches Subsection 302.A.5 is about establishing regular reviews of the internal controls to determine whether there are gaps in the coverage that could lead to unreliable data through the possibility of fraud or even the exposure of company financial data. Any issue with data integrity or fraud must be tracked and disclosed in an audit. Part Description Alertsec Support A Signing officers must report design deficiencies in the internal controls that could impact the reliability of financial data Alertsec provides audit records detailing all protected systems and the status of that protection, pointing out gaps such as devices which have not installed the required software or have software that may be out of date Table 2 - Section 302.A.5 Requirements Section Management Assessment of Internal Controls Section 404 requires that an assessment of the internal controls must be performed and that a report of this assessment must be published as part of the financial report. The report must include the assignment of management responsibility for establishing and maintaining adequate internal control structures and procedures, and an assessment of the effectiveness of those controls. Section 404.A Internal Control Effectiveness & Reporting Part Description Alertsec Support 2 A report must be generated at the end of the fiscal year detailing the effectiveness of the internal controls, including gaps and breaches Alertsec audit records and configuration settings can be reviewed at any time allowing an administrator to verify the operation and effectiveness of the protection on a device at any time Table 3 - Section 404.A Requirements Section 404.B Internal Control Evaluation & Reporting Description Alertsec Support The auditor must report on the assessment of the internal controls made by the officers Alertsec audit records and configuration settings can be reviewed at any time to support a review of internal controls Table 4 - Section 404.B Requirements 6

7 Alertsec Features Alertsec provides compliance security as a service. Instead of requiring the purchase of several individual components and needing to manage them separately. Alertsec provides a single, comprehensive, policy based, cloud- managed package of vital components that work in unison to make your systems secure and compliant with mandated internal controls. The following compliance modules are available: Compliance Module Full Disk Encryption (FDE) Media Encryption/Port Control Compliance Check Anti- Malware/Program Control Firewall Alertsec Auditing Description This ensures that only authorized users can access data on protected computers. A user must provide a valid ID and password before the operating system will boot and any data will automatically be stored encrypted. Media Encryption automatically encrypts any data stored on removable storage media, such as USB sticks and external hard drives, based on policy. Data remains transparent to authorized users. Port control prevents use of unknown/unauthorized media. All endpoints are scanned for compliance with pre- defined security policies that can verify the security software is up to date. Malware detection and prevention using signatures, behavior blockers and heuristic analysis. Policy controlled Program (application) Control can be configured to limit the applications that can be run on the system to only be those that have been explicitly approved. Providing proactive policy based protection, the firewall blocks targeted attacks and stops unwanted traffic, keeping data and systems safe. Audit records for Alertsec Services are centrally recorded for review. From here audit records can be exported for inclusion in SOX reports. Table 5 - Alertsec Service Compliance Modules 7

8 Summary The high- level nature of the requirements specified in SOX gives you the flexibility to design a series of internal controls that best meets the needs of your organization and your customers when considering expertise, available resources and cost. Alertsec can play an important part in your SOX compliance solution by providing a baseline of security and audit capabilities that protect your customers financial information. Implementing Alertsec FDE on the endpoint devices within the company ensures that any copies of customer financial data, such as offline copies for remote work, data in Word documents or Excel spread- sheets, or cached data from applications, are always secured on the endpoint device. Alertsec Media Encryption will enable you to securely utilize removable media to transport customer financial data between systems (such as when large volumes of data need to be backed up or delivered directly to another location, or where secure network transfers are not available or possible). Alertsec Port Control and Application control, combined with anti- malware protection, provide the ability to block access to removable media ports and block unwanted applications in order to prevent any customer financial data from accidentally leaking or being deliberately removed from the device. By ensuring that the data is always encrypted and minimizing the possibility of unsecured access, you can provide assurance about the integrity of your customer s financial data, while audit records ensure you can report on the status of your internal controls. With Alertsec you can ensure that your customers can meet the requirements for evaluating and reporting mandated by Sarbanes- Oxley. References The following selection of websites provide more information about SOX. online.com/ 8

9 About Alertsec Alertsec Inc. was founded in 2007 by Fredrik Lövstedt, co- founder of Pointsec Mobile Technologies, a world leader in encryption and security control software for PC s and mobile devices. Today, Pointsec Full Disk Encryption software is used on more than 30 million laptops around the world. Pointsec was acquired by Check Point Software Technologies Ltd in Simple, transparent and available to all The vision when Alertsec was established was that encryption should be simple, transparent and made available to all. That principle remains at the heart of Alertsec. Alertsec is the easiest way to ensure that any data stored on a laptop is encrypted at all times and kept secure even if the device is lost or stolen. Subscribe and relax! Global reach Today, Alertsec world- wide supports over 500 customers in more than 30 countries. Over 100 US banks have chosen to use Alertsec. Alertsec has offices in Palo Alto, London, Sydney and Stockholm. Alertsec HQ US Alertsec Inc. 470 Ramona Street Palo Alto, CA Tel: