Sarbanes-Oxley (SOX)

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
>> One of the laws that we're going to discuss is Sarbanes-Oxley, often referred to as SOX. In this lesson, we're going to talk about the origins of Sarbanes-Oxley, the types of information and industry that are regulated by Sarbanes-Oxley, and the implications of SOX in the Cloud.

Sarbanes-Oxley was passed in 2002 following the Enron and WorldCom scandals. In both of these scandals, there was massive financial fraud of the shareholders, and the companies went bankrupt as a result, and the auditing firms that were supposed to be testing the controls and detecting fraud within these companies also went bankrupt. In the wake of these scandals, Sarbanes-Oxley was passed.

What it does is it improves transparency regarding the financials of public companies, and it also has a number of high-level security requirements and principles that publicly traded companies must meet. It basically forced companies to be more disciplined and more transparent around their security process and how they protect financial data. It's enforced by the Securities and Exchange Commission.

When it comes to the Cloud, the specifics to focus on are that data, specifically financial data, must be securely protected to prevent tampering and manipulation. We've talked about different controls within the Cloud context, such as first labeling and knowing where data is based on its sensitivity, then also employing techniques such as encryption to protect data at rest.

Then there are also data breach reporting requirements. This is very common among various forms of legislation: if there is a breach and sensitive financial information is disclosed, the organization has to report that this breach occurred once they've determined that data has been accessed or exfiltrated. Now, one important thing to note is that the breach reporting requirements kick in once a company has confirmed that the data has been accessed by an unauthorized threat actor. In many cases, breaches happened months ago, but the company has just detected it, and after the investigation process reveals that data was accessed, only then are the breach notification rules enacted.

Companies that are publicly traded also ensure that they use an auditor to audit their SOX controls on an annual basis to demonstrate their effectiveness. If you have a Cloud environment, you need to ensure that you have audit evidence to demonstrate the effectiveness of your controls, and that you're able to collect the population of changes to environments, your procedures, and policies, and demonstrate that you have kept them up to date, that you've shown due diligence to continually improve your controls over time. These are all things that often will come up in the auditing process.

Alright, quiz question. All the following are covered by SOX except: number one, publicly traded companies; two, private companies; or three, foreign companies on US exchanges. If you said private companies, you are correct, although there are some caveats, in that companies that hope to be acquired or go public themselves often prepare and ensure that they are adhering to controls that are comparable to those required by SOX.

In summary, we talked about the origins and importance of Sarbanes-Oxley, that it emerged in 2002 out of these scandals involving WorldCom and Enron. Then we talked about the implications of SOX in the Cloud: ensuring that you know where data is, that it's properly protected, and that you are ready to audit the Cloud if necessary, if you are a publicly traded company.

All right, I'll see you in the next lesson.