Sarbanes-Oxley (SOX)

Video Activity

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

Certified Cloud Security Professional (CCSP)

Course

Time

12 hours 57 minutes

Difficulty

Intermediate

Video Transcription

00:00

>> One of the laws that we're going to

00:00

discuss is Sarbanes-Oxley,

00:00

all of these, often are referred to as SOX.

00:00

In this lesson, we're going to talk about

00:00

the origins of Sarbanes-Oxley,

00:00

the types of information and

00:00

industry that are regulated by Sarbanes-Oxley,

00:00

and the implications of SOX in the Cloud.

00:00

Sarbanes-Oxley was passed in

00:00

2002 following the Enron and WorldCom scandals.

00:00

In both these scandals,

00:00

there was massive financial fraud of the shareholders,

00:00

and the companies went bankrupt as a result,

00:00

and the auditing firms that were supposed to be

00:00

testing the controls and detecting fraud within

00:00

these companies also went bankrupt.

00:00

In the wake of these scandals,

00:00

the Sarbanes-Oxley was passed.

00:00

What it does is it improves

00:00

transparency regarding the financials

00:00

of public companies,

00:00

and it also has a number of

00:00

high-level security requirements /

00:00

principles that publicly traded companies must meet,

00:00

and it basically forced

00:00

companies to be more disciplined and more

00:00

transparent around their security process,

00:00

and how they protect financial data.

00:00

It's enforced by the Securities and Exchange

00:00

Commission, and when it comes to the Cloud,

00:00

the specifics to focus on are that data,

00:00

specifically financial data,

00:00

must be securely protected

00:00

to prevent tampering and manipulation,

00:00

we've talked about different controls

00:00

within the Cloud context,

00:00

such as first labeling and knowing

00:00

where data is based on its sensitivity,

00:00

then also employing techniques such as

00:00

encryption to protect data at rest.

00:00

Then there are also data breach report requirements.

00:00

This is very common among various forms of legislation,

00:00

that if there is a breach

00:00

and data-sensitive financial information is disclosed,

00:00

the organization has to

00:00

report that this breach occurred,

00:00

and once they've determined that data

00:00

has been accessed or exfiltrated,

00:00

now, one important thing to note is that the breach

00:00

reporting requirements kick in once a company

00:00

has confirmed that the data has been

00:00

accessed by an unauthorized threat after.

00:00

In many cases, breaches have happened months ago,

00:00

but the company has just detected it,

00:00

and after the investigation process

00:00

reveals that data was accessed,

00:00

only then the breach notification rules enacted.

00:00

Companies that are publicly traded,

00:00

also ensure that they use an auditor to audit

00:00

their SOX controls on an annual basis

00:00

to demonstrate their effectiveness.

00:00

If you have Cloud environment,

00:00

you need to ensure that you have

00:00

audit evidence to demonstrate

00:00

the effectiveness of your control,

00:00

and that you're able to collect

00:00

the population of changes to environments,

00:00

your procedures, and policies,

00:00

and demonstrate that you have kept them up to date,

00:00

that you've shown due diligence to

00:00

continually improve your controls over time.

00:00

These are all things that often will

00:00

come up in the auditing process.

00:00

Alright, quiz question.

00:00

All the following are covered by SOX

00:00

except, number one,

00:00

publicly traded companies, two,

00:00

private companies, or three,

00:00

foreign companies on US exchanges.

00:00

If you said private companies, you are correct,

00:00

although there are some caveats that

00:00

companies that hope to be acquired or go

00:00

public themselves often prepare and ensure that they

00:00

are adhering to controls that

00:00

are comparable to those required by SOX.

00:00

In summary, we talk about the origins importance

00:00

of Sarbanes-Oxley,

00:00

that it emerged in 2002 out of

00:00

these scandals involving WorldCom and Enron.

00:00

Then we talked about

00:00

the implications of SOX in the Cloud,

00:00

ensuring that you know where data is,

00:00

that it's properly protected,

00:00

and that you are ready to audit the Cloud if necessary,

00:00

if you are a publicly traded company.

00:00

All right, I'll see you in the next lesson.

Up Next

Gramm-Leach-Bliley act (GLBA)

Health Information Portability and Accountability Act (HIPAA)

Payment Card Industry (PCI)

General Data Protection Regulation (GDPR)

General Data Protection Regulation Privacy Principles

View All

Instructed By

Graham Wicas

Instructor