Sarbanes-Oxley

What is it?

Commonly called SOX or Sarbox, the Sarbanes-Oxley Act of 2002 establishes enhanced standards for all US public company boards, management and public accounting firms. The Act contains 11 titles with two key provisions:

SOX Section 302: Internal Control Certification

Section 302 mandates a set of internal procedures designed to ensure accurate financial disclosure.  

SOX Section 404: Assessment of Internal Control

Section 404 requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting. This is the most costly and resource-consuming part of the Act to comply with.

Impact of Section 404 on IT

Information technology controls that address financial risks are within the scope of the Section 404 assessment. CIOs are typically responsible for the IT organization and the IT personnel involved. The SEC identifies COSO as the framework for achieving compliance; COSO defines five components of internal control, which support the requirements set forth in the Sarbanes-Oxley legislation, as follows:

  • Risk Assessment - IT must assess and understand the areas of risk affecting the completeness and validity of the financial reports. The company's systems, and the level at which they are used, must be examined to confirm the accuracy of existing documentation.

  • Control Environment - The control environment sets the tone of an organization and influences the control consciousness of its people, providing discipline and structure. Factors in the control environment include, but are not limited to, integrity, ethical values, competence, management philosophy, segregation of authority and responsibility, personnel development, and operating style.

  • Control Activities - Policies and procedures must be in place to ensure that management directives are carried out and that the activities occurring throughout the organization are controlled, such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, and security of assets.

    In an IT environment, control activities include general controls (e.g. program changes, access to programs, and computer operations) and application controls.

  • Monitoring - Auditing processes and schedules should be developed to address high-risk areas within the IT organization. IT personnel must perform frequent internal audits, and these audits should also involve personnel from outside the IT organization. Management is held responsible for understanding the outcome of these audits.

  • Information and Communication - Areas of risk must be proactively identified, communicated and addressed in a timely and accurate manner.

Compliance Solution

Any compliance solution must help the IT organization address these control objectives, which are commonly mapped to SOX requirements:

  1. DS5.4 User account management
  2. DS5.6 Security incident definition
  3. DS5.11 Exchange of sensitive data
  4. ME1.4 Performance assessment
  5. ME1.5 Board and executive reporting

Such a solution must be able to provide a complete historical trail, including the prior data values, for every read, update, change, delete and access transaction, including those performed by privileged users.
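The audit-trail requirement above is easiest to understand in code. The following is an added example, not part of the original page or of any vendor's product: a small in-memory store (a stand-in for an application's financial records) in which every read, update and delete, including those by privileged actors, is appended to an immutable trail that keeps the value before the operation. The `value_at` method shows how a historical value can be reconstructed from that trail, and `trail(privileged_only=True)` isolates privileged-user activity for review. The account key `GL-4010`, the actor names and the amounts are constructed sample data.

```python
"""Append-only audit trail that retains prior data values for every operation.

Added example (not from the original page). The store, key names, actors and
amounts are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class AuditEvent:
    seq: int            # monotonically increasing position in the trail
    ts: str             # UTC timestamp, ISO 8601
    actor: str          # who performed the operation
    privileged: bool    # True for administrative / DBA style accounts
    op: str             # "read", "update" or "delete"
    key: str            # record identifier, e.g. a general-ledger account
    old_value: Any      # value before the operation (None if none existed)
    new_value: Any      # value after the operation (None for read/delete)


class AuditedStore:
    """Every read, update and delete goes through this class and is recorded.

    The trail is append-only: no method edits or removes an existing event,
    and privileged actors take exactly the same code path as everyone else.
    """

    def __init__(self) -> None:
        self._data: Dict[str, Any] = {}
        self._trail: List[AuditEvent] = []

    def _record(self, actor: str, privileged: bool, op: str, key: str,
                old: Any, new: Any) -> None:
        event = AuditEvent(
            seq=len(self._trail) + 1,
            ts=datetime.now(timezone.utc).isoformat(),
            actor=actor, privileged=privileged, op=op, key=key,
            old_value=old, new_value=new,
        )
        self._trail.append(event)

    def read(self, actor: str, key: str, privileged: bool = False) -> Any:
        # Reads are recorded too: SOX wants access, not just change, to be traceable.
        value = self._data.get(key)
        self._record(actor, privileged, "read", key, value, None)
        return value

    def update(self, actor: str, key: str, new_value: Any,
               privileged: bool = False) -> None:
        old = self._data.get(key)          # capture the prior value first
        self._data[key] = new_value
        self._record(actor, privileged, "update", key, old, new_value)

    def delete(self, actor: str, key: str, privileged: bool = False) -> None:
        old = self._data.pop(key, None)    # the deleted value survives in the trail
        self._record(actor, privileged, "delete", key, old, None)

    def trail(self, key: Optional[str] = None,
              privileged_only: bool = False) -> List[AuditEvent]:
        """Return a copy of the trail, optionally filtered by key or privilege."""
        return [e for e in self._trail
                if (key is None or e.key == key)
                and (not privileged_only or e.privileged)]

    def value_at(self, key: str, seq: int) -> Any:
        """Reconstruct the value of `key` as it stood after trail position `seq`."""
        value = None
        for e in self._trail:
            if e.seq > seq:
                break
            if e.key != key:
                continue
            if e.op == "update":
                value = e.new_value
            elif e.op == "delete":
                value = None
        return value


def demo() -> AuditedStore:
    """Constructed sequence of operations on one ledger account."""
    store = AuditedStore()
    store.update("clerk.jane", "GL-4010", 125000.00)                     # seq 1
    store.read("auditor.sam", "GL-4010")                                 # seq 2
    store.update("dba.root", "GL-4010", 98000.00, privileged=True)       # seq 3
    store.delete("dba.root", "GL-4010", privileged=True)                 # seq 4
    return store


if __name__ == "__main__":
    s = demo()
    for e in s.trail():
        print(e.seq, e.actor, e.op, e.key, e.old_value, "->", e.new_value)
    print("privileged changes:", [(e.seq, e.op) for e in s.trail(privileged_only=True)])
```

Running the module prints the four recorded events; the privileged `dba.root` entries appear in the same trail as the clerk's and auditor's activity, with the 125000.00 balance preserved as the `old_value` of the privileged update even after the record is deleted.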
