SOX Compliance

The Sarbanes-Oxley Act, also known as SOX, was enacted in 2002 in the wake of several large corporate accounting scandals. Its goal is to improve the accuracy and transparency of financial reporting and to protect shareholders and the general public from accounting errors and fraud.

Who needs to comply with SOX standards?

If your company fits one of the profiles below, it must comply with SOX:

  • A publicly held American company
  • A company that has registered equity or debt with the U.S. Securities and Exchange Commission
  • A public accounting firm that provides audit services to either of the above

SOX itself does not prescribe specific technical controls. The size of your business and the scope of the systems that store, process, or transmit data feeding your financial reports determine the controls your network infrastructure must demonstrate.

Consequences of non-compliance with SOX standards

Failing to comply with SOX can lead to one or more of the following consequences. The criminal penalties come from Section 906 of the Act, which covers an officer who certifies a periodic financial report that does not meet the Act's requirements:

  • Up to 10 years' imprisonment for knowingly certifying a non-compliant report, and up to 20 years for doing so willfully.
  • Fines of up to $1,000,000 for knowing violations, and up to $5,000,000 for willful ones.
  • Loss of customer trust and a damaged reputation.

SOX compliance requirements

One of the crucial requirements of a SOX compliance audit is the review of internal controls. On the IT side, internal controls cover the computers and network hardware that store, process, or transmit financial data. An audit of internal controls will examine the following areas:

Access: This includes both physical and electronic controls. The electronic aspects of access include enforcing strong passwords, locking screens and sessions after inactivity, and limiting who can log in to financial systems and the network devices that carry their traffic.
Security: This covers the controls that prevent unauthorized access to, or tampering with, financial data. SOX compliance requires investing in the services and hardware needed to keep that data protected.
Change Management: This requires records of what was changed on the network, when it was changed, and who changed it. That audit trail is what lets you trace and rectify issues when they occur, and prove to an auditor that only authorized changes reached production.
Backup procedures: SOX compliance requires backup systems to be in place to protect sensitive data. All data centers, both onshore and offshore, are also expected to adhere to SOX standards.

How to ensure SOX compliance with Network Configuration Manager

The following features of Network Configuration Manager help you achieve SOX compliance by fulfilling some crucial SOX requirements.

1. Change Management:

Change management gives you a complete record of what was changed, by whom, and when. Network Configuration Manager allows you to monitor and control changes made to your network with role-based access control, change notifications, and user activity tracking.

2. Login attempts log:

Your network devices could face a brute-force login attack at any point. Network Configuration Manager uses the login attempts log to track failed logins and block the offending user after a specified number of attempts.

3. Enable Secret Password:

Cisco IOS devices allow the privileged-EXEC password to be set with "enable password", which stores it in clear text in the configuration (or, with "service password-encryption", in the type 7 form, which is trivially reversible). Only "enable secret" stores a hash of the password. Network Configuration Manager checks the configured passwords and helps replace the weak form using configlets.

4. Idle timeout:

You can configure a session timeout on the console port, and on the virtual terminal lines used for SSH, after a specified period of idle time. Every idle user is logged out automatically once they cross the inactivity threshold, which shrinks the window in which an unattended session can be used by someone else.

5. Routine backups:

You can manually back up configuration files and databases in Network Configuration Manager, or schedule backups for whenever is convenient. All configuration files are versioned and stored in encrypted form. In addition to the two modes of backup above, syslog events also trigger backups so that no critical configuration change goes unrecorded.

How to fix SOX violations with Network Configuration Manager

Network Configuration Manager allows you to set remediation configlets for compliance policy rules. When you run a compliance check on the associated devices, the compliance report displays the rule violations on each device. You can then fix violations directly from the report by executing the corresponding remediation configlets on the rules that have been violated. This closes the specific gaps the policy tests for, and lowers your chances of being penalized for non-compliance with SOX standards.
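To make the check, remediate and record loop concrete, here is an added example in Python. It is not Network Configuration Manager's own code: it runs three of the rules described above (a hashed enable secret, a login lockout, an idle timeout on every line) over a constructed Cisco IOS running-config, applies remediation configlets, and produces the who/when/what record that change management needs. The rule names, the sample config, the lockout values (3 failures in 60 seconds, 120-second quiet period), the 10-minute exec-timeout and the `<set-by-operator>` placeholder are assumptions made for illustration.

```python
"""SOX-style compliance check of a Cisco IOS running-config: detect, remediate, record.
Added example, not Network Configuration Manager's own code. Rule set, sample config
and record format are assumptions; '<set-by-operator>' is a placeholder, not a secret."""
import difflib
import re
from dataclasses import dataclass

# Constructed sample running-config carrying the weak settings the page discusses.
SAMPLE_CONFIG = """\
hostname core-sw1
enable password Cisco123
service timestamps log datetime msec
line con 0
 exec-timeout 0 0
line vty 0 4
 login local
 transport input ssh
"""

@dataclass
class Violation:
    rule: str
    detail: str
    remediation: list  # IOS configlet lines that fix this violation

def parse_sections(config):
    """Split config into top-level commands and their one-space-indented children."""
    global_lines, sections, parent = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            global_lines.append(parent)
            sections[parent] = []
    return global_lines, sections

def check_config(config):
    """Return the rule violations found in the config."""
    global_lines, sections = parse_sections(config)
    found = []
    # Enable secret: 'enable password' is clear text (or reversible type 7 under
    # service password-encryption); only 'enable secret' stores a hash.
    if any(g.startswith("enable password ") for g in global_lines):
        found.append(Violation("enable-password-cleartext",
                               "privileged-EXEC password set with 'enable password'",
                               ["no enable password"]))
    if not any(g.startswith("enable secret ") for g in global_lines):
        found.append(Violation("enable-secret-missing", "no hashed enable secret",
                               ["enable secret <set-by-operator>"]))
    # Login attempts: quiet the login process after repeated failures.
    if not any(re.match(r"login block-for \d+ attempts \d+ within \d+", g)
               for g in global_lines):
        found.append(Violation("login-block-missing", "no lockout after failed logins",
                               ["login block-for 120 attempts 3 within 60"]))
    # Idle timeout: every con/vty line needs a non-zero exec-timeout ('0 0' disables it).
    for parent, children in sections.items():
        if not parent.startswith("line "):
            continue
        timeouts = [c for c in children if c.startswith("exec-timeout ")]
        values = timeouts[-1].split()[1:] if timeouts else []
        if not values or all(v == "0" for v in values):
            found.append(Violation("idle-timeout", f"{parent}: exec-timeout missing or disabled",
                                   [parent, " exec-timeout 10 0"]))
    return found

def apply_remediation(config, violations):
    """Apply each violation's configlet to the parsed config and re-serialise it."""
    global_lines, sections = parse_sections(config)
    for v in violations:
        first = v.remediation[0]
        if first.startswith("line "):      # parent plus one indented sub-command
            kept = [c for c in sections.setdefault(first, [])
                    if not c.startswith("exec-timeout ")]
            sections[first] = kept + [v.remediation[1].strip()]
            if first not in global_lines:
                global_lines.append(first)
        elif first.startswith("no "):      # remove a global command
            global_lines = [g for g in global_lines if not g.startswith(first[3:])]
        elif first not in global_lines:    # add a global command
            global_lines.append(first)
            sections[first] = []
    out = []
    for g in global_lines:
        out.append(g)
        out.extend(" " + c for c in sections.get(g, []))
    return "\n".join(out) + "\n"

def change_record(before, after, user, when):
    """The who/when/what record a change-management control expects."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                fromfile="before", tofile="after", lineterm="")
    return f"changed-by: {user}\nchanged-at: {when}\n" + "\n".join(diff)

if __name__ == "__main__":
    found = check_config(SAMPLE_CONFIG)
    fixed = apply_remediation(SAMPLE_CONFIG, found)
    print(change_record(SAMPLE_CONFIG, fixed, "alice", "2024-05-01T09:30:00Z"))
```

Run as a script it prints the change record: the removed `enable password` line and the added secret, lockout and timeout lines as a unified diff under the user and timestamp. Re-running `check_config` on the remediated text returns no violations, which is the check an auditor will want to see repeated after every change. The `enable password` rule deliberately matches the type 7 form as well, since "encrypting" a password with `service password-encryption` does not make it a secret.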