Active Directory How-To pages

How to stay compliant to Section 302 and 404 (Security compliance) of the SOX Act?

The Sarbanes-Oxley Act (SOX) is Federal law for all publicly held companies in the USA. The purpose of the act is to reduce fraud, build public confidence and trust, and protect data that may affect companies and shareholders.

The 2 principle sections in this act pertaining to security are Section 302 and 404.

• Section 302: This section elaborates the requirements to safeguard against faulty financial reporting.
• Section 404: This section elaborates the requirements to externally verify the safeguards stated in Section 302 (as well as other sections) by independent auditors.

Section 302-

• 302.2 – Establish safeguards to prevent data tampering.
• 302.3 – Establish safeguards to establish timelines.
• 302.4.A – Establish and maintain internal controls.
• 302.4.B – Establish verifiable controls to track data access.
• 302.4.C – Ensure that safeguards are operational.
• 302.4.D – Periodically report the effectiveness of safeguards.
• 302.5.A&B – Detect Security Breaches.

Section 404-

• 404.A.1 – Disclose security safeguards to independent auditors.
• 404.A.2 – Disclose security breaches to independent auditors.
• 404.B – Disclose failures of security safeguards to independent auditors.