Compliance
Sarbanes-Oxley (SOX)
Regulation Summary
The Sarbanes-Oxley Act of 2002 was designed to reform the reporting, governance and disclosure of public company financial statements. Sarbanes-Oxley (SOX) mandates that public companies demonstrate due diligence in the disclosure of financial information and maintain internal controls and procedures for the communication, storage and protection of that data.
While IT security is not explicitly mentioned in the legislation, it is in practice a central requirement of Sarbanes-Oxley compliance. SOX requires companies to assess any risk associated with information technology, or with the internal processes that depend on it, that may impact the accurate and timely reporting of financial information. Specifically, the SOX requirements include:
- Section 302: Establishes the responsibility of the CEO and CFO for establishing and maintaining internal controls.
- Section 404: Requires management to assess the effectiveness of internal controls, obtain external validation of those controls, and provide assurance that financial and accounting processes are protected from unauthorized use.
- Section 409: Requires real-time disclosure of material events.
Meeting the Compliance Challenge
Faced with the penalties for non-compliance (hefty fines and possible jail time), companies need a comprehensive, enterprise security system that addresses these common, best-practice control objectives: information security, vulnerability assessment, asset identification, configuration policy, threat detection and response, policy enforcement, and monitoring.
The Sourcefire 3D System™ is well suited to help your company achieve Sarbanes-Oxley compliance. 3D is the first system to unify IPS, network behavior analysis (NBA), network access control (NAC) and vulnerability assessment technologies under the same management console. This ETM approach provides an efficient and effective layered security defense, protecting network assets before, during and after an attack, and helps ensure that your financial systems are protected from unauthorized access.
Sourcefire Supports SOX Requirements
The Sourcefire 3D System helps your organization comply with Sarbanes-Oxley requirements. The table below shows a few examples of common control objectives that Sourcefire supports.
| Control Objective | The Sourcefire 3D Approach |
|---|---|
| Appropriate controls are in place to prevent unauthorized access via public networks | The 3D System provides several best-practice controls to secure networks from unauthorized use, including intrusion prevention, vulnerability assessment, asset discovery and network behavior analysis. |
| Monitoring, logging and reporting of security activity | The 3D System monitors, logs and reports security events from IDS/IPS, potential vulnerabilities, and violations of configuration and acceptable-use policies. |
| Authorized software on company IT assets | Users may set and automatically enforce authorized-software policies. The 3D System passively identifies all assets, operating systems, protocols and applications present on your network, in real time. |
| System infrastructure is properly configured to prevent unauthorized access | A baseline configuration policy can be automatically enforced in real time. |
| Security incident response | Impact flags speed analysis of incidents, and the P&R system supports the established incident response process by automating remediation or alerting the incident response team. |
| Periodic testing and assessment is performed confirming the infrastructure is appropriately configured | The 3D System goes beyond periodic testing by performing configuration policy enforcement continuously, in real time. |