Achieving Sarbanes-Oxley Compliance with Penetration Testing
The Sarbanes-Oxley Act of 2002 was enacted to prevent financial statement fraud among public companies doing business in the U.S. The Act set new mandates for strengthened controls, accurate financial auditing and reporting, and increased risk management. CORE IMPACT helps to protect the controls and procedures required by the Act while equipping you with the security audit information necessary for compliance.
The Sarbanes-Oxley Act makes corporate executives responsible for establishing, evaluating and monitoring financial reporting controls. Penalties and sanctions for non-compliance can include fines up to $5 million, imprisonment up to 20 years and de-listing from stock exchanges.
Section 404 and the Role of IT in Sarbanes-Oxley Compliance
IT organizations are most affected by Section 404 of the Sarbanes-Oxley Act, which seeks to preserve the integrity of financial data by requiring all public organizations to:
- implement a series of internal controls and procedures for financial reporting, and
- submit an annual assessment of internal controls and procedures to the SEC.
The Public Company Accounting Oversight Board created by the Act recommends implementation of the controls defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO controls are deployed primarily in IT systems, requiring IT departments to play a key role in compliance efforts.
Meeting Sarbanes-Oxley Requirements for Internal Controls with CORE IMPACT
Penetration testing with CORE IMPACT assists with Sarbanes-Oxley compliance by addressing key components of the COSO controls.
Risk Assessment
"Every entity faces a variety of risks from external and internal sources that must be assessed... Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change."
By systematically identifying, exploiting and recording real network vulnerabilities, CORE IMPACT gives you a clear assessment of your information security risks. With CORE IMPACT, you can quickly and easily re-evaluate your security posture to ensure compliance as your network infrastructure evolves with the demands of your business.
Control Activities
"Control activities... include a range of activities as diverse as approvals, authorizations, verifications, reviews of operating performance and security of assets."
Penetration testing with CORE IMPACT helps you protect your network assets from unauthorized access and ensure the integrity of application-driven controls. The product exposes actual attack paths, allowing you to efficiently remediate vulnerabilities that put your controls at risk.
Information and Communication
"Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business."
Penetration testing with CORE IMPACT enables you to validate that your organization's systems of record are secure and stable. The product generates detailed reports that assist with compliance by quantifying your testing procedures.
Monitoring
"Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two."
CORE IMPACT enables you to independently monitor the security of your IT infrastructure on a regular basis and perform in-house risk assessments as internal controls and processes change. Because CORE IMPACT penetration tests are repeatable, you can easily compare successive test results to demonstrate progress and highlight changes.