Impact of Sarbanes-Oxley on Information Security
Internal controls in a financial system depend on the following information security capabilities:
- Users are reliably authenticated before they can access the system.
It should be difficult or impossible for anyone other than a legitimate user to impersonate that user.
- Only authorized users have access to the system.
This implies control over the introduction of new users into the system, and an efficient, reliable process to terminate access once it is no longer appropriate.
- Once signed in, users can only perform actions for which they have authority.
This implies a strong connection between business processes, which determine what privileges are appropriate to each user, and access controls inside the system.
- Users are assigned rights in a manner that allows one user to monitor the actions of another.
This is where traditional financial controls, such as separation of duties, fit into the security structure.
- User actions are recorded in an indelible record.
It should be possible to trace user actions after the fact, for audit and accountability reasons.
- Data is protected.
This implies encryption of transmitted and stored data, access controls at the data storage layer (filesystem or database), and sound backups.
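As an added illustration, not part of the original article, of how the authorization, separation-of-duties and indelible-record capabilities above fit together in code, here is a hypothetical payment-approval module in Python: role-based checks decide what each user may do, the user who created a payment can never approve it, and every attempt, allowed or denied, is written to a hash-chained log whose `verify_log()` detects later alteration or deletion. The users, roles and payment identifiers are constructed for the example.

```python
import hashlib
import json
# Constructed role assignments for hypothetical users: roles map to permissions, users to roles.
ROLES = {"alice": {"ap_clerk"}, "bob": {"ap_approver"}, "carol": {"ap_clerk", "ap_approver"}}
PERMISSIONS = {"ap_clerk": {"create_payment"}, "ap_approver": {"approve_payment"}}
USER_PERMS = {u: set().union(*(PERMISSIONS[r] for r in rs)) for u, rs in ROLES.items()}
GENESIS = "0" * 64

def digest(entry):  # hash of an entry's fields, excluding its own hash
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class PaymentSystem:
    def __init__(self):
        self.payments, self.log = {}, []  # log is a hash chain: each entry commits to the previous

    def record(self, user, action, payment_id, outcome):
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"user": user, "action": action, "payment_id": payment_id,
                 "outcome": outcome, "prev": prev}
        entry["hash"] = digest(entry)
        self.log.append(entry)

    def verify_log(self):
        """True if no entry has been altered or removed since it was written."""
        prev = GENESIS
        for e in self.log:
            if e["prev"] != prev or digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def create_payment(self, user, payment_id, amount):
        ok = "create_payment" in USER_PERMS.get(user, ())
        if ok:
            self.payments[payment_id] = {"amount": amount, "created_by": user, "approved_by": None}
        self.record(user, "create_payment", payment_id, "ok" if ok else "denied")
        return ok

    def approve_payment(self, user, payment_id):
        p = self.payments.get(payment_id)
        if p is None or "approve_payment" not in USER_PERMS.get(user, ()):
            outcome = "denied"
        elif p["created_by"] == user:  # separation of duties: no self-approval
            outcome = "denied_sod"
        else:
            p["approved_by"], outcome = user, "ok"
        self.record(user, "approve_payment", payment_id, outcome)
        return outcome == "ok"
```

Denied attempts are logged as well as successful ones, since an audit trail that records only what succeeded cannot show who tried to exceed their authority.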
It is important to note that financial information systems depend on other information systems infrastructure -- directories, network operating systems, perimeter defenses, virus protection and more. When considering information security requirements for a financial system, it is essential to protect all of this supporting infrastructure as well.