Sarbanes-Oxley (SOX) sets standards for all public companies in the U.S., including their management, external boards, and public accounting firms. One of the biggest impacts of SOX on IT organizations is section 404. Because of the consequences of not complying with SOX, many CIOs are directly involved in ensuring their IT organizations meet its requirements. Criminal penalties for violating SOX can include fines and imprisonment for those who knowingly violate the act.
SOX requires the use of an internal control framework or set of best practices, such as COBIT or ITIL, that enables specific application transaction processing management procedures. While SOX focuses on financial application transactions such as payroll, general ledger, accounts payable, and other "key" systems, the strict penalties for violation lead most companies to take a broad approach, ensuring control mechanisms for every IT element that may somehow affect the balance sheet. Application transaction controls and access controls are both critical for compliance. This includes not only the applications themselves, but also the supporting systems, such as networks, operating systems, and databases.
Health care organizations of all sizes must contend with HIPAA, the act that requires controlling access to protected health information. HIPAA mandates that computer systems and electronic communications containing private health care information transmitted electronically over open networks cannot be intercepted by anyone other than the intended recipient. Organizations that violate HIPAA can also face civil penalties, fines, and legislative hearings.
Any organization that stores, transmits, or processes credit cards is also subject to the Payment Card Industry (PCI) standard. If they don't comply, they can lose the privilege of processing cards. While some requirements, such as installing and maintaining a firewall and not using vendor-supplied defaults for system passwords and other security parameters, are straightforward, other requirements, such as maintaining a policy that addresses information security and restricting access to data by the business, can be more challenging to achieve. The dozen-plus requirements, which also include tracking and monitoring all access to network resources and cardholder data as well as regular testing, will likely require a suite of tools from various vendors to accomplish this disparate set of tasks. These include anti-virus software, configuration management products, host-based security products, data protection appliances, and more robust password policy software.