BLACKSTRATUS SOLUTIONS BRIEF

SOX RELOADED: Essential Practices for Successful Compliance


WHAT SOX IS

The Sarbanes-Oxley Act of 2002 (more commonly known as SOX) is legislation passed by the US Congress to protect shareholders and the American public from fraudulent accounting practices as well as simple errors in the enterprise. As part of its mandate, it was also expected to ensure the accuracy of corporate disclosures. In June of 2003, the Securities and Exchange Commission (SEC) implemented Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), which required corporations not only to include assessments of the controls they used to manage their financial reporting, but also to provide an auditor’s report on that assessment. Both were required as mandatory inclusions in their annual reports.

SOX was intended to improve corporate governance and accountability. It allowed oversight of not only a corporation’s financial controls and reporting, but also how it managed its information systems and electronic records. The controls were put in place to help rebuild investor confidence in corporate reporting standards that had been tainted by several accounting scandals in the early 2000s. So while many agreed that the increased oversight was needed, no one was prepared for the costs.

SOX COMPLIANCE IS EXPENSIVE

Based on a survey conducted by Protiviti in 2015, 58% of large corporations spent more on SOX audit fees than in the previous year. The research also showed that more than half of the large corporations surveyed spent more than $1 million on audit fees associated with SOX compliance, with 25% spending more than $2M. This is an average of $1M spent on SOX for every $1B in revenues. Most of this spending is for increased manpower – internal auditors and accountants – to document, test, and certify internal controls.


REGULATORY RELIEF?

The U.S. SEC and the Public Company Accounting Oversight Board (PCAOB) encourage auditors to consider a risk-based approach in evaluating the internal controls over financial reporting of public companies. They want auditors to focus on the matters most important to internal controls that pose a higher risk of fraud or material error. Similarly, auditors are being encouraged to consider and use the work of other auditors. As more auditors adopt this risk-based approach and consider the work of others, audits will be more scalable for smaller and less complex companies. If properly put into practice, this new focus of auditing for SOX compliance is expected to make SOX more manageable, reduce the associated cost, and enhance its effectiveness in ensuring the adequacy of controls and the integrity of financial reporting.

THE SOX CHALLENGE CONTINUES: MAINTAINING ACCURATE AND RELIABLE FINANCIAL REPORTING

SOX mandates that all public companies document, evaluate, monitor, and report on internal controls for financial reporting. It also requires disclosure of controls and procedures that include IT controls. Where SOX or the implementation of PCAOB standards do not define or are not clear on specific issues, auditors will rely on industry-accepted best practices that are defined by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. The SEC makes specific reference to the COSO Internal Control Framework. PCAOB has also indicated a preference for COSO as a suitable framework. The objectives of the COSO framework include:

• Preventing fraud.

• Improving efficiency and profitability.

• Developing accurate financial reporting.

• Complying with applicable laws and rules.

COSO has identified the essential components of effective internal controls to include risk assessment, control environment and activities, information and communication, and monitoring. COSO clearly summarized the post-SOX environment when it stated, “The increasing power and sophistication of computers and computer-based information systems may contribute even more to the changing nature of fraudulent financial reporting. The last decade has seen the decentralization and the proliferation of computers and information systems into almost every part of the company. This development has enabled management to make decisions more quickly and on the basis of more timely and accurate information. Yet by doing what they do best – placing vast quantities of data within easy reach – computers multiply the potential for misusing or manipulating information, increasing the risk of fraudulent financial reporting. Using computer technology effectively to prevent, detect, and deter fraudulent financial reporting is a challenge that requires foresight, judgment, and cooperation among computer specialists, management, and internal auditors.”

PROACTIVE SECURITY IS THE LINCHPIN

A proactive approach to security is the linchpin to ensuring SOX compliance. Monitoring access to sensitive corporate and customer data is an essential element of an effective SOX compliance and risk management strategy. Companies need to ensure that threats to critical data do not go undetected and that, when incidents do occur, they are quickly remediated and documented for internal and external audits.

WE OFFER A BETTER ALTERNATIVE

This paper explores how security information management (SIM) solutions offer a cost-effective alternative for proactive risk management across your network, applications, databases, and user activities, while enabling SOX compliance as a result of these actions. Properly implemented, a best-practices SIM solution provides organizations reliable, end-to-end security monitoring and incident management processes surrounding financial applications and data, and the IT systems that support them. SIM can enable companies to meet Section 404 objectives through incident resolution management, data collection and retention, accountability, and reporting. By deploying an effective SIM solution, companies are equipped with a full range of tools that support SOX compliance objectives.

SECURITY INFORMATION MANAGEMENT: ENABLES IT CONTROL OBJECTIVE FOR SOX

THE ROLE OF SECURITY INFORMATION MANAGEMENT

For a public company to maintain the accuracy and reliability of financial reporting required by SOX, its IT teams must have:

• Clear visibility into the network.

• Complete oversight and control of logical access to the network, applications, databases, and sensitive data.

• An effective incident resolution management protocol that allows it to respond rapidly to material events within 24 to 48 hours.

• Access to historical data for audit and forensic activities.

A comprehensive and specific approach to managing the IT controls associated with Section 404 of SOX can begin by leveraging a SIM solution – one that enables real-time monitoring and on-demand trend reporting. But technology alone is not the answer. Tools supplement a comprehensive security program that integrates existing assets – people, processes, and policies – that function within the operating environment. By implementing effective, comprehensive SIM policies and procedures for establishing accountability and consistent data collection, retention, and reporting practices, organizations can successfully demonstrate that IT controls support a sound internal control framework that meets Section 404 requirements. A high-performing organization that executes a proactive SIM strategy will establish six key practices, from the top down and the bottom up, to:

1. Clearly define the control environment – Identify the systems, services, devices, data, and personnel associated with financial data and reporting. When selecting controls for the organization, this will help to ensure that such controls support business processes.

2. Strictly control access – Protect not only the data, but the systems, services, and devices within the organization. The organization must be able to demonstrate that it knows which employees, contractors, and partners have physical and logical access to the network, devices, applications, and data for specific and authorized business purposes, and that unauthorized access attempts – both physical and logical – can be identified and mitigated.

3. Validate security controls – Regularly monitor the environment for the performance and effectiveness of the controls in place. Establish baseline activity, study trend line analysis, and ensure that unusual activity can be quickly identified and corrected as necessary.

4. Document all corrective action – Demonstrate that the proper steps were taken to correct systems and adjust policy if a noncompliant situation is identified.

5. Study the results of testing and reporting – Continuously manage and oversee the environment through reporting and testing, while providing documented evidence of due diligence to auditors.

6. Retain data according to local jurisdictional requirements – Preserve near-term and long-term data in its purest form for audit, forensics, and evidentiary presentation.
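The six practices above read as one procedure, so the following Python script, an added example that is neither BlackStratus code nor anything from the original brief, walks a constructed access log through them: an in-scope inventory with the accounts authorised on each system (practice 1), an authorised-access check (2), a per-user baseline comparison that flags unusual modification counts (3), findings that feed a corrective-action record (4 and 5), and a SHA-256 hash chain that keeps the raw lines in their original form and makes later alteration detectable (6). The system names, account names, dates and log format are all assumptions made for the example.

```python
import hashlib
import statistics
from collections import Counter, defaultdict

# Practice 1, the control environment: constructed inventory of systems that
# feed financial reporting and the accounts authorised to change records on
# each. All names are assumptions, not a real environment.
IN_SCOPE = {
    "gl-db": {"acct01", "acct02"},                # general ledger database
    "erp-app": {"acct01", "acct02", "ctrl01"},    # ERP application
}

# Constructed sample log, one event per line: date user system action result
SAMPLE_LOG = """\
2016-03-01 acct01 gl-db modify ok
2016-03-01 acct02 gl-db modify ok
2016-03-02 acct01 gl-db modify ok
2016-03-02 acct02 gl-db modify ok
2016-03-03 acct01 gl-db modify ok
2016-03-03 acct02 gl-db modify ok
2016-03-04 acct01 gl-db modify ok
2016-03-04 acct02 gl-db modify ok
2016-03-04 acct02 gl-db modify ok
2016-03-04 acct02 gl-db modify ok
2016-03-04 acct02 gl-db modify ok
2016-03-04 acct02 gl-db modify ok
2016-03-04 hr07 gl-db modify ok
2016-03-04 ext99 erp-app login failed
2016-03-04 acct01 hr-portal modify ok
"""


def parse_log(text):
    """Turn raw lines into event dicts; lines with the wrong field count are skipped."""
    keys = ("date", "user", "system", "action", "result")
    return [dict(zip(keys, parts)) for parts in map(str.split, text.splitlines())
            if len(parts) == 5]


def check_access(events):
    """Practice 2: flag failed or unauthorised activity on in-scope systems."""
    findings = []
    for e in events:
        if e["system"] not in IN_SCOPE:
            continue                      # out of scope for this control
        if e["result"] == "failed":
            findings.append(("failed_access", e["date"], e["user"], e["system"]))
        elif e["user"] not in IN_SCOPE[e["system"]]:
            findings.append(("unauthorised_access", e["date"], e["user"], e["system"]))
    return findings


def check_baseline(events, day):
    """Practice 3: compare each user's successful modify count on `day` with
    that user's own per-day history. A finding needs both a statistical jump
    (above mean + 3 stdev) and a relative one (at least 3x the mean), so one
    extra change on a one-per-day baseline does not raise noise."""
    history = defaultdict(Counter)        # user -> {date: count}
    today = Counter()
    for e in events:
        if e["system"] in IN_SCOPE and e["action"] == "modify" and e["result"] == "ok":
            if e["date"] < day:
                history[e["user"]][e["date"]] += 1
            elif e["date"] == day:
                today[e["user"]] += 1
    findings = []
    for user, count in today.items():
        counts = list(history[user].values())
        if len(counts) < 2:
            continue                      # too little history for a baseline
        mean, stdev = statistics.mean(counts), statistics.pstdev(counts)
        if count > mean + 3 * stdev and count >= 3 * mean:
            findings.append(("baseline_exceeded", day, user, count, mean))
    return findings


def retain(lines, genesis="0" * 64):
    """Practice 6: keep the raw lines unchanged, each linked to the previous
    record by SHA-256, so any later alteration is detectable at audit time."""
    chain, prev = [], genesis
    for line in lines:
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        chain.append({"line": line, "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, genesis="0" * 64):
    """Recompute every link; return the index of the first bad record, or -1."""
    prev = genesis
    for i, rec in enumerate(chain):
        expected = hashlib.sha256((prev + rec["line"]).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return -1


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # Practices 4 and 5: each finding is the input to a documented
    # corrective-action item; printing stands in for the ticket here.
    for finding in check_access(events) + check_baseline(events, "2016-03-04"):
        print("FINDING", finding)
    chain = retain(SAMPLE_LOG.splitlines())
    print("retained chain intact:", verify_chain(chain) == -1)
    chain[3]["line"] = chain[3]["line"].replace(" ok", " failed")   # simulate tampering
    print("first altered record:", verify_chain(chain))
```

Run stand-alone, the script reports two access findings (an account outside the authorised set modifying the ledger database, and a failed login on the ERP application), one baseline finding for the account whose daily modification count jumped from one to five, and the chain status before and after a retained line is altered. The baseline rule deliberately needs at least two days of history and both an absolute and a relative jump, so ordinary fluctuation does not generate noise that auditors must then wade through.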


DATA COLLECTION AND RETENTION IS PARAMOUNT

The success of each organization’s SIM solution is dependent upon its ability to collect sufficient data from across the network and applications. Each organization should take reasonable steps to ensure that sufficient data is collected to identify and respond to security incidents and to monitor and enforce policies and service level agreements. Appropriate data collection controls enable network and security personnel to review and analyze early warnings of potential system failures, unauthorized access attempts, and security violations; provide support for personnel actions; and aid in reconstructing compromised systems. Automated data collection and retention allows many indicators of security and performance across the network and critical applications to be tracked on a continuous basis – as opposed to a periodic review – helping to create a proactive risk management process for:

• Identifying:

  o Policy violations

  o Anomalous behavior

  o Unauthorized configuration and other conditions that increase the risk of intrusion or other security events

• Real-time collection and historical data retention to quickly and accurately identify, classify, escalate, report, and guide responses to security events or weaknesses

• Incident remediation

• Audit trails

• Forensics support

The BlackStratus Solution: A Holistic Approach to SOX Compliance

The BlackStratus security and compliance platform enables an efficient, comprehensive strategy for examining the adequacy and effectiveness of information security policies, procedures, and practices. BlackStratus delivers a robust security information management system with a variety of tools to help organizations:

• Collect and retain security event data from across the network.

• Identify, track, analyze, and remediate incidents.

• Implement an integrated incident resolution management workflow with embedded knowledge to resolve security incidents.

BLACKSTRATUS SOLUTIONS

The BlackStratus security and compliance platform automates the collection and correlation of the immense volumes of data created through customer-defined policies and procedures. This high-performance SIM platform also provides periodic assessments of the risk and degree of harm that could result from unauthorized access, modification, or destruction of data and information systems that support operations and organizational assets, a fundamental principle behind Section 404. More specifically, the BlackStratus platform provides organizations a core-to-perimeter set of tools and technologies that support Section 404 requirements, including:


• Device, database and application monitoring – Centralized application and device monitoring enables the collection, correlation, analysis, reporting, and retention of audit events from disparate security and network technologies. The BlackStratus platform monitors web and database applications, security and network devices, servers, and desktops to identify threats at the network perimeter, as well as malicious and erroneous inside activity. By monitoring and consolidating security activity on all systems, databases, and devices, and by leveraging a highly intuitive security and compliance reporting system, organizations can protect the integrity of enterprise data – especially from the increasing prevalence of insider threats.

• Incident resolution management – By integrating incident response processes with existing enterprise workflow systems, the BlackStratus platform enables an accelerated incident response through a best-practice, collaborative approach. Companies need to continuously reduce risk exposure through timely and effective incident response, even when faced with vast amounts of security data including countless false positives. Using a clearly defined, repeatable, documented security information workflow, organizations can ensure quick and accurate handling of security incidents and prove diligence in SOX audits.

• Compliance dashboards – BlackStratus’ customizable dashboards provide real-time monitoring and a holistic view of the company’s security posture at a given point in time, and allow security staff to quickly measure threat levels against high-value assets – including those most critical to achieving regulatory compliance.


• Embedded knowledge base – The BlackStratus knowledge base delivers guidance in analyzing, documenting, and reporting on security issues, including newly discovered vulnerabilities, malware, and vendor-specific vulnerability data. Security operators and analysts can obtain a continual flow of relevant and actionable information to pinpoint attacks and provide containment and remediation steps to network and configuration managers. Security teams can get highly specific response guidance in the event of a recurrence because the knowledge base can be updated with organization-specific data, such as information about a previous incident.

• Security operations performance measurement – SOX compliance is driving the need for metrics-based security management. BlackStratus gives organizations the tools to measure the performance of security operations, to better understand risk, and to quantify the success of SOX compliance initiatives. BlackStratus automates key compliance metrics – from vulnerability metrics to high-level risk metrics – by providing reports that focus on vulnerability, threat, and incident response for all SOX-related assets.

• Risk assessment – BlackStratus delivers a continuous, comprehensive picture of risk through a suite of risk assessment tools, techniques, and reports that capture real-time and historical risk information – pinpointing threats and vulnerabilities at the network and user activity level. An array of risk assessment reports provides the necessary details behind each SOX-related asset and its associated risk, enabling security teams to pinpoint and prioritize threats. Real-time insight into the risk baseline is delivered through a suite of operational and management reports that are available from a customizable dashboard.


• Strong correlation of system-wide security events – BlackStratus’ correlation technologies go beyond simply logging security information, and instead speed threat identification and provide an accurate picture of risk. These technologies are architected to handle the massive volume of security information from network-related sources as well as server logs, applications, and databases, and to identify attacks from the inside and beyond based on a thorough understanding of network and user activity. The correlation technologies process large volumes of data from the perimeter down to the core to identify real-time threats and historical patterns. Organizations can leverage their broad security knowledge base and correlate the information to uncover threats that would otherwise go undetected, facilitating proactive security management.

• Incident detection through visualization and reporting – With the BlackStratus solution, organizations can visualize threats as well as the security information underlying the threats. Security teams can assimilate information faster and then focus on the real security threats, mitigating vulnerabilities before threats proliferate. Through in-depth reporting, key stakeholders and auditors have ready access to actionable information on all security-related issues such as viruses, worms, and other malicious code; all system status and configuration changes; and privilege and authorization changes.


• A highly scalable and redundant security architecture – The extensive scalability of the BlackStratus architecture cost-effectively supports growth and ensures that as your organization grows and changes, your SIM solution can grow and evolve with it. These robust SIM architectures incorporate high volumes of data from across the organization, regardless of the number of devices, applications and databases. BlackStratus offers the only multitier SIM architecture with full failover to ensure SOX compliance.
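The correlation bullet above describes joining events from separate sources so that a pattern invisible in any single log becomes visible. As an added illustration, not BlackStratus code and not taken from the brief, the Python below pairs a privilege grant recorded by a directory server with record modifications on a ledger database by the same account within a 24-hour window, and returns an alert that carries both source events as evidence. Either event alone is routine; the pairing is what a correlation rule surfaces. The log lines, host names, role names and field layout are constructed for the example.

```python
import datetime as dt

# Constructed events from two separate sources (host and field names assumed).
DIRECTORY_LOG = [
    "2016-03-07T08:55:00 dirsrv privilege_granted user=tmp42 role=gl-writer",
    "2016-03-07T09:10:00 dirsrv privilege_granted user=acct03 role=gl-reader",
    "2016-03-07T11:00:00 dirsrv privilege_revoked user=tmp42 role=gl-writer",
]
DB_AUDIT_LOG = [
    "2016-03-07T09:20:00 gl-db record_modified user=tmp42 table=journal_entries rows=340",
    "2016-03-07T09:25:00 gl-db record_modified user=acct01 table=journal_entries rows=3",
    "2016-03-08T15:00:00 gl-db record_modified user=acct03 table=journal_entries rows=1",
]


def parse(line):
    """'<iso-time> <host> <event> k=v ...' into a dict with a datetime."""
    ts, host, event, *pairs = line.split()
    rec = {"ts": dt.datetime.fromisoformat(ts), "host": host, "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def correlate(directory_lines, db_lines, window=dt.timedelta(hours=24)):
    """Join privilege grants to record modifications by the same account that
    occur within `window` after the grant, summing the rows touched. Each
    alert carries both source events so an analyst or auditor sees the whole
    picture rather than a single log line."""
    grants = [r for r in map(parse, directory_lines) if r["event"] == "privilege_granted"]
    mods = [r for r in map(parse, db_lines) if r["event"] == "record_modified"]
    alerts = []
    for g in grants:
        matched = [m for m in mods
                   if m["user"] == g["user"] and g["ts"] <= m["ts"] <= g["ts"] + window]
        if matched:
            alerts.append({
                "user": g["user"],
                "role": g["role"],
                "rows": sum(int(m["rows"]) for m in matched),
                "minutes_after_grant": int((matched[0]["ts"] - g["ts"]).total_seconds() // 60),
                "evidence": [g] + matched,
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(DIRECTORY_LOG, DB_AUDIT_LOG):
        print(f"{a['user']} granted {a['role']} then changed {a['rows']} rows "
              f"{a['minutes_after_grant']} min later; {len(a['evidence'])} source events")
```

With the default window only the tmp42 grant correlates (340 rows changed 25 minutes after the grant); the acct03 modification falls almost 30 hours after its grant and is left alone, which is the kind of tuning decision a SIM rule needs to document so that auditors can see why a threshold was chosen.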


SECURITY AND COMPLIANCE MANAGEMENT SOLUTIONS

With BlackStratus Security Information and Log Management platform capabilities, BlackStratus delivers the most well-engineered security compliance management solutions available today: powerful, scalable and flexible. From real-time threat identification and mitigation to log management and audit readiness, BlackStratus is renowned for providing solutions that help organizations take control of security, operations and compliance. Our patented, award-winning technologies tie together silos of data to obtain a complete, understandable picture of network security and compliance posture. By centralizing huge volumes of data - from the perimeter to the core of the network - and delivering the right security information into the right hands at the right time, BlackStratus solutions dramatically improve your organization’s ability to identify and rapidly respond to threats. Companies can finally gain an effective, proactive approach to protecting critical data and ensuring compliance with regulatory mandates and corporate policies. The BlackStratus platform delivers a whole new breadth and depth of security intelligence, regardless of organizational size, type, or budget. Unlike other SIM or Log Management vendors, BlackStratus will not force an overly expensive SIM with more horsepower than you need, or try to ineffectively scale a basic log management solution to fit the needs of a complex, distributed environment. We are the only SIM vendor that has a complete line of solutions to effectively address your specific needs, from both a performance and cost perspective. We believe that no matter how large or small your network, you should not have to make a choice between being secure and being compliant.

BlackStratus – Enterprise-class Security and Compliance Platform

The BlackStratus security and compliance platform, the industry’s most robust Security Information Management software solution, transforms huge volumes of disparate, security-related data into understandable, actionable intelligence. Built on a highly scalable n-tier architecture, it enables large organizations with complex networks to centrally gather, analyze, and accurately report on security events and risk posture. By identifying and enabling a rapid response to threats and providing an auditable compliance framework, it helps protect valuable data and address a myriad of regulatory challenges.

BlackStratus offers all-in-one or combined SIM and Log Management appliances that are fast, effective and exceptionally affordable. Easy to deploy and use, BlackStratus features advanced correlation technologies and real-time monitoring for rapidly identifying and prioritizing threats. Add to that comprehensive log collection, documentation and storage - and organizations can now cost-effectively meet compliance demands while enhancing their overall security posture. BlackStratus offers flexible deployment options to accommodate any size networking environment.


CONCLUSIONS

With concerns regarding the ongoing costs associated with addressing a SOX audit, many affected organizations lose sight of the positive effect on corporate governance gained by improving the accuracy and reliability of financial data. SOX compliance can assist organizations in improving operational efficiencies, and provide assurance of good business practice to consumers and investors. Section 404 mandates that management take an active role in operational oversight. Additionally, many organizations have a new appreciation for the role of IT in the internal control structure and a renewed appreciation for effective information security controls. Management needs to work closely with IT organizations on risk assessment and the implementation of security policies and operations. Overall, a security program that integrates people, policies, process, and technology is the best approach to managing Section 404 compliance. Fully implemented, holistic SIM solutions like BlackStratus, along with alignment of human, process, and information controls, enable organizations to meet SOX objectives. By leveraging existing technology and tools, organizations can identify, assess, and report on the status and security of financial-related processes and information, and can provide tangible evidence of their information security initiatives.


ADDITIONAL RESOURCES

Further information about Sarbanes-Oxley is available at the following websites:

• The Securities and Exchange Commission: www.sec.gov – the official source of government information on regulation, documentation, interpretation, and updates

• The Public Company Accounting Oversight Board: www.pcaob.org – the official source of Sarbanes-Oxley for auditors

• The IT Governance Institute: www.itgi.org – an industry consortium that has produced interpretation documentation and guidance for filers and implementers

• SOX Financial Frameworks: http://www.soxonline.com/coso_cobit_coso_framework.html – information on Sarbanes-Oxley and supporting working documents, with daily news updates

• Sarbanes-Oxley.com: www.sarbanes-oxley.com – a private information website, portions of which are available only to subscribers


ABOUT BLACKSTRATUS

BlackStratus is a pioneer of security and compliance solutions deployed and operated on premise, in the cloud or “as a Service” by providers of all sizes, government agencies and individual enterprises. Through our patented multitenant security information and event management (SIEM) technology, BlackStratus delivers unparalleled security visibility, prevents costly downtime, and achieves and maintains compliant operations at a lower cost to operate.

BlackStratus and the BlackStratus logo are trademarks of BlackStratus, Inc. Other third-party trademarks are the property of their respective owners. © 2016 BlackStratus, Inc. All Rights Reserved.

BlackStratus, Inc. | 1551 South Washington Avenue Suite 401 | Piscataway, NJ 08854 | T. 732.393.6000 | F. 732.393.6090 | www.blackstratus.com