Hacking Your SOX Off: Sarbanes Oxley, Fraud, and Fraudulent Financial Reporting (Hacking Illustrated Series InfoSec Tutorial Videos)
I had to do a presentation for one of my MBA courses, and one of the topic
choices was the Sarbanes-Oxley Act. I chose it because I thought I could relate
it to computer security, but as it turns out the connection is somewhat tenuous,
as you will see if you watch the presentation. Below is a screencast of the
presentation, and below that a text version of my PowerPoint slides for easy
reference.
Sarbanes Oxley, Fraud, and Fraudulent Financial Reporting
Adrian Crenshaw
Disclaimer
IANAL
I Am Not A Lawyer
IANACPA
I Am Not A Certified Public Accountant
Why did I choose this topic?
I had to do it for class. :)
I do a lot of information security education from the technical side, so I
wanted to know what SOX means for a techie
I kept seeing folks referring to “SOX Compliance” in my security reading
So, what does SOX mean to a hacker?
What is SOX
Sarbanes-Oxley is US legislation enacted on July 30, 2002
AKA: Public Company Accounting Reform and Investor Protection Act of 2002
SOX
Sarbox
CPA Employment Act :)
Put forth in part because of accounting scandals of corporations such as Enron,
Tyco International, Adelphia, Peregrine Systems and WorldCom that cost investors
billions of dollars
What is SOX
"To protect investors by improving the accuracy and reliability of corporate
disclosures made pursuant to the securities laws, and for other purposes." [1]
Attempts to increase accountability
Applies only to publicly traded companies
Sections
1) Public Company Accounting Oversight Board (PCAOB)
2) Auditor Independence
3) Corporate Responsibility
4) Enhanced Financial Disclosures
5) Analyst Conflicts of Interest
6) Commission Resources and Authority
7) Studies and Reports
8) Corporate and Criminal Fraud Accountability
9) White Collar Crime Penalty Enhancement
10) Corporate Tax Returns
11) Corporate Fraud Accountability
Key Provisions
SOX Section 302: Internal control certifications
SOX Section 404: Assessment of internal control
SOX Section 802: Criminal penalties for violation of SOX
Information Security Triad
What is an Internal Control
SOX Section 302: Internal control certifications
Holds the Chief Executive Officer (CEO) and Chief Financial Officer (CFO)
personally responsible to certify that financial reports are accurate and
complete.
They must also assess and report on the effectiveness of internal controls
around financial reporting.
CEOs and CFOs now face the potential for criminal fraud liability.
Section 302 does not specifically list which internal controls must be assessed.
SOX Section 404: Assessment of internal control
The most contentious aspect of SOX
PCAOB standards require management to do the following:
Assess both the design and operating effectiveness of selected internal controls
related to significant accounts and relevant assertions, in the context of
material misstatement risks;
Understand the flow of transactions, including IT aspects, sufficiently to
identify points at which a misstatement could arise;
Evaluate company-level controls, which correspond to the components of the COSO
framework;
Perform a fraud risk assessment;
Evaluate controls designed to prevent or detect fraud, including management
override of controls;
Evaluate controls over the period-end financial reporting process;
Scale the assessment based on the size and complexity of the company;
Rely on management's work based on factors such as competency, objectivity, and
risk;
Conclude on the adequacy of internal control over financial reporting.
SOX Section 802: Criminal penalties for violation of SOX
"Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies,
or makes a false entry in any record, document, or tangible object with the
intent to impede, obstruct, or influence the investigation or proper
administration of any matter within the jurisdiction of any department or
agency of the United States or any case filed under title 11, or in relation to
or contemplation of any such matter or case, shall be fined under this title,
imprisoned not more than 20 years, or both."
Also requires auditors to maintain accounting
documents and work papers for a minimum of five
years.
So, after all of that, what does SOX have to do with information security?
Not a whole lot; it's primarily concerned with accuracy in financial reports.
InfoSec professionals may benefit from bigger budgets because the higher-ups are
afraid of liability for inaccurate data (playing the Integrity angle).
However, InfoSec can help in the following ways:
Documentation, documentation, documentation
Control of access to financial records
Detection of modification
Prevention of data loss and contingent liabilities
Contingent liability
Liability for investor losses in stock price based on:
Disclosures that lessen consumer confidence
Security issues that affect reliability and safety
COBIT
Control Objectives for Information and related Technology
Security Policy
Security Standards
Access and Authentication
Network Security
Monitoring
Segregation of Duties
Physical Security
Criticism
Higher cost burden on US companies
Fewer IPOs take place on US stock exchanges
Praise
Increased investor confidence
Financial restatements decreased significantly
Web References
[1] The text of the law (PDF)
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf
SANS Institute - An Overview of Sarbanes-Oxley for the Information Security
Professional by Gregg Stults
http://www.sans.org/reading_room/whitepapers/legal/1426.php
Sarbanes Oxley for IT Security by Mark Rasch
http://www.securityfocus.com/columnists/322
Signing Statement of George W. Bush
http://www.whitehouse.gov/news/releases/2002/07/20020730.html
COBIT Site
http://www.isaca.org/cobit
SOX Wikipedia Entry
http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
Sarbanes-Oxley An Opportunity for Security Professionals
http://www.secureworks.com/research/newsletter/2005/03/
The Sarbanes-Oxley Act 2002
http://www.soxlaw.com/
Book References
Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools
Lahti, Christian; Peterson, Roderick
ISBN 9781597490368
IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799
Calder, Alan; Watkins, Steve
ISBN 9780749444143
Business Guide to Information Security
Reuvid, Jonathan
ISBN 9780749446420
Enterprise Information Systems Assurance and System Security: Managerial and
Technical Issues
Warkentin, Merrill; Vaughn, Rayford
ISBN 9781591409137