Knock your SOX off: Federal compliance rules and the cloud

Big things happened in 2002.

Peter Jackson won the Best Director Oscar for “The Fellowship of the Ring.” The New England Patriots won the Super Bowl (for the first time). The United States hosted the Winter Olympics. Nine coal miners were rescued from the Quecreek Mine in Pennsylvania.

And on July 30, President George W. Bush signed into law what is known as the Sarbanes-Oxley Act.

The Sarbanes-Oxley Act (also known as SOX) was a response to huge accounting scandals in the years leading up to its creation. Enron, WorldCom, Global Crossing, and Tyco all participated, one way or another, in misleading investors and costing shareholders billions of dollars.

But what does this have to do with IT? A lot, actually. It has changed the way we approach data, storage, and a number of other IT functions, and it has amped up the number of regulations that IT departments must comply with. It has also complicated infrastructure changes, like a company’s ability to move to the cloud. Fortunately, the biggest cloud providers have systems in place to ensure compliance with regulations like SOX.

If your company is one that must comply with SOX regulations, there are several aspects you should look for when evaluating cloud solutions. But first, let’s take a look at what the Sarbanes-Oxley Act is, and what it means to IT.

A brief history of SOX

As I’ve already mentioned, SOX was a reaction to the business scandals – and billions lost – in a few very high-profile cases. Most notable were Enron, of course, but also Tyco, WorldCom, Global Crossing, and even, several years earlier, Waste Management.


The details of what occurred at these companies are well documented and, frankly, outside the intent of this piece. The result of what they did, however, beyond the monetary losses, was to shake investors’ faith in what public companies were disclosing about their earnings.

To rebuild the trust, Sen. Paul Sarbanes and Rep. Michael Oxley introduced a bill that brought the most sweeping reforms to business regulations since the 1930s.

What SOX requires is that all publicly held companies implement internal accounting controls and report on them to the Securities and Exchange Commission. It also outlines penalties for noncompliance. In addition to publicly held companies, private companies that do business with public firms may also be required to comply with the regulations.

Why should IT care about SOX compliance?

I’m sure this is all interesting, but you’re probably starting to wonder why you should care. If SOX is all about financials and accounting controls, how does it apply to IT?

Where SOX and IT touch is at the intersection of company accounting and financial information and the systems that store and relay that information.

The regulations outline what kind of records need to be stored that relate to SOX compliance, and for how long. This includes electronic records as well as electronic messages – so email and any documents, spreadsheets, or other computer files will fall under the regulation.

In addition, electronic communications must be reasonably secure and must meet, at a minimum, accepted security best practices. This means that Web-based communications and applications that deal with sensitive data should be encrypted, and endpoint protections should be in place, for example antimalware and antivirus protection, firewalls, and so forth.

It’s important to note, though, that nowhere within the law does it state how the regulations should be met. SOX does not dictate the complexity of passwords, the specific kinds of encryption used, or the specific storage methods implemented. Describing what needed to be done and not how it should be done was intentional. It allows companies to adapt and implement more advanced technologies as they become available, instead of waiting for lawmakers to catch the law up to current technical standards.

Because of the lack of specific implementation direction, the cloud is a feasible infrastructure for companies compelled to adhere to SOX compliance. In 2002, the cloud was barely a concept, even for the likes of IBM. Had Sarbanes and Oxley specified how IT was to handle data and security for these electronic records, they couldn’t have taken the cloud into account as a viable environment for financial applications and data to exist. We’d probably still be waiting for Capitol Hill to make changes to the Act to accommodate the cloud.

Since the law had the foresight to avoid specifics when it came to technology, companies today have the option to leverage the flexibility and cost savings of compliant cloud infrastructure, rather than having no choice beyond onsite infrastructure.

Where cloud providers come in

You might be tempted to think that the cloud is the way to go for compliance controls because, well, if you put it all up on their systems, it’s their problem, not yours, right? Unfortunately, that’s not true. There is a lot of shared responsibility when it comes to regulatory controls and using a cloud provider. While the bulk of the responsibility still sits on your shoulders, cloud providers must be responsible for their part in ensuring their customers can meet compliance requirements.

Since your cloud provider maintains the physical equipment and location of that equipment, it’s up to them to keep those systems in compliance. Your company bears the burden of making sure you choose a provider that meets the compliance criteria. In simple terms, for you to comply, they must comply.

The good news is there are tools at your disposal to help make sure that the provider you choose will meet your needs.

When it comes to SOX compliance in particular, you want a cloud vendor that provides two types of reports known as Service Organization Controls: SOC 1 and SOC 2. Each of these reports has a different reason for being.

A SOC 1 report is produced when an organization has been through an SSAE 16 audit, which is completed by an outside, third-party auditor. The SSAE 16 (or Standards for Attestation Engagements No. 16) is the update to the old SAS 70 audit. The SAS 70 never provided a certification, and didn’t have controls in place to evaluate datacenters and their processes, but the SSAE 16 does.

Specifically, the SOC 1 report includes the opinion of the auditor on the effectiveness of the datacenter’s design of controls and system, and the accuracy and completeness of those controls. A full SOC 1 report will also include the effectiveness of the controls over a longer period of time, usually six months to a year.

With SOC 2, the auditors provide testing results and the auditor’s opinion on the security and availability of the service provider’s systems as they relate to a set of predefined benchmarks. The report also includes opinions and results on the integrity of the systems and privacy standards.

With these reports, your company can evaluate, and contractually obligate, your cloud provider to meet and uphold the standards that you must meet to stay SOX compliant.

These are the kinds of things that your cloud provider can provide to ensure they meet your standards today. But what happens if they fall down? You can wave a contract in front of their faces, and your company can sue for breach of contract, but at the end of the day you’ll still need to find a way to be compliant.

This is the point where your organization needs to make sure you maintain as much control over your cloud infrastructure and applications as possible. “Lock-in” is the buzzword of the day when it comes to cloud concerns, but setting up your systems to prevent lock-in is critical when you must operate under compliance restrictions.

Take the time to evaluate your systems and applications to prevent tying them too closely to your provider’s systems. While some ties may be inevitable, having a process in place to keep track of those bindings, and knowing what would need to change in a lift-and-shift of your systems, can help you evaluate and plan the work should the worst case – your cloud provider losing its certification – come to pass.

There was a time, not long ago, when companies living under the restrictions of regulatory compliance, like SOX, didn’t have the option of leveraging the benefits of a cloud implementation. Thankfully, the door was left open as part of the Act to take into account future computing advancements. But proper evaluation of cloud providers resides with the complying organization and their IT department. Ensuring your vendor is compliant and using internal processes to track deep connections to your provider’s systems will allow your organization to take advantage of all that a cloud implementation can offer, while maintaining control over your compliance responsibilities.

1 thought on “Knock your SOX off: Federal compliance rules and the cloud”

  1. You stated that “With these reports, your company can evaluate, and contractually obligate, your cloud provider to meet and uphold the standards that you must meet to stay SOX compliant.” A SOC 1 and SOC 2 report does not ensure or validate compliance with SOX. What is the compliance standard used when a 3rd party conducts a SOC 1 or SOC 2 audit? Is it a framework derived from COSO, or the ISO-27001, or is it “best practices”? The SSAE 16 audit types originated from the AICPA, but did the AICPA provide a recognized standard, such as the ISO-27001? The findings and results of the SSAE 16 are time sensitive and they don’t provide a certification as such. It is important to understand where the SSAE 16 crosses over with a recognized framework and/or standard in order to comprehend what value it provides to a business associate company or client. On top of that, the reports resulting from a SOC 1 and SOC 2 are not to be shared externally from the firm they were audited from, only the SOC 3 report.
