
Ensuring SOX Compliance with Vulnerability Management

Addressing SOX Compliance Requirements with Vulnerability Management

The Sarbanes-Oxley Act of 2002 was enacted to prevent financial statement fraud among public companies doing business in the U.S. The legislation establishes greater accountability at the executive level for financial reporting and removes many potential conflicts of interest between companies and their audit service providers. The Act also makes corporate executives responsible for establishing, evaluating and monitoring financial reporting controls. Penalties and sanctions for non-compliance can include fines up to $5 million, imprisonment up to 20 years and de-listing from stock exchanges.

Section 404 and the Role of IT in Sarbanes-Oxley Compliance

Information security plays an important role in Sarbanes-Oxley Section 404: “Management Assessment of Internal Controls.” This section requires public organizations to:

  • Implement a series of internal controls and procedures for financial reporting, and
  • Submit an annual assessment of internal controls and procedures to the SEC.

To achieve compliance, the Public Company Accounting Oversight Board (PCAOB), created by the Sarbanes-Oxley Act, recommends that organizations follow the Financial Controls Framework defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).


Address Key Components of the COSO Controls

CORE Security solutions for predictive security intelligence assist with Sarbanes-Oxley compliance by addressing key components of the COSO controls. Each COSO Financial Controls Framework component is quoted below, followed by how CORE can help:

Risk Assessment

"Every entity faces a variety of risks from external and internal sources that must be assessed... Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change."

Conduct Proactive Risk Assessments of Financial Assets and Business Processes

Our predictive security intelligence solutions enable organizations to proactively identify critical threats, see how risk changes over time as technology and business processes evolve, and prioritize their risk and security practices to stay ahead.

  • Continuously assess changing infrastructure against the latest threats and proactively identify weaknesses posing imminent risks
  • Dynamically reveal paths and pivots that attackers and malicious insiders would use to access sensitive assets
  • Add deeper intelligence and context to vulnerability and threat data through actual testing and simulation, enabling security and risk teams to prioritize and remediate the most critical threats

Control Activities

“Control activities… include a range of activities as diverse as approvals, authorizations, verifications, and reviews of operating performance and security of assets.”

Evaluate Security Awareness and Incident Response Processes

  • Test policy compliance spanning both IT and employee training on security
  • Safely replicate social engineering threats to assess employee security awareness
  • Conduct red team / blue team exercises to practice and measure incident response processes
  • Integrate with Governance Risk and Compliance (GRC) systems, providing them with data on the efficacy of operational risk controls

Information and Communication

“Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business.”

Convey Risk in Terms that Resonate with Executive Management

  • Provide dashboards and reports that reveal the impact of security exposures on specific business objectives and goals, such as compliance, liability reduction, and customer retention
  • Consolidate and validate security data from multiple sources to gain a clear picture of overall security posture and understand which potential threats are real
  • Benchmark security posture and track vulnerability management trends and deltas over time

Monitoring

“Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.”

Monitor and Verify Security Controls Efficacy

  • Assess IPS/IDS, firewalls and other defenses against real-world network, client-side and web application attack techniques
  • Ensure that defensive technologies are configured and updated to protect against current threats
  • Reveal paths that attackers and malicious insiders would use to circumvent security controls and access sensitive assets
  • Repeat assessments to validate the efficacy of new or updated security controls
