The Sarbanes–Oxley Act (SOX) is a US federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, for example the prohibition on willful destruction of evidence to impede a Federal investigation. The sections of the bill cover the responsibilities of a public corporation's board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations defining how public corporations are to comply with the law.
SOX compliance requires a combination of trained staff and management, strong policies, and industry-leading technology. Most auditors have adopted the Control Objectives for Information and Related Technology (COBIT) framework of control objectives as the de facto framework for measuring SOX compliance.
How Catbird Helps SOX Compliance
Virtualization offers real advantages for supporting compliance frameworks. Catbird provides comprehensive support for the key controls required by the COBIT framework and therefore delivers major benefits toward achieving SOX compliance.
1. Access Controls and Virtual Administration
Virtualization collapses traditional data center roles and potentially increases the risks associated with inadequate segregation of duties. Catbird provides dual controls to support strong segregation of duties within the virtual infrastructure environment, supporting the creation of specific roles for Operations, Security, and Audit personnel. These roles are then enforceable by zone and policy.
2. Monitoring and Reporting
Catbird includes detailed and multi-layered device, system, service, and Internet web-application monitoring capabilities and provides standard and customizable thresholds for applicable service levels. Reports may be published for individual services, groups of services, or for all services. Real-time monitoring for service and virtual machine availability together with network flow reports may be used to inspect virtual network topologies.
3. Integrity Management
Catbird provides policy-driven security with configuration baselines. This includes security services, alerts, and reporting to monitor events, detect attacks, validate configurations, and protect against unauthorized changes and unauthorized use.
4. Risk Assessment
Continuous and periodic quantitative assessment of technical risks to the IT infrastructure supports risk reporting. These assessments are available by asset, asset type, zone, site, or any other custom portfolio.
5. Test Environments
Catbird supports manual and automated controls with monitoring and reporting of the integrity of test environments. Catbird TrustZones may be configured to simplify comparison of production and development environments to ensure configuration consistency and integrity.
Catbird Insight and Catbird Secure address the key COBIT controls needed for SOX compliance. Catbird goes beyond monitoring and audit by instantly identifying compromised assets, alerting the appropriate personnel, and optionally quarantining offending virtual machines. No other vendor can deliver the breadth and depth necessary for SOX compliance from within the virtual infrastructure.
Catbird includes the following features for achieving SOX compliance in the virtual data center:
- Default COBIT-specific policies and reports built upon Catbird controls that are automatically mapped to the appropriate COBIT controls. Catbird monitors, audits, and enforces more COBIT controls than any other vendor
- Enforcement of network access and traffic flow controls even in a flat network, which significantly reduces the scope and cost of audit and compliance requirements
- Automatic quarantine of out-of-policy or compromised Virtual Machines to prevent breach of data center security
- Network segmentation
- Continuous vulnerability management
- Continuous monitoring and configuration validation of Catbird TrustZones
- Change audit and compliance enforcement
- Specific COBIT security policies designed for optimal protection of the management network and other hypervisor management components