Sarbanes-Oxley and Data Destruction: How to Best Comply

If you operate or manage a public company, or a non-public company with publicly traded debt securities, you’ve certainly heard of the Sarbanes-Oxley (SOX) Act of 2002. This law is also referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act”.

The SOX Act was enacted by the US federal government to address the standards by which the management and board of directors of any domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not a publicly traded entity. 

The SOX Act aims to strengthen the audit committees of these US-based public companies as well as hold the management and officers liable to the accuracy of the financial statements for the business. In so doing, this Act works to prevent securities and investment fraud by the organizations covered under SOX.  


General Regulations of the SOX Act

The Sarbanes-Oxley Act is made up of two main clauses. Under Section 404, Management Assessment of Internal Controls, Clause A requires these publicly traded companies to create a commission on behalf of the company that develops and enforces rules for maintaining an internal control report in each annual financial report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)). This internal control report must state how management establishes and maintains an adequate internal control structure for the company's financial reporting. Clause A also requires the commission to produce an annual assessment of the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.

Clause B expands on the regulations for internal control evaluation and reporting, adding the requirement that the commission or registered public accounting firm issuing the audit report accurately prepare the audit as stated in Clause A. That is, the commission or public accounting firm is also held liable for the information it reports about management's handling of the financial information in the internal control report.

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.  


Data Security Best Practices

When it comes to financial data end-of-life cycles, it’s therefore extremely important for companies covered under the SOX Act to appropriately destroy their data so that the information contained cannot be accessed or reconstructed. In so doing, the company further maintains SOX compliance and ensures fraud prevention of its financial reporting, even as the data has been slated for decommission.  

This means not only proper disposal of the data, but also of the hard drives or electronic storage media housing the data. Organizations covered under the SOX Act must use the proper channels and procedures for data destruction. Such methods include overwriting non-sensitive information with software or hardware to clear the data (not recommended due to the recoverability of data from “erased” drives), degaussing the media and rendering the magnetic field permanently unusable, or destroying the media by disintegration, pulverization, shredding, melting, or incineration.

Rather than work with a third party off-site to destroy the data and drives, it’s recommended that the organization create a designated, private space within its premises for data destruction and drive disposal. The organization should also limit access to the data and drive destruction procedures within that space to a select number of authorized personnel. Enforcing restricted access within a private, on-site space further protects the data from theft and misuse.

Final Considerations for Data Destruction

Working with a vendor like SEM that provides on-site data destruction machinery is essential to maintaining control and security over your financial data. Allowing a third party to take your data off your premises can be extremely risky because they are not liable for your data security. For instance, imagine if the third party you hired did not actually destroy your drives but instead sold your financial data to an outside party.

It’s also a good idea to check that the vendor you are working with has machinery that adheres to NSA and NIST 800-88 guidelines for data destruction and SOX Act compliance.  
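The overwrite caveat above and the reference to NIST 800-88 both come down to one practitioner question: after a clear operation, how do you prove the data is actually gone, and how do you record that proof for a SOX audit trail? NIST SP 800-88 describes two verification approaches, full verification (read back every sector) and representative sampling (read back a pseudo-random subset). The following Python is an added example, not SEM's code or anything from NIST; the media images, sector size, drive identifier and operator name are all constructed for illustration. It verifies a clear against the expected overwrite pattern, flags any sector still holding data, and emits a hash-stamped destruction record whose disposition sends a failed drive on to physical destruction rather than release.

```python
"""Post-overwrite verification of a storage image plus an audit record.

Added example for the SOX data-destruction discussion; the images and
identifiers below are constructed, not taken from any real drive.
"""
import hashlib
import json
import random
from datetime import datetime, timezone

SECTOR_SIZE = 512  # bytes per sector in the constructed images below


def make_image(sectors, residual=None):
    """Build a constructed media image of `sectors` zeroed sectors, optionally
    planting leftover data at the given sector indices to model a bad clear."""
    buf = bytearray(sectors * SECTOR_SIZE)
    for idx, data in (residual or {}).items():
        start = idx * SECTOR_SIZE
        buf[start:start + len(data)] = data
    return bytes(buf)


def _sector_ok(image, idx, pattern):
    sector = image[idx * SECTOR_SIZE:(idx + 1) * SECTOR_SIZE]
    return sector == bytes([pattern]) * len(sector)


def verify_full(image, pattern=0x00):
    """Full verification: every sector must contain only the overwrite pattern.
    Returns (passed, failing_sector_indices)."""
    total = len(image) // SECTOR_SIZE
    failing = [i for i in range(total) if not _sector_ok(image, i, pattern)]
    return (not failing, failing)


def verify_sampled(image, pattern=0x00, fraction=0.1, seed=0):
    """Representative sampling: check a pseudo-random subset of sectors.
    A fixed seed makes the sample reproducible, so an auditor can re-derive
    exactly which sectors were inspected. Returns (passed, failing, sampled)."""
    total = len(image) // SECTOR_SIZE
    count = max(1, int(total * fraction))
    sampled = sorted(random.Random(seed).sample(range(total), count))
    failing = [i for i in sampled if not _sector_ok(image, i, pattern)]
    return (not failing, failing, sampled)


def destruction_record(media_id, method, verification, operator, when=None):
    """Produce the audit-trail entry. A failed verification does not release
    the media; it routes it to physical destruction, as the article advises."""
    passed, failing = verification[0], verification[1]
    record = {
        "media_id": media_id,
        "method": method,
        "operator": operator,
        "verified_at": (when or datetime.now(timezone.utc)).isoformat(),
        "result": "PASS" if passed else "FAIL",
        "failing_sectors": failing,
        "disposition": "release" if passed else "retain for physical destruction",
    }
    # Hash the canonical JSON so later tampering with the record is detectable.
    payload = json.dumps(record, sort_keys=True).encode()
    record["sha256"] = hashlib.sha256(payload).hexdigest()
    return record


# Constructed sample images: one clean, one with residual data in sector 17.
CLEAN_IMAGE = make_image(64)
RESIDUAL_IMAGE = make_image(64, {17: b"Q3 revenue recognition adjustments - DRAFT"})

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("residual", RESIDUAL_IMAGE)):
        rec = destruction_record("DRIVE-0001-" + name, "clear/overwrite",
                                 verify_full(img), "operator-a")
        print(json.dumps(rec, indent=2))
```

Sampling is cheaper on large media, but note what it cannot do: a 10% sample can miss a single surviving sector, which is exactly why the article treats overwriting as the weakest option and why a FAIL here should end in shredding or degaussing, not a second overwrite attempt.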
