Google Docs Sarbanes-Oxley (SOX) Compliance
Segment: Publicly Traded Companies
Google Apps Edition: Google Apps For Business
The Standard – Background
- Sarbanes–Oxley Section 302: Disclosure controls – requires that the company’s principal officers (typically the Chief Executive Officer and Chief Financial Officer) certify and approve the integrity of their company financial reports quarterly. Internal access controls should be developed, implemented and reviewed periodically.
- Sarbanes–Oxley Section 404: Assessment of internal controls – requires management and external auditors to report on internal controls. Access controls should be maintained, reviewed and reported periodically.
Sarbanes-Oxley Compliance in Google Apps with CloudLock:
SOX Requirements Action Required CloudLock Feature
Section 302 - Disclosure Controls Report on access controls and assess risk. To comply with SOX, management must have a clear understanding of who owns and who is authorized to access financial documents. CloudLock provides a complete access management system with reporting on user access rights for each document in the domain. This is supported by automatic discovery of all the documents and users in the domain and classification of documents by access and exposure levels. CloudLock supports review and approval processes to make sure only authorized users can access sensitive financial documents.
CloudLock Apps Firewall provides the visibility into all 3rd party applications that are granted access into the domain and the level of their access rights.
Section 302 - Disclosure Controls Demonstrate to external auditors that effective internal controls over financial reporting were maintained over time CloudLock’s Security Policy Engine lets IT set content, context and sharing based policies and set security monitoring on Auto pilot. The policy engine will detect and alert once the sharing deviate from the policies defined for the financial documents.
Section 302 - Disclosure Controls Audit and report on all access rights and changes in access permissions to regulated data stored in Google docs.
SOX requires organizations to provide ongoing evidence that they are compliant.
CloudLock provides ongoing monitoring of all the documents in the domain. A daily change report for each document details changes in ownership, collaborators and permissions.
Section 404 - Assessment of Internal Controls Management is required to produce an “internal control report” that is shows that the organization is establishing and maintaining an adequate internal control structure and procedures for financial reporting CloudLock’s Security Policy Engine provides an ongoing scanning and alerting based on the Acceptable User Policies, therefore serves as an evidence in the third party auditing process.
Section 404 - Assessment of Internal Controls Implement access controls to limit user rights based on a need-to-know basis. Identify users with excessive rights to protect financial data from unauthorized activities. CloudLock provides IT with the visibility and control to all the documents in the Google Apps domain without the need to be shared on these documents. IT can easily secure access rights to financial documents according to company policy, and can
transfer document ownership in bulk without manually logging into accounts.
CloudLock Apps Firewall provides the ability to classify 3rd party apps based on their risk profile and allows IT to take action to secure the domain by revoking the unapproved apps and notifying associated users.
Section 404 - Assessment of Internal Controls All activities should be reported for auditing and to support forensic investigation. A complete change report is available for every document. Alerts and email notifications are generated for permission changes and new exposures. All admin activities and changes are reported in a tamper-proof audit trail.
Section 404 - Assessment of Internal Controls Separation of duties and enable for auditor independence. Sox auditors can be delegated access to CloudLock to review the access rights to all financial documents. This is done without making them domain administrators or collaborators on these documents.