How the Sarbanes-Oxley Act affects your data center
Feb 04, 2014

In 2002, the Sarbanes-Oxley Act, or SOX, ushered in a new wave of business regulations that dictated how corporate financial data should be kept and accessed. A response to highly publicized white collar crimes by firms like Enron, the SOX sets up stiff fines – sometimes into the millions of dollars – for companies that don’t play by the rules.

sarbanes-oxley-act-and-data-centersThis short article couldn’t hope to outline all the intricacies and mandates of SOX – it’s highly advisable that you set out on your own and read the fine print. In this blog post, you’ll find examples of what sort of laws SOX institutes, however, and also get a rough glimpse of exactly what’s being asked of you in terms of data management. SOX is separated into titles and sections, some more detailed and lengthy than others, but all equally important.

An entity you’ll quickly become familiar with in reading the act is the Public Company Accounting Oversight Board. The Board oversees your compliance with the law and is largely responsible for audits and inspections, and as such requires firms to “prepare and maintain for a period of no less than 7 years audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report.”

Seven years worth of data can be utterly massive. Not only do you need the raw storage volume to house such a wealth of knowledge, you will also need to safeguard the data from accidental corruption or deletion.

Your data must also be accessible at the time of an impromptu inspection above and beyond your regular audits. This means the Board can descend upon your data center at any time, without reason, and launch an inquiry. At this point, you’ll have to have all the necessary data organized, filed and ready to submit. Keep this in mind when arranging and classifying years’ worth of data.

But there is such a thing as having data that’s too accessible. Title VIII decrees that creating or destroying files to “impede, obstruct or influence” any investigation, whether it’s underway or even in the planning stages, is a felony. Though any ethical person wouldn’t go out of his or her way to tamper with records, you still need to have prudent safeguards set up to protect your data. If files are compromised, the last worry you want to have is how it was accessed and changed. SOX allows for executives to be held personally and legally responsible for wrongdoings under the act, so making sure that all information is kept under lock and key should be of the highest priority. Password protection is a must, and redundant identifying protocols are encouraged just to be on the safe side.

Section 104 and 802 of SOX call for audits to be administered and carried out by third-party audit firms, taking the responsibility and due diligence out of the hands of those who have their companies at stake. These professional engineers will be sent by the Board to scrutinize your data based on the above criteria and more. Knowledge of the rules and the inner workings of your data center are invaluable. As Sun Tzu so famously wrote in The Art of War, “know your enemy and know yourself and you can fight a thousand battles without disaster.” The devil’s in the details, and the route to surviving an audit is all about preparation. And if you fail to plan, you should plan to fail.

For more information on how sys-tek can help keep your data center in compliance, contact us.

Check out these other posts relating to data centers:

How to Run a Green Data Center

Download our FREE e-book, How to Run a Green Data Center and learn everything you need to know about running an energy efficient data center.