Hacker News new | ask | show | jobs
by weard_beard 1406 days ago
SOX compliance has expanded in recent years to cover a gamut of Cybersecurity process and policy. Go look it up. I recently compiled all the documentation necessary for a client I am serving in order to pass. It includes handling of PII, access controls for code repositories and production environments, and tools for ensuring code quality like performing static analysis and mitigating DDOS attacks such as a decent WAF.
1 comments
nradov 1406 days ago
Yes I have looked it up and you obviously have no clue what you're talking about. The law is the law, and regardless of what nonsense some random corporate trainer might have fed you, SOX compliance requirements haven't expanded in recent years. Go read the actual law instead of spreading misinformation.

Some businesses do require their partners to have additional controls on PII handling. But that's purely a business issue and has no relationship to SOX.

link
weard_beard 1406 days ago
This is in the medical and recreational marijuana space which may have additional Reqs, but I am telling you exactly what the auditors themselves are asking for. I'm not talking out of my ass here.
link
nradov 1406 days ago
You're talking out of your ass here. Your auditors may be checking various things for a variety of unrelated reasons, but it has nothing to do with SOX.

Read the law. Seriously, it's posted online. You can just go look.

link
weard_beard 1406 days ago
https://securityscorecard.com/blog/what-is-sox-compliance

"SOX itself never mentions cybersecurity. However, in 2018, the SEC released a “Commission Statement and Guidance on Public Company Cybersecurity Disclosures (the Guidance).” (https://www.sec.gov/rules/interp/2018/33-10459.pdf) The SEC realized that increased technology use and data breach risk impact corporate financials. In fact, the Guidance lists several financial risks linked to cybersecurity:

Remediation costs Cybersecurity protection costs Lost revenue due to customer churn after an attack Litigation and legal risks, including regulatory fines Increased insurance premiums Reputation damage Damage to competitiveness, stock price, and long-term shareholder value In order to comply with SOX, public companies need to ensure that they establish appropriate controls and security monitoring programs that mitigate risk.

In 2020, the SEC released new guidance “Cybersecurity and Resiliency Observations” (Resiliency Guidance) (https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resil...) through its Office of Compliance Inspections and Examinations (OCIE). This revised guidance offered greater specificity for organizations that need to file public financial reports."

link
MichaelZuo 1405 days ago
You’ve linked to guidelines that do not have the force of law behind them.
link