SOX compliance is mandatory for all public companies. Because SOX shares common security controls with NIST guidance, SOX compliance can be supported with the following controls from the NIST Cybersecurity Framework (CSF):
• Deploy risk assessments - Risk assessments are one of the best ways of discovering deficiencies in regulatory compliance, both internally and for each third-party vendor.
• Protect critical assets - Assets housing sensitive information critical to business continuity require significant protection against cybercriminals. This process begins by identifying all critical assets and quantifying the business impact if they're compromised.
• Establish a regular auditing schedule - To prove SOX compliance, two yearly audits are required - one by an external independent auditing body and one by the organization itself - to highlight internal controls and management's contributions to supporting continuous improvement in financial data protection.
• Harmonize cybersecurity initiatives - To support rapid security posture improvements, governance is required to harmonize security efforts throughout the organization. Deep attack surface visibility is key to achieving this.
• Ensure business continuity - Establish policies demonstrating business continuity in the event of a cyberattack. This can be achieved with an Incident Response Plan (IRP).