Sarbanes–Oxley and Enterprise Security: It Governance and What it Takes to Get the Job Done

Abstract Several sections of the Sarbanes–Oxley Act of 2002 (SOX) directly affect the governance of the information technology (IT) organization, including potential SOX certification by the chief information officer, Section 404 internal control assessments, “rapid and current” disclosures to the public of material changes, and authentic and immutable record retention. The Securities and Exchange Commission (SEC) requires publicly traded companies to comply with the Treadway Commission's Committee of Sponsoring Organizations that defines enterprise risk and places security as a critical variable in enterprise risk assessment. Effective IT and security governance are examined in terms of SOX compliance. Motorola IT security governance demonstrates effective structures, processes, and communications; centralized security leaders participate with the Management Board to create an enabling security organization to sustain longterm change.