Do I need digital certificates to be sox compliant?

Digital certificates
Sarbanes-Oxley Act
SOX compliance
Dear LS, I'd like to understand to what extent I need digital certificates (PKI) in order to be in compliance with the current most important regulations, including SOX, but also other relevant regulations that might be applicable. This includes topics like Wi-Fi within an enterprise on a global scale, or secure email, or when I use a smart card as a login method. Thanks for your help in advance.


Digital certificates should not be a SOX compliance requirement. Digital certificates are primarily used for two purposes: authentication and encryption. For a digital certificate to be trusted, there must be a trusted root that all parties “trust” (like a Verisign or Geotrust). This means that the owner of the certificate is who they say they are. The encryption part of a digital certificate is provided by public/private keys. The certificate usually includes the public key of the owner. This is what is used for encrypted sessions to this owner. I wrote a blog about trust and digital certificates. Check it out. I will be glad to answer any additional questions on this topic.

*Note to Puneet: Great additional material, but please add your comments to the bottom of existing answers. Do not delete existing content. This is the moderator's responsibility. Thanks. Troy Tate

Just to add, the SOX compliance requirement for certificates broadly covers two controls:

Strong authentication

* enable Web-based authentication using a broad range of identity types, including usernames and passwords, SAML, Microsoft Passport, and digital certificates stored on a user’s computer or on a hardware smart card, token, or biometric device
* enable strong authentication in a client-server environment, helping to ensure that only strongly authenticated users are able to access sensitive information contained in encrypted files, folders and email messages

Data Protection & Integrity

Internal controls around both data access and data integrity can be enforced through the use of encryption and digital signatures, respectively. Data contained in files, folders, or email messages can be encrypted to prevent unauthorized access due to security breaches or weak access controls. That same data can be digitally signed to provide both transaction accountability and data integrity, supplying organizations not only with information on who signed the data, but also verification that it did not change from the time it was signed, regardless of whether it traveled across the Internet or was stored locally.

Hope this helps.
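The two answers above describe the same mechanics from different angles: a certificate is only meaningful if it chains to a root that the relying party trusts, the certificate carries the owner's public key, and a signature made with the matching private key gives both accountability (who signed) and integrity (the data did not change afterwards). The following Go program is an added example, not code from either answerer or from any PKI product; it builds a throwaway root CA and user certificate in memory (names such as "Example Corp Root CA" and "alice@example.com" are constructed), checks the chain against the right root and against a foreign root, and signs a constructed sample record and detects tampering. It covers the trust and signature parts of the discussion, not file or email encryption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed in-memory root CA and one end-entity (user) certificate.
type PKI struct {
	Root    *x509.Certificate
	Leaf    *x509.Certificate
	LeafKey *ecdsa.PrivateKey
}

// issue signs template with the signer's key; a nil parent means self-signed,
// which is how a trust root comes into existence.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates a self-signed root named rootName and a user certificate under it.
// The user certificate embeds the user's public key, as described in the answers.
func BuildPKI(rootName string) (*PKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: rootName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err := issue(rootTmpl, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "alice@example.com"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	leaf, err := issue(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Leaf: leaf, LeafKey: leafKey}, nil
}

// VerifyChain answers "does this certificate chain to a root I trust?"; a nil
// error means yes. Only trustedRoot is in the pool, so anything else is rejected.
func VerifyChain(leaf, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// SignData signs SHA-256(data) with the user's private key (accountability).
func SignData(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyData checks the signature with the public key carried in the certificate;
// any change to data after signing makes this return false (integrity).
func VerifyData(cert *x509.Certificate, data, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	pki, err := BuildPKI("Example Corp Root CA")
	if err != nil {
		panic(err)
	}
	other, _ := BuildPKI("Some Other Root CA")
	fmt.Println("chain under own root:    ", VerifyChain(pki.Leaf, pki.Root))
	fmt.Println("chain under foreign root:", VerifyChain(pki.Leaf, other.Root))
	record := []byte("constructed sample: journal entry 4711, amount 1000.00")
	sig, _ := SignData(pki.LeafKey, record)
	fmt.Println("signature valid:         ", VerifyData(pki.Leaf, record, sig))
	record[len(record)-1] = '1' // tamper with one byte after signing
	fmt.Println("after tampering:         ", VerifyData(pki.Leaf, record, sig))
}
```

Running it prints `<nil>` for the chain under its own root, an unknown-authority error for the foreign root, `true` for the intact record and `false` once a byte has been altered. The second root stands in for any CA the relying party has not chosen to trust: the certificate is cryptographically valid, but without the root in the trust store it proves nothing, which is the "trusted root that all parties trust" point in the first answer.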
