Source: http://www.ssh.com/compliance/sarbanes-oxley

Overview of the Sarbanes-Oxley Act

Sarbanes-Oxley Summary - SSH Keys Need Attention

The financial industry has been under audit scrutiny ever since the enactment of the Sarbanes-Oxley Act.
Sarbanes-Oxley, also known as SOX-404 or Sarbox, mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness.

Contents

Overview of the Sarbanes-Oxley Act
Why is this important
Ramifications of non-compliance
SOX-404 and SSH mapping guidance
What are the recommended next steps
Further reading

Overview of the Sarbanes-Oxley Act

When the U.S. Congress passed the Sarbanes-Oxley Act, the intent was to drive improvements in companies’ internal controls. The benefits were seen as greater assurance to shareholders and other stakeholders in published financial reports, while compliance costs were considered of lesser significance and were dramatically underestimated.

However, cost is of tremendous importance to corporate executives. While they have an obligation to provide an effective system of internal control that provides assurance regarding the integrity of financial reporting and the safeguarding of assets, there should be a balance between the cost of those controls and the risks they are managing.

SOX-404 drove organizations to define, document and communicate their Information Technology Internal Controls. These controls basically cover four (4) domains:

Logical Access - This control provides reasonable assurance that financial/critical reporting systems and subsystems are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data. Segregation of duties is an essential step for access controls because we want to assign the right personnel to access the right data and software in the right business tasks.

System Administration and Monitoring - This control provides reasonable assurance that IT components, as they relate to security, processing, and availability, are well protected, would prevent any unauthorized changes, and assist in the verification and recording of the current configuration. For example, the control requires that system audit logs are active and monitored to ensure unauthorized activity is detected.

Change (program) Management - This control provides reasonable assurance that system changes of financial reporting significance are authorized and appropriately tested before being moved into production. Any changes should be documented and maintained.

IT Operations - This control provides reasonable assurance that recorded, processed and reported data remain complete, accurate and valid during the update and storage process. It is highly recommended to apply operating system security patches promptly, after evaluating the relevant security vulnerabilities, so that security risks are mitigated as soon as possible.

Why is this important

Auditors have been focusing on IT General Controls as dictated by audit governing bodies such as the PCAOB. SSH keys, although a critical part of production plumbing, have stayed under the radar and have not received the attention they deserve. Industry reports draw attention to the fact that financial audit outcomes are consistent year after year: the majority of audit findings and exceptions highlight new or unforeseen weaknesses in the logical access, privileged access, program or change management, and operations controls. The findings in many cases are associated with new applications or new technologies, or are identified based upon discovered vulnerabilities which were not considered during prior audits.

Organizations within the financial industry continually face audits year after year to ensure that they are compliant with various laws and regulations whether they are government or association based. Financial organizations take extra measures to ensure trust is in place for their customers by adhering to industry best practice standards and guidelines to minimize the risks that could lead to a potential data breach or loss in trust. The common digital security theme across all organizations is “It’s Not a Matter of If, But When!”. As a result, many leading experts in the security industry state that organizations may have already suffered a breach, but they don’t yet know it.

It goes without saying that the threat landscape is always changing based upon the evolving vectors being utilized to try and gain access to protected data. Protected data goes beyond information such as social security numbers, and the government, regulating bodies and industry standards have become more stringent as government agencies conduct compliance audits that come with hefty fines. SSH Communications Security product offerings can help your organization achieve compliance related to common issues and exceptions that are repeat findings in financial organizations’ audits.

Ramifications of non-compliance

All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

Besides lawsuits and negative publicity, a corporate officer who does not comply or submits an inaccurate certification is subject to a fine up to $1 million and ten years in prison, even if done mistakenly. If a wrong certification was submitted purposely, the fine can be up to $5 million and twenty years in prison.

The threat landscape is constantly changing based upon the evolving vectors being utilized by internal and external attackers that seek access to protected data. Protected data goes beyond information such as social security numbers. The government, regulating bodies, and industry standards have become more stringent as government agencies conduct compliance audits that come with hefty fines and, in some cases, personal criminal liability for executive management. SSH Communications Security product offerings can help your organization achieve compliance related to common issues and exceptions that are repeat findings in financial organizations’ audits.

SOX-404 and SSH mapping guidance

Audits to date have included user credentials and the access they are granted on production systems. Financial organizations have excelled in that arena and have a well-documented and executed corporate governance process overseeing all that type of activity. Unfortunately, they fall short when it comes to SSH keys and management of the access they grant. We must consider the following:

The table below highlights how our products and solutions help organizations achieve compliance with a few KEY SOX-404 controls:

Control Description: Formal job descriptions are used to delineate employee responsibilities and provide for adequate segregation of duties.
Risk: Unable to effectively enforce key segregation of duties without a basic understanding of a user’s role in the organization.
SSH Communications Security Guidance: Properly deployed SSH keys and continuous monitoring of their usage ensure access compliance with approved job descriptions. Provision and monitor user access according to the user’s role and applicable policies.

Control Description: Adequate segregation of duties exists so that systems and programming personnel do not have update access to production data or software on a regular basis.
Risk: IT personnel have access levels that weaken or eliminate segregation of duty controls. Production data is modified without appropriate controls.
SSH Communications Security Guidance: Inventory and monitor usage of SSH keys to ensure only authorized access to production environments is permitted. Centralized visibility of encrypted remote system access, privileged user activities and data transfers.

Control Description: Terminated company employees are removed from systems within a reasonable timeframe.
Risk: Access to critical production systems by terminated employees or anonymous access by a current employee.
SSH Communications Security Guidance: Ensure all access is immediately removed upon terminations and/or transfers. Centrally revoke access to provisioned systems.

Control Description: System audit logs are activated and monitored to ensure unauthorized activity is detected and the integrity of key data elements is maintained.
Risk: Inadvertent or malicious changes to critical production data may not be prevented or detected in a timely manner.
SSH Communications Security Guidance: Universal SSH Key Manager access review reports include all access, including temporary and 3rd party contractors. User Portal enables easy provisioning and tracking of 3rd party access. PrivX On-Demand Access Manager manages and audits privileged access.

Control Description: Only authorized individuals may authorize and approve production changes to begin build/test tasks, and that ability must be reasonable for their current job function.
Risk: Approvals ensure that changes do not progress through the change process without appropriate review.
SSH Communications Security Guidance: SSH keys assigned to ensure only authorized users can release changes to production environments. Logs and video replay capabilities to reconstruct encrypted sessions that may have caused production processing failures.

Control Description: Access to modify or cancel scheduled and batch jobs is limited to only a small number of personnel.
Risk: Uncontrolled changes to manual and automated job schedules in the production environment can result in missed processing deadlines, ineffective backup, and system downtime.
SSH Communications Security Guidance: Leveraging Universal SSH Key Manager to ensure only authorized access is granted with the ability to modify production processing jobs. Logs and video replay capabilities of PrivX allow reconstruction of encrypted sessions that may have caused production processing failures.

What are the recommended next steps

SSH key usage is one of those unseen workhorses in a financial organization’s IT infrastructure. It can also be referred to as the “dark side” of compliance because many organizations have no visibility into their SSH key usage or management and assume compliance is in place with their SSH key environments. That is, until an auditor identifies the issue or exception in their review and associated findings report. SSH keys are a critical component for ensuring adequate and compliant controls for your production environments, and they need to be managed and monitored on an ongoing basis to ensure risk and compliance are addressed appropriately.
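As an added example (not SSH Communications Security's code or any of its products), the inventory-and-monitor step from the mapping table above, carried out on the standard OpenSSH authorized_keys format: each entry is fingerprinted the way `ssh-keygen -l` does (SHA256 over the decoded key blob), joined to an owner register, and reported against the segregation-of-duties, termination and audit controls in the table. The owner register, the terminated-user list and the key blobs are constructed sample data, and the finding labels are assumptions of this example.

```python
"""Added example, not SSH Communications Security code: inventory OpenSSH
authorized_keys entries against an owner register and report SOX-404 findings."""
import base64
import hashlib
import re
import struct
from collections import namedtuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")
OPTIONS_RE = re.compile(r'((?:[^\s"]|"[^"]*")+)\s+(.*)$')  # options up to first unquoted space
OPTION_ITEM_RE = re.compile(r'(?:[^,"]|"[^"]*")+')  # split options on unquoted commas
AuthKey = namedtuple("AuthKey", "key_type blob comment options")

def parse_line(line):
    """Parse one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if line.split(None, 1)[0] not in KEY_TYPES:
        m = OPTIONS_RE.match(line)
        if not m:
            raise ValueError("malformed options field")
        options, line = OPTION_ITEM_RE.findall(m.group(1)), m.group(2)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unrecognised authorized_keys entry")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob starts with its own length-prefixed type string; it must agree.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != parts[0].encode():
        raise ValueError("key blob does not match declared key type")
    return AuthKey(parts[0], blob, parts[2] if len(parts) == 3 else "", options)

def fingerprint(key):
    """Same value `ssh-keygen -l` prints: SHA256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key.blob).digest()).decode().rstrip("=")

def is_restricted(key):
    # Forced command, from= source list or `restrict` limit what the key can do.
    return any(o == "restrict" or o.startswith(("command=", "from=")) for o in key.options)

def audit(authorized_keys_text, owners, terminated):
    """Return (fingerprint, finding) pairs; owners maps fingerprint -> user name."""
    findings = []
    for line in authorized_keys_text.splitlines():
        key = parse_line(line)
        if key is None:
            continue
        fp, owner = fingerprint(key), owners.get(fingerprint(key))
        if owner is None:
            findings.append((fp, "NO_REGISTERED_OWNER"))   # no one accountable for this access
        elif owner in terminated:
            findings.append((fp, "TERMINATED_OWNER:" + owner))  # access not revoked on leaving
        if not is_restricted(key):
            findings.append((fp, "UNRESTRICTED"))  # full shell from anywhere
    return findings

def fake_blob(key_type, seed):
    """Constructed, non-functional key blob with a valid type prefix (sample data only)."""
    body = hashlib.sha256(seed).digest()  # 32 bytes standing in for the public key
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", 32) + body
    return base64.b64encode(raw).decode()

def fp_of(b64_blob): return fingerprint(parse_line("ssh-ed25519 " + b64_blob))

KEY_A, KEY_B, KEY_C = (fake_blob("ssh-ed25519", s) for s in (b"alice", b"bob", b"eod"))
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys of a production service account
ssh-ed25519 {KEY_A} alice@laptop
from="10.0.5.0/24",command="/opt/batch/run-eod" ssh-ed25519 {KEY_C} eod-batch
ssh-ed25519 {KEY_B} bob@old-workstation
"""
SAMPLE_OWNERS = {fp_of(KEY_A): "alice", fp_of(KEY_C): "svc-eod"}  # bob's key never registered
SAMPLE_TERMINATED = {"alice"}
def run_sample():
    return audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_OWNERS, SAMPLE_TERMINATED)
```

Run over real files, the same report gives an auditor the per-key evidence the table asks for: who owns each key, whether that person should still have access, and whether the key is confined to its job.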

Without sufficient tools in place to reliably and clearly connect SSH keys to trust relationships and users throughout a network, enterprises will continue to face unacceptable levels of risk in terms of how public and private keys are being used. Whether you are going through an audit, conducting a risk assessment, investigating a breach, etc.; SSH Communications Security products are an excellent and critical asset for every step you take along the compliance path.

Whether you are an audit committee member, an internal audit member, a security team member or a member of the senior management team, you can no longer ignore the criticality of properly deployed and managed SSH keys within your environment(s). Take immediate action now, before an auditor identifies SSH key management as an issue. Depending on your auditor and the types of attestations you make, this type of issue may be external (customer and partner) facing.

The good news is that the initial steps in dealing with SSH key management are not difficult or costly. Initially, organizations must find out to what extent their environments are exposed to the risks identified. Skilled personnel with the right tools can accomplish these initial steps within a matter of days. Delays in addressing SSH keys may result in exponential cost increases, additional audit findings or exceptions, and an increased risk of a data breach.

SSH Communications Security offers training, services and products that help organizations address the potential issues raised. Working together with your staff, we can provide a comprehensive evaluation of your current environment and recommend effective approaches for remediation and management of your SSH keys.

Further reading

For further information, please download our whitepaper What Financial Institutions Need To Know About The Management of SSH Keys.


© Copyright SSH 2025
