Sarbanes-Oxley Act, 2002

The Sarbanes-Oxley Act, 2002 (SOX) provides oversight of the financial reporting of companies. All publicly held companies in the United States, and any international organizations that have registered equity or debt securities with the US Securities and Exchange Commission, must comply with SOX.

SOX was designed to verify internal processes in order to combat corporate fraud. In this section, we will identify the key data elements that are protected under SOX and the actions the standard requires. This relates to topic 3.7c in the 210-255 specification:

Implementing Cisco Cybersecurity Operations (210-255) topic list: 

3.7 Map data types to these compliance frameworks
3.7.c SOX

SOX focuses on senior managers reviewing annual reports, signing off on deficiencies, and reporting fraudulent behavior, but all of this rests on trust in the internal policies and controls. Even if all the paperwork and accounts add up, the sign-off is worthless unless the signing officers and auditors can be sure of the data's integrity.

For information to be truly auditable, all systems that come into contact with financial data, including computers, network equipment, and other infrastructure, must provide assurance. A SOX audit will, at minimum, review the policies and technology that affect the truthfulness of the financial data produced. These could include the following:

  • Access controls, which define which users have physical and electronic access to financial data, and how much access each of these users has. This also includes the management of former employees, contractors, and other system users.
  • IT security policies, which prevent the loss of sensitive data and maintain its integrity. In most other scenarios, the biggest threat is data leakage, but a ransomware incident would leave the organization non-compliant with SOX, with all the consequences that would bring.
  • Logging of changes to users, infrastructure, IT assets, and the financial data itself, which provides assurance of the data's integrity.
  • Backups of the financial data and any logs, which must be protected in case data recovery is required. SOX compliance extends to data stored offsite or by a third-party storage provider. The backup policy should also be clear about how often backups are taken and how different versions of the data are controlled.