About 
Services Products Compliance - Australian Federal Government Endorsed Supplier (GITC4)
- Victorian Government - APROSS Approved Supplier
- Sarbanes Oxley Act (SOX)
- AS 3636.4 - Data Storage
- AS 2834 - Computer Accommodation
- ISO 27000 Information Security Management
- ACSI 33 - ASIO Security Guideline
- PCI Data Security Standard
- Disaster Recovery and Business Recovery Plan
- Auditors
- Risk Assessments
- Policy and Procedure
Vaults and Vans Case Studies FAQ Client Resources
Sarbanes Oxley Act (SOX) compliant processes & The TapeTrack process
TMS’ TapeTrack software is SOX compliant.
TMS use TapeTrack software, which is used internationally by major offsite storage companies. TapeTrack and the processes and procedures it dictates have been audited many times by Sarbanes Oxley Auditors in the U.S.
The true test of SOX Compliance is being audited by a U.S. Sarbanes Oxley Auditor.
| How TMS Enables Clients to Comply with SOX | |
|
Requirement TMS Service
|
|
|
Information cannot be tampered with or altered by any employee
|
TapeTrack data is encrypted, and TMS does not have access to the password
|
|
Trail of transactions must be discernable and kept in sequence
|
All iterations of a tape movement are serialised, and cannot be overwritten
|
|
Audit trails
|
Access and tape movement is date and time stamped by the user each time a tape is handled
|
|
Information is available only to client's authorised personnel
|
Client access is only through “authorised signatories” personnel with the password
|
|
Records must be accessible
|
Access to tape details and Audit Trails are available 24/7 online
|
|
Certain data must be maintained for not less than 7 years.
|
Data will remain in the TMS vaults for as long as the client chooses to retain it. Retention is set during the implementation or TMS import, so once configured the tapes are automatically cycled. TapeTrack audit trail is never archived |
About SOX
The Sarbanes-Oxley Act (SOX) of 2002 is one of the most important laws impacting public corporations to be passed in many years.
The purpose of SOX is to protect investors from a continuation of the many accounting scandals over the past decade. SOX places the onus on companies and registered accounting firms to comply with stringent rules regarding the accuracy and reliability of specific information by strengthening maintenance requirements of records, and the auditing/reporting of these records.
Some of the provisions of the Act define what must be maintained, how long relevant material must be maintained, accounting procedure requirements, and consequences (criminal and civil) for failure to follow the Act. (There is no specific language about the mechanism or method of storing information in the Act).
In placing a more rigorous requirement on financial reports the storing of the records becomes vitally important because the trail of transactions must be secure. The regulated companies, in choosing an offsite storage vault, will therefore look to a format that will insure it can satisfy the legal requirements of the SOX, in other words, the offsite storage vendor storage facilities/program/process and procedures.
Since an offsite storage vendor facility is not privy to the contents of the information it stores for a client, the facility is not responsible for ensuring that its customer is in compliance with what is being kept or who in the company (including independent auditors) has access. However, it is accountable for the availability and security of the information being stored. The offsite storage vendor facility must have safeguards in place to ensure quality control standards include the following:
-
That information stored cannot be tampered with (altered) by any employee
-
That the client can ascertain where the tape is, and when it moved; (The records kept must allow a trail of transactions to be discernable so that tape movements are kept in sequence.)
-
That safeguards are in place to ensure that information is available only to the client's authorised personnel
-
That records are accessible whenever needed; and
-
That the facility has the ability to maintain the data for the period stated in the Act. (Section 103 (a) (2) (A) (i)
