Is my small business required to comply with regulations that big businesses are subject to?

The Sarbanes-Oxley Act of 2002 focuses on enterprise and public companies, and the majority of small business do not have to heed the new rules. The exceptions are small businesses that expect to become

acquired by a publicly held company and small businesses that provide products or services to large corporations. In the latter case, the large corporations must work with their small business suppliers on compliance.

Even if you’re not on the SOX radar, you can still benefit from initiating your own version of the security requirements of SOX. A lot of SOX regulations make good security sense that can protect your company regardless of its SOX status.

1. Determine who’s in charge of security. Even a small company can designate a “chief security officer” -- perhaps the most tech-savvy senior manager -- who will be responsible for reports and recommendations to be shared with management, investors, employees, consultants, and contractors.
2. Create policies for the full scope of security. Policy statements and guidelines should influence the way you conduct your everyday business. Consider these questions as you develop your very own security policy:
   • Do our security policies, such as business conduct guidelines for Web usage, apply to everyone in our supply chain?
   • Do policies extend to contractors, suppliers, customers, and business partners?
   • Are all parties connecting into our network conforming to the same security policies?
3. Will a natural disaster affect our security and IT assets? Take the time to write out a few worst-case scenarios and the response your IT manager should take. If you live in California, for example, build IT security into your earthquake plan. Make plans to have this available to the next person in charge if you’re away when disaster strikes.
4. Be prepared for the unseen costs of a security breach. Discuss with your lawyer how damages to your company from a security breach can show up as a restatement. Some recompensable damages include:
   • Loss of electrical power
   • Cost of rebooting critical locations
   • Cost of labor to handle damage from blended malicious attacks
5. Integrate Internet security with physical security. Include the chief security officer visibility in your company’s overall security planning. In the event of a physical security threat, such as a fire or impending flood, make sure the person responsible for the building understands the requirements of the IT manager.
6. Don’t wait until you see a security problem. External consultants can help with Internet security planning and perform both internal audits to redefine cyber-security objectives. It’s hard to imagine, but many companies don’t even know they’ve had a security breach until long after they've been attacked.
7. Raise security awareness through education, publicity, and training. Use pre-existing internal channels to increase preparedness, compliance, and overall education. Create an email alias that goes to a response team focused on business continuity in the event of a major security incident.
8. Prioritize your company's IT assets and protect them. Scrutinize the essential business services that are critical to the company and the IT resources that support them. Areas will include electrical power, telecommunications, banking, transactions, and communications mobility.
   • What are the company’s core services?
   • Are they adequately protected?
   • Are they adequately secured in a legally compliant way?
9. Work with legal counsel to address compliance and liability issues. Threats to an enterprise’s security are changing so quickly that it’s a challenge to stay secure and stay legally compliant. Go the extra mile and build in hardened layers of security at every connection edge of the IT network, especially if you are a small business that someday hopes to work with larger, publicly traded corporations.