legacy-wiki
Sarbanes-Oxley
Recovered from the older tannerjc.net wiki snapshot dated January 23, 2016.
- http://searchsecurity.techtarget.com/feature/Introduction-to-COBIT-for-SOX-compliance
  > "there is no specific mention of IT in Section 404, and more importantly, there are no specifics as to what controls have to be established within an IT organization to comply with Sarbanes-Oxley legislation."
  > "Although there are various standards a company can use for defining and documenting its internal controls – ITIL (IT Infrastructure Library), Six Sigma, and COBIT – the majority of auditors have adopted COBIT."
- http://www.cpaaustralia.com.au/cps/rde/xbcr/cpa-site/IT-checklist-small-business-2011.pdf
- There is no single point of reference or comprehensive set of guidelines for SOX compliance
- SOX compliance is defined by the corporation itself, by reference to a set of internal control frameworks
- Because every business assesses risks differently, the controls each business requires will be different
- Oracle Applications is often the financial system of record
- (Oracle databases are) required to meet a higher standard of SOX compliance than the rest of the IT department
- SOX is most concerned with any and all changes to the financial data and to the processing of the financial data
- Unauthorized querying or viewing of data may be an issue in terms of HIPAA, GLBA, US and European privacy laws, and SEC rule
- Security must be addressed at the application, database, and operating system level
- System administrators and developers should have inquiry-only functional responsibilities
- Developers and other support staff should have no access to production to register programs, change profile option values, etc.
- Custom system administration responsibilities should be created for IT and limited to only the necessary functions
- DBAs and support staff have named, read-only database accounts
- Change management is critical to SOX compliance
- (change management) must include all changes to the application, database, application servers, operating system, and hardware
- Manual controls and acceptance of risk by management are possible solutions to audit findings
- http://cloudcomputing.sys-con.com/node/1622079
  All configuration changes to the application, whether requested by the cloud consumer or made by the SaaS provider, should be logged and reported on. Some of the important attributes to log are:
  - Application-level access control changes
  - Which event changed the configuration
  - Date and timestamp
  - Operation performed
  - Transaction type
  - User ID
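An added example, not from the wiki or any of the sources it cites: a small review script that walks a constructed JSON-lines export of configuration-change records, checks that every record carries the attributes listed above, and flags the segregation-of-duties problems the notes describe (an inquiry-only developer or DBA making a production change, a change with no change-management event behind it, an unnamed account). The field names, role names and log format are assumptions for the example.

```python
import json
from datetime import datetime

# Attributes every configuration-change record must carry (the list above; key names assumed).
REQUIRED_FIELDS = ("access_control_change", "triggering_event", "timestamp",
                   "operation", "transaction_type", "user_id")

# Constructed role mapping (hypothetical users/roles). Developers, DBAs and support staff
# hold inquiry-only responsibilities; only the custom admin responsibility may change production.
ROLE_OF_USER = {"jsmith": "sysadmin_custom", "dev_alice": "developer", "dba_bob": "dba_readonly"}
INQUIRY_ONLY_ROLES = {"developer", "dba_readonly", "support"}
READ_OPERATIONS = {"VIEW", "QUERY"}

# Constructed sample log: one JSON object per line, as a SaaS provider might export it.
SAMPLE_LOG = """\
{"access_control_change": true, "triggering_event": "ticket CHG-1042", "timestamp": "2016-01-20T09:14:00Z", "operation": "UPDATE", "transaction_type": "profile_option", "user_id": "jsmith"}
{"access_control_change": false, "triggering_event": "manual", "timestamp": "2016-01-20T11:02:30Z", "operation": "UPDATE", "transaction_type": "profile_option", "user_id": "dev_alice"}
{"access_control_change": false, "triggering_event": "ticket CHG-1050", "timestamp": "2016-01-21T08:00:00Z", "operation": "VIEW", "transaction_type": "report", "user_id": "dba_bob"}
{"access_control_change": true, "timestamp": "not-a-date", "operation": "DELETE", "transaction_type": "responsibility", "user_id": "ghost"}
"""

def review_record(rec):
    """Return the list of audit findings for one configuration-change record (empty if clean)."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        findings.append("missing attributes: " + ", ".join(missing))
    try:  # the timestamp must be a usable, unambiguous (UTC) point in time
        datetime.strptime(rec.get("timestamp", ""), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        findings.append("timestamp not in ISO 8601 UTC form")
    user = rec.get("user_id")
    role = ROLE_OF_USER.get(user)
    if role is None:
        findings.append(f"unknown user_id {user!r}: not a named account")
    elif role in INQUIRY_ONLY_ROLES and rec.get("operation") not in READ_OPERATIONS:
        findings.append(f"{user} ({role}) performed {rec.get('operation')} in production")
    if rec.get("triggering_event") == "manual":
        findings.append("change not tied to a change-management request")
    return findings

def review_log(text):
    """Parse JSON-lines log text; return {line_number: findings} for records with findings."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            findings = review_record(json.loads(line))
            if findings:
                results[lineno] = findings
    return results

for lineno, findings in review_log(SAMPLE_LOG).items():
    print(f"line {lineno}: " + "; ".join(findings))
```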