There are Red Sox and White Sox and, of course, Fox in Socks, but in 2002, a new SOX entered our lexicon: The Sarbanes-Oxley Act of 2002. This financial regulation was a response to large corporate misdeeds at the time, most notably Enron misleading its board through poor accounting practices and financial oversight.
The regulation seeks to ensure accurate and reliable financial reporting for public companies in the United States. But what does financial reporting have to do with IT?
A lot, it turns out, since it’s no longer en vogue to have scribes with long feather quills scribbling out numbers in giant paper books. Unfortunately for the quill, ink and abacus peddlers of the world (and fortunately for the auditors), financial systems are now the domain of servers and databases running large ERP applications.
The section of SOX that most affects IT is section 404. It requires “Management Assessment of Internal Controls,” which is a tiny portion of the bill but a huge part of any audit. The reason for this is that an auditor wants to assure the effectiveness of internal controls with regard to the financial systems and processes.
In practical IT terms, this means they want to know that data flowing through the system can’t be tampered with and that controls are in place to manage the risk to that data.
Some primary control areas are:
- Change Management
- Access Management – physical and logical
- Disaster Recovery (backups, business continuity)
- Automated Processes (scheduled jobs)
While auditors will be concerned with policy and process, they will also want to see evidence of those policies and processes at work. A great example is change management; change should be authorized, implemented by an appropriate person, tested and deployed into production.
Each part of the process is to ensure that change does (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Anthony Israel-Davis. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/sox/sox-sarbanes-oxley-compliance-primer/