Logging, Syslog and Log Analysis Forums » Forums » Security

systems administration and sarbanes/oxley

November 03, 2004, 11:07:08 pm #0
mutex

systems administration and sarbanes/oxley

After having been through the joyous experience of going through Sarbanes/Oxley audits, I wanted to see if anyone else had been through it and what your experiences were.
SOX relies heavily on investigating the effectiveness of security controls, and we ran into a lot of problems because many packaged applications (accounting and whatnot) don't have great logical access models.  Is that a pretty common experience?
November 09, 2004, 10:11:16 am #1
Anonymous

RE: systems administration and sarbanes/oxley

We're in the middle of it right now... they do seem to expect things that just are not logically possible.
For example, we have SQL servers and they want us to track SQL system level changes. SQL just doesn't have that sort of reporting built in and automating it is not too easy.
November 09, 2004, 12:46:06 pm #2
mutex

RE: systems administration and sarbanes/oxley

Ouch! That is just plain crazy. One way to possibly manage that is to escrow the SA passwords until they are needed, then have any changes be approved by a manager. That isn't possible in our situation, so it probably isn't in most cases, but it is a possibility.
We didn't get hit up on our databases, but they did hit us pretty hard on making sure that someone who is authorized to make a change only makes the changes that they are supposed to. We made pretty great strides in implementing a change management system, but they want us to take it beyond just getting approval, where the system had workflow built in that would require an approval step before it gets committed to production.

I feel for you. I think a lot of the auditors are just feeling around in the dark, because they really don't know what they are really testing for. One thing you always have to fall back on is to let your CIO/VP/Director state that they are comfortable with the risk associated with not tracking those changes, and let them challenge it.
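Editor's added example, not code from either poster. Reply #1 asks how to track SQL Server "system level" changes, and reply #2 describes escrowing the SA password and reconciling what was actually changed against what was approved. The T-SQL below addresses both: DDL triggers (a feature of SQL Server 2005 and later, so it postdates this 2004 thread) write every server-level and database-level DDL event, including who ran it and the exact statement, to an audit database, and a final query joins that trail to a table of approved change tickets to list every change no ticket covers. The ChangeAudit and Accounting database names, the table, procedure and trigger names, and the sample rows at the end are assumptions made for illustration.

```sql
-- Added example, not from the thread. Audit trail for SQL Server "system
-- level" changes via DDL triggers (SQL Server 2005 and later), plus an
-- exception report that joins the trail to approved change tickets.
-- Database, table, procedure and trigger names are illustrative assumptions.

-- 1. Audit store, kept outside the application databases so that an
--    application DBA cannot drop it along with the schema it watches.
CREATE DATABASE ChangeAudit;
GO
USE ChangeAudit;
GO
CREATE TABLE dbo.DDLAudit (
    AuditID      INT IDENTITY(1,1) PRIMARY KEY,
    EventTime    DATETIME       NOT NULL DEFAULT GETUTCDATE(),
    EventType    NVARCHAR(100)  NOT NULL,  -- e.g. ALTER_TABLE, CREATE_LOGIN
    LoginName    NVARCHAR(128)  NOT NULL,  -- who ran it; sa shows up here too
    HostName     NVARCHAR(128)  NULL,      -- client-supplied, corroborate with network logs
    DatabaseName NVARCHAR(128)  NULL,      -- NULL for server-level events
    ObjectName   NVARCHAR(256)  NULL,
    CommandText  NVARCHAR(MAX)  NULL,      -- the exact statement executed
    EventXml     XML            NOT NULL   -- full EVENTDATA() for forensics
);
GO
-- Shared writer. Every login that can run DDL must map to a user in
-- ChangeAudit with EXECUTE on this procedure (ownership chaining covers the
-- INSERT); only the audit team gets SELECT or DELETE on the table. If the
-- insert fails, the DDL statement is rolled back, so the control fails closed.
CREATE PROCEDURE dbo.usp_LogDDL @e XML
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.DDLAudit
        (EventType, LoginName, HostName, DatabaseName, ObjectName, CommandText, EventXml)
    VALUES (
        @e.value('(/EVENT_INSTANCE/EventType)[1]',    'nvarchar(100)'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',    'nvarchar(128)'),
        HOST_NAME(),
        @e.value('(/EVENT_INSTANCE/DatabaseName)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]',   'nvarchar(256)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e);
END;
GO
-- 2. Server-scoped trigger: logins, server roles, linked servers, endpoints.
CREATE TRIGGER trg_AuditServerDDL ON ALL SERVER
FOR DDL_SERVER_LEVEL_EVENTS
AS
BEGIN
    DECLARE @e XML; SET @e = EVENTDATA();
    EXEC ChangeAudit.dbo.usp_LogDDL @e;
END;
GO
-- 3. Database-scoped trigger in the packaged application's database
--    (assumed to be called Accounting): tables, procedures, permissions.
USE Accounting;
GO
CREATE TRIGGER trg_AuditDatabaseDDL ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    DECLARE @e XML; SET @e = EVENTDATA();
    EXEC ChangeAudit.dbo.usp_LogDDL @e;
END;
GO
-- 4. Approved tickets, fed from the change-management workflow, and the
--    exception report an auditor can sample: audited changes no ticket covers.
USE ChangeAudit;
GO
CREATE TABLE dbo.ApprovedChange (
    TicketID    NVARCHAR(32)  PRIMARY KEY,
    LoginName   NVARCHAR(128) NOT NULL,  -- the one login authorized to implement it
    TargetDb    NVARCHAR(128) NULL,      -- NULL = server-level change
    WindowStart DATETIME      NOT NULL,
    WindowEnd   DATETIME      NOT NULL,
    ApprovedBy  NVARCHAR(128) NOT NULL
);
GO
-- Constructed sample rows: one approved change, and one change run as sa at night.
INSERT INTO dbo.ApprovedChange
VALUES ('CHG-1001', 'CORP\jsmith', 'Accounting', '2004-11-08 18:00', '2004-11-08 20:00', 'CORP\cfo');
INSERT INTO dbo.DDLAudit (EventTime, EventType, LoginName, DatabaseName, ObjectName, CommandText, EventXml)
VALUES ('2004-11-08 18:30', 'ALTER_TABLE', 'CORP\jsmith', 'Accounting', 'GL_Journal',
        'ALTER TABLE dbo.GL_Journal ADD Memo NVARCHAR(200)', '<EVENT_INSTANCE/>');
INSERT INTO dbo.DDLAudit (EventTime, EventType, LoginName, DatabaseName, ObjectName, CommandText, EventXml)
VALUES ('2004-11-08 23:10', 'ALTER_TABLE', 'sa', 'Accounting', 'GL_Journal',
        'ALTER TABLE dbo.GL_Journal DROP COLUMN PostedBy', '<EVENT_INSTANCE/>');
GO
-- A change is "covered" only if the same login ran it, inside the ticket's
-- window, against the ticket's target database.
SELECT a.AuditID, a.EventTime, a.LoginName, a.EventType, a.DatabaseName, a.ObjectName, a.CommandText
FROM dbo.DDLAudit AS a
WHERE NOT EXISTS (
    SELECT 1 FROM dbo.ApprovedChange AS c
    WHERE c.LoginName = a.LoginName
      AND a.EventTime BETWEEN c.WindowStart AND c.WindowEnd
      AND (c.TargetDb IS NULL OR c.TargetDb = a.DatabaseName)
);
```

The report deliberately matches on login name, so anything run as sa can only be "covered" by a ticket issued to sa, which ties in with the escrow idea in reply #2: if the SA password is only released against a ticket, the ticket is what legitimizes the row. The usual caveat applies: a login with ALTER ANY DATABASE DDL TRIGGER or sysadmin can disable the triggers, so the audit table should also record DDL_TRIGGER events (DDL_DATABASE_LEVEL_EVENTS already includes them) and the ChangeAudit database itself needs a separate owner.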

