Software for SOX
SOX Act of 2002
Sarbanes-Oxley Compliance Checklist
A SOX compliance checklist should include the following items that draw from Sarbanes-Oxley Sections 302 and 404. For each item, the signing officer(s) must attest to the validity of all reported information.
- Establish safeguards to prevent data tampering (Section 302.2)
Implement an ERP system that tracks user logins access to all computers that contain sensitive data and detects break-in attempts to computers, databases, fixed and removable storage, and websites.
- Establish safeguards to establish timelines. (Section 302.3)
Implement an ERP system that timestamps all data as it is received in real-time. This data should be stored at a remote location as soon as it is received, thereby preventing data alteration or loss. In addition, log information should be moved to a secure location and an encryped MD5 checksum created, thereby preventing any tampering.
- Establish verifiable controls to track data access. (Section 302.4.B)
Implement an ERP system that can receive data messages from virtually an unlimited number of sources. Collection of data should be supported from file queues, FTP transfers, and databases, independent of the actual framework used, such as COBIT and ISO/IEC 27000.
- Ensure that safeguards are operational. (Section 302.4.C)
Implement an ERP system that can issue daily reports to e-mail addresses and distribute reports via RSS, making it easy to verify that the system is up and running from any location.
- Periodically report the effectiveness of safeguards. (Section 302.4.D)
Implement an ERP system that generates multiple types of reports, including a report on all messages, critical messages, alerts and uses a ticketing system that archives what security problems and activities have occurred.
- Detect Security Breaches. (Section 302.5.A/B)
Implement an ERP system that performs semantic analysis of messages in real-time and uses correlation threads, counters, alerts, and triggers that refine and reduce incoming messages into high-level alerts. These alert then generate tickets that list the security breach, send out email, or update an incident management system.
- Disclose security safeguards to SOX auditors. (Section 404.A.1.1)
Implement an ERP system that provides access to auditors using role-based permissions. Auditors may be permitted complete access to specific reports and facilities without the ability to actually make changes to these components, or reconfigure the system.
- Disclose security breaches to SOX auditors. (Section 404.A.2)
Implement an ERP system capable of detecting and logging security breaches, notifying security personnel in real-time, and permitting resolution to security incidents to be entered and stored. All input messages are continuously correlated to create tickets that record security breaches and other events.
- Disclose failures of security safeguards to SOX auditors. (Section 404.B)
Implement an ERP system that periodically tests network and file integrity, and verifies that messages are logged. Ideally the system interfaces with common security test software and port scanners to verify that the system is successfully monitoring IT security.