CXL - Securing your mid-range systems.

SOX Compliance


Implementing a SOX compliance project in the IT world.

This article is for those of you who are new to SOX and have to get a SOX compliance project up and running quickly. The task of getting a SOX project off the ground can seem very difficult but when you break it down into component parts, life gets a lot easier.

1. Find out what SOX is and how it affects your company.
There are lots of documents and resources out there to help you learn about SOX and how to implement it in your company. The references on this site relate to SOX in the IT world. The very basics can be found here.

2. Staffing the project
Someone has to do it. This may range from just you to a dedicated team of people brought in especially for the purpose. The most likely scenario is that your company will reassign people to the task temporarily. These people (or this person) have to come to grips with the project and what is involved. So, get some staff.

3. Pick your standards
SOX compliance is all about comparing your company's controls against some accepted standards. You could invent your own standards of what you think is right, but they are unlikely to be comprehensive and you will find it hard to argue the need for them when they only have your support. Much better is to pick some internationally recognised standards such as

CobiT - Control Objectives for Information and Related Technology
COSO - Committee of Sponsoring Organizations of the Treadway Commission

These may already be accepted within your company, in which case your work will be much reduced. More likely, your company will have these as a sort of aim but have never been measured against them.

There are other frameworks too, such as ISO 17799 and HIPAA.

By far, the most comprehensive of the frameworks in an IT environment is CobiT.

A CobiT Primer

Learn more about CobiT here

4. Identify people and guidelines
Begin collecting names of key players in the world of IT and those around them. Who are the main IT people, IT security people, auditors (internal and external) and, most of all, who are the main business people?

Now obtain the documents: the audit guidelines, the management policies currently in place and any other documents which define policies and procedures within the company.

5. Identify a test team
SOX is all about identifying controls, documenting them and testing them. This is the main part of SOX compliance and also the most time consuming. Taking people from each of the business areas is a bad approach since you lose independence. It may be better to get a small group from just one area and then assign a coordinator - maybe you.

6. Define the roles and start working
Well, we have a coordinator, probably you. You will have selected the framework to test against and have it agreed with your boss. There is now a lot of work to do. The next job is to split your group up into Testers and Documenters. There will be a lot of systems and procedures to review and validate, and you will need to keep the SOX work under control to ensure that it is done properly and completely.

Sarbanes-Oxley seems quite an onerous task when you start out, but soon you realize that you are making a positive impact on the control environment in your company.