Posted: Wed Jul 28, 2010 10:23 am Post subject: External Auditors and Who Sets The Bar?
When external auditors come in to a bank to ensure SOX compliance to what level are they checking? Is the bar set by some internal department in the bank or are there hard and fast rules as to what should and shouldn't be done from a process point of view?
Auditors will work to understand the bank's process flows and understand where risks occur. Based on the risks, they will establish a set of key controls for each individual bank, as processes can differ from location to location. That being said, there are general risks that would apply to any bank, therefore many controls from bank to bank would be similar (daily cash counts/reconciliations, etc.). In addition, the banking industry is highly regulated and has standards that must be adhered to. Compliance with those standards will form the basis for many of the bank's key controls.
Here briefly is my situation: I'm a contractor employed to give out very high level passwords in a British bank. The bank suddenly has American interests and everyone is worried about whether they are SOX compliant. There has been no external audit yet, but it's a bomb waiting to go off.
I daily get requests for new passwords to be issued in emails which give an approved change ticket number which more often than not doesn't state the exact server that is going to be worked on but talks more generally about the problem in hand. Ideally the ticket number would include the server name and USERID being asked for but it doesn't.
I then email the user the new password by reply which also states the server name.
This is a new process, the bank hasn't as of yet introduced any hard and fast rules on the issuance of these passwords.
I can see a SOX auditor having kittens when he reviews this process.
I would have thought the server and USERID for which the password request is being made should be clearly mentioned in the change request. Also, I would have thought the email being sent to the requestor should be in two parts, so the server and password details are separate, or the email should be sent encrypted.
So to what extent, if any, would SOX rules and regulations on the issuance of passwords guide this process? Or does the bank create its own process which a SOX auditor would simply ensure was being complied with?
Any views on this situation would be appreciated as I have now been handed the charge of creating a procedure as well as carrying it out, which rings alarm bells in my head straight away!
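The control the poster describes wanting (a password is issued only when an approved change ticket explicitly names the server and USERID, and every decision leaves an auditable record) can be expressed as a small gate in front of the issuance step. This is an added illustration, not code from the forum or from the bank in question; the ticket store, the `CHG-` ticket number format and the host names are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for an export from the bank's change-ticket system
# (hypothetical data; a real gate would query the ticketing system).
APPROVED_TICKETS = {
    "CHG-1001": {"status": "approved", "servers": {"ldn-db01"}, "userids": {"oracle"}},
    "CHG-1002": {"status": "pending",  "servers": {"ldn-app02"}, "userids": {"root"}},
}
# Assumed ticket-number format; adjust to whatever the ticketing system emits.
TICKET_RE = re.compile(r"\bCHG-\d{4}\b")


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)   # evidence an auditor can sample


def evaluate_request(requester: str, body: str, server: str, userid: str,
                     tickets: dict = APPROVED_TICKETS) -> Decision:
    """Decide whether a privileged-password request may be fulfilled.

    The request must cite a ticket that exists, is approved, and names both
    the server and the USERID being asked for. Every outcome, allowed or not,
    returns the same audit fields so the decision trail is complete.
    """
    audit = {"requester": requester, "server": server, "userid": userid, "ticket": None}
    match = TICKET_RE.search(body)
    if not match:
        return Decision(False, "no change ticket referenced", audit)
    ticket_id = match.group()
    audit["ticket"] = ticket_id
    ticket = tickets.get(ticket_id)
    if ticket is None:
        return Decision(False, "ticket not found", audit)
    if ticket["status"] != "approved":
        return Decision(False, f"ticket status is {ticket['status']}", audit)
    if server not in ticket["servers"]:
        return Decision(False, "ticket does not authorise this server", audit)
    if userid not in ticket["userids"]:
        return Decision(False, "ticket does not authorise this USERID", audit)
    return Decision(True, "ticket approved for server and USERID", audit)


if __name__ == "__main__":
    # A request that only talks about "the problem in hand" is rejected.
    d = evaluate_request("dba@example.test", "Urgent: DB is slow, need access", "ldn-db01", "oracle")
    print(d.allowed, d.reason, d.audit)
```

Only the password hand-off itself is left out here; whatever channel is used for it, the record returned by `evaluate_request` is the evidence that ties the grant back to an approved change.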