As security is such a major theme on the Act, many organizations are using the international ISO standards. The ISO 27001 Portal outlines these. A copy of the standards, and security policies, can be obtained via the ISO 17799 Toolkit.
Our server logs indicate some interesting mis-spellings: Sarbannes Oxley, Sorbane Oxley, Sarbanne Oxley, Sarbaines Oxley, Sarbanesoxley, Sorbanes Oxley, Sabanes Oxley, Sarbane Oxley, and Sarbanes Oaxley, to name but a few!
Sarbanes-Oxley Act Forum: Forums
The Sarbanes Oxley Act :: View topic - A personal shared folder a violation?
Posted: Wed Jul 11, 2012 10:45 am Post subject: A personal shared folder a violation?
I have a build server that builds for several projects. I shared a few folders on that machine. 1) a distribution folder for the builds, 2) a downloads folder that contains all the installers to recreate the build environments and 3) a development folder for the installers I'm developing. I share the dev folder so I don't have to copy the file to a share then grab it from there on the test machine. My question is if sharing a folder is a SOX violation? I have an IT guy that is telling I can't share any folders without going through the IT department. I worked for a company that was saying a lot of things were a violation but never a shared folder off a personal machine or a build server. It would be insane if this was a violation.
Different companies have different policies as far as SOX goes. In general, there is nothing wrong with shared folders as long as access is restricted to those who need access. If access is to download or read a file, then it is difficult to see the harm in that. If shared access allows everyone to write to a file that should be secured, then that is an issue.
Work with your team to understand why they think there is an issue. Once you have the Company position, talk with your auditors to see if they agree. Sometimes having the auditor tell others that they don't have to be so locked down will convince management to ease up on things that they have too tight of control over.
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Mon Aug 27, 2012 12:18 pm Post subject:
I also agree with kymike's good comments ... Folder sharing can be done as long as only "the need to know" individuals are properly defined and it does not compromise financial system controls. As he shared, hopefully you can work with the IT folks to alleviate concerns, and lock down resources appropriately. I've seen organizations take SOX standards like the SOX 404 IT compliancy controls beyond what is reasonable.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.