Posted: Fri Jun 19, 2009 1:05 pm Post subject: Login failure review - criteria
New to SOX and we are implementing controls around login failures and the review of them. At this point our thresholds are 10 or more failures in a 30 minute period. This is proving to be a challenging threshold as it results in hundreds of accounts to review (per week).
Looking for guidance around how to frame the criteria for this weekly review. We have an AD policy in place that after 5 attempts within 15 minutes results in an account lockout for 30 minutes.
If you've put in place, or have, an established review of login failures, I look forward to hearing how you've implemented and perform it.
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Mon Jun 22, 2009 11:36 am Post subject:
Hi Jeff - As SOX 404 is silent on specifics, it encourages firms in a flexible manner to ensure their IT financial systems are properly secured and controlled (using a self assessment approach that is later evaluated by SOX external auditors).
Certainly, logging and actively monitoring IT security events is important for ITGC and SOX 404 compliance. Some ideas for this include:
-- Sometimes Intrusion Detection Software (IDS) or security suites (e.g., KSA, Bindview, etc) can provide reporting capabilities
-- If you can't actively review all items, you might randomly sample a certain number (e.g., 25 per week instead of 100).
-- Sometimes the SOX External auditor can share guidance on what they feel would be acceptable
-- The COBIT 4 standards are often what external SOX auditors use to evaluate IT controls for financial systems and a free copy can be obtained in these links:
Joined: May 26, 2008 Posts: 187 Location: Switzerland
Posted: Wed Jun 24, 2009 8:46 am Post subject: controls over unsuccessful login attempts
Does the password protected system house an application that is material for the organization's consolidated financial statements (i.e. is at least reviewed as a basis for manual or automated inputs in financial accounting)?
If yes, doesn't your system allow the blocking of user-IDs after three (or more) CONSECUTIVE invalid (i.e. wrong) password attempts (i.e. there is no login with the correct password in between, and the time period of the logins is irrelevant)? This is a very effective preventive control even if passwords are rather weak in length and composition. If, in addition, the person in charge of unblocking user accounts is required to contact and verify the identity of the user and ask whether it was really him that entered an invalid password on day X at time Y, then you have strong controls and know if anybody is trying to obtain unauthorized access.
If this blocking policy is not an option, consider only reviewing invalid login attempts for user-IDs with more powerful access rights and/or only a sample of invalid login attempts.
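Worked example, added here and not posted by anyone in this thread: a small review script that runs the three rules discussed above over a handful of constructed logon events. It implements the original poster's sliding-window threshold (10 or more failures within 30 minutes, with the AD lockout policy of 5 in 15 minutes as a second parameter set), the consecutive-invalid-attempt rule from the reply above (three or more wrong passwords in a row, a successful login resets the count, elapsed time is ignored), and the triage suggestion of reviewing privileged accounts in full while randomly sampling the rest. The event format, account names, host names and the privileged-account list are all assumptions made for the example; the only real identifiers are the Windows Security event IDs 4625 (failed logon) and 4624 (successful logon).

```python
"""Weekly login-failure review over constructed Windows-style logon events (example code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import random

# Constructed sample events, not real logs. Columns: timestamp, event ID, account, source host.
# 4625 = failed logon, 4624 = successful logon (Windows Security log event IDs).
SAMPLE_EVENTS = """\
2009-06-15T08:00:05 4625 jsmith WS-101
2009-06-15T08:00:40 4625 jsmith WS-101
2009-06-15T08:01:10 4625 jsmith WS-101
2009-06-15T08:02:00 4624 jsmith WS-101
2009-06-15T09:30:00 4625 jsmith WS-101
2009-06-15T09:30:30 4625 jsmith WS-101
2009-06-15T22:00:00 4625 svc_backup SRV-FIN01
2009-06-15T22:02:00 4625 svc_backup SRV-FIN01
2009-06-15T22:04:00 4625 svc_backup SRV-FIN01
2009-06-15T22:06:00 4625 svc_backup SRV-FIN01
2009-06-15T22:08:00 4625 svc_backup SRV-FIN01
2009-06-15T22:10:00 4625 svc_backup SRV-FIN01
2009-06-15T22:12:00 4625 svc_backup SRV-FIN01
2009-06-15T22:14:00 4625 svc_backup SRV-FIN01
2009-06-15T22:16:00 4625 svc_backup SRV-FIN01
2009-06-15T22:18:00 4625 svc_backup SRV-FIN01
2009-06-16T10:00:00 4625 tjones WS-202
2009-06-16T10:45:00 4625 tjones WS-202
2009-06-16T11:30:00 4625 tjones WS-202
2009-06-16T12:15:00 4625 tjones WS-202
2009-06-16T13:00:00 4625 admin_ops WS-303
2009-06-16T13:00:20 4625 admin_ops WS-303
2009-06-16T13:00:50 4624 admin_ops WS-303
"""

# Assumed list of accounts with powerful rights; in practice pull this from AD group membership.
PRIVILEGED = {"svc_backup", "admin_ops"}


def parse_events(text):
    """Parse the constructed format into (timestamp, event_id, account, host) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, host = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), account, host))
    events.sort(key=lambda e: e[0])  # consecutive-failure logic needs chronological order
    return events


def window_threshold_hits(events, failures=10, window_minutes=30):
    """Accounts with at least `failures` failed logons inside any `window_minutes` window.

    Returns {account: peak number of failures seen in one window}. A per-account deque of
    failure timestamps is trimmed as the window slides, so this is linear in the event count.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    hits = {}
    for ts, eid, account, _ in events:
        if eid != 4625:
            continue  # successes do not count toward the window rule
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= failures:
            hits[account] = max(hits.get(account, 0), len(q))
    return hits


def consecutive_failure_hits(events, limit=3):
    """Accounts with at least `limit` consecutive failures; a success resets the streak, time is ignored."""
    streak = defaultdict(int)
    hits = {}
    for _, eid, account, _ in events:
        if eid == 4624:
            streak[account] = 0  # correct password in between breaks the run
        elif eid == 4625:
            streak[account] += 1
            if streak[account] >= limit:
                hits[account] = max(hits.get(account, 0), streak[account])
    return hits


def build_review_queue(events, privileged=PRIVILEGED, sample_size=25, seed=1):
    """Privileged accounts that fired either rule are always reviewed; the rest are sampled.

    The RNG is seeded so the auditor can reproduce which accounts were sampled in a given week.
    """
    flagged = set(window_threshold_hits(events)) | set(consecutive_failure_hits(events))
    must_review = sorted(a for a in flagged if a in privileged)
    rest = sorted(a for a in flagged if a not in privileged)
    sampled = sorted(random.Random(seed).sample(rest, min(sample_size, len(rest))))
    return must_review, sampled


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("10-in-30 window hits:", window_threshold_hits(evts))
    print("AD lockout (5-in-15) hits:", window_threshold_hits(evts, 5, 15))
    print("3 consecutive failures:", consecutive_failure_hits(evts))
    print("review queue (privileged, sampled):", build_review_queue(evts, sample_size=1))
```

Note the difference the two rules make on the same data: the service account trips both, but a user who fails three times over a morning (tjones) only shows up under the consecutive rule, and a user who recovers with a correct password (jsmith, admin_ops) drops out of the consecutive count even if the window rule would still count the earlier failures. Whichever rule is chosen as the control, the script output is the evidence the review was performed, so keep the parameters and the seed with the weekly record.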
Hello.
Nowadays all of us are facing different types of cyber crimes. Many of us may have encountered the problem of bank account theft. Cyber criminals hack our bank account number and password and transfer money to their accounts or take all of our money through an ATM. They are so efficient that they have sent an email to Obama describing his account number and password. This has made him think seriously about cyber crime.
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Mon Oct 26, 2009 1:38 pm Post subject:
Yes, security violations of this nature are numerous and very serious as well. While somewhat outside the scope of SOX itself, this is still an area of risk to both companies and individuals.
Companies have a fiduciary responsibility to safeguard their customer accounts and information (e.g., PCI DSS standards). Depending on the type of business and nature of credit card usage, there may even be some SOX related controls established (depending on whether material risks are deemed present).
Likewise individuals have a role in their own personal protection (e.g., to avoid malware traps and infections, avoid phishing scams, safeguard their personal/account info, etc). As one of my formal classes taught:
SECURITY = SEC-U-R-IT-Y ("You are it" -- and play a vital role)
In the dozen or so years I've evaluated this issue, I see it more on the bank's side to improve. It's much too easy to obtain and use credit cards by phone or web these days, and tough to genuinely prove that the person on the other side of that remote transaction is who they say they are.
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.