Software SOA Compliance 1754



  • Hello,
    I want ask you a question regarding the compliace with SOA.
    I work for an Italian company that make software for shipping and industries.
    This software is used for the maintenance planning and management, stock management and purchasing.
    Our software can use as engine MSSQL, Oracle and Sybase Adaptive Server.
    The question is that one of our customer is asking if our software is SOA compliant, at the moment I cannot give any answer to this customer, so can you tell me if there is a list with all the requirement necessary to have a software compliant with soa?
    Thanks in advance and regards
    Agostino



  • Hi Agostino and welcome to the forums 🙂
    As a software provider, the following are some ideas to consider:

    1. Meeting SOX 404 standards would be a key concern, so that there’s appropriate IT security and controls built into your applications.
    2. The PCAOB also uses COBIT 4.0 standards as part of the software certification process.
    3. Meeting SOX requirements also involves a secure implementation with good controls by your customers
    4. A software company’s responsibility is that of ensuring there are no major security flaws in their products (e.g., search here and the Internet for SOX 404 requirements).
    5. I’m not aware of a firm that certifies or ‘brands’ software as being SOX compliant?
    6. Some of the links below might help define IT requirements:
      Some key links on COSO, SOX 404, and COBIT
      http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-p=5990#5990
      Additional Links - please add www and paste into browser
      google.com/search?q=SOX software requirements
      softwaremag.com/L.cfm?Doc=2006-01/2006-01-compliance
      dbazine.com/ofinterest/oi-articles/mcquade2


  • Many many thanks for your help.
    Your information are very helpful.



  • I was looking on internet that the security requirement must be the same reported in the ISO 17799
    Can you confirm it?
    thanks and regards



  • Hi - Using the search button above, you can enter 17799 as the search argument and find over a dozen posts related to this.
    This post in particular has relevance regarding possible relationships of SOX and ISO 17799:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1584
    As one of SOX experts shared the short answer is ‘No’ for ISO 17799 fully satifying SOX requirements. However, ISO 17799 are an excellent set of security standards and would go a long ways in fulfilling many of the SOX IT requirements. Certainly, it’s beneficial for software products to ISO 17799 standards alone.
    The key goal of SOX is to ensure ‘no one can cook the books’ (e.g., Enron and other companies), and the emphasis on financial controls (e.g., workflows, separation of duties, autonomy levels, change control, security protection, etc.).
    SOX 404 standards are the key measure for IT software compliancy . External Auditors often use COBIT 4.0 as a template for SOX 404 compliancy, as it’s widely recognized by the PCAOB as one way of fulfilling SOX IT compliancy requirements (however COBIT is not mandated specifically in SOX itself).
    Most likely your software will have proper controls, autonomy levels designed into it, and other factors that can help meet SOX 404 requirements. You might further on SOX 404 and COBIT 4.0 for more specific requirements.
    Finally, SOX 404 compliancy also depends on how software products are implemented by the customer as well. Many vendors offer guidelines on how to implement their products for SOX, HIPAA, and other regulatory requirements.
    Good luck 🙂



  • ok thanks many thanks for this information


Log in to reply