ASPs and SOX Compliance



  • Can ASPs possibly be SOX compliant? As an example, there are legal e-billing systems that move legal invoices, provide workflow and approvals, and ultimately feed AP systems behind the firewall to initiate payment. These systems do not use authentication mechanisms beyond UN/PW. Some of these vendors even house multiple client DBs on the same server.
    I'm looking for some input as to where the true risks are in this kind of environment.




  • The short answer to your question is: Yes, ASP can be SOX compliant.
    I am currently working with two e-business groups as a consultant on this matter.
    I can't answer you in detail here, but let me point you in the general direction:
    Work with your programmers and IT security people on developing a 'Best Practices' requirement document.
    Following the best practices document will help ensure you're as secure as you can be using the ASP platform.
    There are many books and articles on ASP best practices, so you're in luck there.
    Next, do an 'as is' audit of where you are now as far as security. Compare that against your best practices worksheet.
    Do a GAP analysis comparing where you are now against your best practices sheet.
    Do a FORMAL and documented risk/benefit analysis (hopefully using your company's documented risk assessment process (COBIT PO9, Assess and Manage IT Risks)).
    Remediate what you can.
    Now sit down again with your programmers and security guy… and ask them to define what risks cannot be managed through code changes etc. due to the inherent risks associated with the ASP platform.
    Document all those risks. Do another risk assessment.
    Those risks you have left that are significant but cannot be changed due to inherent weaknesses of ASP must be noted, and where possible manual controls must be put into place to mitigate those risks.
    As long as you know where your weaknesses are, that's half the battle.
    If you have specific questions, please post those too.
    I am giving you a very high-level procedure here because of time and space constraints…
