Helpdesk/Support Staff and SOX 213



  • We are having our rights stripped from us daily as we go through SOX compliance. Has anyone out there an opinion or experience with accommodating support staff rights? Shouldn’t the people supporting the system have rights to that system?
    We no longer have access to networked data drives so we can’t test bad spreadsheets or simulate problems. Other people complain that they don’t have access to the production boxes they support. … it sounds like the auditors are getting carried away.
    Has anyone, implementing SOX, restricted their helpdesk or support staff’s ability to get their jobs done? What are the specific guidelines for this?




  • You need to speak with the individuals who are handling the IT side of your SOX documentation and testing about what you need to do in order to properly do your job. Unfortunately, some are getting carried away with security and blaming it on SOX. In reality, SOX does not prescribe the specific rules to follow for each business related to IT. This leads to various interpretations by the teams trying to implement SOX in the workplace.
    It could be that you are having your rights restricted to a specific drive because there is other data on that drive which could be accessed by you and needs to be secured. This just means that you need an alternative way to access the data you need in order to perform your job. Only your SOX IT team can explain what they are doing and why. Good luck.



  • It obviously doesn’t help the Helpdesk not to have access to the systems they need to support. On the other hand, SOX does require full control over the financial data ending up in the paperwork disclosed.
    That does not necessarily mean that access has to be cut off totally. It only means that you need to know and have control over who is accessing the data and what they’re doing with it.
    In terms of the Helpdesk you need an effective and documented four-eye principle and an effective and documented user management. You also need a guideline / policy in place defining very closely what the Helpdesk is allowed to perform and who is responsible for that.
    And of course all the documentation, support tickets etc. need to be archived for at least 7 years.
    You certainly can get around that by restricting the helpdesk so that they can’t access anything at all… 😉



  • As I understand it, rights to the system can be defined in more than one way. There are read-only rights, read / write rights (others?) that can be set for any drive, file, program, etc. You may have had more access than you needed to perform your job and you lost all rights instead of just having them limited to what you need.
    I’ll reiterate my advice above - speak with your IT SOX contact and get a better understanding of what they are trying to accomplish. Make certain that they understand your needs to do your job effectively.
    SOX is not intended to lock everything down perfectly. If you need access to make program changes, then there should be controls around those changes to ensure that the changes are authorized. The controls can either be preventive (advance authorization) or detective (change reports reviewed on a timely basis by someone who can authorize the changes).
    The description of your problem does not provide us with enough information to give a definitive answer, but maybe we have spurred your thinking enough to better understand the issue and get it resolved.
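The two replies above describe the same control from two angles: a documented four-eye principle over what the Helpdesk may do, and either preventive (advance authorization) or detective (timely review of change reports) controls around program changes. The script below is an added illustration of how one rule set can serve both, written for this thread and not taken from any poster. The approved-ticket list, the user and system names, and the pipe-separated change-log format are all constructed for the example; in practice the tickets would come from the change-management system and the log from the systems' own audit trails.

```python
"""Change-authorization check: one rule set used preventively and detectively.

Added example for this thread, not code from any poster. Ticket ids, user
names, system names and the log format are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed: approved change tickets as a change-management system might export them.
APPROVED_TICKETS = {
    "CHG-1001": {"approver": "fin.manager", "implementer": "helpdesk.anna",
                 "approved_at": "2024-03-04T09:00:00"},
    "CHG-1002": {"approver": "helpdesk.bob", "implementer": "helpdesk.bob",
                 "approved_at": "2024-03-04T10:00:00"},
    "CHG-1003": {"approver": "fin.manager", "implementer": "helpdesk.anna",
                 "approved_at": "2024-03-04T12:00:00"},
}

# Constructed change log: timestamp|user|system|action|ticket (ticket may be empty).
CHANGE_LOG = """\
2024-03-04T09:15:00|helpdesk.anna|GL-PROD|modify_report_proc|CHG-1001
2024-03-04T10:30:00|helpdesk.bob|GL-PROD|deploy_patch|CHG-1002
2024-03-04T11:00:00|helpdesk.carl|AP-PROD|edit_vendor_table|
2024-03-04T11:05:00|helpdesk.anna|GL-PROD|modify_report_proc|CHG-9999
2024-03-04T11:50:00|helpdesk.anna|GL-PROD|modify_report_proc|CHG-1003
"""


@dataclass
class Change:
    timestamp: datetime
    user: str
    system: str
    action: str
    ticket: str


@dataclass
class Finding:
    change: Change
    reason: str


def authorization_gap(change: Change, tickets: dict) -> Optional[str]:
    """Return None if the change is properly authorized, otherwise the reason it is not.

    The same rule is applied before a change (preventive) and over the log
    afterwards (detective), so the two controls cannot drift apart."""
    if not change.ticket:
        return "no change ticket referenced"
    ticket = tickets.get(change.ticket)
    if ticket is None:
        return f"ticket {change.ticket} not in the approved list"
    if ticket["implementer"] != change.user:
        return f"implemented by {change.user}, ticket authorizes {ticket['implementer']}"
    if ticket["approver"] == change.user:
        return "four-eyes violation: implementer approved their own change"
    if datetime.fromisoformat(ticket["approved_at"]) > change.timestamp:
        return "change made before the ticket was approved"
    return None


def parse_change_log(text: str) -> list:
    """Parse the constructed pipe-separated log into Change records."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, action, ticket = line.split("|")
        changes.append(Change(datetime.fromisoformat(ts), user, system, action, ticket))
    return changes


def review_change_log(text: str, tickets: dict) -> list:
    """Detective control: every logged change that lacks valid authorization."""
    return [Finding(c, gap) for c in parse_change_log(text)
            if (gap := authorization_gap(c, tickets)) is not None]


def may_proceed(user: str, ticket_id: str, tickets: dict, when: Optional[datetime] = None) -> bool:
    """Preventive control: gate a change before it is made."""
    probe = Change(when or datetime.now(), user, "", "", ticket_id)
    return authorization_gap(probe, tickets) is None


if __name__ == "__main__":
    # Weekly review as the reply describes: print the exceptions for a manager to sign off.
    for f in review_change_log(CHANGE_LOG, APPROVED_TICKETS):
        c = f.change
        print(f"{c.timestamp.isoformat()} {c.user:14} {c.system:8} "
              f"{c.action:20} {c.ticket or '-':9} {f.reason}")
```

Run over the constructed log, the review flags four of the five changes: the self-approved patch, the edit with no ticket, the reference to a ticket nobody approved, and a change made before its ticket's approval time. The one clean entry is the change that an implementer made under a ticket approved by someone else, after approval. The point for the thread is that none of this required taking the Helpdesk's access away; it required that each change be traceable to an authorization that the implementer did not grant to themselves.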

