Non IT Security



  • There are templates available for IT Security policies and procedures needed to comply with SOX, what about the physical security aspect?
    Is there any help on writing procedures for card access, security patrols, reporting methods and the like?





  • Non-IT security would likely be outside the scope of SOX.



  • I would like to think that is not the case either.
    Section 404 - Management assessment of internal controls - makes me think differently though.
    How can Management sign off on internal controls if people can gain access to a computer room or desk and change data? Sure, IT policy limits access to the computer room, but how are we sure this is being done?



  • I misunderstood you. Physical security insofar as it relates to IT is covered by CobIT.



  • In documenting processes for the company I am currently working for, I am including details about the physical security implemented for the entire office complex. My primary focus is on physical security as it applies to IT resources but I definitely include a section describing external access to the building(s) at large. Unfortunately, I’ve not found much guidance on how detailed I need to be, but section DS5 of CobIT (‘Ensure Systems Security’) has given me a jumping off point - specifically the extremely brief sub-section 5.7 ‘Security Surveillance’.



  • _at_veek: For SOX purposes you don’t need to implement Cobit in its entirety. It is totally sufficient if you focus on the ‘IT Control Objectives for Sarbanes-Oxley’ provided by ISACA (www.isaca.org) or ITGI (www.itgi.org).



  • Hi,
    I don’t understand the people who think that only IT security is part of SOX. Physical security and safeguarding of assets is a very important part of a SOX project. This includes fire alarms, burglar alarms, access to different buildings, sprinkler systems, fire extinguishers, logging of external visitors and a lot of other issues. IT security is important but only one small part of the overall security.
    Regards



  • Safeguarding of assets is only a topic as far as you need controls which let you realize that something happened to your assets and you need to correct your inventory in order to provide correct financial disclosures. E.g. you want to know if someone sold your equities which were meant to be held to maturity. If you don’t realize that, your statements might be wrong. Or, you also need to correct your inventory if someone’s stolen your server equipment. You should refer to the PCAOB site. They have given further comments on that topic.



  • It is valid to debate on the physical security of the enterprise which is implementing SOX. The internal controls emphatically include the physical security aspects. We need to evolve a template for internal use which can be based on COBIT, as it comprehensively covers the controls on the corporate assets.



  • A follow-up question on physical access controls:
    It was thought that changing physical locks and access codes periodically would be good controls to have as it relates to securing data center assets. We are in the age where physical locks and access codes are not being used for access to data centers. Many places are using magnetic locks that require a card key to be used to gain entrance. The locks are controlled by software that keeps track of doors, door groups, and time frames. For example, by default an employee would be given access to interior doors from 6am to 9pm (this would exclude the data center). Any other access would require justification and approval.
    My question is that the control, which used to be ensuring that locks or access codes were changed periodically, no longer applies. In the new world there is no need for that. So would the new control be ensuring physical access was set up properly in the first place and then monitoring/reviewing who has access to the data center on a periodic basis?
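The periodic review described in the post above, as an added example that is not part of the original thread or of any particular access-control product: a small Python script that takes a constructed export of cardholders, door-group grants and time frames (the field names, door-group names and approval references are assumptions, not a real vendor format) and produces the two artifacts a reviewer would sign off on: a roster of everyone holding data-center access with their approval reference, and a list of exceptions (data-center access without an approval, interior-door access outside the 6am-9pm default without an approval, and cards still carrying grants for separated employees).

```python
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Tuple

# Default interior-door window from the thread: 6am to 9pm.
DEFAULT_WINDOW = (time(6, 0), time(21, 0))
# Hypothetical door-group names; a real export would use the vendor's own labels.
INTERIOR_GROUP = "interior"
DATA_CENTER_GROUP = "data_center"


@dataclass
class Grant:
    door_group: str
    start: time
    end: time
    approval_ref: Optional[str] = None  # ticket/approval id justifying the grant (assumed field)


@dataclass
class Cardholder:
    card_id: str
    name: str
    active_employee: bool  # False once HR has separated the person
    grants: List[Grant] = field(default_factory=list)


def outside_default_window(g: Grant) -> bool:
    """True if the grant's time frame is wider than the default interior window."""
    return g.start < DEFAULT_WINDOW[0] or g.end > DEFAULT_WINDOW[1]


def review(cardholders: List[Cardholder]) -> List[Tuple[str, str]]:
    """Return (card_id, finding) pairs for grants that need attention."""
    findings = []
    for ch in cardholders:
        for g in ch.grants:
            # Data-center access is never default: it must carry an approval.
            if g.door_group == DATA_CENTER_GROUP and not g.approval_ref:
                findings.append((ch.card_id, "DC_NO_APPROVAL"))
            # Interior access beyond 6am-9pm also needs justification/approval.
            if g.door_group == INTERIOR_GROUP and outside_default_window(g) and not g.approval_ref:
                findings.append((ch.card_id, "INTERIOR_OUTSIDE_DEFAULT_NO_APPROVAL"))
        # A separated employee should have no grants at all.
        if not ch.active_employee and ch.grants:
            findings.append((ch.card_id, "CARD_ACTIVE_FOR_SEPARATED"))
    return findings


def data_center_roster(cardholders: List[Cardholder]) -> List[Tuple[str, str, Optional[str]]]:
    """Roster of everyone with data-center access, for the periodic sign-off."""
    roster = []
    for ch in cardholders:
        for g in ch.grants:
            if g.door_group == DATA_CENTER_GROUP:
                roster.append((ch.card_id, ch.name, g.approval_ref))
    return sorted(roster)


# Constructed sample export (not real data); "CHG-0001" is a placeholder approval id.
SAMPLE_CARDHOLDERS = [
    Cardholder("C001", "Alice", True, [
        Grant(INTERIOR_GROUP, time(6, 0), time(21, 0)),
        Grant(DATA_CENTER_GROUP, time(0, 0), time(23, 59), approval_ref="CHG-0001"),
    ]),
    Cardholder("C002", "Bob", True, [
        Grant(INTERIOR_GROUP, time(6, 0), time(21, 0)),
        Grant(DATA_CENTER_GROUP, time(0, 0), time(23, 59)),  # no approval on file
    ]),
    Cardholder("C003", "Carol", True, [
        Grant(INTERIOR_GROUP, time(5, 0), time(23, 0)),  # wider than default, no approval
    ]),
    Cardholder("C004", "Dave", False, [
        Grant(INTERIOR_GROUP, time(6, 0), time(21, 0)),  # separated but card still active
    ]),
    Cardholder("C005", "Eve", True, [
        Grant(INTERIOR_GROUP, time(6, 0), time(21, 0)),
    ]),
]


if __name__ == "__main__":
    print("Data-center roster:")
    for row in data_center_roster(SAMPLE_CARDHOLDERS):
        print("  ", row)
    print("Exceptions:")
    for row in review(SAMPLE_CARDHOLDERS):
        print("  ", row)
```

Run as-is it reviews the constructed sample; against a real system you would replace `SAMPLE_CARDHOLDERS` with a parsed export from the access-control software and an HR feed for the `active_employee` flag, then retain the roster and exception list as evidence that the review happened.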

