Non IT Security 319

  • Non-IT security would likely be outside scope of SOX.

  • I would like to think that is not the case either.
    Section 404 - Management assessment of internal controls - makes me think differently though.
    How can management sign off on internal controls if people can gain access to a computer room or desk and change data? Sure, IT policy limits access to the computer room, but how are we sure this is being done?

  • I misunderstood you. Physical security insofar as it relates to IT is covered by CobIT.

  • In documenting processes for the company I am currently working for, I am including details about the physical security implemented for the entire office complex. My primary focus is on physical security as it applies to IT resources but I definitely include a section describing external access to the building(s) at large. Unfortunately, I’ve not found much guidance on how detailed I need to be, but section DS5 of CobIT (‘Ensure Systems Security’) has given me a jumping off point - specifically the extremely brief sub-section 5.7 ‘Security Surveillance’.

  • _at_veek: For SOX purposes you don’t need to implement CobIT in its entirety. It is totally sufficient if you focus on the ‘IT Control Objectives for Sarbanes-Oxley’ provided by ISACA ( or ITGI (

  • Hi,
    I don't understand the people who think that only IT security is part of SOX. Physical security and safeguarding of assets is a very important part of a SOX project. This includes fire alarms, burglar alarms, access to different buildings, sprinkler systems, fire extinguishers, logging of external visitors and a lot of other issues. IT security is important but only one small part of the overall security.

  • Safeguarding of assets is only a topic as far as you need controls which let you realize that something happened to your assets and you need to correct your inventory in order to provide correct financial disclosures. E.g. you want to know if someone sold your equities which were meant to be held to maturity. If you don’t realize that, your statements might be wrong. Or, you also need to correct your inventory if someone’s stolen your server equipment. You should refer to the PCAOB site. They have given further comments on that topic.

  • It is valid to debate the physical security of the enterprise which is implementing SOX. The internal controls emphatically include the physical security aspects. We need to evolve a template for internal use which can be based on COBIT, as it comprehensively covers the controls on the corporate assets.

  • A follow-up question on physical access controls:
    It was thought that changing physical locks and access codes periodically would be good controls to have as it relates to securing data center assets. We are in the age where physical locks and access codes are not being used for access to data centers. Many places are using magnetic locks that require a card key to be used to gain entrance. The locks are controlled by software that keeps track of doors, door groups, and time frames. For example, by default an employee would be given access to interior doors from 6am to 9pm (this would exclude the data center). Any other access would require justification and approval.
    My question is that the control, which used to be to ensure that locks or access codes were changed periodically, no longer applies. In the new world there is no need for that. So would the new control be ensuring physical access was set up properly in the first place and then monitoring/reviewing who has access to the data center on a periodic basis?

  • Yes. But if you are controlling through software, consider who has access to the software too, and what exactly they can do.
    There needs to be control over issuing and recovery of access devices, as well as procedures to deal with ones that are lost or stolen, or left at home for the day.
    You will need to review the access lists periodically to ensure that they continue to have only the right people - typically errors will creep in over time, as perhaps a terminated person was not deleted, or a service engineer was granted temporary access that was not revoked.

  • Which control do you think is most important as far as the primary control to ensure physical access is revoked for terminating employees?

    1. collecting the card key/badge of an employee that is terminating employment
    2. deleting badge access out of the system
      Both need to be done; however, from a timing perspective, deleting badge access from the system may not happen at exactly the precise moment the employee leaves the building.

  • Not a SOX obligation, but a good security issue.
    It depends on the sensitivity of your environment.
    In very sensitive environments we first delete badge access out of the system and change logical access permissions and rights to the system and after that we let the employee learn about the termination 8O
    In most environments: I suggest first to collect the card key/badge of an employee that is terminating employment and then to delete badge access out of the system. Provided that there is a good security team in place, it works efficiently.
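The periodic access-list review described in the reply on software-controlled locks (terminated people not deleted, temporary engineer access not revoked, non-default door groups without approval) and the revocation-timing question in the last two posts can both be turned into one reconciliation check. The following is an added example written for this thread, not code from any poster or from a real badge-system vendor: the record layouts, the door-group names `INTERIOR_0600_2100` and `DATACENTER`, the 24-hour revocation window and all sample records are constructed assumptions. It takes the badge system's export, the HR roster and the list of approved temporary grants and returns findings for a reviewer to clear.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed group names: the default interior-door group everyone gets (06:00-21:00,
# as the thread describes) and the restricted data-center group.
DEFAULT_GROUPS = {"INTERIOR_0600_2100"}
# Assumed tolerance between HR termination and badge deactivation; not a SOX figure.
REVOCATION_WINDOW = timedelta(hours=24)


@dataclass
class Badge:
    badge_id: str
    holder: str
    groups: frozenset            # door groups assigned in the lock software
    active: bool
    revoked_at: Optional[datetime] = None
    approval_ref: Optional[str] = None   # ticket justifying any non-default group


@dataclass
class HrEntry:
    holder: str
    terminated_at: Optional[datetime] = None   # None means still employed


@dataclass
class TempGrant:
    badge_id: str
    group: str
    expires_at: datetime


def review_access(badges, hr_roster, temp_grants, now):
    """Reconcile badge records against HR and temporary grants.

    Returns a sorted list of (badge_id, finding) tuples; an empty list means
    the access list is consistent with the roster and approvals.
    """
    findings = []
    hr = {e.holder: e for e in hr_roster}
    grants = {(g.badge_id, g.group): g for g in temp_grants}

    for b in badges:
        entry = hr.get(b.holder)
        if entry is None:
            # Badge holder unknown to HR: nobody owns the decision to keep it.
            findings.append((b.badge_id, "holder not on HR roster"))
        elif entry.terminated_at is not None:
            if b.active:
                findings.append((b.badge_id, "terminated but badge still active"))
            elif b.revoked_at is None:
                findings.append((b.badge_id, "revocation time not recorded"))
            elif b.revoked_at - entry.terminated_at > REVOCATION_WINDOW:
                findings.append((b.badge_id, "badge revoked late"))

        if not b.active:
            continue

        # Every group beyond the default must be either a live temporary grant
        # or covered by an approval reference on the badge record.
        for group in sorted(b.groups - DEFAULT_GROUPS):
            grant = grants.get((b.badge_id, group))
            if grant is not None:
                if grant.expires_at < now:
                    findings.append((b.badge_id, f"expired temporary access to {group}"))
            elif b.approval_ref is None:
                findings.append((b.badge_id, f"{group} access without approval reference"))

    return sorted(findings)


def sample_findings():
    """Run the review over constructed sample data (not real records)."""
    now = datetime(2024, 3, 10, 9, 0)
    interior = frozenset({"INTERIOR_0600_2100"})
    interior_dc = frozenset({"INTERIOR_0600_2100", "DATACENTER"})
    badges = [
        Badge("B001", "alice", interior_dc, True, approval_ref="CHG-1001"),   # clean
        Badge("B002", "bob", interior, True),                                 # HR says terminated
        Badge("B003", "carol", interior_dc, True, approval_ref="CHG-1002"),  # engineer, grant expired
        Badge("B004", "dave", interior, False, revoked_at=datetime(2024, 3, 3, 10, 0)),
        Badge("B005", "erin", interior_dc, True),                             # no approval reference
        Badge("B006", "frank", interior, True),                               # not on HR roster
    ]
    hr_roster = [
        HrEntry("alice"),
        HrEntry("bob", terminated_at=datetime(2024, 3, 1, 17, 0)),
        HrEntry("carol"),
        HrEntry("dave", terminated_at=datetime(2024, 3, 1, 9, 0)),
        HrEntry("erin"),
    ]
    temp_grants = [TempGrant("B003", "DATACENTER", datetime(2024, 2, 15, 0, 0))]
    return review_access(badges, hr_roster, temp_grants, now)


if __name__ == "__main__":
    for badge_id, finding in sample_findings():
        print(badge_id, finding)
```

The check is deliberately driven by HR and approval records rather than by the badge system alone, because the reply above makes the point that whoever administers the lock software can also change its data; an independent source is what lets the reviewer see a terminated person or an unrevoked engineer that the software still considers legitimate.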
