Non IT Security 319
-
There are templates available for IT security policies and procedures needed to comply with SOX, but what about the physical security aspect?
Is there any help on writing procedures for card access, security patrols, reporting methods and the like?
-
Non-IT security would likely be outside scope of SOX.
-
I would like to think that is not the case either.
Section 404 - Management assessment of internal controls - makes me think differently though.
How can management sign off on internal controls if people can gain access to a computer room or desk and change data? Sure, IT policy limits access to the computer room, but how are we sure this is being done?
-
I misunderstood you. Physical security insofar as it relates to IT is covered by CobIT.
-
In documenting processes for the company I am currently working for, I am including details about the physical security implemented for the entire office complex. My primary focus is on physical security as it applies to IT resources but I definitely include a section describing external access to the building(s) at large. Unfortunately, I’ve not found much guidance on how detailed I need to be, but section DS5 of CobIT (‘Ensure Systems Security’) has given me a jumping off point - specifically the extremely brief sub-section 5.7 ‘Security Surveillance’.
-
@veek: For SOX purposes you don't need to implement CobIT in its entirety. It is totally sufficient if you focus on the 'IT Control Objectives for Sarbanes-Oxley' provided by ISACA (www.isaca.org) or ITGI (www.itgi.org).
-
Hi,
I don't understand the people who think that only IT security is part of SOX. Physical security and safeguarding of assets is a very important part of a SOX project. This includes fire alarms, burglar alarms, access to different buildings, sprinkler systems, fire extinguishers, logging of external visitors and a lot of other issues. IT security is important but only one small part of the overall security.
Regards
-
Safeguarding of assets is only a topic as far as you need controls which let you realize that something happened to your assets, so that you can correct your inventory in order to provide correct financial disclosures. E.g. you want to know if someone sold your equities which were meant to be held to maturity. If you don't realize that, your statements might be wrong. Or, you also need to correct your inventory if someone's stolen your server equipment. You should refer to the PCAOB site. They have given further comments on that topic.
-
It is valid to debate the physical security of the enterprise which is implementing SOX. The internal controls emphatically include the physical security aspects. We need to evolve a template for internal use which can be based on COBIT, as it comprehensively covers the controls on the corporate assets.