SOX and Perimeter Security Devices 1700



  • I’d appreciate any feedback as to the extent others feel perimeter security devices (firewalls, remote access servers) are within scope of SOX. I think not since they are not protecting or key to the integrity of any specific financial system but others at work disagree and claim controls over these devices are SOX related because of their overall security significance to the firm, which includes financial and non-financial systems.



  • I would be inclined to agree with your colleagues.
    Despite the fact that SOX is essentially covering internal controls over financial reporting systems, there is also a requirement to have effective company-level controls in place. One of these would probably include network security and confidentiality of company information.



  • I think not since they are not protecting or key to the integrity of any specific financial system
    I’m just wondering how your financial systems are set up if you don’t see the link.



  • Hi Mike and welcome to the forums 🙂
    SOX compliance requires best practices for financial systems in the areas of controls (COSO) and the IT side (COBIT and SOX 404). You might further research the topics placed in parentheses by searching in the forums or on the Internet.
    SOX standards are at times nebulous and subject to interpretation, as they are written in generic terms. They are written to cover the wide range of businesses and technological frameworks used by companies. Thus, I’m thankful for this forum as a resource to learn from.
    The SOX 404 standard is the one to research for specifics on IT controls. This standard puts the onus on companies to ensure their financial systems are well protected with IT security safeguards. With IT security you want one-stop shopping in protecting both financial and non-financial systems overall (so the bad guys don’t break into a weaker control on non-financial systems and hop over to the financial side).
    I also feel that perimeter security devices (firewalls, remote access servers) are within the scope of SOX. These types of IT security controls are definitely on the audit checklists for SOX as well as non-SOX audits.
    As an example of financial implications: if someone externally or internally can break into your IT network infrastructure, they might get customer information, account numbers, credit card info, etc., and possibly submit fraudulent financial transactions.
    I hope this helps, and please feel free to ask additional questions.