Storage Network - Sox compliance 1954



  • Hi,
    In terms of Storage Networks (storage units, san switches) how can someone be sox compliant.
    :?:
    Best,
    linus



  • Hi,
    I believe that one of the process domains to achieve SOX IT compliance includes controls over backup and recovery. You should be able to find more information about suggested controls for SOX compliance in the guidance from CobiT.
    CobiT 4.0 may be found at isaca.org
    Additionally, the usual suspect (Harry W.) and others will likely reply to your question in more detail. However, as a starting point, it might be helpful to research some of the published guidance online.
    Hope this helps,
    Milan



  • Hi and welcome to the forums 🙂
    As Milan noted, the COBIT 4.0 standards are some of the acceptable guidelines audit firms use for SOX 404 compliance. SOX 404 provides a general IT framework for automated financial system controls, so there aren't highly specific things noted for the SAN environment.
    Briefly, the key areas of consideration include:

    1. Security
    2. Backup and Recovery
    3. File retentions - most SOX files must be retained for 7 years so, you need a NAS device 😉
    4. DR failover capabilities

    CAS Technologies (differs from NAS, but same SOX requirements):
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1475
    Free copy of COBIT 4.0 when you register:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1920


  • Physical and logical access is only what I think should be in scope for SAN Switches and storage units.
    For the data/configuration that resides in storage unit, you have operational controls related to backup and restoration which becomes applicable apart from logical access.
    We have a SAN environment and these were the only two controls that were tested as a part of ITGC (in agreement with external auditors).
    Calvin

