RBAC 2086



  • Hello guys and gals,
    Quick question… what kind of role does RBAC (Role-Based Access) play in SOX testing? Is it a requirement when I'm testing Logical Access on my Apps/DBs, or just a best-practice thing? I've started in a new place and my manager insists that it's one of the requirements and that I can fail the test if an app or DB doesn't meet it… I disagree, but only based on the fact that I have never had to test that aspect. The only online material I came across is ISACA's Maturity Model chart, but unfortunately that didn't answer my question in full.
    Thanks and keep on SOXing…



  • Yes, that's a requirement when you are testing the logical access to Apps and DBs from the IT side. At a minimum, there needs to be segregation between Dev and Prod roles (the most important issue for the external auditors). There need to be some compensating controls to mitigate the risk if one person is performing multiple roles.
    Also, the person who generates a report and the person who reviews and approves it need to be in different roles. Generally speaking, someone who reviews the reports is from the Management tier.
    You can look up ISACA for the IT roles and responsibilities (IT SOD) matrix.



  • Thanks, Cal, for the reply.
    However, I'm more concerned with RBAC from a Logical Access / Grant Access point of view rather than as an SOD issue. Let me try to clarify what I am asking. RBAC = rather than an individual user being granted rights, a user is granted a role, and this role has rights assigned to it. So let's say Joe Accountant needs access to a DB; rather than assigning Joe individual rights, he would be assigned a bundle of rights that all accountants have. Now, is this a SOX requirement, or just a nice thing to have?
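As an added illustration (not from the thread, and not any auditor's or framework's prescribed test), here is what the "Joe gets a role" versus "Joe gets rights directly" distinction from the post looks like in PostgreSQL, followed by the kind of catalog query a tester could run to surface privileges granted straight to login users instead of to roles. The table and role names (ledger, accountants, joe) are hypothetical, and the PostgreSQL-specific catalog functions (aclexplode, pg_roles) are an assumption about the platform under test.

```sql
-- Added example, not from the original thread. Names are hypothetical.
CREATE TABLE ledger (id serial PRIMARY KEY, amount numeric);

-- 1. The RBAC pattern described in the post: rights live on the role,
--    and the user is made a member of the role.
CREATE ROLE accountants NOLOGIN;
GRANT SELECT, INSERT ON ledger TO accountants;

CREATE ROLE joe LOGIN;
GRANT accountants TO joe;

-- 2. The pattern a tester would flag: a right granted straight to a
--    login user, bypassing the role model.
GRANT DELETE ON ledger TO joe;

-- 3. Test query: table/view privileges held directly by login users or by
--    PUBLIC, excluding superusers and each table's owner (who holds rights
--    implicitly). Grants made to NOLOGIN roles such as accountants are not
--    listed, so a clean RBAC setup returns no rows.
SELECT n.nspname                     AS schema_name,
       c.relname                     AS table_name,
       COALESCE(r.rolname, 'PUBLIC') AS grantee,
       a.privilege_type
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN LATERAL aclexplode(c.relacl) a        -- one row per (grantee, privilege)
LEFT JOIN pg_catalog.pg_roles r ON r.oid = a.grantee
WHERE c.relkind IN ('r', 'v')                     -- ordinary tables and views
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND a.grantee <> c.relowner                      -- owner's implicit rights
  AND (a.grantee = 0                               -- grantee 0 = PUBLIC
       OR (r.rolcanlogin AND NOT r.rolsuper))      -- a user who can log in
ORDER BY grantee, schema_name, table_name, privilege_type;
```

The query reads the ACL on each relation rather than information_schema.role_table_grants because the information_schema views only show grants involving roles the current session has enabled, which is not what an auditor wants. In this setup the DELETE grant to joe is the kind of row it surfaces, while joe's SELECT and INSERT access, inherited through accountants, does not appear because it is attached to a role that cannot log in. Whether such a row is a finding or just an observation is the policy question the thread is asking; the query only makes the exceptions visible.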

