SOX Compliant IT/IS backup/restore policy guidance



  • Hello,
    I’m new to this forum. I don’t know if anyone still looks in here or not. I’m in need of some specific details of what SOX regulatory compliant best practices are for data backup, retention and restore. And they should be Vendor agnostic.
    There are lots of high level comments from Vendors and/or bloggers about how their backup/restore products/opinions are SOX compliant. But few specific details on how one goes about actually implementing these regulatory compliant best practices.
    Is there some place that anyone can reference where a step by step process is described? I don’t need more high level descriptions. I’m looking for specifics. Such as what kind of offsite policy is compliant? What retention periods are compliant? What are compliant restore times?
    I’m in a product/service based organization. Not financial services.
    A url or a suggested search topic would be great. I’ve googled about everything I can think of and usually end up on some Vendor page. I need guidance specifically about backup/restore as that’s what I’ve been tasked to do.
    Thanks for your time and consideration.
    Blaine Miller



  • Hi Blaine Miller,
    First of all, welcome to the site.
    To help you, we may indeed need more details of your need.
    I don’t expect that you are requested to implement a control of something without being provided guidelines or procedures of what is expected from you.
    If you need the text of the SOX regulations, here it is:
    [Link removed]
    To answer on the implementation method, I would say it may be according to the internal strategy of your company, meaning that each company may establish a process to fulfill this requirement, but if you provide more details, we can try to help.
    The retention period may be found in regulation for IT backup; for instance, the HR files are expected to be archived forever, while the accounting ones, at least in my area, about 10 years, and this period is fixed by government via regulations, or by our activities’ regulations, or from contractual scope, depending.
    From an IT point of view, if I use your wording and do a Google search, I get this:
    [Link removed]
    But it may not answer your question.
    Waiting for your feedback,
    Selena



  • Hello, Selena…
    I think we may be on the right track. To use a specific example, SOX says in a general way, I need to have a backup and recovery plan for my organization. This is in support of the need for disaster recovery and business resumption policies and procedures.
    I’ve read the SOX Act and there are no specifics as to what constitutes any of these policies or procedures.
    That is, HR data must be retained and/or rotated over specific intervals. Financial data must be retained and/or rotated over specific intervals.
    Nor does the SOX Act specifically relate a process for being compliant. From experience, it looks as if general audit processes and procedures are used to define what the data processing policies and procedures are.
    I guess I’m looking for a source for direction or templates to draw from for these general auditing processes and procedures for SOX compliant documentation.
    The MS site you reference (the TechBrief) refers to a rollout/rollback process, not a SOX compliant backup/restore policy or procedure.
    Thanks.
    Blaine



  • SOX requires you to select a control framework (this may not be in the act, but is in the explanations that followed the act) to follow. Most use COSO as their framework. The IT cousin to COSO is COBIT. There you will find all sorts of information.



  • Hi Blaine,
    In addition to kymike’s comment,
    I just want to send you back to this document if you need to see the SOX requirement:
    .sec.gov/rules/final/33-8180.htm
    Take a glance from the chapter ’document to be retained’ until ’workpapers defined’. In this last chapter, the electronic record is included within the documents required to be kept from any damage or from being destroyed. Also you may find the legal period for retention.
    Good luck,
    Selena



  • Hi, I am new to this forum. I have read the queries and replies given, and I also read the Final Rule: Retention of Records Relevant to Audits and Reviews. I had a few queries…

    1. In the Final Rule: Retention of Records Relevant to Audits and Reviews clause, it’s mentioned as ’need to maintain the data regarding audit work papers, and other information related to any audit report’; need to maintain 7 years? As per (End notes 24)
    2. Does this mainly talk about financial reports and audits (COSO framework)?
    3. What about IT data backups’ retention duration?
