Camera Systems 1709
Seal last edited by
Is there any requirement by SOX for video camera surveillance footage. ie. How far back do you need to keep (1 month, 2 months, etc. )
I was asked this question by our MD and said i would find out.
EMM last edited by
THis would depend on whether or not you are using security camera footage as some sort of Key control over access to office. warehouse etc.
If it is going to be subject to testing as a key control, I would refer to your ext auditors with your query
harrywaldron last edited by
I also agree with EMM, as SOX 404 standards mandate good technical and physical controls regarding IT security, but don’t usually get down to specific compliance levels (e.g., retention of video camera surveillance footage), as they might vary among different firms. Checking with Audit, HR, or Legal Counsel might be beneficial outside of SOX related needs
milan last edited by
SOX IT requirements addresses physical and environmental security in the general controls or GCC (general computer controls).
Physical and Environmental Security control addresses risk inherent to organizational premises, including:
Location Organizational premises should be analyzed for environmental hazards.
Physical security perimeter The premises’ security perimeter should be clearly defined and physically sound. A given premises may have multiple zones based on classification level or other organizational requirements.
Access control Ingress/egress locations in the physical security perimeter should have appropriate entry/exit controls commensurate with their classification level.
Equipment Equipment should be sited within the premises to ensure physical and environmental integrity and availability.
Asset transfer Mechanisms should exist to track entry and exit of assets through the security perimeter.
General Policies and standards, such as utilization of shredding equipment, secure storage, and ‘clean desk’ principles, should exist to govern operational security within the workspace.
As noted in the earlier posts, specific requirements are not prescribed to address the retention period for surveillance camera footage.
Denis last edited by
Good comments from all, but I think it is worth stating that:
It is extremely unlikely that as a result of SOX you would have to keep video camera surveillance footage.
Whilst it is possible that this could be a key control over financial reporting and it may just form part of the IT General Controls, this really is tenuous.
Personally, if I had this as a key control I would look to design another one because the effort around keeping video footage for non-operational issues just doesn’t seem worth it.
Seal last edited by
Thank You all for your input. The situation in out organization is that we have cameras installed in various area, but the most important ones are the Data Facility and the Trusted Centre.
I will definately get some input from our ext auditors. Thanks