Camera Systems 1709

  • Is there any requirement by SOX for video camera surveillance footage. ie. How far back do you need to keep (1 month, 2 months, etc. )
    I was asked this question by our MD and said i would find out.

  • THis would depend on whether or not you are using security camera footage as some sort of Key control over access to office. warehouse etc.
    If it is going to be subject to testing as a key control, I would refer to your ext auditors with your query

  • I also agree with EMM, as SOX 404 standards mandate good technical and physical controls regarding IT security, but don’t usually get down to specific compliance levels (e.g., retention of video camera surveillance footage), as they might vary among different firms. Checking with Audit, HR, or Legal Counsel might be beneficial outside of SOX related needs 🙂

  • SOX IT requirements addresses physical and environmental security in the general controls or GCC (general computer controls).
    Physical and Environmental Security control addresses risk inherent to organizational premises, including:
    Location Organizational premises should be analyzed for environmental hazards.
    Physical security perimeter The premises’ security perimeter should be clearly defined and physically sound. A given premises may have multiple zones based on classification level or other organizational requirements.
    Access control Ingress/egress locations in the physical security perimeter should have appropriate entry/exit controls commensurate with their classification level.
    Equipment Equipment should be sited within the premises to ensure physical and environmental integrity and availability.
    Asset transfer Mechanisms should exist to track entry and exit of assets through the security perimeter.
    General Policies and standards, such as utilization of shredding equipment, secure storage, and ‘clean desk’ principles, should exist to govern operational security within the workspace.
    As noted in the earlier posts, specific requirements are not prescribed to address the retention period for surveillance camera footage.

  • Good comments from all, but I think it is worth stating that:
    It is extremely unlikely that as a result of SOX you would have to keep video camera surveillance footage.
    Whilst it is possible that this could be a key control over financial reporting and it may just form part of the IT General Controls, this really is tenuous.
    Personally, if I had this as a key control I would look to design another one because the effort around keeping video footage for non-operational issues just doesn’t seem worth it.

  • Thank You all for your input. The situation in out organization is that we have cameras installed in various area, but the most important ones are the Data Facility and the Trusted Centre.
    I will definately get some input from our ext auditors. Thanks

Log in to reply