SOX and Division of Duties 1947

  • Hello again I wonder if I may put another question to you all.
    Recently I have been asked by a Systems Administrator from one of our clients how Division of Duties fits in with SOX compliancy. They have staff to provide a separate Ëœcheck and balance’ on System / Security administration, monitor the systems, networks and report any variance to their company policies. Some software which is being run needs administrator / root access to access the information needed.
    This causes a problem as the Sys Admin has been told that he must not allow anyone but Sys Admin staff to have root access. The maintenance staff must run their software under accounts with lesser privileges (these staff members have no direct logon to the servers but use installed clients on the servers running under root / administrator which returns specific information for their monitoring purposes) and thus Division of Duties.
    He asked me about this because it had been mentioned to him that this was needed to be SOX compliant. I know of Division of Duties but have not as yet heard any compulsorily reference to it in regards to SOX.
    Has else anyone encountered anything like this?

  • JSB,
    Yup Seggregation of Duites (SOD) or Division of duties (DOD) is one of key SOX control. What you have mentioned in your question is how you have achived the DOD in daily operations task. But there should be documented DOD in place which identifies duties which are conflicting and this document should be reviewed and updated on periodic basis. Even some organisation has put in place to go through this document whenever access is granted to new user or access is elevated for existing user. SOD/DOD helps one to give assurance that every body has got access on need to know and need to do basis thus helping to maintain secure operational environment for systems in terms of user accesses.

  • Nilesh,
    Granted, but this seems to be an extreme situation that has been associated with SOX.
    If the monitoring staff, are registered on their DOD documentation to have administrator rights on and their local machines and be able to communicate with remote software that is running under root / admin on remote servers (i.e. they have no actual login on to the server.) then this should comply.

  • JSB
    this is a common concern and headache for IT function of any organizaiton that is running the SOX race.
    If you are able to demonstrate controls in the preceeding or subsequent activities or controls in the form of manual reviews of system generated activites, SOD need not necessarily be stressed as THE control.
    We need to look at the control environment in totality and not as IT control environment and Business process control environment.
    A weakness in IT may be sufficiently mitigated in process( great possibility).
    hope this bit was useful

Log in to reply