SOX and Division of Duties
JSB last edited by
Hello again I wonder if I may put another question to you all.
Recently I have been asked by a Systems Administrator from one of our clients how Division of Duties fits in with SOX compliance. They have staff to provide a separate 'check and balance' on System / Security administration, monitor the systems and networks, and report any variance to their company policies. Some software which is being run needs administrator / root access to access the information needed.
This causes a problem as the Sys Admin has been told that he must not allow anyone but Sys Admin staff to have root access. The maintenance staff must run their software under accounts with lesser privileges (these staff members have no direct logon to the servers but use installed clients on the servers running under root / administrator which returns specific information for their monitoring purposes) and thus Division of Duties.
He asked me about this because it had been mentioned to him that this was needed to be SOX compliant. I know of Division of Duties but have not as yet heard any compulsory reference to it in regards to SOX.
Has anyone else encountered anything like this?
nilesh last edited by
JSB last edited by
Granted, but this seems to be an extreme situation that has been associated with SOX.
If the monitoring staff are registered in their DOD documentation as having administrator rights on their local machines and being able to communicate with remote software that is running under root / admin on remote servers (i.e. they have no actual login on to the server), then this should comply.
NC last edited by
This is a common concern and headache for the IT function of any organization that is running the SOX race.
If you are able to demonstrate controls in the preceding or subsequent activities, or controls in the form of manual reviews of system-generated activities, SOD need not necessarily be stressed as THE control.
We need to look at the control environment in totality and not as IT control environment and Business process control environment.
A weakness in IT may be sufficiently mitigated in process (great possibility).
Hope this bit was useful.