NT Servers & SOX


  • Why do you think that having an NT server would stop you complying with SOX?
    With IT the issue is (very simplistically) do your in-scope systems have sufficient General Computer Controls as defined by COSO/CobIT. There is no fundamental reason why an NT server cannot satisfy these requirements if set up and run properly.
    By in-scope systems I mean ones where you have identified automated key controls within a business process that rely on that system.



  • Dennis is correct to a certain point…
    If your NT server directly supports an application that is in scope, or is relied upon as part of a key control for a business cycle, it will need to be well maintained and reasonably secured.
    Most IT hardware/software activities are in scope as part of general computer controls.
    Therefore, it would be wise to review the security settings of the NT server and ensure any changes/maintenance/support of the NT server complies with your operational procedures.
    Then you will be fine.
    Cheers
    tristanatbui.com



  • Yoda404 - you are right, but the original poster was under the impression that the NT servers would have to be eliminated because of SOX, because they CANNOT be SOX compliant. This is clearly not the case, and this sounds like BS from someone who wants to sell them new kit.



  • So in order to be SOX compliant your systems must be compliant with COSO/CobIT? Where is that information at? The actual Sarbanes-Oxley Act document.
    Can anyone find the words COSO or CobIT in this document? Better yet, see how many times the word ‘technology’ appears in the document and what it refers to.
    Please. Someone shut me up and display some evidence from the Sarbanes-Oxley Act that says your IT systems must meet the compliance terms of X.



  • You need to look at the SEC’s ‘Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports’ which references the COSO framework extensively. Although it stops short of saying ‘you must use COSO’ - in theory, you could use another framework - it is strongly suggested.
    With respect to CobIT this is not referenced in the legislation at all. However, the widespread use of CobIT comes because COSO doesn’t handle the IT side of things very well and CobIT is seen as the de facto standard. In order to make this ‘compliant’ the IT Governance Institute prepared a mapping of CobIT to COSO objectives (available on ISACA website) to make use of CobIT easier.
    Is this enough to shut you up or do you need more 😉



  • Nope. Not enough. This document references COSO for the definition of ‘internal control’ as well as referencing it for ‘internal control over financial reporting’, but makes no mention of how this should apply to IT. The only mention of IT anything in this document is this: ‘adequate safeguards over access to and use of assets and records, such as secured facilities and authorization for access to computer programs and data files.’ Obviously this talks about securing the systems which hold confidential data. I don’t see how making changes to network infrastructure has anything to do with any of this unless it is affecting a financial system of some sort. Getting back to the subject, then by definition, since Microsoft will no longer be supporting Windows NT, Windows NT in and of itself cannot be SOX compliant unless you disconnect it from your network.



  • Actually Denis is right, but you have to go into COSO to see specifically how the IT component works.
    COSO covers how control risks should be identified within processes and the controls to cover them. It refers to manual controls and automated controls and how the latter need to be supported by appropriate General Computer Controls.
    Best practice suggests that General Computer Controls are best covered by COBIT.
    You need to go SOX Act to SEC Final Rule to COSO to COBIT.
    For a couple of short paragraphs Section 404 requires plenty of reading :evil:

