NT Servers & SOX
-
We will have a few remaining NT Servers past 12/31. I know these will be SOX compliance issues, but I’m told that we may be OK if:
- We have a plan to replace them
- We have ‘mitigating controls’ in place until they are replaced.
Of course we will run Anti-Virus software on these systems. But what other ‘mitigating controls’ can we consider? Note - simply taking these systems off the network is not an option.
Your input is really appreciated.
-
Why do you think that having an NT server would stop you complying with SOX?
With IT the issue is (very simplistically) do your in-scope systems have sufficient General Computer Controls as defined by COSO/CobIT. There is no fundamental reason why an NT server cannot satisfy these requirements if set up and run properly.
By in-scope systems I mean ones where you have identified automated key controls within a business process that rely on that system.
-
Dennis is correct to a certain point…
If your NT server directly supports an application that is in scope or is relied upon as part of a key control for a business cycle, it will need to be well maintained and reasonably secured.
Most IT hardware/software activities are in scope as part of general computer controls.
Therefore, it would be wise to review the security settings of the NT server and ensure any changes/maintenance/support of the NT server complies with your operational procedures.
Then you will be fine.
Cheers
tristanatbui.com
-
Yoda404 - you are right but the original poster was under the impression that the NT servers would have to be eliminated because of SOX because they CANNOT be SOX compliant. This is clearly not the case and this sounds like BS from someone who wants to sell them new kit.
-
So in order to be SOX compliant your systems must be compliant with COSO/CobIT? Where is that information at? The actual Sarbanes-Oxley Act document.
Can anyone find the words COSO or CobIT in this document? Better yet, see how many times the word ‘technology’ appears in the document and what it refers to.
Please. Someone shut me up and display some evidence from the Sarbanes-Oxley Act that says your IT systems must meet the compliance terms of X.