[WEB SECURITY] About Sarbanes-Oxley.

Andrew van der Stock vanderaj at greebo.net
Tue Jul 4 09:15:09 EDT 2006


First, you need to understand if you need to comply with SOX at all.  
If you're not a publicly traded US firm or have significant US  
interests, it simply does not apply to you.

SOX is very simple: the directors of the firm must state at least  
once per year "our financial records are true and accurate" and have  
adequate -financial- controls in place to prevent another Enron. This  
is usually process driven; it shouldn't be possible for one person to  
place the entire company in jeopardy through deliberate fraud or  

SOX compliance surrounding financial systems is only true when a  
comprehensive Information Security program is in place -around-  
financial and other core business systems (ie if you're a company  
like Amazon, your GL and your logistics software must be protected.  
If you're like an ISP then the GL and the systems which allow you to  
enrol and service customers to prevent significant churn must be  
protected). As every company is different, there is no One True Way  
or one set of machines to protect.

Most folks end up adopting COBIT as it's reasonably comprehensive. Be  
prepared to spend some serious $$$$$$ for your average firm  
investigating and implementing the risk based controls. It's not just  
picking up the control framework and pointing at it when the auditors  
come through.

WebAppSec standards are few and far between. I put in mappings to  
relevant COBIT sections in the Guide 2.0 as I was going through  
exactly the same thing last year, so probably the OWASP Guide 2.0 is  
your best bet if your web apps are directly relevant to the bottom  
line of your firm. If your web apps are brochureware, it's unlikely  
you need to remediate them for SOX "compliance".


On 04/07/2006, at 12:43 AM, sender at ms25.url.com.tw wrote:

> Dear folks,
> What kind of standards for web application security could help me  
> to comply with Sarbanes-Oxley?
> Thanks a lot.
> --
> http://mymailer.url.com.tw
> 台灣最物超所值的大眾化虛擬郵件主機
> ---------------------------------------------------------------------- 
> ------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2234 bytes
Desc: not available
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060704/bc23789f/attachment.p7s>

More information about the websecurity mailing list