[WEB SECURITY] About Sarbanes-Oxley.

Frederic Charpentier fcharpen at xmcopartners.com
Wed Jul 5 07:28:13 EDT 2006


8 points you need to know about SoX in IT.

1 – You must have a list of core business servers: those which can
directly impact your business in case of disaster.

2 – You must have “audit mode” enabled (logfiles) on these systems. The
logfiles must contain all information: WHO, WHEN, WHAT.

3 – Logfiles and backups of the core servers must be stored and centralized
on another server.

4 – You must have a DRP for these servers, with external tape backup and
a documented recovery process.

5 – All applications must enforce role segregation: authentication AND
authorization. For instance, “simple” employees cannot edit the
accounting; internal audit cannot delete records in the sales;
people do not know the passwords of others.

6 – You must have a monthly/quarterly/annual review of all the points
above. This means that you frequently check that the logfiles are
properly stored, as well as the backup data.
You also need to document the process for identity management: new users
and their roles must be approved with a form by their superior, and you
need to check that what is written in the forms is properly set on the
server. This process also handles users who have left the company.

7 – All these reviews must be materialized. This means that you must
have a document with evidence of these checks.

8 – The important thing in SoX is business applications. You have to
focus on these applications.



Frederic Charpentier - Xmco Partners
Security Consulting
http://www.xmcopartners.com/
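Points 6 and 7 above describe an access review: compare the approved forms with what is actually set on the server, catch leavers who still have accounts, and keep dated evidence of the check. The following is an added example of such a reconciliation (it is not part of the original post); the approval register, account list, role names and reviewer name are all constructed sample data.

```python
# Added example: reconcile approved access forms against server accounts
# and materialize the result as an evidence record (constructed data).
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Approval:
    user: str
    role: str
    approved_by: str
    active: bool  # False once the leaver process has been run

# Constructed sample data: the signed forms and the server's account list.
APPROVALS = [
    Approval("alice", "accounting-editor", "cfo", True),
    Approval("bob", "sales-readonly", "sales-mgr", True),
    Approval("carol", "internal-audit", "cfo", True),
    Approval("dave", "sales-editor", "sales-mgr", False),  # left the company
]
SERVER_ACCOUNTS = {
    "alice": "accounting-editor",
    "bob": "sales-editor",        # server role exceeds the approved role
    "dave": "sales-editor",       # leaver still has an account
    "eve": "accounting-editor",   # no approval form at all
}

def reconcile(approvals, accounts):
    """Return findings keyed by check name; an empty list means the check passed."""
    approved = {a.user: a for a in approvals if a.active}
    leavers = {a.user for a in approvals if not a.active}
    return {
        "unapproved": sorted(u for u in accounts if u not in approved and u not in leavers),
        "leaver_still_active": sorted(u for u in accounts if u in leavers),
        "role_mismatch": sorted(u for u, r in accounts.items()
                                if u in approved and approved[u].role != r),
        "approved_but_missing": sorted(u for u in approved if u not in accounts),
    }

def evidence_record(findings, reviewer, when=None):
    """Materialize the review (point 7): one dated header plus one line per check."""
    when = when or date.today()
    lines = [f"Access review {when.isoformat()} by {reviewer}"]
    for check, users in findings.items():
        status = "OK" if not users else "EXCEPTION: " + ", ".join(users)
        lines.append(f"  {check}: {status}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(evidence_record(reconcile(APPROVALS, SERVER_ACCOUNTS), "reviewer-name"))
```

Each exception line is the item the review has to follow up on (a form to obtain, an account to remove, or a role to correct); a run with every check at OK is the evidence that the control was verified for that period.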



sender at ms25.url.com.tw wrote:
> Dear folks,
> 
> What kind of standards for web application security could help me to comply with Sarbanes-Oxley?
> 
> Thanks a lot.
> 

-- 
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com/tests-intrusion.html


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


