Preparing for a SOX audit

If your number comes up for a Sarbanes-Oxley audit, don't panic. A compliance expert offers five tips to help IT administrators meet the challenge.

Fourth in a series.

In a recent interview, Alex Bakman, CEO of Ecora Software Corp., in Portsmouth, N.H., offered his top five tips for IT administrators when preparing for a Sarbanes-Oxley (SOX) audit.

1. Select a set of controls -- and test repeatedly. The essence of the SOX audit is to prove that you do what you say you do. The Sarbanes-Oxley Act doesn't require people to have a specific set of IT controls, but whatever set of controls you pick, you need to demonstrate that you have a credible way of testing them.

2. Develop a sound password policy. This involves establishing password duration and password aging policies and requiring complex passwords. Many organizations are guilty of allowing users to create obvious passwords, such as the name of a pet.

3. Review permissions. The first thing auditors do is go into "shares" to find out who has access to what. You should review shares with an eye toward whether such permissions are in line with documented policies.

4. Validate access control lists. Test credentials against critical line-of-business systems. Auditors will look to see if your lists for who should have access to an application really govern who has access.

5. Plug database holes. Review database management systems and be able to validate, from a DBMS-authorization perspective, that there are no holes. A common problem that auditors look at is how many production systems housing sensitive data are running with full credentials.
