Archive for September, 2009

Bare minimal risks that your ITGC SOX controls should cover!

Monday, September 21st, 2009

What are the bare minimal risks that your ITGC SOX controls should cover? Although there are ITGI/COBIT documents to guide you, one can easily get lost in the maze, so I thought I would put together this checklist that anybody can apply to gain some comfort.

a. New accounts and modifications to account privileges are approved - OS, DB, application, network, logical security (VPN, Active Directory, NIS, LDAP and other authentication sources) and physical security.

b. Terminations are performed in a timely manner - applicable to the same areas as a.

c. Transfers are handled as a combination of b. and a. above - applicable to the same areas as a.

d. Change management controls specifically address database object-level changes, data fixes and data migrations, and UATs are recorded for all application-level changes.

e. Shared privileged account management - passwords are changed when team members with access to shared privileged accounts leave the company - applicable to all areas listed in a.

f. Storage backups are tested for recovery (especially for databases).

g. Password configuration complies with enterprise standards in the areas listed in a.

Optional:

a. Account reviews in each area listed in a. above.