
List:       websecurity
Subject:    Re: [WEB SECURITY] About Sarbanes-Oxley.
From:       Frederic Charpentier <fcharpen () xmcopartners ! com>
Date:       2006-07-05 11:44:08
Message-ID: 44ABA24D.4010608 () xmcopartners ! com

8 points you need to know about SoX in IT.

1 – You must have a list of core business servers; those which can
directly impact your business in case of disaster.

2 – You must have "audit mode" enabled (logfiles) on these
systems. The logfiles must contain all information: WHO, WHEN, WHAT.

3 – Logfiles and backups of the core servers must be stored and centralized
on another server.

4 – You must have a DRP for these servers, with external tape backup and
a documented recovery process.

5 – All applications must enforce role segregation: authentication AND
authorization. For instance, "simple" employees cannot edit the
accounting; internal audit cannot delete records in the sales; people
do not know the passwords of others.

6 – You must have a monthly/quarterly/annual review of all the points
above. This means that you frequently check that the logfiles are
properly stored, as well as the backup data.
You also need to document a process for identity management: new users
and their roles must be approved with a form by their superior, and you
need to check that what is written in the forms is properly set on the
server. This process also handles users who have left the company.

7 – All these reviews must be materialized. This means that you must
have a document with evidence of these checks.

8 – The important thing in SoX is business applications. You have to
focus on these applications.



Frederic Charpentier - Xmco Partners
Security Consulting
http://www.xmcopartners.com/



sender@xxxxxxxxxxxxxxx wrote:
> Dear folks,
> 
> What kind of standards for web application security could help me to comply with \
> Sarbanes-Oxley? 
> Thanks a lot.
> 
> --
> http://mymailer.url.com.tw
> Taiwan's best-value mass-market virtual mail host
>  
> 
> ----------------------------------------------------------------------------
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> 

-- 
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com/tests-intrusion.html
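The controls in points 2, 5 and 6 above (an audit trail with WHO/WHEN/WHAT, authorization with role segregation, and a periodic check of approved forms against what is actually provisioned) can be exercised in code. The following is an added example written for this archive page, not code from the original post or from Xmco Partners; the roles, permission matrix, conflicting-role pairs, user names and "approved forms" are all constructed for illustration.

```python
"""Added example (not from the original post): role-based authorization with
segregation-of-duties enforcement, an audit log of WHO/WHEN/WHAT for every
decision, and a reconciliation of approved user/role forms against the
roles actually provisioned. All roles, users and records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed permission matrix: role -> set of (resource, action) it may perform.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "employee":       {("timesheet", "edit")},
    "accountant":     {("accounting", "edit"), ("sales", "read")},
    "internal_audit": {("accounting", "read"), ("sales", "read")},
    "sales_admin":    {("sales", "edit"), ("sales", "delete")},
}

# Segregation-of-duties rule (constructed): one user may not hold both roles of a pair.
CONFLICTING_ROLE_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"accountant", "internal_audit"}),
    frozenset({"internal_audit", "sales_admin"}),
}


@dataclass
class AuditEvent:
    who: str        # WHO: the authenticated user
    when: str       # WHEN: UTC timestamp, ISO 8601
    what: str       # WHAT: "<resource>:<action>"
    allowed: bool   # outcome, so denied attempts are reviewable too


@dataclass
class AuthzService:
    user_roles: Dict[str, Set[str]]                     # roles as provisioned on the server
    audit_log: List[AuditEvent] = field(default_factory=list)

    def sod_violations(self, user: str) -> Set[FrozenSet[str]]:
        """Conflicting role pairs that this user currently holds in full."""
        roles = self.user_roles.get(user, set())
        return {pair for pair in CONFLICTING_ROLE_PAIRS if pair <= roles}

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Deny by default. A user with a segregation-of-duties conflict is
        denied everything until the conflict is resolved. Every decision,
        allowed or denied, is appended to the audit log."""
        roles = self.user_roles.get(user, set())
        allowed = (
            bool(roles)
            and not self.sod_violations(user)
            and any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)
        )
        self.audit_log.append(AuditEvent(
            who=user,
            when=datetime.now(timezone.utc).isoformat(),
            what=f"{resource}:{action}",
            allowed=allowed,
        ))
        return allowed


def reconcile(approved_forms: Dict[str, Set[str]],
              provisioned: Dict[str, Set[str]],
              leavers: Set[str]) -> Dict[str, List[str]]:
    """Periodic review (point 6): compare the approved forms with the server
    state. Returns discrepancies by kind; the returned dict is the evidence
    to file for the review (point 7)."""
    findings: Dict[str, List[str]] = {
        "unapproved_user": [], "unapproved_roles": [],
        "missing_roles": [], "leaver_still_active": [],
    }
    for user, roles in sorted(provisioned.items()):
        if user in leavers:
            findings["leaver_still_active"].append(user)
            continue
        if user not in approved_forms:
            findings["unapproved_user"].append(user)
            continue
        findings["unapproved_roles"] += [f"{user}:{r}" for r in sorted(roles - approved_forms[user])]
        findings["missing_roles"] += [f"{user}:{r}" for r in sorted(approved_forms[user] - roles)]
    return findings


# Constructed sample data: what the signed forms say vs. what the server has.
APPROVED_FORMS = {"alice": {"employee"}, "bob": {"accountant"}, "carol": {"internal_audit"}}
PROVISIONED = {
    "alice": {"employee"},
    "bob": {"accountant", "internal_audit"},   # extra role nobody approved -> SoD conflict
    "carol": {"internal_audit"},
    "dave": {"sales_admin"},                   # no form on file at all
    "erin": {"employee"},                      # left the company, still active
}
LEAVERS = {"erin"}


def demo() -> Dict[str, List[str]]:
    svc = AuthzService(user_roles=PROVISIONED)
    svc.authorize("alice", "accounting", "edit")   # simple employee: denied
    svc.authorize("carol", "sales", "delete")      # internal audit: denied
    svc.authorize("bob", "accounting", "edit")     # SoD conflict: denied
    for e in svc.audit_log:
        print(f"{e.when} who={e.who} what={e.what} allowed={e.allowed}")
    return reconcile(APPROVED_FORMS, PROVISIONED, LEAVERS)


if __name__ == "__main__":
    print(demo())
```

Note that `authorize` will happily let "dave" delete sales records, because that is what the server has provisioned; only the reconciliation against the approved forms catches that nobody signed off on his account. That is the reason point 6 asks for the forms-versus-server check in addition to the application's own access control.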



