The information below has been taken from here: http://www.planetmagpie.com/itconsulting/complianceconsulting/sarbanesoxleycompliance.aspx, or you can read it below.
I recommend every DBA download and read this info: http://www.integrigy.com/security-resources/whitepapers/DBA-Guide-to-Understanding-Sarbanes-Oxley.pdf or http://www.mssqltips.com/tip.asp?tip=1300
The Sarbanes-Oxley Act features numerous sections; however, three of them (302, 404 and 409) have the greatest potential impact on companies and on how those companies conduct business.
Section 404 requires an Internal Control Report to be included in all annual financial reports. Created by a company’s auditor, the document must present management’s assertions about the design and operational effectiveness of internal controls at year end. Management must also evaluate the effectiveness of internal controls over financial reporting and disclosure controls on a quarterly basis.
With Section 302, the CEO and CFO of a company are responsible for the accuracy, documentation and submission of financial reports and internal control structure to the SEC. Certifications signed by those two principal officers must be included in the annual or quarterly reports.
Information must be accumulated and summarized for timely assessment and disclosure in accordance with the SEC's rules and regulations. When Section 404 compliance is required in about a year, companies must be able to disclose on a near real-time basis (within 48 hours) any changes in their financial condition or operations.
Section 404 and IT
In general, Section 404 is the tallest mountain to climb. Its key areas regarding IT controls are:
Change Management
Companies must provide visibility over changes in the IT environment and enable the ability to initiate, authorize, manage and implement all IT changes through a systematic change process.
Backup
A process must be deployed to identify critical data and to duplicate, store and recover data as needed.
Security
A process must be deployed to ensure the integrity of information and to secure applications, databases, operating systems, internal network access and the perimeter network.
Documentation
Companies must deliver thorough documentation covering change management, backup and security policies and processes.
Remediation
Companies must have solutions to fill gaps in change management, backup and security.