[Nottingham] Sarbanes-Oxley experiences
Matt Bunter
matt.bunter at wanadoo.fr
Fri Sep 9 22:25:30 BST 2005
>>One of the biggest problems is the use of 'system'
>>accounts for stuff
>>like Oracle, or batch jobs, or sys admins on
>>servers.
>>
>>
>Which aspect in particular do system accounts cause
>problems for? Was it audit? Was it a matter of
>painfully delegating all non-audit-admin-related
>powers (e.g. "turn off auditing") to a new role, which
>was then used by the admins?
>
>
According to SOX, at least my company's interpretation of it, system
accounts are a no-no. Unless of course one can log exactly who was using
said system account at what time (on what machine and what they were
doing). As you can imagine with a team of Unix/Linux sys admins,
application support, DBAs, network people etc. etc. this is quite a
task. It seems that Active Directory goes some way to solving this. The
SOX project team have found some references for using Active Directory
for Unix authentication.
I'm sure that 99% on this list cringed after reading that, but I've seen
one very good presentation that was written by a Unix guy who actually
found that it (using AD) made his life easier. Or else it was a
Microsoft spy who wrote about his experiences.
>
>
>Is not the measurable quantity that the organization
>audited has made measurable efforts to ensure that all
>appropriate individuals have watched the training
>video (by recording when they do), passed the multiple
>choice exam (by storing their pass-mark), etc?
>
>
This still doesn't PROVE that no-one is ignorant.
Matt
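The attribution requirement Matt describes (who used a shared system account, when, on which machine, doing what) is the kind of thing a short log-processing script can check. Below is an added example, not code from the thread or from any project mentioned in it: it parses constructed syslog-style sudo, su and sshd lines, builds an attribution record for each use of a shared account, and flags direct logins to such accounts that carry no named person. The log formats and account names are assumptions chosen for the example.

```python
import re

# Shared "system" accounts whose every use must be tied to a named person (assumed set).
SHARED_ACCOUNTS = {"oracle", "batch", "root"}

# Assumed syslog-style formats (constructed for this example, not taken from the thread):
#   sudo:  "<ts> <host> sudo:   <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
#   su:    "<ts> <host> su: (to <target>) <user> on pts/N"
#   sshd:  "<ts> <host> sshd[pid]: Accepted <method> for <target> from <ip> port ..."
TS = r"(?P<ts>\S+\s+\d+ [\d:]+) (?P<host>\S+) "
SUDO_RE = re.compile(TS + r"sudo: +(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_RE = re.compile(TS + r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on")
SSH_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for (?P<target>\S+) from (?P<ip>\S+)")

# Constructed sample log lines.
SAMPLE_LOG = [
    "Sep  9 21:03:11 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=oracle ; COMMAND=/u01/app/oracle/bin/sqlplus / as sysdba",
    "Sep  9 21:05:02 db01 su: (to oracle) bob on pts/1",
    "Sep  9 21:07:45 db01 sshd[4242]: Accepted publickey for oracle from 10.0.0.7 port 51234 ssh2",
    "Sep  9 21:08:00 db01 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls /var/log",
    "Sep  9 21:09:13 db01 sshd[4300]: Accepted password for dave from 10.0.0.8 port 51300 ssh2",
]


def attribute(lines):
    """Split shared-account activity into attributed records and unattributed direct logins.

    An attributed record answers who / as which account / when / on which host / what.
    A direct SSH login to a shared account names no person, so it is reported separately.
    """
    attributed, unattributed = [], []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            if m["target"] in SHARED_ACCOUNTS:
                attributed.append({"who": m["user"], "as": m["target"], "when": m["ts"],
                                   "host": m["host"], "what": m["cmd"].strip()})
            continue
        m = SU_RE.match(line)
        if m and m["target"] in SHARED_ACCOUNTS:
            attributed.append({"who": m["user"], "as": m["target"], "when": m["ts"],
                               "host": m["host"], "what": "interactive shell (su)"})
            continue
        m = SSH_RE.match(line)
        if m and m["target"] in SHARED_ACCOUNTS:
            unattributed.append({"as": m["target"], "when": m["ts"], "host": m["host"], "from": m["ip"]})
    return attributed, unattributed
```

Run over real logs, the `unattributed` list is the one an auditor will ask about, since nothing on the host ties that session to a person.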