Disclaimer: this is all just my personal interpretation, based on my personal understanding of the issues, based on my personally banging my head on SOX issues the past few months.

    SOX (The Sarbanes-Oxley Act of 2002, http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf for a copy) says nothing about SQL Server. It says nothing about databases. It says nothing about IT. What it does say (and I'm still wading through that .PDF, so I probably am wrong about significant details--but not very) is that business entities that are publicly owned, or that have publicly held debt, have to be a lot more financially responsible than they have been (viz. Enron and other grande scams of recent times). To that end, they have to (a) keep track of (audit) the information that underlies their financial statements, and (b) be able to prove that they are doing so, because otherwise (c) anyone whose job title begins with a "C" (CEO, CIO, etc.) could end up in jail.

    It also seems to spell out that the only way to prove you are SOX-compliant is for an outside auditor to come in, check you over, and say that you're good. (If not, you're in trouble, though the nature of that trouble is not particularly specific.) Who can audit you? Why, people that they say can audit you. Who are "they"? Why, the Public Company Accounting Oversight Board (http://www.pcaobus.org/), which was established by the SOX act (see part 1 of the SOX act).

    So what does any of this have to do with SQL Server, let alone databases? Darn good question. The logic goes that if the data in your databases is used to draw up the company's financial statements, then they want to know (a) who is able (not skilled or inclined, just able) to go in and monkey with the data, and (b) are they or are they not actually doing so. Fair enough questions, of course. Unfortunately, this is pretty hard to do for reasons that rapidly become apparent when you actually sit down and work out what you have to do and what you have to do it with. But that's a subject for another thread.

    This has gotten a bit long-winded. I suppose the best summary is, consult with your SOX auditor (and it sure seems that if you don't have an authorized SOX auditor, you're not compliant), determine what they say you need to do, and then do your best to do it. Skilled and articulate use of sophistry will prove invaluable. Since it's all new and--once it gets down to the logical and physical implementation levels--very vague and thus open to wildly varying interpretations, you're not at all likely to find any "carved in stone" How to Soxify your System articles out there. As proof, I find no articles on the subject here in SQL Server Central, and there's precious little Microsoft has to say on the subject.

    Good luck!

       Philip