• We are going through SOX as well.  We have already implemented a lot of "SOX" items.  SOX for our company includes but is not limited to:

    SOX, HIPAA, Segregation of duties, Plain ole common sense, Bill 481 (reporting security breaches), etc...

    We have already locked down access to SQL data by role.  Each role is associated with an AD (windows) group.  Direct access to write to tables is via the application account BATCH and real-time WEB transactions.  Direct access is also available via "emergency accounts".

    Code management is also a biggie.  Can code be installed into production without getting tested, approved, source code stored, etc...?

    Proper testing is/has been/will always be around.  'Nuff said.

    Written approvals from the asset owner, project manager, etc... for good ole CYA and accountability.

    Auditing is also HUGE.  Can you track who dun what, when, why, how?  If not, WHY not, and will your CIO sign off on it?  If not, it looks like somebody is adding code to applications.  It is VERY easy to capture Environ$("COMPUTERNAME"), Environ$("USERNAME"), etc...

    These are a few of many FAVORITE things...

    Good Hunting!

    AJ Ahrens

    webmaster@kritter.net
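The who/what/when/why/how tracking AJ describes, implemented on the SQL Server side rather than by the client capturing Environ$ values, as an added example that is not from the post above. The table, column and role names (dbo.Payments, dbo.Payments_Audit, AppWriters, ChangeReason) are hypothetical, and it assumes SQL Server 2016 or later for SESSION_CONTEXT.

```sql
-- Added example, not from the post: server-side audit trail for a SOX-relevant table.
-- dbo.Payments, dbo.Payments_Audit, AppWriters and ChangeReason are hypothetical names.
-- Assumes SQL Server 2016+ (SESSION_CONTEXT).
CREATE TABLE dbo.Payments (
    PaymentId INT IDENTITY PRIMARY KEY,
    Vendor    NVARCHAR(100) NOT NULL,
    Amount    DECIMAL(18,2) NOT NULL,
    Approved  BIT NOT NULL DEFAULT 0
);

CREATE TABLE dbo.Payments_Audit (
    AuditId      BIGINT IDENTITY PRIMARY KEY,
    PaymentId    INT NOT NULL,
    Action       CHAR(1) NOT NULL,        -- what: I, U or D
    OldAmount    DECIMAL(18,2) NULL,
    NewAmount    DECIMAL(18,2) NULL,
    OldApproved  BIT NULL,
    NewApproved  BIT NULL,
    ChangedAt    DATETIME2 NOT NULL,      -- when: server clock, UTC
    LoginName    NVARCHAR(128) NOT NULL,  -- who: authenticated login, set by the server
    ClientHost   NVARCHAR(128) NULL,      -- where from: client-supplied, forgeable
    ClientApp    NVARCHAR(128) NULL,      -- how: client-supplied, forgeable
    ChangeReason NVARCHAR(200) NULL       -- why: set by the application per session
);
GO

CREATE TRIGGER dbo.trg_Payments_Audit
ON dbo.Payments
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- An UPDATE populates both inserted and deleted; the FULL OUTER JOIN
    -- therefore covers all three actions in one statement.
    INSERT dbo.Payments_Audit
        (PaymentId, Action, OldAmount, NewAmount, OldApproved, NewApproved,
         ChangedAt, LoginName, ClientHost, ClientApp, ChangeReason)
    SELECT COALESCE(i.PaymentId, d.PaymentId),
           CASE WHEN d.PaymentId IS NULL THEN 'I'
                WHEN i.PaymentId IS NULL THEN 'D'
                ELSE 'U' END,
           d.Amount, i.Amount, d.Approved, i.Approved,
           SYSUTCDATETIME(),
           ORIGINAL_LOGIN(),   -- survives EXECUTE AS, so a switch to an "emergency account" is still attributed
           HOST_NAME(),
           APP_NAME(),
           CAST(SESSION_CONTEXT(N'ChangeReason') AS NVARCHAR(200))
    FROM inserted i
    FULL OUTER JOIN deleted d ON d.PaymentId = i.PaymentId;
END;
GO

-- Role for the BATCH/WEB application accounts (mapped to an AD group in practice).
-- Ownership chaining lets the trigger write the audit row on the role's behalf;
-- the role itself can never rewrite history.
CREATE ROLE AppWriters;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Payments TO AppWriters;
DENY UPDATE, DELETE ON dbo.Payments_Audit TO AppWriters;
GO

-- Constructed sample run: the application states its reason, then changes data.
EXEC sys.sp_set_session_context @key = N'ChangeReason', @value = N'Ticket 1234: vendor onboarding';
INSERT dbo.Payments (Vendor, Amount) VALUES (N'Acme Corp', 1250.00);
UPDATE dbo.Payments SET Approved = 1 WHERE Vendor = N'Acme Corp';
DELETE dbo.Payments WHERE Vendor = N'Acme Corp';

-- Three rows: I, U (Approved 0 -> 1), D, each stamped with login, host, app and reason.
SELECT Action, OldAmount, NewAmount, OldApproved, NewApproved,
       ChangedAt, LoginName, ClientHost, ClientApp, ChangeReason
FROM dbo.Payments_Audit
ORDER BY AuditId;
```

HOST_NAME() and APP_NAME() are exactly as trustworthy as Environ$("COMPUTERNAME") and Environ$("USERNAME") read in VBA: the client asserts them (they can be set in the connection string), so they help an investigator but do not prove identity. The "who" column rests on the authenticated login instead, and the audit table is write-once for the application role so that nobody using the BATCH or WEB account can quietly delete the trail. The "why" cannot be inferred by a trigger; here the application supplies it through the session context before each unit of work.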