Compliance Reports: Sarbanes-Oxley Act of 2002 (SOX)

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Jun 18, 2018.
Version 152
 

Sarbanes-Oxley Act of 2002 (SOX). Congress passed the Sarbanes-Oxley Act (SOX) in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Section 404 of Sarbanes-Oxley requires companies not only to establish and maintain an adequate internal control structure, but also to assess its effectiveness annually. The reports on this page support that assessment by documenting account lifecycle events, access to compliance systems and data, and changes to audit settings.

Dependencies

The SOX compliance reports have the following dependencies.

SA Rules
    Access to Compliance Data Details
    Access to Compliance Data Summary
    Accounts Created
    Accounts Deleted
    Accounts Modified
    Admin Access to Compliance Systems Details
    Admin Access to Compliance Systems Summary
    Change in Audit Settings
    Group Management
    Logon Failures Details
    Logon Failures Summary
    Password Changes
    Password Changes Summary
    User Access Revoked
    User Access to Compliance Systems Details
    User Access to Compliance Systems Summary

SA Lists
    Administrative Users
    Compliance Data
    Compliance Systems

App Rules
    alm:cardholder-data
    account:created
    account:deleted
    account:modified
    account:logon-success
    config:change-audit-setting
    account:group-management
    account:logon-failure
    account:password-change
    access:user-access-revoked

Citations

The SOX compliance reports have the following citations. The ISO 27002 clause numbers below follow the 2005 edition of that standard (for example, 11.5.1 is "Secure log-on procedures" and 10.10.4 is "Administrator and operator logs"); later editions renumbered these clauses, so map them accordingly when citing a newer edition in an audit response.

Report Rule | Citation Number | Citation Description
Accounts Created | SOX 404 | Management assessment of internal controls.
Accounts Deleted | SOX 404; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1 | Management assessment of internal controls; An access control policy should be developed and should state the access control rules and rights for all users and groups. Both logical and physical access controls should be used.
Accounts Modified | SOX 404 | Management assessment of internal controls.
Group Management | SOX 404; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1 | Management assessment of internal controls; An access control policy should be developed and should state the access control rules and rights for all users and groups. Both logical and physical access controls should be used.
User Access to Compliance Systems - Top 25 | SOX 404; ISO 27002 - 11.5.1 | Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.
Account Management | SOX 404 | Management assessment of internal controls.
Admin Access to Compliance Systems - Detail | SOX 404; ISO 27002 - 10.10.4 | Management assessment of internal controls; All activities by System Administrators and System Operators should be logged.
Admin Access to Compliance Systems - Top 25 | SOX 404; ISO 27002 - 10.10.4 | Management assessment of internal controls; All activities by System Administrators and System Operators should be logged.
Change in Audit Settings | SOX 404; ISO 15408-2 | Management assessment of internal controls; The system should ensure that security policy enforcement functions succeed before functions are allowed to proceed.
Access to Compliance Data - Detail | SOX 404 | Management assessment of internal controls.
Access to Compliance Data - Top 25 | SOX 404 | Management assessment of internal controls.
Logon Failures - Detail | SOX 404; ISO 27002 - 11.5.1 | Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.
Logon Failures - Top 25 | SOX 404; ISO 27002 - 11.5.1 | Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.
Password Changes - Detail | SOX 404 | Management assessment of internal controls.
Password Changes - Top 25 | SOX 404 | Management assessment of internal controls.
User Access Revoked | SOX 404; ISO 27002 - 11.2.1 | Management assessment of internal controls; Users who have changed jobs or left the organization should have their access rights removed immediately.
User Access to Compliance Systems - Detail | SOX 404; ISO 27002 - 11.5.1 | Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded.