Like most other environments, we start a server, log on as "Administrator" and leave it running in a locked server room. Recently, we were instructed to stop using the Administrator account to log on to our servers, as this does not comply with SOX. Can you explain why?

You are referring to Section 404 of the Sarbanes-Oxley Act or "SOX 404." SOX 404 calls for the improvement of internal controls over the gathering and reporting of financial information, but it is vague on how to implement these controls for the IT systems that process it. Additionally, while it doesn't explicitly call for the control you describe, the requirement may have come from your auditors, who review your SOX 404 implementation with your executive or senior management.

When it comes to IT controls, auditors look to see if policies and procedures are in place to protect sensitive customer and financial data. Proof of these controls is enshrined in documentation outlining IT security policies, procedures and how data is protected. These safeguards could include access control, encryption, firewall architectures and virus protection. Your auditors are probably concerned that using the Administrator account is a weak form of server access control. They probably think these servers contain sensitive financial information that, if not properly secured, could be compromised.

Auditors love paper, and the best way to change the policy you described is to perform a thorough risk analysis of your servers and the data they host. If you can prove to the auditors -- and document it with the risk analysis -- that the data isn't sensitive and there's a low risk of exposure, you may be able to keep using the Administrator account, but plan carefully. Ask yourself the following questions: What data do these servers host? How sensitive is it? Is it confidential customer information, insider financial reports or harmless marketing data for projecting sales? Is use of the servers limited to a small group or widespread throughout your enterprise?

Again, auditors love paper, so whatever you do, document it.
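One concrete input to the risk analysis the answer recommends is evidence of how often the shared built-in Administrator account is actually used to sign in to a server. The following PowerShell script is an added example, not part of the original column or of any TechTarget material; it reads the local Security log for logon events (ID 4624) and reports those where the target account is the built-in Administrator, identified by its relative identifier 500 so a renamed account is still caught. It assumes the script runs elevated on the server in question and that success logon auditing is enabled; the `-Days` parameter name is this example's own choice.

```powershell
# Added example (not from the original column): list logons by the built-in
# Administrator account (RID 500) from the local Security log so the practice
# can be documented for the auditors. Assumes an elevated session and that
# event 4624 (successful logon) auditing is enabled on this server.
param(
    [int]$Days = 30   # hypothetical parameter: how far back to look
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Logon types most relevant to "someone sat down (or RDP'd) and logged on as Administrator"
$logonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 7 = 'Unlock'; 10 = 'RemoteInteractive' }

$hits = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML by name
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The built-in Administrator account always carries RID 500, even when renamed
    if ($data['TargetUserSid'] -like '*-500') {
        $type = [int]$data['LogonType']
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $data['TargetUserName']
            LogonType = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { "Type $type" }
            Source    = $data['IpAddress']
            Process   = $data['ProcessName']
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
"Built-in Administrator logons in the last $Days days: $($hits.Count)"
```

Run it on each server covered by the review and keep the output with the risk analysis: a count of zero supports the claim that the account is not used day to day, while a steady stream of interactive or remote-interactive logons shows that individual accountability for changes on that server cannot be established from the logs, which is the control weakness the auditors are pointing at.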

This was first published in January 2006