There are a variety of products that purport to help automate SOX compliance, largely via a combination of scan data analytics from a vulnerability analysis product, like those made by Qualys Inc. or Sourcefire Inc., and checklists of controls that are part of the standard COBIT framework.
I haven't done a detailed analysis of this space, but I highly suspect there is nothing in these products that can't be done equally well, if not better, by a good project manager, a good security manager and a spreadsheet program. Essentially, what is needed is someone who understands the technology and how it's deployed (a security manager), someone to track objectives and help interface with other groups when necessary (a project manager) and some software to track the goals and objectives (a spreadsheet). Like many things in the IT world, measuring compliance is a pretty basic task, though the actual details can get complicated.
The value of commercial compliance products really comes in if the company doesn't have the resources or time for a project manager or doesn't have a lot of in-house experience when it comes to dealing with audits and auditors. In that case, especially when using a product the auditors are familiar with, software like this may save some time during an audit.
For more information:
Dig deeper on Sarbanes-Oxley Act
Related Q&A from David Mortman, Contributor
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.