Sarbanes-Oxley (COBIT)
The Sarbanes-Oxley Act (SOX) of 2002 requires strict internal IT controls and processes. It applies to all public companies. The purpose of the SOX Section 404 control audit is to identify “control deficiencies” that could affect the financial reporting of the company. Sarbanes-Oxley recommends regular audits of log files and keeping a record of audit logs for up to seven years: “audit unauthorized access, misuse and fraud, in order to ensure the accuracy of corporate financial and business information” and “maintain financial records for seven years.”
The IT Governance Institute's Control Objectives for Information and related Technology (COBIT) is most frequently used to help achieve Sarbanes-Oxley Act compliance, but also to ensure security and availability of IT assets in general. COBIT includes specific control requirements: “change standards and procedures” (AI6.1), “application control and audit ability” (AI2.3), and “network testing, surveillance, monitoring” (DS5.5).
The benefits of LogLogic’s solutions for SOX and COBIT:
- The LogLogic Open Log Management platform in conjunction with the LogLogic Compliance Suite: SOX and COBIT Edition and LogLogic Compliance Manager add-on products provide the foundation for audit and retention requirements and monitoring controls (for example section AI2.3).
- LogLogic Security Event Manager and LogLogic Database Security Manager provide more granular threat detection and can even block suspicious activity in real time (for example DS5.5 and DS5.10).
Requirements the Sarbanes-Oxley and COBIT Edition of the LogLogic Compliance Suite can help you satisfy:
| Category | COBIT 4.0 | Control Header |
|---|---|---|
| Identity And Access | DS5.3 | Identity Management |
| | DS5.3 | User account management |
| | PO7.8 | Job change and termination |
| User Activity | PO4.11 | Segregation of duties |
| | AI2.3 | Application control and audit ability |
| Change | AI6.1 | Change standards and procedures |
| | DS9.3 | Configuration integrity review |
| Security | DS5.2 | IT security plan |
| | DS5.5 | Security testing, surveillance, monitoring |
| | DS5.10 | Network Security |
| | DS11.6 | Security requirements for data mgmt |
| IT Infrastructure | DS1.5 | Monitoring of service level agreements |
| | DS2.4 | Supplier performance monitoring |
| | DS3.5 | Monitoring of performance and capacity |
| | DS13.3 | IT Infrastructure monitoring |
| | DS10.2 | Problem tracking and resolution |
| Business Continuity | DS4.1 | IT continuity framework |
| | DS4.5 | Testing of the IT continuity plan |
| | DS11.5 | Backup and restoration |
While LogLogic can provide you with the tools to enable you to achieve compliance, LogLogic cannot determine if you have met your compliance objectives. For any such determinations, you are advised to consult with a qualified advisor.


