Sarbanes-Oxley and data retention

OK, so just what is the deal with Sarbanes-Oxley and data retention?
I've talked to several shops recently who are all in a tizzy about it,
looking at triggers and tools and history tables and all sorts of
stuff and in a perfect panic to get something in place ASAP.
So, just exactly what is it that Sarbanes-Oxley requires, that being a
publicly-traded company didn't already require?
War stories, also pointers to answers, questions, literature, or more
appropriate forums are all appreciated.
I have looked both at the text of the act and at the AICPA site, and
neither suggests to me that SOX really puts any new requirements at
all on public companies. Private companies, that might be a different
matter.
http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
http://www.aicpa.org/info/sarbanes_oxley_summary.htm
When you google this you get a huge list of paid ads of people who
want to sell you systems and services, as if nobody every had any
audit requirements before.
If there's something new, I'd like to see it in the law, chapter and
verse.
Thanks.
Joshua SternJoshua,
It is not really a matter of data retention (with the exception of e-mail)
but the ability to uniquely identify users and track changes to your
financial systems. This means eliminating generic sql logins, auditing login
sucess/failure, restricting access to production systems to the lowest level
necessary for the application to work and keeping developers out of the
production environment. It also means strict documentation on ploicies and
procedures along with a strict change control process. You can find some
decent information about the impact on database applications by looking at
the lumigent web-site - they are trying to sell an auditing application, but
there are some links to usefull information.
http://www.lumigent.com/go/googent/
Hope this helps,
Brad
"JXStern" wrote:
> OK, so just what is the deal with Sarbanes-Oxley and data retention?
> I've talked to several shops recently who are all in a tizzy about it,
> looking at triggers and tools and history tables and all sorts of
> stuff and in a perfect panic to get something in place ASAP.
> So, just exactly what is it that Sarbanes-Oxley requires, that being a
> publicly-traded company didn't already require?
> War stories, also pointers to answers, questions, literature, or more
> appropriate forums are all appreciated.
> I have looked both at the text of the act and at the AICPA site, and
> neither suggests to me that SOX really puts any new requirements at
> all on public companies. Private companies, that might be a different
> matter.
> http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
> http://www.aicpa.org/info/sarbanes_oxley_summary.htm
> When you google this you get a huge list of paid ads of people who
> want to sell you systems and services, as if nobody every had any
> audit requirements before.
> If there's something new, I'd like to see it in the law, chapter and
> verse.
> Thanks.
> Joshua Stern
>|||On Thu, 16 Dec 2004 11:49:01 -0800, "Brad Feaker"
<BradFeaker@.discussions.microsoft.com> wrote:
>It is not really a matter of data retention (with the exception of e-mail)
>but the ability to uniquely identify users and track changes to your
>financial systems. This means eliminating generic sql logins, auditing login
>sucess/failure, restricting access to production systems to the lowest level
>necessary for the application to work and keeping developers out of the
>production environment. It also means strict documentation on ploicies and
>procedures along with a strict change control process. You can find some
>decent information about the impact on database applications by looking at
>the lumigent web-site - they are trying to sell an auditing application, but
>there are some links to usefull information.
>http://www.lumigent.com/go/googent/
Brad,
These are all Good Things, but they have always been Good Things, and
I still do not see what has changed regarding them as a result of SOx,
especially for publicly-traded companies.
It's all auditability, and even for private companies, it seems most
of these things fall under good general management controls. So, (a)
they were needed before, by law for publicly traded companies, and (b)
I see no specific language in SOx that strengthens the need!
And (c) I am still at a loss as to what technical options are supposed
to be allowed or disallowed in order to achieve these general goals.
At least I am gratified that, apparently, the actual SOx legislation
does not provide T-SQL trigger code that Congress has mandated! :)
J.