HPE Community
Switches, Hubs, and Modems
1754223 Members
3493 Online
108812 Solutions
New Discussion юеВ

Sarbanes-Oxley

 
Les Ligetfalvy
Esteemed Contributor

тАО02-24-2006 11:29 AM

тАО02-24-2006 11:29 AM

Sarbanes-Oxley

Can anyone share how they use PCM+ to meet the requirements of SOx? I have the latest PCM+, but I don't see how I can easily generate the reports for compliance.

Please help.
0 Kudos
7 REPLIES 7
Kell van Daal
Respected Contributor

тАО02-27-2006 12:45 AM

тАО02-27-2006 12:45 AM

Re: Sarbanes-Oxley

Hi Les,

Could you provide some details of what reports you need for SOx? I'm not really familiar with it.
Maybe more people can help you then.
0 Kudos
Les Ligetfalvy
Esteemed Contributor

тАО02-27-2006 12:49 AM

тАО02-27-2006 12:49 AM

Re: Sarbanes-Oxley

That's just it... the auditors won't tell us what they need, they just point us to the thousands of pages of legislation. I was hoping someone had already sorted that bit out and would share it.
0 Kudos
Les Ligetfalvy
Esteemed Contributor

тАО02-28-2006 08:02 AM

тАО02-28-2006 08:02 AM

Re: Sarbanes-Oxley

Is it that nobody uses PCM in their SOX or that it is too painful to discuss?
0 Kudos
Matt Hobbs
Honored Contributor

тАО02-28-2006 09:47 AM

тАО02-28-2006 09:47 AM

Re: Sarbanes-Oxley

I had a brief chat to a friend about this who has gone through SOx auditing in the past. He advised that they will just want to see what security measures you have in place to prevent financial data being accessed by users that don't require it.

In the case of your network, ACL's I would imagine is what they would be most interested in.

Don't quote me on this though.
0 Kudos
Les Ligetfalvy
Esteemed Contributor

тАО02-28-2006 10:14 AM

тАО02-28-2006 10:14 AM

Re: Sarbanes-Oxley

Well, my network is around 50/50 legacy/Procurve so I am not using any ACLs at the network layer.

I was hoping to get by with just change management on just the Procurve equipment by using the configuration revision logging and reporting in PCM+.

I don't know how I am supposed to handle the change approval process because I approve all my own changes but SOx assumes that I cannot be trusted and must get approval from above. In reality, it is those above me that are not to be trusted.

I plan to declare the legacy half as unmanaged.
0 Kudos
Chris Sidwell-Smith
Advisor

тАО04-24-2006 09:50 PM

тАО04-24-2006 09:50 PM

Re: Sarbanes-Oxley

We've just gone through SOX ourselves (though as a US owned UK company).

The auditors love documentation and paper trails.

The (rough) setup we use it.

1) Document. Switch config is documented.

2) Change Control. All alterations to switch config are documented and authorised.

3) Security. Only a the people that need it can access the switch config.

Now we are doing a followon project in investigating IPS/IDP but that is seperate from our Procurve switches.

Now if there are specific security/financial issues (say a financial VLAN or network segment) then generally they can be covered by the above.
0 Kudos
Bergin
Advisor

тАО04-25-2006 02:48 AM

тАО04-25-2006 02:48 AM

Re: Sarbanes-Oxley

Just to add in my own experiences

1) Document. Switch config is documented. (And reviewed)

SARBOX is big about one person documenting, the another person reviewing what the first person documented and a third person approves it. You will see this idea of multiple people as a check/balance systems.

2) Change Control. All alterations to switch config are documented and authorised.

Same thing - One person initiates the change, another person approves the change, and one person does the change. See - multiple people.

3) Security. Only a the people that need it can access the switch config.

Read this - no more generic login's - no more Administrator, no more Root, no more Admin, etc.

All accounts must be me unique and auditable, they also must be only enabled when a change has been appoved, and only for the systems that are covered by the change package. Think RADIUS, TACACS+, daily reporting, etc.

Hope this helps

I would add this as well

4) Reporting - most SARBOX wants reports, daily, weekly, monthly, of the change managements and successes/failures.

Thanks,

Rob
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.