Hello,
As always, legal documents (SOX too) are
written in such a manner to make it easy to
interpret them in many ways.
The English language has many ways to
measure readability of a given text.
One of them is the Fog Index.
To calculate the Fog Index of a passage, do the following:
1. Count the number of words in the paragraph, W.
2. Count the number of sentences in the paragraph, S.
3. Count the number of words of three syllables or more, HW.
4. Apply formula: (W/S + HW/(W x 100)) x 0.4
Legal documents often have Fog Index of
15 and above.
I have conducted, seen and provided information for many security audits.
When I was an auditor, I knew exactly
what to look for.
Alas, many auditors do not come from
IT background. Because non-technical interviewers were trying to verify the SOX compliance, the reports were sometimes
focusing on totally unimportant items.
The most common threads I learnt from
audits conducted by others were:
a) Shared Unix accounts (for Unix, Oracle,
and other teams) are forbidden. Each person
must use their own login and then assume identity of some privileged account.
b) Event logging and traceability are
crucial. Email traffic, access to superuser
accounts, access and changes to databases,
and others.
c) All audit data must be sent to a
centralized log system too.
d) Written procedures and updates to
the documentation of the server are
important;
e) Be short with your answers and
do not fall into traps :)
Legal teams and politicians think that some
software can take care of all their requests.
Wrong!
As Bruce Schneier kindly said "Security is not a program, but a process" (and never-ending one for that matter :)).
Frankly, your steps (and a bit more)
will take you beyond SOX easily. Your
common sense and strong ethics can
do much more than any legal document.
You are on the right track!
Best wishes,
VK2COT
VK2COT - Dusan Baljevic
