Hello,
Not exactly a problem of Windows, but I didn't know which forum to post this message in. The CFO of one of my clients asked that we prepare the network to be Sarbox compliant. I'm totally lost. First off, I'm from Canada and I manage the IT system of a company that has its HQ in Canada. I have been "googling" for 5 hours on what the requirements are to be Sarbox compliant. I have printed well over 100 pages of documents that I intend to read. I have quickly parsed most of the documents but haven't exactly found the requirements in a concise format. So far, I have determined that a secure backup system must be in place for all data and that data must be kept for a period of 5 years (one doc said 7 years). Now, the data changes daily, which is normal, but am I expected to keep a different tape for each day for 5 years? I currently have a 2-week rotation of tapes and 4 monthly tapes... I'm also using NTBackup. Is it sufficient? That seems reasonable, but I don't think it's compliant. Data must be protected from hackers (includes having firewalls, anti-virus, anti-spyware...); that's OK, but do certain firewalls not qualify? For example, I have a Cisco PIX, but if I had a Linksys, does it make a difference? Does the configuration of the firewall render it compliant or not? There's also mention of monitoring any and all data transfers, i.e., instant messaging, emails, data copied through the network, WiFi. Do I need a data sniffer? It mentions keeping all emails, so I need some sort of real-time archiving, because if an email is received and deleted the same day before it's backed up to tape, then I'm screwed? I also saw something about patch management. I do it manually now (every second Tuesday of the month). Does it qualify, or do I need Shavlik or WUS? I've got bits and pieces of info. For those of you who managed to get your networks compliant, where and how did you get it to that point?
Is there a book that I can buy that has all this info just for the IT systems, or some document I can download? Should I hire an outside company to do the checking (just for the IT system)? I know that Price Waterhouse Coopers is the accounting firm that does the accounting audits, but that's about it. The CFO wants the report by September, and we have 3 months to apply the corrections needed for a deadline of December. Am I approaching this the wrong way? I'm sure this will give me plenty of experience because, in very little time, similar laws will be passed in Canada and I will be doing this same process for 3 or 4 more companies.
Thanks
akwong