This article provides an overview of the SOX 404 control "Ensure System Security".

The typical SOX 404 IT controls for Ensure System Security are outlined below.

Access Provisioning
There may be multiple access provisioning processes for persons at the operating system, database and application layers as well as for personal, shared and system accounts.

Description: A documented access provisioning process exists and is enforced.

Control Objective: Accounts are appropriately provisioned to reduce the risk of unauthorised access.

Typical Evidence:

  1. There is a documented process for provisioning and modifying access.
  2. The process defines how the request should be made.
  3. The process prevents an individual approving their own access.
  4. The process describes how the access will be granted.

Access Reviews
There may be multiple access reviews for persons at the operating system, database and application layers as well as for personal, shared and system accounts.

Description: A documented access review process exists and is enforced.

Control Objective: Accounts are appropriately reviewed to reduce the risk of unauthorised access.

Typical Evidence:

  1. There is a documented process for reviewing and modifying access.
  2. The review should occur at least quarterly.
  3. The process documents the role validating account access.
  4. The process describes how access will be amended in the event of a change.

Access Deprovisioning
There may be multiple access deprovisioning processes for persons at the operating system, database and application layers as well as for personal, shared and system accounts.

Description: A documented access deprovisioning process exists and is enforced.

Control Objective: Accounts are appropriately deprovisioned to reduce the risk of unauthorised access.

Typical Evidence:

  1. There is a documented process for deprovisioning.
  2. The process defines how the deprovisioning request should be made.
  3. The process defines how quickly an account should be deprovisioned.
  4. The process describes how the access will be removed.

Password Complexity
Password complexity will need to be evaluated for multiple password stores: domain, application, database, operating system, etc.

Description: A documented process exists and is enforced for allocating passwords.

Control Objective: Applications have adequate password controls.

Typical Evidence:

  1. A documented process exists and is enforced for allocating passwords.
  2. The process requires that user IDs must be unique and tied to an individual.
  3. The process requires that temporary passwords expire upon first use.
  4. The process requires that passwords must expire at least annually.
  5. The process requires that organisational password complexity standards must be followed.
  6. The process requires that account lock-out must occur after 10 failed attempts.
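The evidence items above are typically gathered by hand, but the same checks can be run over an account export so that the reviewer starts from a list of exceptions rather than a raw list of accounts. The script below is an added example and is not part of the original article or of any Morland-Austin tooling. It reconciles a constructed account list against a constructed HR roster and a password policy, flagging self-approved requests (provisioning), accounts not reviewed within a quarter (access reviews), leavers whose accounts remained active past a deprovisioning deadline, owners missing from the roster, and password settings weaker than the thresholds the article lists. The data model, the field names and the one-day deprovisioning deadline are assumptions made for the example; the article only requires that the process define how quickly an account is removed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from the control evidence above
REVIEW_INTERVAL_DAYS = 90      # reviews at least quarterly
MAX_PASSWORD_AGE_DAYS = 365    # passwords expire at least annually
MAX_FAILED_ATTEMPTS = 10       # lock-out after 10 failed attempts


@dataclass
class Person:
    hr_id: str
    left_on: Optional[date] = None   # None while still employed


@dataclass
class Account:
    user_id: str
    owner_hr_id: str           # the individual the account is tied to
    requested_by: str          # HR id of the requester
    approved_by: str           # HR id of the approver
    last_reviewed: date
    disabled_on: Optional[date] = None


@dataclass
class PasswordPolicy:
    max_age_days: int
    lockout_threshold: int     # 0 means lock-out is disabled
    temp_password_expires_on_first_use: bool


def self_approved(accounts):
    """Provisioning: nobody may approve their own access request."""
    return [a.user_id for a in accounts if a.requested_by == a.approved_by]


def duplicate_user_ids(accounts):
    """Password control: user IDs must be unique."""
    seen, dups = set(), []
    for a in accounts:
        if a.user_id in seen and a.user_id not in dups:
            dups.append(a.user_id)
        seen.add(a.user_id)
    return dups


def orphaned(accounts, people):
    """Accounts whose owner does not appear in the HR roster."""
    roster = {p.hr_id for p in people}
    return [a.user_id for a in accounts if a.owner_hr_id not in roster]


def stale_reviews(accounts, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Access review: active accounts not validated within the interval."""
    cutoff = today - timedelta(days=interval_days)
    return [a.user_id for a in accounts
            if a.disabled_on is None and a.last_reviewed < cutoff]


def leavers_not_deprovisioned(accounts, people, today, sla_days):
    """Deprovisioning: leaver accounts still active (or disabled late) past the assumed SLA."""
    left = {p.hr_id: p.left_on for p in people if p.left_on is not None}
    findings = []
    for a in accounts:
        left_on = left.get(a.owner_hr_id)
        if left_on is None:
            continue
        deadline = left_on + timedelta(days=sla_days)
        if a.disabled_on is None and today > deadline:
            findings.append(a.user_id)
        elif a.disabled_on is not None and a.disabled_on > deadline:
            findings.append(a.user_id)
    return findings


def password_policy_findings(policy):
    """Compare configured settings with the evidence items listed above."""
    findings = []
    if policy.max_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"max password age {policy.max_age_days}d exceeds {MAX_PASSWORD_AGE_DAYS}d")
    if policy.lockout_threshold == 0 or policy.lockout_threshold > MAX_FAILED_ATTEMPTS:
        findings.append(f"lock-out threshold {policy.lockout_threshold} is not within {MAX_FAILED_ATTEMPTS} failed attempts")
    if not policy.temp_password_expires_on_first_use:
        findings.append("temporary passwords do not expire on first use")
    return findings


def run_review(accounts, people, policy, today, sla_days):
    return {
        "self_approved": self_approved(accounts),
        "duplicate_user_ids": duplicate_user_ids(accounts),
        "orphaned": orphaned(accounts, people),
        "stale_reviews": stale_reviews(accounts, today),
        "leavers_not_deprovisioned": leavers_not_deprovisioned(accounts, people, today, sla_days),
        "password_policy": password_policy_findings(policy),
    }


# Constructed sample data for the example; not from any real system
TODAY = date(2024, 6, 30)
PEOPLE = [Person("A1"), Person("B1", left_on=date(2024, 5, 31)), Person("C1"), Person("M1")]
ACCOUNTS = [
    Account("alice", "A1", "A1", "M1", date(2024, 6, 1)),
    Account("bob", "B1", "B1", "M1", date(2024, 1, 15)),          # leaver, still active, review overdue
    Account("svc_backup", "C1", "C1", "C1", date(2024, 6, 15)),   # requester approved own access
    Account("ghost", "Z9", "Z9", "M1", date(2024, 6, 20)),        # owner not in roster
]
POLICY = PasswordPolicy(max_age_days=400, lockout_threshold=20, temp_password_expires_on_first_use=True)

if __name__ == "__main__":
    for control, items in run_review(ACCOUNTS, PEOPLE, POLICY, TODAY, sla_days=1).items():
        print(f"{control}: {items or 'no exceptions'}")
```

Each function returns the list of exceptions for one control, so the output of `run_review` can be attached directly to the quarterly review as evidence of what was checked and what was found; an empty list for every control is the expected result once the processes above are enforced.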

For more information please contact Morland-Austin at info@morland-austin.com.