SOX and SQL Server

Question
-
Does anyone have any documentation or links pertaining to the granting of unnecessary rights outside of application needs and SOX compliance?
John M. Couch
Tuesday, October 12, 2010 2:59 AM
Answers
-
Please refer to the SQL Server White Paper: SQL Server 2008 Compliance Guide
It may help you on where to begin or how to automate the program using technology, specifically SQL Server.
It addresses the compliance of SOX, PCI, HIPAA and GLBA using SQL Server 2008.
Sivaprasad S http://sivasql.blogspot.com Please click the Mark as Answer button if a post solves your problem!
- Marked as answer by Il-Sung Lee - MSFT Friday, October 15, 2010 4:56 AM
Wednesday, October 13, 2010 12:30 AM -
There's also a case study describing Credit Suisse's efforts to become SOX compliant with SQL Server 2005.
Il-Sung.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by Il-Sung Lee - MSFT Friday, October 15, 2010 4:56 AM
Friday, October 15, 2010 4:56 AM
All replies
-
As per my knowledge, Sarbanes-Oxley (SOX) is rather general in the description of what needs to be done and does not really say what companies need to do for a database to ensure the requirements are satisfied.
SQL 2005 (onwards) provides many data integration, data protection and security features that can help comply with various regulations including SOX but SOX does not dictate any specific feature to exist in a db platform so there isn’t really any such thing as db being compliant with SOX.
Improving Data Security by Using SQL Server 2005
This article looks at how Microsoft IT uses SQL Server 2005 to protect sensitive data. http://www.microsoft.com/technet/itsolutions/msit/security/sqldatsec.mspx
Balmukund Lakhani | Please mark solved if I've answered your question
--------------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------------------------------------------------------------------
My Blog: http://blogs.msdn.com/blakhani
Team Blog: http://blogs.msdn.com/sqlserverfaq
Tuesday, October 12, 2010 7:16 AM -
The link didn't work. Outside of that, all the SOX integrations I have been involved with in the past have included data security in order to be compliant. This included procedures for providing access to the data, encrypting CC numbers, etc., as well as restricting access to only needed functionality. This was done through SQL Server and Oracle. The problem is I no longer have the documentation I used during those audits, etc.
John M. Couch
Tuesday, October 12, 2010 7:46 PM -
From my experience, dealing with SOX compliance can easily turn into a nightmare, as its creators had nothing related to technology in mind at all. A common opinion about it, which I found on several online resources, is that it is written by lawyers, for lawyers.
Here are some resources that helped me understand it better, along with some implementation tips:
https://www.sec.gov/rules/proposed/s74002/card941503.pdf
http://solutioncenter.apexsql.com/how-to-implement-sox-compliance-requirements-for-sql-server-part-1/
http://solutioncenter.apexsql.com/how-to-implement-sox-compliance-requirements-for-sql-server-part-2/
Hope this helps
- Edited by JakeSTurner Tuesday, January 31, 2017 3:03 PM
Tuesday, January 31, 2017 3:01 PM