Ravelstaff
Sarbanes-Oxley (SOX) Impact on Server Scenario

I need to determine the impact of SOX requirements on a server solution one of my clients asked me about today. They are a manufacturing business that has a server at one of their Engineering Departments (I believe that this server may be geographically removed from the company's primary IT/IS infrastructure). This "Engineering" server will be manually updated with manufacturing and material quantity data on a daily basis by one of the engineers. This information must then be uploaded into the company's financial management system (FMS), which then uses it for statistical analysis and financial reporting purposes. Since the financial systems are strictly subject to SOX standards and requirements, the question is: should the Engineering server, where the initial data capture is done and eventually uploaded to the FMS, also be included in the SOX policy scope for the company?

I am not all that familiar with SOX compliance so I am hoping that someone here will be able to give me some good, sound advice on this urgently. At the moment I am not sure whether the data upload to the FMS will be done automatically or manually via a data file dump (does it make any difference?).

Any advice would be greatly appreciated!
Thanks.
Goofytouy

Hi Ravelstaff (the previous answer escaped my control).

You must think of SOX as a financial reports controller. Anything that modifies or affects financial reports falls within the scope of SOX.
So, in the scenario you have stated above, all of the process must adhere to SOX. In other words, the process of data entry falls inside the scope of SOX (data entry should be validated), the server falls inside the scope of SOX (C.I.A. should be measured), and moreover, the data exchange is going to fall inside the scope too (encryption, etc.).

Hope this clarifies some of your doubts... If not, let me know, and I could be more granular.

Regards
M
Ravelstaff

ASKER

Hi Goofytouy,

Thank you very much for your input. Your explanation does make sense and it does help a lot.

Since posting the initial question I have determined that the Engineering server will be uploading the daily bill of materials data to the FMS middleware system via an encrypted connection, from where the data will then be validated by means of a verification script to test the data file integrity (presumably using a hash of some sort). So am I correct to conclude, given your explanation, that because the data is in fact going to affect the financial reporting in the end, once it has been validated and merged into the core FMS database, the remotely located Engineering server clearly and definitely falls within the company's SOX compliance requirements scope?

This is how I am reading your interpretation so I just want to make sure that I got it straight before I make any recommendation to my client.

Thanks again for your time!
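As an added example (not part of the original thread, and not the client's actual verification script), here is one shape the validation step described above could take, in Python. The CSV layout, column names, and the shared key are assumptions made for illustration. It pairs the file-integrity check with the data-entry validation and a batch control total, the kinds of controls an auditor would expect to see evidenced on a feed that ends up in financial reporting. It also shows why a plain hash travelling with the file is not enough on its own: a keyed HMAC (or a signature) is needed to detect deliberate alteration rather than just corruption, and it goes a little beyond the thread by emitting an audit record for each attempt.

```python
"""Added example: integrity and validation checks for a daily BOM data file
handed from an Engineering server to FMS middleware. Not from the original
thread; the CSV layout, column names and shared key are assumptions."""
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

# Constructed sample of the daily file the Engineering server would hand over.
SAMPLE_BOM_CSV = (
    "part_no,description,qty_on_hand,qty_consumed\n"
    "P-1001,Steel bracket,1500,320\n"
    "P-1002,M8 bolt,24000,4100\n"
).encode("utf-8")

# Assumption: a key provisioned on both the Engineering server and the FMS
# middleware, stored outside the data file. A bare SHA-256 only detects
# accidental corruption; whoever can edit the file can recompute it.
SHARED_KEY = b"example-key-provision-from-a-vault"

REQUIRED_COLUMNS = ("part_no", "description", "qty_on_hand", "qty_consumed")
CONTROL_COLUMN = "qty_consumed"  # column whose sum acts as the batch control total


def parse_rows(data: bytes) -> tuple[list[dict], list[str]]:
    """Parse the CSV and apply data-entry validation. Returns (rows, problems)."""
    problems: list[str] = []
    reader = csv.DictReader(io.StringIO(data.decode("utf-8")))
    if tuple(reader.fieldnames or ()) != REQUIRED_COLUMNS:
        return [], [f"unexpected header: {reader.fieldnames}"]
    rows = []
    for lineno, row in enumerate(reader, start=2):
        for col in ("qty_on_hand", "qty_consumed"):
            try:
                value = int(row[col])
            except (TypeError, ValueError):
                problems.append(f"line {lineno}: {col} is not an integer")
                continue
            if value < 0:
                problems.append(f"line {lineno}: {col} is negative")
        rows.append(row)
    return rows, problems


def control_total(rows: list[dict]) -> int:
    """Batch control total: sum of the control column over all validated rows."""
    return sum(int(r[CONTROL_COLUMN]) for r in rows)


def seal(data: bytes, key: bytes = SHARED_KEY) -> dict:
    """Sender side: build the manifest that travels with the file."""
    rows, problems = parse_rows(data)
    if problems:
        raise ValueError("refusing to seal an invalid file: " + "; ".join(problems))
    return {
        "size": len(data),
        "hmac_sha256": hmac.new(key, data, hashlib.sha256).hexdigest(),
        "row_count": len(rows),
        "control_total": control_total(rows),
    }


def verify(data: bytes, manifest: dict, key: bytes = SHARED_KEY) -> list[str]:
    """Receiver side: return the list of problems; an empty list means accept."""
    problems: list[str] = []
    if len(data) != manifest.get("size"):
        problems.append("size mismatch")
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("hmac_sha256", ""))):
        problems.append("HMAC mismatch: file altered in transit or wrong key")
    rows, row_problems = parse_rows(data)
    problems.extend(row_problems)
    if not row_problems:
        if len(rows) != manifest.get("row_count"):
            problems.append("row count mismatch")
        if control_total(rows) != manifest.get("control_total"):
            problems.append("control total mismatch")
    return problems


def audit_record(actor: str, manifest: dict, problems: list[str]) -> str:
    """One JSON line per upload attempt, destined for an append-only log (assumed)."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "decision": "accepted" if not problems else "rejected",
        "manifest": manifest,
        "problems": problems,
    }, sort_keys=True)


if __name__ == "__main__":
    manifest = seal(SAMPLE_BOM_CSV)
    print(audit_record("eng-upload-job", manifest, verify(SAMPLE_BOM_CSV, manifest)))
    # Same-size edit to a quantity: the size check passes, the HMAC and
    # control total both catch it.
    tampered = SAMPLE_BOM_CSV.replace(b"4100", b"1400")
    print(audit_record("eng-upload-job", manifest, verify(tampered, manifest)))
```

Whether the upload is automated or done by a manual file dump, the receiving side should run the same checks and write the same audit record; the manual path just adds the person doing the upload as the actor to be identified and the manifest as the artefact that proves which file was accepted.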
ASKER CERTIFIED SOLUTION
Goofytouy

This solution is only available to members.
Makes perfect sense!
Thanks.