SOX Compliance Data Center

Hey guys,

We have to move a server for one of our clients to a data center. They requested that it be SOX compliant; it's essentially an email and file server that will only be used for DR. The data center is SSAE16 already.

What do we need to ensure compliance to pass an audit?

btan (Exec Consultant) commented:
SOX in simplified form means protecting shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improving the accuracy of corporate disclosures. As long as these can be proven at a minimum, compliance is within reach. It focuses a lot on financial record-keeping diligence and the data safekeeping controls in place. You can see below for a glance at the data protection needed to be baseline compliant:

Identify data that comes under the purview of act.
Section 103: Create processes for retention of data of the last 7 years.
Section 104 & 802: Get the data audited by third-party audit firms. Retention of audit data of last 5 years. In case of non-maintenance, fine and/or penalty could be imposed.
Section 105(B): Easy and quick accessibility of stored data when needed. In case the court asks for any past data records, they must be readily available.
Section 404: Build up internal controls for protection of data.
Monitoring of possible insider information leaks as well as tampering/destruction attempts.

As for SSAE 16 achievement, it is good, as minimally it can cover the two types stated below, which essentially is also known as a SOC 1 audit. Just need to make sure the report covers the above mentioned aspects to start off the engagement:
Type 1 – A data center’s description and assertion of controls, as reported by the company.
Type 2 – Auditors test the accuracy of the controls and the implementation and effectiveness of controls over a specified period of time.
It should be good as it also revolves around showing data protection. But do note that some can demand more stringent requirements, with the addition of covering SOC 2, which gives additional resiliency and assurance for the attestation of the effectiveness of the operational controls in the DC. I will say it is doing a custom fit to the DC but still very much the same, just more surgical on the controls in place, in that the assessment is not time bound based on a period but assesses whether it is built to be robust and stay effective. It covers two key aspects too:
Type 1 – A data center’s system and suitability of its design of controls, as reported by the company.
Type 2 – Includes everything in its Type 1, with the addition of verification of an auditor's opinion on the operating effectiveness of the controls.
Just need to balance the requirements in your use case; primarily, the DC as a DR may not necessarily need such high resiliency as long as minimal compliance is achieved, and you can ask, for example, for hosting in the same environment too for stronger justification. The focus should also be on the infra and the system itself being hardened, and on protection of the email's confidentiality, availability and integrity too.

Cobra25 (Author) commented:
Very good info!

Do you think encryption would be necessary? How about access logs?
btan (Exec Consultant) commented:
In fact, encryption is definitely a must to protect data on the wire and at rest, rather than keeping it in plain and relying on access control. The compliance check will be hunting this down, so do consider this, especially for the email part; there is Secure MIME or even PGP email for such consideration.

Access logs are more for follow-up: if a breach or anomalies kick in, there can be timely escalation (need someone or a system to watch it too). Also, the log retention period for audit compliance will be commensurate, based on the business requirement, and is critical to fulfil the annual security check or review.