
Sarbanes-Oxley Audit. HELP!!!!


  • Sarbanes-Oxley Audit. HELP!!!!

    Our company is preparing for a test audit in a week and a real audit by the end of the year. We have hired a consultant, and to be as polite as I can: I'm not impressed.

    I ask questions like "What specifically needs to be shown in the security log?" I get answers like "The report needs to show any problems that might have occurred."

    I tried pinning him down and asking about specific event IDs for example, and got a deer in the headlights answer. The bottom line is that this person knows the very broad requirements, but none of the specific requirements of a Windows Server 2003 environment.

    The auditor at the end of the year, unfortunately, is not the same "consultant" we have helping us right now.

    So, I am getting set up for failure at this point is my feeling.

    I desperately need a specific list of what is audited in a Windows Server 2003 environment. I need to know where the auditors go and what they look at so I can pass this audit. I need to know what reports are needed and the best way to generate them.

    So far all I seem to be able to find are generalities.

    Any help anyone can offer would be great.

  • #2
    Re: Sarbanes-Oxley Audit. HELP!!!!

    Why are you so desperate to pass the audit?
    Why is it worse to fail the audit?
    I would say: Let them do their job and see what happens...
    Last edited by Dumber; 11th September 2007, 19:27.
    Technical Consultant

    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"


    • #3
      Re: Sarbanes-Oxley Audit. HELP!!!!

      Well, I'm not sure what to say Windows Server specific (new guy), but I've gone through SarBox since the law was enacted. Here's something to keep in mind: No one really knows what to do with this law. Each time I've gone through an audit (about 8 or 9 now), I've never been asked the same thing twice, and there always seems to be some new piece of info they want. It's almost at the whim of the audit team themselves.

      That being said, here are some basic data that I've had to supply in the past (from a financial / investment standpoint):
      • Transaction summaries
      • Transaction errors
      • Transaction corrections

      On the server log side, it's important to know WHO has access, WHAT LEVEL of access they have, and WHEN they've used it.

      Since you've got little or no guidance on this, you may want to develop some different queries that you can run on a moment's notice, so you can provide whatever info the auditor wants.

      Hope that helps in some way. This SarBox thing is far from resolved, and it's an issue across the board for just about everyone involved, from the people performing the audits to the firms being audited themselves.
      They keep getting younger, don't they baby...

      Compaq Presario PC: Windows Server 2003 R2 Standard / Intel Celeron 2.6 ghz / 1 gb RAM
      HP m7470n Media Center PC: Windows XP Pro Media Center 2005 / AMD Athlon 64 X2 Dual Core 4200+ 2.19 ghz / 2 gb RAM
      Toshiba Satellite M35 Special Edition: Windows XP Pro SP2 / Intel Pentium M 1.70 ghz / 1 gb RAM
      Gateway FMC-901 Media Center PC Windows XP Pro Media Center 2005 / Intel Pentium 4 3.0 ghz / 512 mb RAM
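The original poster asks which Security-log reports to prepare, and post #3 answers that the auditor will want to know WHO has access, WHAT LEVEL of access they have, and WHEN they used it, ideally from queries that can be run on a moment's notice. The script below is an added example written for this thread; it is not code from the forum, the poster, or the consultant. It takes Windows Server 2003 Security-log records and builds exactly that three-part report: successful and failed logons per account, every group-membership change with the administrator who made it, account creations and deletions, the group memberships that result from replaying those changes in time order, and successful logons outside business hours. The event IDs are the pre-Vista (Windows Server 2003) Security-log IDs; the records and the flat field layout are constructed and assumed, so the loader must be adapted to whatever Event Viewer export or log collector actually produces.

```python
"""WHO / WHAT LEVEL / WHEN report from Windows Server 2003 Security-log records.

Added example for this thread; it is not code from the forum, the poster, or
any consultant.  The event records below are constructed, and their field
layout (a flat list of dicts) is an assumption: adapt the loader to whatever
your Event Viewer export or log collector actually produces.
"""
from collections import defaultdict
from datetime import datetime

# Pre-Vista (Windows Server 2003) Security-log event IDs.
LOGON_SUCCESS = {528, 540}                 # interactive logon, network logon
LOGON_FAILURE = {529, 531, 532, 535, 539}  # bad password, disabled, expired, pw expired, locked out
ACCOUNT_CREATED = {624}
ACCOUNT_DELETED = {630}
GROUP_MEMBER_ADDED = {632, 636, 660}       # global, local, universal security group
GROUP_MEMBER_REMOVED = {633, 637, 661}

# Constructed sample records (not real log data).  "user" is the account the
# event is about; "actor" is the administrator who performed a change.
SAMPLE_EVENTS = [
    {"time": "2007-09-10 08:02:11", "id": 528, "user": "jsmith"},
    {"time": "2007-09-10 08:05:43", "id": 632, "user": "jsmith", "actor": "dadmin", "group": "Domain Admins"},
    {"time": "2007-09-10 09:15:00", "id": 529, "user": "jsmith"},
    {"time": "2007-09-10 09:15:20", "id": 529, "user": "jsmith"},
    {"time": "2007-09-10 09:16:02", "id": 528, "user": "jsmith"},
    {"time": "2007-09-11 17:40:09", "id": 624, "user": "tempuser", "actor": "dadmin"},
    {"time": "2007-09-11 17:41:30", "id": 636, "user": "tempuser", "actor": "dadmin", "group": "Backup Operators"},
    {"time": "2007-09-12 02:13:55", "id": 540, "user": "tempuser"},
    {"time": "2007-09-12 09:00:00", "id": 637, "user": "tempuser", "actor": "dadmin", "group": "Backup Operators"},
    {"time": "2007-09-12 09:01:10", "id": 630, "user": "tempuser", "actor": "dadmin"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def build_access_report(events):
    """Compute WHO / WHAT LEVEL / WHEN from the records, replayed in time order."""
    report = {
        "logons": defaultdict(list),      # WHO / WHEN: successful logons per account
        "failures": defaultdict(int),     # failed attempts per account
        "privilege_changes": [],          # WHAT LEVEL: every group add/remove, with actor
        "account_changes": [],            # creations and deletions, with actor
        "current_groups": {},             # WHAT LEVEL now: replayed from the changes
    }
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        eid, user, when = ev["id"], ev["user"], ev["time"]
        if eid in LOGON_SUCCESS:
            report["logons"][user].append(when)
        elif eid in LOGON_FAILURE:
            report["failures"][user] += 1
        elif eid in GROUP_MEMBER_ADDED:
            report["privilege_changes"].append((when, ev["actor"], user, ev["group"], "added"))
            report["current_groups"].setdefault(user, set()).add(ev["group"])
        elif eid in GROUP_MEMBER_REMOVED:
            report["privilege_changes"].append((when, ev["actor"], user, ev["group"], "removed"))
            report["current_groups"].setdefault(user, set()).discard(ev["group"])
        elif eid in ACCOUNT_CREATED:
            report["account_changes"].append((when, ev["actor"], user, "created"))
            report["current_groups"].setdefault(user, set())
        elif eid in ACCOUNT_DELETED:
            report["account_changes"].append((when, ev["actor"], user, "deleted"))
            report["current_groups"].pop(user, None)   # a deleted account holds no access
    return report


def logons_outside_hours(events, start_hour=7, end_hour=19):
    """Successful logons outside business hours: the WHEN an auditor probes first."""
    hits = []
    for ev in events:
        if ev["id"] in LOGON_SUCCESS:
            hour = parse_time(ev["time"]).hour
            if hour < start_hour or hour >= end_hour:
                hits.append((ev["time"], ev["user"]))
    return sorted(hits)


def format_report(report, off_hours):
    lines = ["Successful logons per account:"]
    for user, stamps in sorted(report["logons"].items()):
        lines.append(f"  {user}: {len(stamps)} (first {stamps[0]}, last {stamps[-1]})")
    lines.append("Failed logon attempts per account:")
    for user, n in sorted(report["failures"].items()):
        lines.append(f"  {user}: {n}")
    lines.append("Privilege (group membership) changes:")
    for when, actor, user, group, action in report["privilege_changes"]:
        lines.append(f"  {when}  {actor} {action} {user} {'to' if action == 'added' else 'from'} {group}")
    lines.append("Account lifecycle changes:")
    for when, actor, user, action in report["account_changes"]:
        lines.append(f"  {when}  {actor} {action} {user}")
    lines.append("Current group memberships (replayed):")
    for user, groups in sorted(report["current_groups"].items()):
        lines.append(f"  {user}: {', '.join(sorted(groups)) or '(none)'}")
    lines.append("Successful logons outside business hours:")
    for when, user in off_hours:
        lines.append(f"  {when}  {user}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = build_access_report(SAMPLE_EVENTS)
    print(format_report(rep, logons_outside_hours(SAMPLE_EVENTS)))
```

The replay step is what turns a raw event list into an answer to "what level of access does this account hold": the constructed sample shows a temporary account created, given Backup Operators, used for a network logon at 02:13, then stripped of the group and deleted, so the current-membership view no longer lists it while the change history and the off-hours logon still do. Keeping the query as a script rather than a one-off Event Viewer filter is what lets it be re-run for whichever date range or account the auditor asks about.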