SOX compliance checklist for ApexSQL Audit

The Sarbanes-Oxley Act (SOX) of 2002 is mandatory to all organizations regardless of their size and all must comply ant it serves “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.” 1

The Sarbanes-Oxley Act is arranged into eleven titles. As far as SQL SERVER compliance is concerned, the most important sections are 302 (15 U.S.C. 7241: Corporate Responsibility for Financial Reports) and 404 (15 U.S.C. 7262: Management Assessment of Internal Controls)

SOX Act does not reference any detail about technical implementation, and this is why several different standards of IT controls implementation exists. The most widely adopted IT related standard are COSO (Internal Control Integrated Framework) recognized by U.S. Security and Exchange Commission and COBIT 4.1 (Control Objectives for Information and Related Technology) created by ISACA 

While COSO provides the high-level insight in the components of an IT framework control required for meeting SOX compliance without providing details on how to execute the framework, COBIT 4.1 addresses more details and offers controls for addressing financial reporting to meet operational and compliance directives

ApexSQL Audit, in some cases in combination with other tools that exist in ApexSQL DBA, is designed to cover both frameworks controls related to SQL Server

COSO requirements supported by ApexSQL Audit:

Based on the COSO framework, there are five essential components for effective internal control that comprises 17 internal control principles:

Control environment

  • Demonstrates commitment to integrity and ethical values
  • Exercises oversight responsibility
  • Establishes structure, authority, and responsibility
  • Demonstrates commitment to competence
  • Enforces accountability

Risk assessment

  • Specifies suitable objectives
  • Identifies and analyzes risk
  • Assesses fraud risk
  • Identifies and analyzes significant change

Control activities

  • Selects and develops control activities
  • Selects and develops general controls over technology
  • Deploys through policies and procedures

Information and communication

  • Uses relevant information
  • Communicates internally
  • Communicates externally

Monitoring

  • Conducts ongoing and/or separate evaluations
  • Evaluates and communicates deficiencies

COBIT 4.1 control objectives supported by ApexSQL Audit:

Plan and Organize

  • PO2 Define the Information Architecture

Acquire and Implement

  • AI3 Acquire and Maintain Technology Infrastructure
  • AI6 Change Standards and Procedures
  • AI7 Install and Accredit Solutions and Changes

Delivery and support

  • DS3 Manage Performance and Capacity
  • DS4 Ensure Continuous Service
  • DS5 Ensure System Security
  • DS9 Manage the Configuration
  • DS10 Manage Problems
  • DS11 Manage Data
  • DS13 Manage Operations

 

SOX ControlLevel of Support & Supporting FeaturesApexSQL Audit Provides
COBIT 4.1 PO2 – Define the Information Architecture
COSO – Control Activities
PO2.4 Integrity managementSupportsApexSQL Audit can report and alert on all unauthorized, accidental and malicious, data modifications reducing the risk of data integrity violation. ApexSQL Trigger and ApexSQL Log ensures the before-after data auditing allowing full tracking of data changes. If required, all data changes can be rolled back to a previous state
COBIT 4.1 AI3 – Acquire and Maintain Technology Infrastructure
COSO – Control Activities
AI3.2 Infrastructure resource protection and availabilitySupportsEnsures continuous auditing of configuration and changes of software infrastructure that is related to SQL Server in order to protect assets and safeguard availability
AI3.3 Infrastructure maintenanceSupportsApexSQL Audit can audit all user activities configuration changes and changes of privileged/trusted users
AI3.4 Feasibility test environmentSupports with ExceptionsApexSQL Audit ensures auditing and documenting all changes and activities in test environments to ensure smooth replication and  successful auditing capability for production environment
COBIT 4.1 AI6 Change standards and procedures
COSO – Control Activities, Risk Assessment, Monitoring
AI6.1 Change standards and proceduresSupportsApexSQL Audit ensures that all SQL Server related changes will be collected and documented for reporting
AI6.3 Emergency changes SupportsApexSQL Audit can track, collect and document all changes even those performed in emergency situations at the system level, regardless of the management tool used to make these changes
AI6.4 Change status tracking and reportingFull information of every change: who changed what, when, and where with ability to automatically collect these changes and provides comprehensive real time alerting and reporting to ensure that unauthorized changes aren’t occurred
AI6.5: Change Closure and DocumentationSupportsApexSQL Audit can audit and report on all SQL Server changes ensuring the real time updating on all aspects of changes and that they will be viewable in reports and created documentation
AI7 Install and Accredit Solutions and Changes
COSO – Control Activities, Information and Communication, Monitoring)
AI7.4 System and data conversionSupportsFully featured auditing and reporting of all user activities including access to sensitive data and recording of configurations and who changed what, when, and where across the entire SQL Server infrastructure
AI7.7: Final acceptance test SupportsEnsures results of the testing process are easily reviewed and evaluated via comprehensive reporting on all SQL Server infrastructure changes
AI7.8  Promotion to productionSupportsApexSQL Audit has the ability to record all changes made to the production system and report on them, ensures easily reviewing of these changes and ensuring that all implemented changes conforms to the implementation plan
AI7.9 Post-implementation reviewSupportsEnsures easy post implementation review based on the ability to audit all changes and report on whether the change management, installation and accreditation processes were performed effectively and efficiently
COBIT 4.1 DS3 Manage Performance and Capacity
COSO – Control Activities, Monitoring
DS3.5 Monitoring and reportingSupportsContinuously monitor the performance and capacity of IT resources via ApexSQL Monitor. Reporting ability can be used for moderating performance and resources availability
COBIT 4.1 DS4 Ensure Continuous Service
COSO – Control Activities, Information and Communication, Control Environment
DS4.3 Critical IT resources.Comprehensive auditing, alerting and reporting on any type of login/user privileges, access rights, and access policies to register all security violations. Additionally, using ApexSQL Log, unauthorized, malicious, and or accidental data and/or schema changes can be rolled back
COBIT 4.1 DS5 Ensure Systems Security
COSO – Control Activities, Information and Communication, Monitoring
DS5.3 Identity managementSupportsApexSQL Audit ensures auditing and reporting on every security privilege changes, operations with user accounts and any unpermitted new users creation, existing user deletion or altering including real time alerting
DS5.4: User account managementSupportsApexSQL Audit can track all changes to login/user accounts, any change of privileges, including auditing of all activities performed by both, regular and privileged user activities.
DS5.5 Security testing, surveillance and monitoringSupportsFully featured auditing and reporting on all user activities including access to sensitive data and recording of configurations and who changed what, when, and where across the entire SQL Server infrastructure, with ability for real time alerting on any SQL Server event
COBIT 4.1 DS9 Manage the Configuration
COSO – Control Activities
DS9.1 Configuration repository and baseline
DS9.2 Identification and maintenance of configuration items
DS9.3 Configuration integrity review
SupportsCentralized collection, archiving, and consolidation of all data. ApexSQL Audit doesn’t prevent audit data alterations but makes such attempts to tamper fully evident with ability to alert on any attempts. Auditing and reporting for all configuration changes
COBIT 4.1 DS10 Manage Problems
COSO – Control Activities, Information and Communication
DS10.2 Problem tracking and resolutionSupportsApexSQL Audit can audit all SQL Server activities and precisely reporting via custom reports, which ensures tracking, analyzing and investigating the issues and pinpointing the issues root cause
COBIT 4.1 DS11 Ensure Systems Security
COSO – Control Activities, Information and Communication, Monitoring
DS11.2 Storage and retention arrangementsPartially supportsAll backup and restore operations can be proactively audited to help ensure compliance with organizational policies, with ability to be alerted and reported on any backup/restore operation
DS11.5 Backup and restorationSupportsApexSQL Audit can audit all backup and restore activity and generate full report on backup/ restore activity including, who, when and what including the information of successful and unsuccessful backup/restore attempts. With ApexSQL Manage procedure for backup data on regular basis can be ensured
DS11.6 Security requirements for data managementSupportsApexSQL Audit can audit all DML changes on SQL Server, including the real time alerting and reporting. Additionally, via ApexSQL Trigger and ApexSQL Log, ApexSQL ensures full before-after data changes, reporting including the recovery of all unintended and/or malicious data changes
COBIT 4.1 DS13 Manage operations
COSO – Control Activities, Information and Communication
DS13.3 Problem tracking and resolutionSupportsApexSQL Audit ensures continuous auditing of all SQL Server events chronologically Including auditing of all changes recording all configuration states across the entire SQL Server environment, and thus allowing reviewing, analyzing and if needed, reconstructing of all SQL Server operations

 

For Appendix on meaning of category assessments e.g. supports, click here