The Sarbanes-Oxley Act (SOX) of 2002 applies to all publicly traded companies in the United States, regardless of their size, and all of them must comply with it. Its stated purpose is "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."
The Sarbanes-Oxley Act is arranged into eleven titles. As far as SQL Server compliance is concerned, the most important sections are 302 (15 U.S.C. 7241: Corporate Responsibility for Financial Reports) and 404 (15 U.S.C. 7262: Management Assessment of Internal Controls).
The SOX Act does not specify any technical implementation details, which is why several different standards for implementing IT controls exist. The most widely adopted IT-related standards are COSO (Internal Control Integrated Framework), recognized by the U.S. Securities and Exchange Commission, and COBIT 4.1 (Control Objectives for Information and Related Technology), created by ISACA.
While COSO gives high-level insight into the components of an IT control framework required for SOX compliance without detailing how to execute that framework, COBIT 4.1 goes into more detail and offers specific controls over financial reporting that meet operational and compliance directives.
ApexSQL Audit, in some cases combined with other tools in ApexSQL DBA, is designed to cover the SQL Server-related controls of both frameworks.
COSO requirements supported by ApexSQL Audit:
The COSO framework defines five essential components of effective internal control, which together comprise 17 internal control principles:
Control environment
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority, and responsibility
- Demonstrates commitment to competence
- Enforces accountability
Risk assessment
- Specifies suitable objectives
- Identifies and analyzes risk
- Assesses fraud risk
- Identifies and analyzes significant change
Control activities
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys through policies and procedures
Information and communication
- Uses relevant information
- Communicates internally
- Communicates externally
Monitoring
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates deficiencies
COBIT 4.1 control objectives supported by ApexSQL Audit:
Plan and Organize
- PO2 Define the Information Architecture
Acquire and Implement
- AI3 Acquire and Maintain Technology Infrastructure
- AI6 Manage Changes
- AI7 Install and Accredit Solutions and Changes
Deliver and Support
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure System Security
- DS9 Manage the Configuration
- DS10 Manage Problems
- DS11 Manage Data
- DS13 Manage Operations
SOX control | Level of support | What ApexSQL Audit provides
--- | --- | ---
COBIT 4.1 PO2 Define the Information Architecture (COSO: Control Activities) | |
PO2.4 Integrity management | Supports | ApexSQL Audit reports and alerts on all unauthorized, accidental and malicious data modifications, reducing the risk of data integrity violations. ApexSQL Trigger and ApexSQL Log provide before-after data auditing, giving full tracking of data changes; if required, data changes can be rolled back to a previous state.
COBIT 4.1 AI3 Acquire and Maintain Technology Infrastructure (COSO: Control Activities) | |
AI3.2 Infrastructure resource protection and availability | Supports | Continuous auditing of the configuration of, and changes to, the SQL Server-related software infrastructure, in order to protect assets and safeguard availability.
AI3.3 Infrastructure maintenance | Supports | ApexSQL Audit audits all user activities, configuration changes and changes made by privileged/trusted users.
AI3.4 Feasibility test environment | Supports with exceptions | ApexSQL Audit audits and documents all changes and activities in test environments, so that the auditing setup can be replicated smoothly to the production environment and verified there.
COBIT 4.1 AI6 Manage Changes (COSO: Control Activities, Risk Assessment, Monitoring) | |
AI6.1 Change standards and procedures | Supports | ApexSQL Audit collects and documents all SQL Server-related changes for reporting.
AI6.3 Emergency changes | Supports | ApexSQL Audit tracks, collects and documents all changes at the system level, including those performed in emergency situations, regardless of the management tool used to make them.
AI6.4 Change status tracking and reporting | | Full information on every change: who changed what, when and where, collected automatically, with comprehensive real-time alerting and reporting to verify that no unauthorized changes have occurred.
AI6.5 Change closure and documentation | Supports | ApexSQL Audit audits and reports on all SQL Server changes, keeping every aspect of a change updated in real time and viewable in reports and generated documentation.
COBIT 4.1 AI7 Install and Accredit Solutions and Changes (COSO: Control Activities, Information and Communication, Monitoring) | |
AI7.4 System and data conversion | Supports | Fully featured auditing and reporting of all user activities, including access to sensitive data, and recording of configurations and of who changed what, when and where across the entire SQL Server infrastructure.
AI7.7 Final acceptance test | Supports | Results of the testing process can be reviewed and evaluated easily via comprehensive reporting on all SQL Server infrastructure changes.
AI7.8 Promotion to production | Supports | ApexSQL Audit records all changes made to the production system and reports on them, so that the changes can be reviewed easily and checked for conformance to the implementation plan.
AI7.9 Post-implementation review | Supports | Post-implementation review is supported by the ability to audit all changes and report on whether the change management, installation and accreditation processes were performed effectively and efficiently.
COBIT 4.1 DS3 Manage Performance and Capacity (COSO: Control Activities, Monitoring) | |
DS3.5 Monitoring and reporting | Supports | The performance and capacity of IT resources are continuously monitored via ApexSQL Monitor; its reporting can be used to track performance and resource availability.
COBIT 4.1 DS4 Ensure Continuous Service (COSO: Control Activities, Information and Communication, Control Environment) | |
DS4.3 Critical IT resources | | Comprehensive auditing, alerting and reporting on any type of login/user privileges, access rights and access policies, registering all security violations. Additionally, with ApexSQL Log or ApexSQL Recover, unauthorized, malicious or accidental data and/or schema changes can be rolled back.
COBIT 4.1 DS5 Ensure Systems Security (COSO: Control Activities, Information and Communication, Monitoring) | |
DS5.3 Identity management | Supports | ApexSQL Audit audits and reports on every security privilege change and every operation on user accounts, including any unpermitted creation, deletion or alteration of users, with real-time alerting.
DS5.4 User account management | Supports | ApexSQL Audit tracks all changes to logins/user accounts and any change of privileges, and audits all activities performed by both regular and privileged users.
DS5.5 Security testing, surveillance and monitoring | Supports | Fully featured auditing and reporting on all user activities, including access to sensitive data, and recording of configurations and of who changed what, when and where across the entire SQL Server infrastructure, with real-time alerting on any SQL Server event.
COBIT 4.1 DS9 Manage the Configuration (COSO: Control Activities) | |
DS9.1 Configuration repository and baseline; DS9.2 Identification and maintenance of configuration items; DS9.3 Configuration integrity review | Supports | Centralized collection, archiving and consolidation of all audit data. ApexSQL Audit does not prevent alteration of audit data, but makes any tampering attempt fully evident and can alert on such attempts. Auditing and reporting on all configuration changes.
COBIT 4.1 DS10 Manage Problems (COSO: Control Activities, Information and Communication) | |
DS10.2 Problem tracking and resolution | Supports | ApexSQL Audit audits all SQL Server activities and reports on them precisely via custom reports, supporting the tracking, analysis and investigation of issues and pinpointing their root cause.
COBIT 4.1 DS11 Manage Data (COSO: Control Activities, Information and Communication, Monitoring) | |
DS11.2 Storage and retention arrangements | Partially supports | All backup and restore operations can be proactively audited to help ensure compliance with organizational policies, with alerting and reporting on any backup/restore operation.
DS11.5 Backup and restoration | Supports | ApexSQL Audit audits all backup and restore activity and generates a full report on it, including who, when and what, and whether each backup/restore attempt succeeded or failed. With ApexSQL Backup, regular backups of the data can be ensured.
DS11.6 Security requirements for data management | Supports | ApexSQL Audit audits all DML changes on SQL Server, with real-time alerting and reporting. Additionally, via ApexSQL Trigger, ApexSQL Log or ApexSQL Recover, ApexSQL provides full before-after data change reporting, including recovery from unintended and/or malicious data changes.
COBIT 4.1 DS13 Manage Operations (COSO: Control Activities, Information and Communication) | |
DS13.3 IT infrastructure monitoring | Supports | ApexSQL Audit continuously audits all SQL Server events in chronological order, including all changes and all configuration states across the entire SQL Server environment, allowing SQL Server operations to be reviewed, analyzed and, if needed, reconstructed.
The meaning of the assessment categories used above (Supports, Supports with exceptions, Partially supports) is explained in a separate appendix.