Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Not applicable
‎2012-06-04 11:43 AM

SOX Compliance and QV

I have been tasked with getting our business intelligence in compliance with SOX.  Does anyone know what this would consist of in terms of what I need to do? Can anyone point me in the direction of a document or something?

1,460 Views
0 Likes
1 Solution

Accepted Solutions
Oleg_Troyansky
Partner Ambassador/MVP
Partner Ambassador/MVP
‎2012-06-04 12:37 PM

Ugh... what a chore...

Basically, SOX is about demonstrating that you: a) have procedures, and b) follow them. For the most part, it's up to you what the procedures are. Some of the major points to consider:

1. Segregation of duties. Developers should be as much out of production as possible. Administrators should be the only people allowed to move applications into "production", etc...

2. Obviously, separating production, test and development environments and securing them.

3. Defining a process of maintaining user rights and access to applications. Typically, any changes to the user rights need to be authorized by the application owner.

4. Defining the Change Management process for the applications - who initiates, who approves, how to communicate it out, etc...

You can save a lot of your time if you clearly define the scope of what applications need to be compliant. If certain analytic applications are not an integral part of your business cycles, you might be able to exclude them from the compliance requirements, and save a lot of time on meaningless documentation. Since QlikView is clearly a "read only" process, it is often possible to exclude most of the applications out of the scope of compliance.

best,

Oleg

Oleg Troyansky
Call me for expert support, performance tuning, advanced training and more!

View solution in original post

833 Views
1 Reply
Oleg_Troyansky
Partner Ambassador/MVP
Partner Ambassador/MVP
‎2012-06-04 12:37 PM

Ugh... what a chore...

Basically, SOX is about demonstrating that you: a) have procedures, and b) follow them. For the most part, it's up to you what the procedures are. Some of the major points to consider:

1. Segregation of duties. Developers should be as much out of production as possible. Administrators should be the only people allowed to move applications into "production", etc...

2. Obviously, separating production, test and development environments and securing them.

3. Defining a process of maintaining user rights and access to applications. Typically, any changes to the user rights need to be authorized by the application owner.

4. Defining the Change Management process for the applications - who initiates, who approves, how to communicate it out, etc...

You can save a lot of your time if you clearly define the scope of what applications need to be compliant. If certain analytic applications are not an integral part of your business cycles, you might be able to exclude them from the compliance requirements, and save a lot of time on meaningless documentation. Since QlikView is clearly a "read only" process, it is often possible to exclude most of the applications out of the scope of compliance.

best,

Oleg

Oleg Troyansky
Call me for expert support, performance tuning, advanced training and more!
834 Views