Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
I have been tasked with getting our business intelligence in compliance with SOX. Does anyone know what this would consist of in terms of what I need to do? Can anyone point me in the direction of a document or something?
Ugh... what a chore...
Basically, SOX is about demonstrating that you: a) have procedures, and b) follow them. For the most part, it's up to you what the procedures are. Some of the major points to consider:
1. Segregation of duties. Developers should be as much out of production as possible. Administrators should be the only people allowed to move applications into "production", etc...
2. Obviously, separating production, test and development environments and securing them.
3. Defining a process of maintaining user rights and access to applications. Typically, any changes to the user rights need to be authorized by the application owner.
4. Defining the Change Management process for the applications - who initiates, who approves, how to communicate it out, etc...
You can save a lot of your time if you clearly define the scope of what applications need to be compliant. If certain analytic applications are not an integral part of your business cycles, you might be able to exclude them from the compliance requirements, and save a lot of time on meaningless documentation. Since QlikView is clearly a "read only" process, it is often possible to exclude most of the applications out of the scope of compliance.
best,
Oleg
Ugh... what a chore...
Basically, SOX is about demonstrating that you: a) have procedures, and b) follow them. For the most part, it's up to you what the procedures are. Some of the major points to consider:
1. Segregation of duties. Developers should be as much out of production as possible. Administrators should be the only people allowed to move applications into "production", etc...
2. Obviously, separating production, test and development environments and securing them.
3. Defining a process of maintaining user rights and access to applications. Typically, any changes to the user rights need to be authorized by the application owner.
4. Defining the Change Management process for the applications - who initiates, who approves, how to communicate it out, etc...
You can save a lot of your time if you clearly define the scope of what applications need to be compliant. If certain analytic applications are not an integral part of your business cycles, you might be able to exclude them from the compliance requirements, and save a lot of time on meaningless documentation. Since QlikView is clearly a "read only" process, it is often possible to exclude most of the applications out of the scope of compliance.
best,
Oleg