Sarbanes-Oxley

Simplify documentation management and reporting

Public companies subject to Sarbanes-Oxley (SOX) legislation must document internal controls over financial reporting (ICFRs) for their key financial reporting systems. These controls generally include regular backup of data within key systems and validation of the backup processes. While every company defines the exact structure of its own ICFRs, certain expectations are common across companies.

Rocket Servergraph for SOX compliance

Rocket® Servergraph Professional has robust security controls and backup management capabilities that enable a company to comply with SOX requirements for its key financial reporting systems.

Relevant criteria and capabilities

SOX control example: Administrative system access is restricted to appropriate personnel.
Rocket Servergraph Professional capabilities:
- System administration is performed through the separate administration client, with access restricted to designated administrative users.
- Servergraph is agentless and only requires a read-only service account to operate, preventing unintentional or unauthorized modification of network systems and data.

SOX control example: Users attempting to access the system are authenticated during login.
Rocket Servergraph Professional capabilities:
- Servergraph supports unique user IDs for all individuals accessing the system, and uses LDAP integration with Active Directory credentials. Passwords are required for all users attempting to log into the system. Local credentials are stored in encrypted hash format.
- Detailed, customizable permissions can be configured for each user to support the rule of least privilege and segregation of duties.

SOX control example: Daily incremental backups and weekly full backups of all financial reporting applications are performed.
Rocket Servergraph Professional capabilities:
- Servergraph collects information from backup software, hardware, and processes in your environment to document that all data backups are operating in accordance with your organizational policies.
- Traps, reports, and alerts are customizable to capture relevant information for all of your backup control requirements.
- Backup collection logs and reports are retained within Servergraph for a fully configurable duration to maintain historical evidence.

SOX control example: Management validates that backups are completed successfully and investigates errors.
Rocket Servergraph Professional capabilities:
- Reports and alerts can be automatically distributed to any individuals, supporting segregation of duties and facilitating review and monitoring processes.

SOX control example: Backup systems are monitored to ensure availability for business continuity / disaster recovery capabilities.
Rocket Servergraph Professional capabilities:
- The Server Monitor feature shows real-time statistics and alerts for backup systems, such as storage utilization and disk capacity.

Rocket Aldon Lifecycle Manager for SOX Compliance

Rocket® Aldon Lifecycle Manager (LM) has robust security controls available to enable a company to design and implement controls to comply with SOX requirements.

Relevant criteria and capabilities

SOX control example: Access additions and modifications to the system are approved by an individual with appropriate authority.
Rocket Aldon Lifecycle Manager capabilities:
- The Rocket® Aldon Community Manager (CM) module supports automated, system-driven workflows that may include access request, authorization, and provisioning processes.
- Workflows can be assigned to Security Server administrators for LM, as well as administrators for any other system in use at an organization.

SOX control example: Access for terminated employees is removed on a timely basis.
Rocket Aldon Lifecycle Manager capabilities:
- The CM module can also support workflows for termination and offboarding processes that include the removal of system access that is no longer needed.
- Workflows can be assigned to Security Server administrators for LM, as well as administrators for any other system in use at an organization.

SOX control example: Administrative system access is restricted to appropriate personnel.
Rocket Aldon Lifecycle Manager capabilities:
- System administration is performed through the separate Security Server module, with access restricted to designated administrative users.
- Reports are available showing all users with their associated access capabilities.

SOX control example: Users attempting to access the system are authenticated during login.
Rocket Aldon Lifecycle Manager capabilities:
- LM and its associated modules (Lifecycle Manager IBM i Edition (LMi), Lifecycle Manager Enterprise Edition (LMe), CM, and Security Server) support unique user IDs for all individuals accessing the systems.
- Passwords are required for users to access each system. LMi also supports integration with IBM i user credentials, and CM supports LDAP integration with Active Directory credentials.

SOX control example: User accounts and their associated access rights within the system are validated by an independent reviewer on a periodic basis.
Rocket Aldon Lifecycle Manager capabilities:
- Reports are available showing all users with their associated access capabilities.

SOX control example: Changes to user accounts, access rights, or system parameters are reviewed by an independent reviewer on a periodic basis.
Rocket Aldon Lifecycle Manager capabilities:
- Reports are available showing all administrative activity performed within the system, including the modification of user access and roles.

SOX control example: System changes or development activities must be requested and approved by an individual with appropriate authority.
Rocket Aldon Lifecycle Manager capabilities:
- CM supports workflows for changes and development activities such as requests, approvals, testing, acceptance, and any other stages required by an organization's policies.

SOX control example: Changes to code are reviewed by an independent reviewer prior to being approved or promoted.
Rocket Aldon Lifecycle Manager capabilities:
- Rights for individual users to access, modify, or approve code can be assigned for specific projects, release versions, and environments. Developers can be restricted from making changes to software in testing or production. The ability to migrate between development, test, and production environments can also be restricted to appropriately segregated users.
- Changes made to code are highlighted by the Harmonizer module, which supports formal, independent reviews of code changes before promotion to ensure that changes are in accordance with an approved work order.

SOX control example: All changes are tested and approved prior to being introduced to the production environment.
Rocket Aldon Lifecycle Manager capabilities:
- LM supports multiple development environments that are customizable by the organization, such as development, test, staging, and production.
- Emergency changes can be allowed, but this requires approval of a retroactive merge to the development environment.

SOX control example: Changes introduced to the production environment are monitored and reviewed to ensure that no unauthorized changes are made.
Rocket Aldon Lifecycle Manager capabilities:
- The Harmonizer module highlights changes to code, supporting formal, independent reviews of code changes before promotion to ensure that changes are in accordance with an approved work order.
- All actions within LM and its associated modules, including code changes and promotions, are fully logged and reportable.