13. Encrypt all nonconsole administrative access.
14. Maintain instructional documentation and training programs for customers, resellers, and integrators.
The PA-DSS is a set of 14 requirements and is a subset of the PCI-DSS. The standard focuses on implementing PCI-related controls for applications including encryption, key management, logging, authentication and authorization, and password management. The PA-DSS also delves into secure coding practices in detail and quotes specific implementation requirements from the OWASP Top Ten in Requirement 5 of the standard. The application development process is also stressed in the standard with the requirements of the Secure Software Development Life Cycle, separation of development and test environments, and so on.
5.3.2.3 SOX
The Sarbanes-Oxley Act, popularly known as SOX, is one of the most important compliance requirements of publicly listed companies in the United States. It is governed by the PCAOB (Public Company Accounting Oversight Board), which is an independent oversight body for SOX. SOX arrived in the wake of several scams such as Enron and WorldCom. These incidents rocked the business world and caused a great deal of embarrassment for corporate America. All these scams had something in common: these companies had misstated their financial statements, and this deception originated in the top management of the organizations in question, including the CEOs and CFOs of some of these organizations.
SOX was the brainchild of two U.S. senators whose last names have been given to this act. Their take on this was that shareholders and the general public need to be able to reaffirm their faith in an organization's financial statements. This involved establishing accountability from the top management, as they had been intricately involved in the scams previously. SOX also provided auditors with the teeth to ensure that the organization's control environment was adequate to ensure the "true and fair" view of financial statements. SOX is primarily concerned with the integrity of the financial statements and the environment in which they are processed and created. The auditor assessing an entity for SOX needs to ensure that the environment in which financials are prepared is secure and, more importantly, an environment with controls that can be relied on to ensure the integrity of information and lastly make sure that the financials are not misstated.
While SOX seems like a standard largely focused on the accuracy of the financial statements, which has little to do with application security, it is not so. To provide a true and fair view of financial statements, the internal controls in the environment in which they are processed must also be of a certain quality for the auditor to trust the internal control. In the present day, internal control greatly revolves around information technology, as most information is initiated, processed, and stored in applications and systems, so internal controls around these applications and systems become an important consideration. Authentication mechanisms and authorization mechanisms become important to ensure that duties are segregated for the initiation and approval of financial expenditure. For instance, if through an application an individual were able to raise a request for expenditure and (self) approve the same, it would indicate a serious flaw in the internal control of the entity, caused by bad application design and management. Integrity of data is the key in SOX, and controls to ensure integrity are vital to ensure that financial information is not tampered with.
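The segregation-of-duties control described above, as an added Java example that is not code from the book. The role model (REQUESTER and APPROVER), the user and request classes, and the exception type are all assumptions made for the illustration; the point is that an approval path checks two independent things: that the caller holds the approver role at all, and that the caller is not the person who raised the request, even when one user happens to hold both roles.

```java
import java.util.Set;

public final class ExpenditureApproval {

    /** Roles assumed for this example; the text does not define a role model. */
    enum Role { REQUESTER, APPROVER }

    /** A hypothetical application user carrying a set of roles. */
    static final class User {
        final String id;
        final Set<Role> roles;
        User(String id, Set<Role> roles) { this.id = id; this.roles = roles; }
    }

    /** A hypothetical expenditure request: who raised it, and who (if anyone) approved it. */
    static final class ExpenditureRequest {
        final String requesterId;
        String approverId; // null until approved
        ExpenditureRequest(String requesterId) { this.requesterId = requesterId; }
        boolean isApproved() { return approverId != null; }
    }

    /** Raised when an approval would violate authorization or segregation of duties. */
    static final class SegregationOfDutiesException extends RuntimeException {
        SegregationOfDutiesException(String message) { super(message); }
    }

    /**
     * Approves a request on behalf of the given user. Two separate checks are made:
     *  1. authorization: the caller must hold the APPROVER role;
     *  2. segregation of duties: the caller must not be the requester, regardless of roles.
     * The second check is what closes the self-approval flaw the text describes.
     */
    static void approve(ExpenditureRequest request, User approver) {
        if (!approver.roles.contains(Role.APPROVER)) {
            throw new SegregationOfDutiesException(
                "user " + approver.id + " lacks the APPROVER role");
        }
        if (approver.id.equals(request.requesterId)) {
            throw new SegregationOfDutiesException(
                "user " + approver.id + " cannot approve a request they raised themselves");
        }
        if (request.isApproved()) {
            throw new IllegalStateException(
                "request already approved by " + request.approverId);
        }
        request.approverId = approver.id;
        // A production system would also record this decision in a tamper-evident audit log,
        // since the SOX auditor relies on that trail to establish integrity.
    }

    public static void main(String[] args) {
        // Constructed sample users: alice holds both roles, bob is only an approver.
        User alice = new User("alice", Set.of(Role.REQUESTER, Role.APPROVER));
        User bob = new User("bob", Set.of(Role.APPROVER));

        ExpenditureRequest request = new ExpenditureRequest(alice.id);

        try {
            approve(request, alice); // rejected: alice raised the request herself
        } catch (SegregationOfDutiesException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        approve(request, bob);       // accepted: a different, authorized approver
        System.out.println("approved by " + request.approverId);
    }
}
```

Note that the role check alone would have let alice approve her own request, because she legitimately holds the APPROVER role; the requester-identity comparison is a distinct control and must not be folded into the role check. Keeping the two checks separate also makes each one straightforward to evidence to an auditor.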