S4 SOX Compliance

The Sarbanes-Oxley Act of 2002, is a United States federal law enacted on July 30, 2002 in response to many major corporate and

accounting scandals. The Act is commonly called “SOX”.

S4 SOX Compliance

Without security, there can be no compliance. Security

provides the necessary checks and balances to eﬀectively

implement compliance programs such as SOX.

Conduct periodic reviews to ensure that contractors’ roles and

access rights are appropriate and in line with agreements.

(APO07.06)

COBIT ACTIVITY

S4 CAPABILITY

Background

The two most important sections for information security and compliance in SOX are sections 302 and 404. COBIT is used by many

companies as a framework supporting IT speciﬁc eﬀorts towards complying with SOX sections 302 and 404. However, there are certain

aspects of COBIT that are outside the boundaries of SOX regulation. COBIT currently delineates ﬁve domains and thirty-seven processes.

These processes are then further speciﬁed into practices. In this report of S4’s applicability and support towards SOX compliance, we

focus on the practices and activities pertinent to that.

S4, SOX, and the COBIT Framework

S4 identiﬁes authorization bypass vulnerabilities

which is an eﬀective way to audit access rights.

In the speciﬁc case of acquisition of infrastructure, facilities and

related services, include and enforce the rights and obligations

of all parties in the contractual terms. These rights and

obligations may include service levels, maintenance

procedures, access controls, security, performance review,

basis for payment and arbitration procedures. (APO10.02)

S4 identiﬁes third-party integrations to Salesforce

thus providing an eﬀective way to audit data access

and the associated security controls.

Capture information on IT risk events that have materialized, for

inclusion in the IT risk proﬁle of the enterprise. (APO12.03)

S4 identiﬁes risk associated with custom

development and the output from S4 can be

captured in a risk register.

Undertake regular reviews of the eﬀectiveness of the ISMS (info

security mgmt system) including meeting ISMS policy and

objectives, and review of security practices. Take into account

results of security audits, incidents, results from eﬀectiveness

measurements, suggestions and feedback from all interested

parties. (APO13.03)

S4 is a full-spectrum application security platform

which should be used on a regular basis to review the

eﬀectiveness of ISMS.

Conduct internal ISMS audits at planned intervals. (APO13.03)

COBIT ACTIVITY

S4 CAPABILITY

S4 goes beyond regular intervals and is able to identify

vulnerabilities on an on-going basis.

Maintain user access rights in accordance with business

function and process requirements. Align the management of

identities and access rights to the deﬁned roles and

responsibilities, based on least-privilege, need-to-have and

need-to-know principles. (DSS05.04)

S4 identiﬁes ineﬀective access control management

settings that can lead to data breaches.

Administer all changes to access rights (creation, modiﬁcations

and deletions) to take eﬀect at the appropriate time based only

on approved and documented transactions authorized by

designated management individuals. (DSS05.04)

S4 enables continuous review of every change related

to conﬁgurations or code associated with a

Salesforce environment.

Identify and implement processes, tools and techniques to

reasonably verify compliance. (DSS06.06)

S4 identiﬁes security vulnerabilities that directly

impact SOX compliance.

Identify the boundaries of the IT internal control system (e.g.,

consider how organizational IT internal controls take into

account outsourced and/or oﬀshore development or production

activities). (MEA02.01)

S4 identiﬁes security vulnerabilities introduced by

third-party outsourced development. This includes risk

associated with third-party components installed or

downloaded from AppExchange.

Monitor and report on non-compliance issues and, where

necessary, investigate the root cause. (MEA03.04)

S4 is a full-spectrum application security platform

which should be used on a regular basis to review the

non-compliance issues and help investigate root causes

for vulnerabilities.

www.digitsec.com | info@digitsec.com | +1.206.659.9521

DigitSec, Inc. -  st Ave S, Suite B, Seattle, WA 8, USA

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Sign up to get updates and security insights from DigitSec