The Sarbanes-Oxley Act of 2002 is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals. The Act is commonly called "SOX".
S4 SOX Compliance

Without security, there can be no compliance. Security provides the necessary checks and balances to effectively implement compliance programs such as SOX.

The two most important sections for information security and compliance in SOX are sections 302 and 404. COBIT is used by many companies as a framework supporting IT-specific efforts towards complying with SOX sections 302 and 404. However, certain aspects of COBIT are outside the boundaries of SOX regulation. COBIT currently delineates five domains and thirty-seven processes, which are further specified into practices. This report covers S4's applicability to, and support for, SOX compliance, and focuses on the COBIT practices and activities pertinent to that goal.

S4, SOX, and the COBIT Framework

Conduct periodic reviews to ensure that contractors' roles and access rights are appropriate and in line with agreements.

S4 identifies authorization bypass vulnerabilities, which is an effective way to audit access rights.
In the specific case of acquisition of infrastructure, facilities and related services, include and enforce the rights and obligations of all parties in the contractual terms. These rights and obligations may include service levels, maintenance procedures, access controls, security, performance review, basis for payment and arbitration procedures. (APO10.02)

S4 identifies third-party integrations to Salesforce, thus providing an effective way to audit data access and the associated security controls.
Capture information on IT risk events that have materialized, for inclusion in the IT risk profile of the enterprise. (APO12.03)

S4 identifies risks associated with custom development, and its output can be captured in a risk register.
Undertake regular reviews of the effectiveness of the ISMS (information security management system), including meeting ISMS policy and objectives, and review of security practices. Take into account results of security audits, incidents, results from effectiveness measurements, suggestions and feedback from all interested

S4 is a full-spectrum application security platform that should be used on a regular basis to review the effectiveness of the ISMS.