
CFENGINE NOVA AND SOX-404

Assessment of internal control

The purpose of Sarbanes-Oxley (SOX) is to ensure that organizational data (financial data in particular) is properly handled. The responsibility for this rests with management, who face severe penalties if their organization doesn't comply with the act. External auditors conduct SOX audits to verify compliance.

It is management that defines the appropriate processes and controls to ensure compliance. Best practice is to base these processes on a suitable framework, like

Independent of the framework chosen, Cfengine can help automate the IT controls defined under SOX section 404, which deals with internal control over financial reporting (ICFR).

Cfengine and SOX-404

Cfengine offers server life-cycle automation, from building new machines according to pre-defined policies, through deployment and management of applications, to the final monitoring and reporting of overall status. To learn more about the BDMA model (Build, Deploy, Manage, Audit), please click here or download the Special Topic Handbook on the BDMA model here (requires login).

There are two broad areas in particular where Cfengine can contribute to your organization's SOX process:

  • Security and change management

Change management is important to ensure a proper process around system changes and to detect unauthorized changes. Security must not be compromised, and if it is, the compromise must immediately be reported and the system restored. To see how Cfengine handles change management, please read our special topic handbook (login required). In our PCI-DSS and ISO 27000 compliance section, we present several ideas on how to use Cfengine to enhance security.

  • Testing of Controls, Monitoring and Communication

SOX is intended to be a top-down process, in which management defines processes to ensure there are sufficient controls to prevent fraud, misuse, and/or loss of financial data and transactions. These processes must be controlled and tested frequently (internally and by auditors), and reported on. Test results and any deficiencies found must be reported to defined stakeholders.

By designing the applicable processes as promises, and involving the appropriate stakeholders in those promises, most of these requirements can be taken care of automatically by Cfengine. Through the Knowledge Map, Cfengine can report on tests, it can monitor all kinds of activities, and any stakeholder that needs to be updated can be informed through their preferred channel (email, online reports, SMS). To see how the Knowledge Map can support testing, monitoring and communication, please see our general introduction video to the Knowledge Map.