Sarbanes-Oxley Compliance: Meeting Regulatory Requirements on IBM Servers

Welcome to Bytware's Sarbanes-Oxley information section, a collection SOX resources.


What is Sarbanes-Oxley?

In response to the corporate accounting scandals that started the new century, the US Congress passed legislation in 2002 aimed at holding executives accountable for the practices of their companies. Intended to put an end to accounting fraud, the Public Company Accounting Reform and Investment Act—better known as Sarbanes-Oxley (SOX)—establishes a long series of guidelines and regulations that publicly-traded companies must comply with. Some actions that must be taken fall under the responsibility of IT departments, while many others deal more with corporate atmosphere in general and have little to do with technology.


Deadlines for compliance with the Act have been extended from their original dates. The new dates are November 15, 2004, for publicly-traded companies with a $75 million+ cap, and June 15, 2005, for publicly-traded companies with a cap below $75 million. Private companies are not required to comply with Sarbanes-Oxley.


Can software mend all my woes?

Since creating the atmosphere for compliance involves a lot of cultural and operational issues that are not related to technology, there really is no "one-click" software solution that will make you "SOX-compliant." For matters that do pertain to IT, the basic tools that you need are already built into your iSeries. Third-party solutions can, however, enhance those built-in tools and help you improve your system of compliance in many ways. For more information on built-in tools and on specific objectives that Bytware solutions can help with, please download our free white paper "The Challenges—and Myths—of Sarbanes-Oxley Compliance."


How about a roadmap?

Sarbanes-Oxley is lengthy and complex. The language can be difficult to decipher. What you really need is a roadmap. Fortunately there are some resources that can help set you down the right path and guide you in setting up policies and procedures. Many companies are looking toward a set of guidelines from 1992 called “The Control Objectives for Information and Related Technology”, better known simply as COBIT, to help them create a plan. Our StandGuard and Messenger solutions—including StandGuard Anti-Virus—can help you meet the requirements outlined by these objectives. In our white paper, you'll find a list of the specific COBIT objectives that apply and information on how we can assist.


What is COBIT Objective DS5.19?

DS5.19 is a COBIT Objective that specifies steps to be taken in order to protect corporate systems from virus threats:

DS5.19: Malicious Software Prevention, Detection and Correction


“Regarding malicious software, such as computer viruses or Trojan horses, management should establish a framework of adequate preventative, detective, and corrective control measures, and occurrence response and reporting. Business and IT management should ensure that procedures are established across the organization to protect information systems and technology from computer viruses. Procedures should incorporate virus protection, detection, occurrence response, and reporting."


Does this mean that I need native anti-virus software on IBM i, AIX, and Linux?

Yes. To comply with COBIT Objective DS5.19—and in turn this aspect of Sarbanes-Oxley—publicly-traded companies should ensure that they have implemented measures throughout the organization, including on IBM servers (Power Systems, System i and System p) UNIX and AIX servers, Linux servers, and Windows PCs. Failure to cover all of these bases could lead to possible liability for violations of the Act.


Native anti-virus is easy. StandGuard Anti-Virus from Bytware is the only anti-virus product available designed to meet the requirements on System i.