A question about Sarbanes-Oxley laws and server/tape backups...

Can someone enlighten me a bit about what the SOX laws say about server backups?

I have some specific questions...

- Do the backups have to be on tape? Or can they be saved to any reliable media/system?

- What's said about offsite storage? I'm assuming the same reliability/safety issues still apply?

- What about retention? Do the laws specify a length of time that the backups should be saved?

~Thanks.
 
The recommendations note you should specify a retention period for electronic records but does not specifically note a time period. Clear as mud.
 
spinjector said:
Can someone enlighten me a bit about what the SOX laws say about server backups?

As an old IT and IT auditor person, let me add a few comments:

SOX applies only to Public companies although Private companies should follow the same data handling procedures to protect their interests.

You don't say which servers you are backing up so I assume your question to refer to servers that process business transactions or are involved with business applications (typically financial but also may include HR, inventory etc.).

If you are a Public company you undoubtedly are required to be audited periodically. The Auditors should have made recommendations if there are issues in this area. If your financial Auditors are not including IT business practices within their audit scope you should have an experienced IT Auditor review your IT processes.

spinjector said:
I have some specific questions...

- Do the backups have to be on tape? Or can they be saved to any reliable media/system?

Data retention requirements should be driving this issue. Use a storage medium which will satisfy the retention period for the data type to be archived. Ensure the backup process is such that the data can actually be retrieved (and test this periodically) should the backup software change over time.

Magnetic tape is usually the storage media of choice due to its low cost, long life and ability to store large amounts of data, but other media will work depending upon its anticipated life span. Whatever media you choose, it should be of the highest quality.

spinjector said:
- What's said about offsite storage? I'm assuming the same reliability/safety issues still apply?

Regardless of type all backup media should be stored in an appropriate facility (temp and humidity controlled and fireproof) AND physically removed from the prime data source. No single catastrophe should be able to destroy both the original and backup copies. It goes without saying that security for the backup data should be at least as secure as for the original.

spinjector said:
- What about retention? Do the laws specify a length of time that the backups should be saved?

That depends upon the legal requirement of the data itself and usually follows IRS and/or audit guidelines. For most business data I would think a minimum of three years is sufficient but retention periods for certain types of data may be longer. Consult your auditor for specific recommendations.
 
It is great to ask here what other people are doing, but in the end, these are questions your C-E-O has to ask his/her accounting firm and legal counsel. After the Enron debacle and other end-of-the-dot-com failures where corporate officers tried to claim they had no idea what was going on, Congress passed S-O-X, which required responsible parties to sign off that they had personal knowledge that nothing in their company records was in conflict with truth and reality. (Yes, this affects publicly held companies directly. If I am running a publicly held company, I may be demanding that the officers of my vendors and service providers give me the same kind of assurance that none of their people have secret deals with any of MY people.)

Here is where it got interesting. When this started out it seemed like the C-E-O and the president and the treasurer needed to sign such assurances. I was working for a public stock company when all this was put into place. Before it was over, the run-of-the-mill computer tech who had access to password control systems and the ability to back up and restore files was having to sign the same kind of affidavit as the C-E-O.

I had a low-level, end-of-career, space-filler type of job at that time. My job description had some duties that were almost embarrassing, they were so entry level. But what I did for my department that was nowhere in writing was to serve as their "forensic data miner". When my bosses wanted information that was not available to them, and all they could get from I.T. was a tease that maybe such information could be included in a new report 3 or 4 years from now, I would run three or four standard printed reports that were authorized and available, stuff them electronically into my PC, and do my magic. Through the magic of relational databases, I would organize information that was not produced or sanctioned by the I.T. people, who had a policy that every official, sanctioned data report MUST have the Sarbanes-Oxley language as approved by corporate counsel and outside auditors. My reports had no official headers, no official footers, no SOX language. They were simply sheets of data that a sales vice president might accidentally show his favorite customer.

I was not well liked by the I.T. Department. But they humored me and tolerated me because I kept the sales vice-president out of the C-E-O's office with complaints about the I.T. department being incompetent.

All of that to say: we in this forum cannot give you the golden, magic answer to your question. We CAN give you some hints on the questions you need to ask, and hints on who may be able to answer your questions.
 
spinjector said:
Can someone enlighten me a bit about what the SOX laws say about server backups?

I have some specific questions...

- Do the backups have to be on tape? Or can they be saved to any reliable media/system?

- What's said about offsite storage? I'm assuming the same reliability/safety issues still apply?

- What about retention? Do the laws specify a length of time that the backups should be saved?

~Thanks.

The bottom line is this: If Sarbanes-Oxley is a concern for you, you are part of a large corporation. That corporation is already telling you what to do to comply with Sarbanes-Oxley.

If that's not happening, don't worry about it.
 
Remember, as someone said, SOX only requires that some assurances are available, and leaves to the individual company what actions are to be used to accomplish these assurances. Thus, much of what you find yourself wading through was generated by your legal and IT departments, hopefully in cahoots. Or, if you're unlucky and they're lazy, jobbed from some other company.

This can result in the 'bit you in the ass' syndrome when it's overdone. SOX merely wants 'data security'. This has been gerrymandered into some rather Draconian requirements for passwords. It is not uncommon - in fact, it's downright common - to find that the 'eight to fifteen digit with three capitals and two non-alpha characters, not in any dictionary and changed every 90 days' passwords required by some companies result in such an unmemorizable string of characters that the user simply writes them on the border of the monitor, or on a Post-It <tm> thereto attached. Super secure, that is.
 
Thanks everyone. The security & reliability part is a no-brainer, but I wasn't sure about the retention period. At least now I know what questions to ask of which people.
 