
COBIT Control Objectives

The best way to understand how Tango/04 solutions specifically address SOX issues is through the COBIT control objectives that have been identified by the Information Systems Audit and Control Association (ISACA) as relevant to SOX.

The following is a list of the SOX-relevant COBIT control objectives that Tango/04 software addresses, and which therefore move you towards SOX compliance.

Below each COBIT control objective, there is a description of how Tango/04 software helps achieve the control objective.

This list is not exhaustive: there are further COBIT control objectives that are relevant to SOX and are not included. For a complete list of the COBIT controls, visit www.isaca.org/cobit.

It is likely that your organization is not strictly following COBIT or any other governance framework. This documentation is still relevant to you, though: the COBIT control objectives are very generic and can easily be interpreted in the context of any compliance project.


AI3 Maintain Technology Infrastructure

AI3.7 Use and monitoring of Systems Utilities

Policies and techniques should be implemented for using, monitoring and evaluating the use of system utilities. Responsibilities for using sensitive software utilities should be clearly defined and understood by developers, and the use of the utilities should be monitored and logged.

Tango/04: Use of specific programs or system service tools can be monitored and logged using Tango/04 software. Any violation of security policy produces an instant alert. Audit reports reveal usage patterns.


DS5 Ensure Systems Security

DS5.1 Manage Security Measures

IT security should be managed such that security measures are in line with business requirements. This includes:

  • Translating risk assessment information to the IT security plans
  • Implementing the IT security plan
  • Updating the IT security plan to reflect changes in the IT configuration
  • Assessing the impact of change requests on IT security
  • Monitoring the implementation of the IT security plan
  • Aligning IT security procedures to other policies and procedures

Tango/04: Periodic security audit reports reveal data access risks, and help ongoing monitoring of the security plan. The use of Business Views within Tango/04 software aligns security auditing to specific business processes.


DS5.2 Identification, Authentication and Access

The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes).

Tango/04: Procedures to keep authentication and access mechanisms effective include ongoing reporting of user profile creation, changes, and management of passwords. Reports from Tango/04 software provide this information to security officers.


DS5.5 Management Review of User Accounts

Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be made to help reduce the risk of errors, fraud, misuse or unauthorized alteration.

Tango/04: User profile monitoring and reporting allows easy tracking of access rights for all iSeries system users.


DS5.7 Security Surveillance

IT security administration should ensure that security activity is logged and any indication of imminent security violation is reported immediately to all who may be concerned, internally and externally, and is acted upon in a timely manner.

Tango/04: The real-time auditing functionality provides instant alerts and actions to prevent iSeries security violations.


DS5.11 Incident Handling

Management should establish a computer security incident handling capability to address security incidents by providing a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and timely response to security incidents.

Tango/04: The central console provides a consolidated view of all systems and logical partitions, allowing incidents to be handled instantly via alerts, escalation, etc.


DS13 Manage Operations

DS13.3 Job Scheduling

IT management should ensure that the continuous scheduling of jobs, processes and tasks is organized into the most efficient sequence, maximizing throughput and utilization, to meet the objectives set in service level agreements. The initial schedules as well as changes to these schedules should be appropriately authorized.

Tango/04: Tango/04 software automatically tunes iSeries job priorities to ensure maximum system throughput. A log of all system resource usage is kept for SLA reporting.


DS13.4 Departures from Standard Job Schedules

Procedures should be in place to identify, investigate and approve departures from standard job schedules.

Tango/04: System monitoring identifies any departures from standard job schedules, alerting system operators for investigation.


DS13.6 Operations Logs

Management controls should guarantee that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of processing and the other activities surrounding or supporting processing.

Tango/04: System monitoring captures all job start and finish information on the iSeries (QHST) for operations logging. Tango/04 Data Monitor for iSeries provides record-level audit trail capabilities.


M2 Monitoring

M2.1 Internal Control Monitoring

Management should monitor the effectiveness of internal controls in the normal course of operations through management and supervisory activities, comparisons, reconciliations and other routine actions. Deviations should evoke analysis and corrective action. In addition, deviations should be communicated to the individual responsible for the function and also at least one level of management above that individual. Serious deviations should be reported to senior management.

Tango/04: Any potential security control violation is identified and can be analyzed through audit reports or even instant alerts.


M2.2 Timely Operation of Internal Controls

Reliance on internal controls requires that controls operate promptly to highlight errors and inconsistencies, and that these are corrected before they impact production and delivery. Information regarding errors, inconsistencies and exceptions should be kept and systematically reported to management.

Tango/04: Any potential security control violation is identified and can be analyzed through audit reports or even instant alerts. In particular, the alerting capabilities ensure that any security issue is identified before serious damage can occur.


M2.4 Operational Security and Internal Control

Operational security and internal control assurance should be established and periodically repeated, with self-assessment or independent audit to examine whether or not the security and internal controls are operating according to the stated or implied security and internal control requirements. Ongoing monitoring activities by management should look for vulnerabilities and security problems.

Tango/04: Any potential security control violation is identified and can be analyzed through audit reports or even instant alerts. Security audit reports can also be provided to external auditors.

© 2008 Tango/04 Computing Group