I think ASSP may be considered SOX compliant if you are grabbing and 
archiving the logs.  SOX is something I do for a living.

Sarbanes compliance is very much related to the evaluation by your 
auditor. If you have good controls and policies around anything, it can 
be used in a Sarbanes environment.

For Sarbanes compliance around ASSP here are a couple of things I can 
think of that you should probably have:
1) A solid backup and restore procedure
    a) Evidence that you test this periodically
    b) a DR procedure (have a spare ready to go if the primary fails)
2) Good documentation that explains ASSP's role in your email
    a) Mail flow diagrams
    b) Explanation of your RegEx rules
3) A good change control procedure
    a) Have a test platform
4) Documentation explaining who has access, etc.
5) A job that archives the ASSP log files

I would probably forward all your SPAM email to a generic mailbox with 
some type of retention policy.  Then, you should have a policy that that 
mailbox is reviewed on a recurring basis to see if there are false 
positives, etc.

One area that may be a snag is that there is only one "admin" login to 
ASSP.  However, it logs the IP the admin logged in from. So 
you would need mitigating controls (a firewall, ACLs on your router, or 
a host based IDS like Black Ice) restricting where someone could log in 
from.  For compliance, ASSP really needs separate logins for each admin. 
LDAP / Active Directory authentication would be a huge plus.

Part of the recurring procedures should include a review of the logs. 
Maybe search for admin logins and tie those back to the IP and who was 
logged in at the time.

Remember to have a policy that produces evidence that these reviews are 
occurring.  Perhaps screen shots tied to a ticket in your helpdesk system.

But again, compliance depends on your auditor and whether they will 
accept the software's roles and the controls around its use.

Regardless of what you do, you should produce the evidence that you're 
following procedures. Think about how to reproduce the evidence in your 
audit and document that as well. That way, you don't have to go back to 
square one and try and remember how to show who the admins are that 
logged in and why.

Ultimately, talk to your auditor after you've done your best effort to 
implement the necessary controls around ASSP.

Hope this helps,
Chris
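The recurring log review described above (search the archived ASSP log for admin logins, tie each one back to its source IP, and check it against the mitigating control that restricts where an admin may log in from), as an added example that is not part of the original thread or ASSP's own code. The admin-login log line layout, the permitted network and the sample log lines are assumptions constructed for illustration; the report also carries a SHA-256 digest of the reviewed log so the review can be attached to a helpdesk ticket as evidence.

```python
"""Recurring review of ASSP admin logins (added example, not ASSP's own code).
The log line layout, permitted networks and sample lines are constructed
assumptions; adjust LOGIN_RE and ALLOWED_ADMIN_NETS to your install and ACLs."""
import hashlib
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real ASSP output).
SAMPLE_LOG = """\
Mar-14-07 09:01:12 [Admin] admin login from 192.168.10.5
Mar-14-07 09:45:03 [Admin] admin login from 192.168.10.7
Mar-14-07 22:13:55 [Admin] admin login from 203.0.113.9
Mar-15-07 08:02:41 [Admin] admin login from 192.168.10.5
Mar-15-07 08:10:00 SMTP connection from 198.51.100.4
"""
# Mitigating control: networks the single admin login may be used from
# (assumed values; mirror what your firewall / router ACLs actually enforce).
ALLOWED_ADMIN_NETS = [ip_network("192.168.10.0/24")]
# Assumed line layout: "<date> <time> [Admin] admin login from <ip>".
LOGIN_RE = re.compile(r"^(?P<ts>\S+ \S+) \[Admin\] admin login from (?P<ip>\S+)$")

def parse_admin_logins(log_text):
    """Return (timestamp, source_ip) for every admin login line in the log."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append((m.group("ts"), m.group("ip")))
    return logins

def review_admin_logins(log_text, allowed_nets=ALLOWED_ADMIN_NETS):
    """Tie each login to its IP and flag logins from outside the permitted nets."""
    logins = parse_admin_logins(log_text)
    flagged = [(ts, ip) for ts, ip in logins
               if not any(ip_address(ip) in net for net in allowed_nets)]
    return {"total": len(logins),
            "by_ip": dict(Counter(ip for _, ip in logins)),
            "flagged": flagged,
            # Digest of the reviewed log: record it in the review ticket as evidence
            "log_sha256": hashlib.sha256(log_text.encode()).hexdigest()}

if __name__ == "__main__":
    report = review_admin_logins(SAMPLE_LOG)
    print(f"{report['total']} admin logins by IP: {report['by_ip']}")
    for ts, ip in report["flagged"]:
        print(f"REVIEW: admin login from non-permitted address {ip} at {ts}")
    print(f"reviewed log sha256: {report['log_sha256']}")
```

On the constructed sample the review flags the single login from 203.0.113.9, which falls outside the permitted network; a real run would read the archived log file instead of SAMPLE_LOG.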



Pascal Dreissen wrote:
>
> I am not sure but is there ANY open source initiative SOx compliant?
>
> Since the processes they are describing aren't easy to do in open source 
> projects if you ask me!
> -- 
> Best regards,
>
> Pascal Dreissen
>
>
> Quoting Elvar <[EMAIL PROTECTED]>:
>
> > Can anyone tell me if ASSP is Sarbanes-Oxley compliant? I heard schools
> > will be forced to use a spam filter that conforms to that and I have
> > ASSP running at some schools I do work for.
> >
> >
> >
> > Thanks,
> > Elvar
> >
> >
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys - and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > Assp-user mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/assp-user
> >
>

