Chris, your response on this topic is very helpful and I sincerely thank you for your time. I will definitely use this as a guide.
Kind regards,
Elvar

Chris Norman wrote:
> I think ASSP may be considered SOX compliant if you are grabbing and
> archiving the logs. SOX is something I do for a living.
>
> Sarbanes compliance is very much related to the evaluation by your
> auditor. If you have good controls and policies around anything, it can
> be used in a Sarbanes environment.
>
> For Sarbanes compliance around ASSP here are a couple of things I can
> think of that you should probably have:
> 1) A solid backup and restore procedure
>    a) Evidence that you test this periodically
>    b) A DR procedure (have a spare ready to go if the primary fails)
> 2) Good documentation that explains ASSP's role in your email
>    a) Mail flow diagrams
>    b) Explanation of your RegEx rules
> 3) A good change control procedure
>    a) Have a test platform
> 4) Documentation explaining who has access, etc.
> 5) A job that archives the ASSP log files
>
> I would probably forward all your SPAM email to a generic mailbox with
> some type of retention policy. Then, you should have a policy that that
> mailbox is reviewed on a recurring basis to see if there are false
> positives, etc.
>
> One area that may be a snag is that there is only one "admin" login to
> ASSP. However, it logs the IP from where the admin logged in from. So
> you would need mitigating controls (a firewall, ACLs on your router, or
> a host-based IDS like Black Ice) restricting where someone could log in
> from. For compliance, ASSP really needs separate logins for each admin.
> LDAP / Active Directory authentication would be a huge plus.
>
> Part of the recurring procedures should include a review of the logs.
> Maybe search for admin logins and tie those back to the IP and who was
> logged in at the time.
>
> Remember to have a policy that produces evidence that these reviews are
> occurring. Perhaps screen shots tied to a ticket in your helpdesk system.
>
> But again, compliance depends on your auditor and whether they will
> accept the software's roles and the controls around its use.
>
> Regardless of what you do, you should produce the evidence that you're
> following procedures. Think about how to reproduce the evidence in your
> audit and document that as well. That way, you don't have to go back to
> square one and try and remember how to show who the admins are that
> logged in and why.
>
> Ultimately, talk to your auditor after you've done your best effort to
> implement the necessary controls around ASSP.
>
> Hope this helps,
> Chris
>
> Pascal Dreissen wrote:
>> I am not sure, but is there ANY open source initiative SOx compliant?
>>
>> Since the processes they are describing aren't easy to do in open source
>> projects if you ask me!
>> --
>> Kind regards / Best regards,
>>
>> Pascal Dreissen
>>
>> Quoting Elvar <[EMAIL PROTECTED]>:
>>
>>> Can anyone tell me if ASSP is Sarbanes-Oxley compliant? I heard schools
>>> will be forced to use a spam filter that conforms to that and I have
>>> ASSP running at some schools I do work for.
>>>
>>> Thanks,
>>> Elvar
>>>
>>> -------------------------------------------------------------------------
>>> Take Surveys. Earn Cash. Influence the Future of IT
>>> Join SourceForge.net's Techsay panel and you'll get the chance to share your
>>> opinions on IT & business topics through brief surveys - and earn cash
>>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>>> _______________________________________________
>>> Assp-user mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/assp-user
