Insufficient data from Andrew Fryer

The place where I page to when my brain is full up of stuff about the Microsoft platform

SQL Server SOX Compliance


At the SQL Server community evening last week I was asked whether SQL Server is, or is going to be, SOX compliant. Some of you are probably thinking that we were discussing baseball, so I should explain that Sarbanes-Oxley (SOX) is a piece of financial compliance legislation introduced in the US following the Enron and WorldCom scandals.

SOX has no specific requirements regarding audit. Interpreting SOX and applying it to the processes and people in a particular business typically results in the need to put access controls in place and to demonstrate who can access what, and what access has been exercised. The existing audit capabilities in SQL Server 2005 are fully capable of supporting such usage.

Of course, things get easier in SQL Server 2008, as there is a much more sophisticated audit capability to track changes to permissions and policies. Change data capture can be enabled to record changes to key tables. Finally, it is very easy to develop Reporting Services reports on top of these to provide whatever the auditors and regulatory bodies need.
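
The SQL Server 2008 pieces described above, wired together as an added example (not code from the original post): an audit that records permission and role changes, change data capture on one key table, and a query a Reporting Services report could sit on. The names `SOX_Audit`, `SOX_Server_Spec`, `SOX_Db_Spec`, `Finance`, `dbo.GeneralLedger`, `cdc_reader` and the path `C:\SqlAudit\` are assumptions chosen for illustration.

```sql
-- Added example; all object names and the file path are hypothetical.
USE master;
GO
-- 1. Audit target: where audit records are written.
CREATE SERVER AUDIT SOX_Audit
    TO FILE (FILEPATH = 'C:\SqlAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- 2. Server-level events: who changed logins, server roles, server
--    permissions, or the audit configuration itself.
CREATE SERVER AUDIT SPECIFICATION SOX_Server_Spec
    FOR SERVER AUDIT SOX_Audit
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT SOX_Audit WITH (STATE = ON);
GO
USE Finance;
GO
-- 3. Database-level events: permission and role changes, plus every
--    read or write of the key table ("what access has been exercised").
CREATE DATABASE AUDIT SPECIFICATION SOX_Db_Spec
    FOR SERVER AUDIT SOX_Audit
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.GeneralLedger BY public)
    WITH (STATE = ON);
GO
-- 4. Change data capture: keep the before/after row values for the key table.
EXEC sys.sp_cdc_enable_db;
GO
EXEC sys.sp_cdc_enable_table
    @source_schema = N'dbo',
    @source_name   = N'GeneralLedger',
    @role_name     = N'cdc_reader';  -- members of this role may read the change data
GO
-- 5. Report source: read the audit files back as a rowset.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('C:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Including `AUDIT_CHANGE_GROUP` means that attempts to alter or switch off the audit are themselves recorded, and restricting write access to the audit folder keeps the people being audited from editing the trail.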


There is also an example you can refer to here, covering Credit Suisse and SQL Server 2005.