Compliance – Audit Reporting Requirements (SOX, HIPAA, GLBA and PCI)
March 2, 2012

SOX, HIPAA, GLBA and PCI requirements:
SOX Audit Reports

| Report | Requirement |
| --- | --- |
| User Logons | Sec. 302(a)(4)(C) and 302(a)(4)(D) require that user access to the system be recorded and monitored for possible abuse. |
| User Logoffs | Sec. 302(a)(4)(C) and 302(a)(4)(D), as above; logoffs complete the session record that the logon report starts. |
| Logon Failures | Shows all unsuccessful logon attempts by users. |
| Object Access | Supports the internal controls of Sec. 302(a)(5) by recording any access violation. |
| Account Management | Sec. 302(a)(6) covers significant changes in internal controls. Changes to security configuration settings, such as adding a user account to or removing one from an administrative group, fall under this. |
| Audit Log Access | Sec. 302(a)(4)(C) and 302(a)(4)(D) require procedures for regular review of system activity, including the audit logs themselves; this report records who accessed those logs. |
| Audit Policy Changes | Supports the internal controls of Sec. 302(a)(5) by tracking the event logs for any change to the security audit policy. |
HIPAA Audit Reports

| Report | Requirement |
| --- | --- |
| User Logons | Log-in monitoring: procedures for monitoring log-in attempts and reporting discrepancies (45 CFR 164.308(a)(5)(ii)(C)). |
| User Logoffs | Complements the user logon report for analysis of user activity. |
| Logon Failures | All unsuccessful logon attempts. |
| Object Access | Required by 164.308(a)(1)(ii)(D), information system activity review. |
GLBA Audit Reports

| Report | Requirement |
| --- | --- |
| User Logons | The GLBA Safeguards Rule requires that access to systems holding customer financial information be monitored. |
| User Logoffs | Complements the user logon report for analysis of user activity. |
| Logon Failures | Complements the user logon report. |
PCI DSS Audit Reports

| Report | Requirement |
| --- | --- |
| User Logons | Required for PCI DSS 10.2.1. Requirement 10.2 is to implement automated audit trails to reconstruct the required events; 10.2.1 covers all individual user accesses to cardholder data. |
| User Logoffs | Complements the user logon report. |
| Logon Failures | Required for PCI DSS 10.2.4 (invalid logical access attempts). |
| Object Access | Required for PCI DSS 10.2.7 (creation and deletion of system-level objects). Identifies when a given object (file, directory, etc.) is accessed, the type of access (e.g. read, write, delete), whether the access succeeded or failed, and who performed the action. |
| Audit Policy Changes | Required for PCI DSS 10.2.3 (access to all audit trails). Lets organizations comply with internal controls by tracking the event logs for any change to the security audit policy. |
European Payment Council (EPC)
www.bestitdocuments.com