SoX - Config changes and logs
Summary
SoX requirements Configuration changes and privileged user logging
Content
We've been acquired by a US company, so we now have to comply with SoX. We've got a team of consultants who've identified some gaps in our controls, and some potential remediation, but the requirements are a bit woolly.
One gap references a review of all configuration changes being able to be tracked to our change management process - the part we don't have covered is the ability to extract a full population of configuration items/configuration changes. Our consultants also haven't defined what 'configuration changes' entails, so I'm struggling a bit here too! I was looking at using 'Manage Audit Policies', however I have been told that this won't be an effective control due to users with privileged access having access to: