Role Based Access Control

Role Based Access Control RBAC

RBAC and Sarbanes-Oxley Compliance

The Sarbanes-Oxley Act establishes a set of requirements for financial systems, to deter fraud and increase corporate accountability. For information technology systems, regulators may need to know who used a system, when they logged in and out, what accesses or modifications were made to what files, and what authorizations were in effect. IT vendors responding to Sarbanes-Oxley (SOX) requirements have adopted RBAC as central to compliance solutions because RBAC was designed to solve this type of problem.

Sarbanes-Oxley Act of 2002 and Impact on the IT Auditor, IT Knowledgebase - comprehensive introduction to Sarbanes-Oxley requirements
Compliance: Thinking outside the Sarbox, NetworkWorldFusion, February 7, 2005 - experience with SOX compliance in a number of firms
Rules and policies vs. actual practice, NetworkWorldFusion, February 7, 2005 - identity management and role based access
"Information Risk": A New Approach to Information Technology Security, Sys-con.com, Nov. 29, 2004 - risk management aspects
Implementing Sarbanes-Oxley, WebSphere Journal, November 26, 2004 - a case study of implementing SOX compliance
Addressing the Key Implications of Sarbanes-Oxley, The Business Forum, 2004 - implications for corporate IT systems
Solving Sarbanes-Oxley: A Business Intelligence Perspective, DMReview, December, 2003 - business intelligence approach

Project Links

Overview FAQs Publications Presentations

Additional Pages

RBAC Library Role Engineering and RBAC Standards RBAC and Sarbanes-Oxley Compliance RBAC Case Studies

Contacts

RBAC Inquiries
rbac-info@nist.gov

David Ferraiolo
david.ferraiolo@nist.gov

Rick Kuhn
d.kuhn@nist.gov
(301) 975-3337

Ramaswamy "Mouli" Chandramouli
mouli@nist.gov
301-975-5013

Topics

Security and Privacy: access control

Related Projects

Attribute Based Access Control
Policy Machine

Created November 21, 2016, Updated June 22, 2020