Does an application that manages access controls to a suite of tools (Jenkins, Nexus, BitBucket) in a SOX environment need to be considered a SOX application?

The app itself only deals with data in transit and uses authentication to properly restrict how the app is used to manage the SOX tools' settings. The app also has an append-only log for audit purposes and to build the state for administrators to view (event sourcing).

Lastly, all the tools that make up the CI/CD pipeline are in a SOX environment so that they can deploy artifacts to VMs in the SOX environment.

Adgezaza

1 Answer

If the apps can be used to push app modifications to your production environment with regard to financial applications, they will be subject to SOX. Considering that your Bitbucket, Jenkins and Nexus are all used for ensuring certain controls (e.g. controlled deployment to prevent pushing unauthorised code), they may be considered part of the control environment.

Lucas Kauffman