-1
Does an application that manages access controls to a suite of tools (Jenkins, Nexus, BitBucket) in a SOX environment need to be considered a SOX application?
The app itself only deals with data in transit and uses authentication to properly restrict how the app is used to manage the SOX tools' settings. The app also has an append-only log for audit purposes and to build the state for administrators to view (event sourcing).
Lastly, all the tools that make up a CI/CD pipeline are in a SOX environment so that they can deploy artifacts to VMs in the SOX environment.
You will need to edit your question, and not use an acronym because the one you choose has an entirely different meaning. – Ramhound – 2018-04-02T13:26:12.350
Do you mean SOX? Updated. – Adgezaza – 2018-04-02T13:39:23.447
You tell me. You used the tag: "SoX (Sound eXchange) is a computer program for audio manipulation", but given the context of your question, it does not match up. Which is the reason you must edit your question in order to clarify it. Your title is confusing. – Ramhound – 2018-04-02T13:42:19.700
Still smells a lot of Acronym Overload. You might want to actually give people at least a link to whatever SOX is as well as what a "CI/CD pipeline" is. Is SOX an actual application or application set or is it just some "rules"? https://en.wikipedia.org/wiki/Information_technology_controls#IT_controls_and_the_Sarbanes-Oxley_Act_(SOX) suggests that it is some US federal law which is not particularly useful information for context in your question. How does any of this apply to a "SOX environment"? – Mokubai – 2018-04-02T15:37:56.170