With the SOX Section 404 compliance deadline extended from July 2006 to the company's first fiscal year ending on or after July 15, 2007, eligible organizations should begin considering where to focus their compliance efforts. The earlier deadline probably would have resulted in organizations resorting to the “meets requirements” approach that most of them took the first time around. Now that you have more time, take this opportunity to assess your progress and the results of your efforts, and make a wish list for how you can adjust and improve your architecture so that your compliance efforts are done right the first time and deliver continuous compliance.
The U.S. Sarbanes-Oxley Act of 2002 has affected not only financial processes and controls but also IT governance and operations, especially through Section 404 -- Management Assessment of Internal Controls. Early on, organizations struggled to put the internal processes and infrastructure in place to address the compliance needs of Sarbanes-Oxley. For many companies the cost of compliance is eating into earnings. It has become clear that traditional IT management approaches and conventional security models for managing Sarbanes-Oxley compliance are not sufficient to meet these challenges. Now, with the extended deadline, organizations are realizing that this is the opportune time to assess their compliance efforts and explore more effective technology options for a long-term, ongoing compliance program.
Many organizations are taking advantage of the extension by moving toward Identity Management (IdM) projects for the security and efficiencies they bring, as well as by improving their existing IdM with identity auditing and identity control solutions for continuous compliance. The automated controls that identity auditing and identity control provide work with the existing infrastructure and enforce control on all interactions, as well as reliable control of who has access to what. In addition, they include the ability to log and audit who accessed the data, and when. Finally, they extend pervasive identity for comprehensive control to every identified IT asset in your organization, from laptop to network to all applications. When everything in an enterprise has an identity and there is a means to audit and control those identities, identity suddenly becomes the link between IT and business operations, and the “meets requirements” approach is no longer acceptable.
Effective Internal Controls are Integral for Risk Mitigation and Operational Health
The key concept of Section 404 is the effectiveness of internal controls. Many organizations are attempting to address this requirement by compiling a massive amount of system data from log files and system reports. It is, however, usually difficult to analyze this data. Auditors usually give their approval, but what happens if the data points to potential problems? That just adds additional risk to the situation.
The goal of risk management is to protect a company’s operational and financial well-being -- a significant compliance concern. Securing the continuing operations and critical IT assets of an organization has always been a challenge, and with today’s increasing interchanges and operational complexities, it is even more difficult.
Often the first and most difficult step in achieving compliance is the manual process of identifying the users, assets, and applications necessary for provisioning. This required preliminary work is extremely tedious and expensive. In addition, the manual information gathering process is recurring as well as fallible, exposing systems to risk and straining organizational IT resources. As demonstrated in the IT compliance maturity model below (Figure 1), the internal control structure must be automated and continuous in order to reduce operational risk to an acceptable level. There are, however, few automated IT tools which can reduce the errors caused by manual methods.
Figure 1: IT compliance maturity model
Most executives feel they have fulfilled the primary IT requirements of Sarbanes-Oxley through their extensive manual IdM processes, which provided a broad (although not entirely accurate) perspective of their IT infrastructure. Some have tweaked their IdM processes, adding access control layers. The majority, however, understand that these measures are not a final solution because they are not automated and have to be repeated. In addition, the multiple layers of IT solutions -- system management, network security, and IdM -- have resulted in a challenging array of products, connections, skills, and knowledge gaps that increases risk and limits the ability to implement new applications and IT services securely. An automated solution that reduces manual processes and streamlines automated activities is required to make compliance with Section 404 more successful.
Add Identity Auditing and Identity Control to Your Wish List
Fundamentally, in order to satisfy Sarbanes-Oxley requirements, organizations must be prepared to disclose information on who their users are and what they have access to, as well as the interactions between users, assets, and applications. They must also show evidence that internal controls are working, and that the organization responded appropriately when policy violations occurred.
Identity auditing and identity control are two types of automated controls which can significantly decrease manual IT audit activity, while reducing the vulnerability of critical areas. These controls involve the ability to inject a digital identity at the network layer -- extending identity to include users as well as assets, applications, transactions, and data -- providing organizations with information about who is accessing what assets from where, in and outside of the enterprise. With this comprehensive perspective, an organization is able to create accurate reports, protect critical assets, and ensure compliance, at less cost and with a reduction of risk.
By attaching identity to every user and interaction and extending it to include assets and applications, risk factors are significantly reduced and the system is continuously monitored for compliance. This pervasive identity approach, in effect, becomes the foundation for IT operations, linking to business initiatives and processes. Such an identity-focused process makes the role of identity central and provides a more effective long-term solution.
Incorporating pervasive identity in an enterprise improves the performance of existing security and IdM solutions. It also provides explicit proof of authorized actions, as well as the response and control of unauthorized and illicit behavior. These automated controls in effect become the framework for ensuring compliance with Section 404.
Recommendations for Building an Identity-focused Enterprise
First, organizations must adopt the vision that identities are not just users. In order to incorporate automated identity auditing and identity control, they must extend the concept of identity to include systems, servers, applications, data, and even transactions and events. Basically, everything should have an identity. When organizations analyze their business processes, they’ll notice that all organizational components can be assigned identities, allowing them to link corporate activities with the IT infrastructure.
Incorporating automated user provisioning helps organizations comply with Sarbanes-Oxley and enhances their auditing processes and monitoring of IT-related user activities. Provisioning automates and streamlines the creation of user accounts and the assignment of user privileges, and it provides account permission data, making it a useful compliance tool. Previously, identity auditing has been a tedious and poorly coordinated process. With IT infrastructures changing so frequently, the information compiled is often out of date by the time the task is completed. Effective identity auditing creates the crucial basis for successfully deploying user provisioning and for determining the components that need to be associated, such as user-to-application or user-to-asset.
Most companies don’t know or can’t easily prove the interactions among users and assets. The reality is that many IT organizations don’t have the resources to process data and system logs, nor do they have the means to correlate information from disparate sources. Although newer security event management systems have improved, the fundamental problem of managing the data and automating its compilation still exists. They’re also identity blind.
Decision makers typically try to address identity issues with broad directory initiatives or ambitious user provisioning projects. Although directories and user provisioning systems are essential IdM components, there are several distinct challenges in using them. In addition, reporting only on known resources invites compliance disaster, since it is the unknown components that introduce risk.
Components of IdM such as Single Sign-on allow a user to authenticate once and gain access to several or all systems within their authorization. Federated Identity allows enterprises and service providers to securely link and exchange identity information across partner, supplier, and customer organizations while complying with privacy and industry regulations. Vendors such as Trusted Network Technologies provide identity auditing services focused on helping companies assess what they have and which IdM solutions they need to protect their critical information.
Automation ultimately requires the ability to inject identity into every session a machine initiates, track its activity and transactions across an enterprise and beyond, and integrate this function into the existing IT infrastructure. Organizations must first determine all users, assets, and applications in an identity-focused and consistent manner, ensuring that user provisioning solutions are not compromised by unknown activity and are aligned with the overall IT environment. Only users and applications properly provisioned according to corporate policy should be able to communicate, providing full control of the interactions and an audit trail. Organizations must also be able to confirm that all de-provisioned employees and users are eliminated and have no access to IT resources, reducing the risk of unauthorized access.
Identity control is the foremost component in the IdM arsenal guarding an enterprise's IT infrastructure. With identity control methods in place, organizations can monitor users, assets, applications, and transactions in real-time, and ensure identity-based user interactions are recognized and aligned with business process requirements. This ties business operations to compliance and ensures IT operates within business rules.
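The two passages above describe the identity audit in outline: reconcile every known user and account against corporate policy, flag de-provisioned users who still have access, and correlate activity with identity rather than leaving it "identity blind". The following is an added illustration of that reconciliation, not code from the article or from any vendor it names; the HR roster, account inventory, log format, and application names are all constructed for the demonstration.

```python
# Added example (not from the article): reconcile HR status, provisioned
# accounts and access logs to answer "who accessed what" and flag gaps.
# All data below is constructed for the demonstration.

# Constructed HR roster: employee id -> status
HR_ROSTER = {
    "e100": {"name": "alice", "status": "active"},
    "e101": {"name": "bob", "status": "terminated"},  # de-provisioned user
    "e102": {"name": "carol", "status": "active"},
}

# Constructed account inventory: account -> owner and entitled applications
ACCOUNTS = {
    "alice": {"owner": "e100", "apps": {"erp-gl", "hr-portal"}},
    "bob": {"owner": "e101", "apps": {"erp-gl"}},  # still enabled after termination
    "carol": {"owner": "e102", "apps": {"hr-portal"}},
    "svc-backup": {"owner": None, "apps": {"erp-gl", "file-srv"}},  # no known owner
}

# Constructed access log lines: "timestamp user application source-host"
LOG_LINES = """\
2007-03-01T09:00:00 alice erp-gl 10.0.0.5
2007-03-01T09:05:00 bob erp-gl 10.0.0.9
2007-03-01T09:07:00 mallory file-srv 10.0.0.77
2007-03-01T09:10:00 carol erp-gl 10.0.0.6
""".splitlines()

def orphaned_accounts(roster=HR_ROSTER, accounts=ACCOUNTS):
    """Accounts whose owner is terminated or unknown to HR: de-provisioning gaps."""
    return sorted(
        name for name, acct in accounts.items()
        if acct["owner"] is None
        or roster.get(acct["owner"], {}).get("status") != "active"
    )

def policy_violations(lines=LOG_LINES, roster=HR_ROSTER, accounts=ACCOUNTS):
    """Accesses that policy does not allow, each tagged with the reason."""
    orphans = set(orphaned_accounts(roster, accounts))
    hits = []
    for line in lines:
        ts, user, app, _host = line.split()
        acct = accounts.get(user)
        if acct is None:
            hits.append((ts, user, app, "no provisioned account"))
        elif user in orphans:
            hits.append((ts, user, app, "orphaned account"))
        elif app not in acct["apps"]:
            hits.append((ts, user, app, "not entitled to application"))
    return hits
```

Run against the sample data, the orphan check surfaces the terminated user's still-enabled account and the unowned service account, and the log correlation flags the terminated user's access, an identity with no account at all, and an active user reaching an application outside her entitlements.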
Finally, a third-party resource, such as a systems integrator who is experienced in these processes and methods, can ensure the user provisioning project is effective. Such resources are aware of their clients’ needs and are knowledgeable about best practices and emerging technologies such as automated identity management tools. By combining identity auditing with user provisioning, an effective framework for real-time, proactive IdM is created that is continuously compliant and operationally effective.
Make Your Section 404 Wish List a Reality
Eligible companies that are determined to take advantage of this extension are searching for better ways to address Sarbanes-Oxley compliance needs that can be incorporated into their existing IT infrastructure, while providing new levels of access control and visibility of network activities. Identity auditing and identity control enable organizations to eliminate the manual and complex information gathering processes, as well as provide reliable control of who has access to what. With the additional time from the extension, organizations can explore the innovative identity technologies that are emerging, and incorporate them in their existing infrastructure for a more effective long term solution.
Automation is the key to accelerating the compliance process and creating clear tracking for future auditing and accountability. An identity-focused approach to Sarbanes-Oxley compliance helps not only to enable successful compliance but also to control the ongoing costs of maintaining it. The key lesson learned from IdM deployments in the first year of compliance efforts is that IT components must be automated through IdM tools and made real-time, so that in the years to come IT audit results can be calculated in seconds rather than in millions of dollars.
About the Author:
Robert Ciampa is Vice President of Business Strategy for Trusted Network Technologies, a developer of identity auditing and access control solutions.