
SOX Changes on the Way?


Maybe, But the Cost and Efficiency Benefits of Automating Compliance Will Still Matter

By Kurt Johnson
Vice President of Corporate Development, Courion

The Sarbanes-Oxley (SOX) Act. The mere mention can send shivers through the souls of IT organizations. The November elections caused many who follow SOX to suggest it was in need of an "extreme makeover." Political voices including Vice President Dick Cheney, New York State Attorney General Eliot Spitzer and former Federal Reserve Chairman Alan Greenspan have all questioned whether SOX has outlived its usefulness in its current state. Whatever changes lie ahead, for now SOX continues to be a significant area of concern for organizations that are already stressed by limited IT resources and growing IT demands and requirements.

Those who have accepted SOX as a business reality, or perhaps a necessary evil, understand that it won't be going away any time soon. They understand that ensuring information technology (IT) policies are enforced is just good business sense. They also realize that it beats developing policies and having them sit idly in a binder on the CIO's shelf, which can expose a company to significant security risks. Having strong, enforceable internal controls can add efficiency and security to the entire organization. For instance, compliance efforts to date have provided considerable information about a company's control environment and its business processes. As a result, companies are beginning to understand more clearly how their business processes work, how these processes interact with one another, and how they can be made more effective and efficient.

With renewed focus on controls over application access, companies are beginning to recognize and appreciate the benefits that can be leveraged from their SOX investment. Here we will discuss the key benefits to be gained from a proactive approach to regulation and how enterprise-wide provisioning can facilitate SOX compliance by:

• Ensuring that users only have access to those systems and applications required for their jobs

• Identifying and eliminating segregation-of-duty (SoD) violations

• Ensuring access to protected systems is completely revoked when workers leave the company

• Eliminating the need to share personal authentication information with help desk or information security staffs for password reset or account access requests

• Ensuring complete, accurate audit trails for all changes in access rights

• Supporting policy awareness training and testing

Understanding and Controlling Employee Access
One common theme across many SOX audits is the ability to establish strong controls over who has access to what, why they have access, and how they got it. Firm policies around what entitlements users have, and proof that those policies are being followed, are a core ingredient in demonstrating strong internal controls over financial applications and other critical corporate resources.

Compliance includes both certifying the accuracy of financial statements and ensuring key business processes are under control. SOX section 302 focuses on the CEO/CFO certifying the accuracy of their financial statements. Section 404 requires an annual assessment of internal controls over financial reporting and an attestation from external auditors. Enterprise-wide provisioning is proving to be a key ingredient in helping companies meet the requirements of sections 302 and 404, which require CEOs and CFOs to demonstrate that their business processes are under control.

In order to meet these new audit requirements, organizations need to demonstrate sound processes and controls around how users get access, how access changes, and ultimately how access is removed once someone leaves the organization. Automated user provisioning is at the core of building a sustainable, consistent, and enforceable solution to address these issues.

The Challenge of Enterprise Provisioning
There are a number of security challenges facing organizations today. More and more users need access to corporate resources, including employees, contractors, consultants, partners, and even customers. Each of these people requires a different level of access and reaches corporate resources from numerous locations, including remote ones. At the same time people are using different assets including desktops, laptops, kiosks, PDAs, mobile phones, and more. Because of these challenges, many companies dedicate significant resources to ensuring that people have the access they need when they need it, but not enough time has been spent addressing whether or not users SHOULD have access to various resources. Regulations such as SOX are helping raise the visibility of this critical question: What resources should users really have access to?

One thing is certain: a user's identity is at the core of all business transactions. It identifies who a user is, where they are located, what their job is, what projects they are working on, and more. Each of these characteristics affects what corporate resources an individual is entitled to and what they are allowed to do within those resources. One major area of focus for SOX is to ensure that policies are in place so that only certain people with appropriate responsibilities have access to financial applications, and to define what they are allowed to do within those applications.

Managing these various data points is a complex task for system and application administrators. When a request comes in for a new hire, it gets dispersed to multiple people who grant access to various systems and applications. The recipients assume the information on the request is accurate, but since it's a manual process, it's often fraught with errors.

Numerous factors drive the complexity of a manual provisioning process. Every request is compounded by the constant change that happens within an organization. Examples of routine changes are:

• New hires

• Relocations

• Transfers

• Promotions

• Projects ending

• Contractor contracts terminating

• Terminated employees

Each of these day-to-day changes, though seemingly routine, creates complexity for accurate provisioning. Many organizations take two to three weeks to set up access for new employees. Some of the biggest findings in SOX audits are issues related to moves, adds, and changes of current users. When someone changes jobs and needs new access to perform that job function, organizations are usually pretty good at getting that person the new access they need (though not always in a timely fashion). What many organizations are notoriously poor at is removing the access an employee no longer needs from their previous job. This "access creep" builds up over time, leaving many users with access that is not appropriate for their current function. Equally risky is the "orphan account" issue: accounts that still exist for users who are no longer with the organization, another serious SOX audit finding.

If these day-to-day changes were not bad enough, businesses also go through major changes that have a multiplicative effect on the complexity of provisioning and access. These include major events such as:

• Mergers

• Acquisitions

• Divestitures

• Major application rollouts

• Infrastructure updates

All of these require provisioning efforts on a massive scale. With an acquisition, IT departments are forced to set up new accounts for hundreds or thousands of new employees, granting access to the resources they need to do their jobs as soon as the acquisition is completed. Major application rollouts require numerous accounts to be provisioned as an application is deployed into production. Divestitures require accounts to be disabled and access revoked for staff no longer employed by the company. These mass-scale provisioning cases are often highly manual and, given the serious time pressure, at risk of serious errors. These errors can leave people with access they should not have.

Take, for example, one company that was undergoing a major SAP rollout. The company had thousands of employees who needed access as soon as the system went live. When the IT managers looked in the user directory, they discovered the organization had five times as many accounts as employees. Identifying which accounts were valid and corresponded to actual employees was too burdensome a task. As a result, when they went live with SAP they set up accounts for all users in the directory, knowing full well that nearly 80 percent of those accounts would not be valid. You may be shocked by the blatant disregard for policy and lack of strong IT controls, but the business pressure was so great that this is what they were forced to do. And they probably aren't alone.

Enterprise Provisioning and SOX Compliance
In response to these issues, an automated enterprise provisioning solution can solve many of the related challenges. Instead of a provisioning request fracturing into multiple requests, an enterprise provisioning solution tracks all the necessary actions as a single event. Policy dictates what access a specific user should get based on his or her role in the organization, as well as information such as job title, location and project. The system uses this data to identify the proper access and automatically facilitates the setup. This can cut the time it takes to get new users set up from weeks to minutes. Any approvals an organization requires can be fully automated and tracked. It also ensures that no account is set up before the proper access has been approved. In addition, system and application access can be gated until a user passes a policy awareness training and testing program. The system tracks who has taken such training and does not grant access until the user formally signs a security policy or passes a security awareness exam.

This process ensures that inappropriate access cannot be granted, whether through special favors or inadvertent account creation. For example, if you're a marketing manager, you have no ability to grant access to financial system applications. If you're an accounts payable manager, you're unable to grant access to the vendor approval system. In addition to ensuring policy is followed, it also eliminates segregation of duty (SoD) conflicts. SoD violations can be identified, and the system can prevent any SoD violation from occurring or require special approval before access that would cause an SoD violation is established.

More importantly, an automated provisioning process ensures that proper access is granted throughout the various day-to-day changes, as well as during large scale changes. As people change roles, new entitlements are automatically granted, but more importantly, previous access is immediately terminated. When employees leave an organization, or a contractor completes a project, one click of the button will automatically disable all their access.
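To make the provisioning lifecycle described above concrete, here is an added example (not Courion's code or any product's API) of a small policy-driven provisioning engine. The roles, entitlements, user names and the training-gated entitlement are constructed for illustration. It computes a user's target access from the policy, grants what is missing, revokes what the policy no longer allows on a transfer, disables everything on termination, and records every grant and revoke in an audit trail.

```python
"""Role-based provisioning with lifecycle events and an audit trail (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical access policy: role -> set of (system, right) entitlements.
POLICY = {
    "ap_clerk": {("erp", "invoice_entry"), ("email", "mailbox")},
    "ap_manager": {("erp", "invoice_entry"), ("erp", "vendor_approval"),
                   ("email", "mailbox")},
    "marketing": {("email", "mailbox"), ("cms", "author")},
}

# Hypothetical entitlements withheld until policy-awareness training is passed.
TRAINING_GATED = {("erp", "vendor_approval")}


@dataclass
class User:
    uid: str
    role: Optional[str]
    trained: bool = False
    active: bool = True
    access: set = field(default_factory=set)   # what the user currently holds


@dataclass
class Provisioner:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (uid, action, entitlement, reason)

    def _log(self, uid, action, entitlement, reason):
        self.audit.append((uid, action, entitlement, reason))

    def target_access(self, user):
        """Access the policy says this user should have right now."""
        if not user.active or user.role is None:
            return set()
        wanted = set(POLICY.get(user.role, set()))
        if not user.trained:
            wanted -= TRAINING_GATED
        return wanted

    def reconcile(self, uid, reason):
        """Bring actual access in line with target access; log every change."""
        user = self.users[uid]
        wanted = self.target_access(user)
        for ent in sorted(wanted - user.access):
            user.access.add(ent)
            self._log(uid, "grant", ent, reason)
        for ent in sorted(user.access - wanted):
            user.access.discard(ent)
            self._log(uid, "revoke", ent, reason)
        return set(user.access)

    # Lifecycle events: each one is a single tracked provisioning action.
    def hire(self, uid, role, trained=False):
        self.users[uid] = User(uid, role, trained)
        return self.reconcile(uid, f"hire as {role}")

    def complete_training(self, uid):
        self.users[uid].trained = True
        return self.reconcile(uid, "policy awareness training passed")

    def transfer(self, uid, new_role):
        old = self.users[uid].role
        self.users[uid].role = new_role
        return self.reconcile(uid, f"transfer {old} -> {new_role}")

    def terminate(self, uid):
        self.users[uid].active = False
        return self.reconcile(uid, "termination")


if __name__ == "__main__":
    p = Provisioner()
    p.hire("alice", "ap_manager")           # vendor_approval withheld: untrained
    p.complete_training("alice")            # vendor_approval granted
    p.transfer("alice", "marketing")        # ERP rights revoked, CMS granted
    p.terminate("alice")                    # everything revoked
    for entry in p.audit:
        print(entry)
```

The key line is the revoke loop in `reconcile`: a transfer is not a grant of new access but a full recomputation, which is what prevents the access creep the article describes.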

Organizations that have deployed an automated user provisioning solution remark on how much more smoothly their SOX audits go. Instead of sifting through reams of system logs and access files, the auditors can quickly see what access people have through the provisioning system. Auditors can see exactly how access is set up and managed on an ongoing basis and feel confident that the policies not only exist, but are being enforced through automation.

Beyond Provisioning: The Importance of Automated Compliance Verification and Attestation
SOX compliance does not end with an automated provisioning system. That is just one aspect of building automation to help ensure that key processes are established, followed and enforced. Auditors also look at what processes are in place to formally verify user access and attest to any variances from policy. For that reason an automated access verification and attestation solution becomes a key addition.

Most organizations handle employee access verification manually. Reams of reports are printed showing what users have access to. These complex, technical logs are shared with line-of-business (LOB) managers for their signature. LOB managers often do not understand what is on these reports (can we really expect them to understand what a RACF LPAR is?). Given this, just how useful are these access verification processes? How comfortable can an organization be that the line of business truly understands what access an individual has and whether that access is appropriate?

An automated compliance management solution can greatly ease this burden. Such a system will identify all access users have across a variety of different systems and resources. It will show who actually has accounts, and what specific rights an individual has within those various accounts. Moreover, it will identify what access an individual SHOULD have. This can be based on their job function, title, location, project, or any other data that is pertinent to the establishment of a formal access policy. Multiple views can be run so a LOB manager can see all of their employees, their respective access and entitlements, and how those compare against policy, highlighting any variances. An application administrator, meanwhile, can view data for a specific application (such as the financial systems) and see who has access, what job functions they are in, and, again, identify any variances from policy. Meanwhile a chief compliance officer can view this information for the organization as a whole.

In addition to variances from access policies, an automated compliance solution, like an automated provisioning solution, can also identify SoD conflicts. It can clearly highlight users who have an SoD violation, such as holding both check-writing and vendor-approval capability. A sophisticated solution should also enable cross-application checking so that SoD violations do not arise from access rights granted on two separate systems. Individual administrators have no visibility into such a conflict, but an automated solution looking across applications can clearly highlight any areas of concern.

The system should not only show where problems exist; it should be actionable and force the user to take specific steps based on these variances. Once variances from policy have been identified, the system forces the person running the compliance check to decide how to handle each one. They can approve the variance and add a comment such as "the person is working on a special project and needs financial system access," so that an audit trail exists and the variance is formally attested to by the business owner. Or, if the variance came from access that was needed in a prior job or project, the system should enable the manager to immediately revert the access and bring the user back within policy. Managers should also be required to attest to all users who are within policy, confirming that their access is still appropriate.
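The verification, cross-application SoD and attestation steps in the preceding paragraphs, as an added example (not the code of any product named on the page). The HR roster, the account exports from the three systems, the policy and the SoD rule are all constructed. The code reconciles exported accounts against HR and policy to surface orphan accounts, variances (access beyond what the role allows) and toxic combinations that only appear when rights on different systems are viewed together, and then refuses to close the review until every variance has an approve-with-justification or revert decision on record.

```python
"""Access verification, cross-application SoD checks and attestation (added example)."""
from collections import defaultdict

# Constructed HR roster: uid -> (role, active)
HR = {
    "alice": ("ap_manager", True),
    "bob": ("ap_clerk", True),
    "carol": ("marketing", True),
    "dave": ("ap_clerk", False),       # terminated, should have no accounts
}

# Hypothetical policy: role -> allowed (system, right) entitlements.
POLICY = {
    "ap_clerk": {("erp", "invoice_entry"), ("email", "mailbox")},
    "ap_manager": {("erp", "invoice_entry"), ("erp", "vendor_approval"),
                   ("email", "mailbox")},
    "marketing": {("email", "mailbox"), ("cms", "author")},
}

# Constructed account exports from several systems: (system, uid, right)
ACCOUNTS = [
    ("erp", "alice", "invoice_entry"), ("erp", "alice", "vendor_approval"),
    ("erp", "bob", "invoice_entry"), ("erp", "bob", "vendor_approval"),  # access creep
    ("payments", "bob", "check_writing"),        # conflicts with vendor_approval on erp
    ("email", "alice", "mailbox"), ("email", "bob", "mailbox"),
    ("email", "carol", "mailbox"), ("cms", "carol", "author"),
    ("erp", "dave", "invoice_entry"),            # orphan: user terminated
    ("erp", "eve", "invoice_entry"),             # orphan: unknown to HR
]

# Toxic combinations spanning systems: (set of entitlements, description)
SOD_RULES = [
    ({("erp", "vendor_approval"), ("payments", "check_writing")},
     "can approve a vendor and write checks to it"),
]


def actual_access(accounts):
    """Collapse per-system exports into one entitlement set per user."""
    by_user = defaultdict(set)
    for system, uid, right in accounts:
        by_user[uid].add((system, right))
    return dict(by_user)


def find_orphans(by_user, hr):
    """Accounts whose owner is unknown to HR or no longer active."""
    return {uid: ents for uid, ents in by_user.items()
            if uid not in hr or not hr[uid][1]}


def find_variances(by_user, hr, policy):
    """Entitlements held by active users beyond what their role allows."""
    out = {}
    for uid, (role, active) in hr.items():
        if not active:
            continue
        extra = by_user.get(uid, set()) - policy.get(role, set())
        if extra:
            out[uid] = extra
    return out


def find_sod(by_user, rules):
    """Users holding every entitlement of a toxic combination, across systems."""
    return [(uid, desc) for uid, ents in by_user.items()
            for combo, desc in rules if combo <= ents]


def attest(variances, decisions):
    """Every variance needs ('approve', justification) or ('revert', None).

    Returns the attestation trail and the variances that remain after approvals.
    """
    trail, remaining = [], {}
    for uid, extra in variances.items():
        for ent in sorted(extra):
            if (uid, ent) not in decisions:
                raise ValueError(f"undecided variance: {uid} {ent}")
            action, comment = decisions[(uid, ent)]
            if action == "approve" and not comment:
                raise ValueError(f"approval of {uid} {ent} needs a justification")
            trail.append((uid, ent, action, comment))
            if action == "approve":
                remaining.setdefault(uid, set()).add(ent)
    return trail, remaining


if __name__ == "__main__":
    acc = actual_access(ACCOUNTS)
    print("orphans:", find_orphans(acc, HR))
    print("variances:", find_variances(acc, HR, POLICY))
    print("SoD:", find_sod(acc, SOD_RULES))
```

Note that `find_sod` runs over the merged per-user view, not over any single export; the `erp` administrator and the `payments` administrator each see only half of bob's toxic combination.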

The ROI of Compliance
Return on investment (ROI) is not often applied to compliance projects. Organizations have come to accept that being in compliance, and demonstrating compliance, is a necessary expense they must absorb. One chief information security officer stated that the only ROI he was concerned about in relation to SOX compliance was "Risk of Incarceration," and that cost was not an issue.

One of the key benefits, and effective measurements, of an automated provisioning and compliance solution is the dramatic reduction in the cost of passing an audit as it relates to user access. Automating the provisioning process can free the many administrators who were burdened with setting up, modifying, and disabling user accounts. One Courion customer found it took more than 70 full-time equivalents to handle provisioning for more than 30,000 employees and contractors. Through automation, the number of security administrators charged with this task has been reduced to only a handful.

Similarly, the time and manual effort required to analyze system and application logs to identify which users have access to what is significant, and it adds further stress to already thin IT resources. By automating the verification and attestation process, IT staff can go back to performing the jobs they were hired to do.

Summary
Despite the cries for reform gaining volume on Capitol Hill, SOX as we know it is here to stay for the foreseeable future. Organizations hoping for change must also realize that merely having an automated provisioning and compliance solution in place will not guarantee SOX compliance. Moreover, merely passing an audit and being in compliance does not mean that an organization is truly secure. And simply automating bad processes will not lead to success.

It is critical that organizations identify the key policies and processes necessary for a secure provisioning practice. An automated provisioning and compliance solution can help an organization drastically reduce the effort involved in a SOX audit as it pertains to user access. Beyond managing day-to-day and large-scale provisioning, a complete SOX compliance solution should also drive the process that ensures employee access is appropriate and that any variance from policy is identified and acted upon immediately. It is an effective vehicle for a more secure and efficient compliance process that also supports sound business practice.

Kurt Johnson is Vice President of Corporate Development at Courion Corporation