Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, June 14, 2005

Identity Auditing is the Key to Maintaining SOX Compliance

The Sarbanes-Oxley Act (SOX) has profoundly affected IT governance and operations, especially Section 404: Management Assessment of Internal Controls.  Organizations of all sizes are struggling to put the processes and infrastructure in place to address SOX compliance needs.

Analysts project 2005 compliance-related IT spending in the range from $1.5 billion to $5 billion.  Early indications are that for many companies the cost of compliance is eroding profit margins.  No one can predict what the impact of meeting SOX compliance requirements will be.

A new method for addressing SOX compliance needs is required; one that integrates into the existing infrastructure while providing new levels of control and visibility that will make the IT component of compliance continuous and ongoing.  Compliance is driving innovation, and much of the innovation is focused on the role of identity and the ability to monitor and control interactions by identity.

A driving concept of section 404 of SOX is effectiveness of internal controls.  Manual processes are expensive, recurring, and prone to errors, exposing risk and depleting resources required to roll out new business initiatives.  Most, however, acknowledge that these measures are incomplete and realize that they’ll be back at it again.  The most important component of compliance concerns the management of risk. Risk management addresses how a company protects its operational and financial well-being.

The deployment of so many IT infrastructure solutions has led to a nearly unmanageable collection of products, connections, skills and knowledge gaps that increase risk while compromising and limiting the ability to roll out new services.  Many organizations are trying to address this requirement.  Unfortunately, it’s nearly impossible to analyze this amount of data if one tries to collect everything.

The problem is that SOX expects organizations to take an aggregated look at their IT environment and the related business processes.  In preparing to meet SOX regulations, organizations should be able to answer the following questions confidently: Can you clearly state who all your users are and what access they have? Do you have audit trails for users, assets and applications? Do you have verifiable evidence? Did you take appropriate action when a policy infraction occurred, and how fast can you provide this information? A company that can’t answer these questions affirmatively should consider a new method.

With the adoption of identity management (IdM) and user provisioning solutions, the role of identity is clearly becoming central to managing users’ interactions.  Two types of automated controls—identity auditing and identity control—dramatically drive down manual IT audit activity while reducing critical areas that can be compromised.  In such an environment identity extends beyond users to include assets, applications, transactions and data.  Injecting identity at the network layer provides IT organizations with the knowledge of who is accessing what assets from where, both within and across enterprise boundaries.  It uses this visibility to protect critical assets and ensure compliance, as well as the reporting to prove it, resulting in the simultaneous reduction of cost and risk.  Such pervasive identity becomes the foundation for identity auditing and control by providing full visibility into the business transactions and establishing unequivocal proof of authorized actions and the response and control of unauthorized, illegal behavior.
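The four audit questions above (who are the users and what is their access, is there an audit trail, is there verifiable evidence, how fast was an infraction acted on) and the identity auditing described in this paragraph can be reduced to a reconciliation of access events against an entitlement list. The following is an added example, not code from the original post or from any product it alludes to. The entitlement table, access log lines and response log are all constructed for the example; the asset names, hosts and identities are hypothetical, and in a real deployment the entitlements would come from the IdM or provisioning system and the events from network or application logs.

```python
"""Constructed identity-audit example (not from the page): reconcile access
events against an entitlement list, keep per-identity audit trails, flag
infractions and measure how fast each one was acted on."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed entitlement list: which identity is authorized for which asset.
# Identity covers users and service accounts alike (hypothetical names).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"gl-ledger", "payroll-db"},
    "bob": {"gl-ledger"},
    "svc-backup": {"payroll-db", "hr-files"},
}

# Constructed access log: timestamp identity source-host asset action
ACCESS_LOG = """\
2005-06-14T08:01:12 alice 10.0.4.21 gl-ledger read
2005-06-14T08:05:40 bob 10.0.4.33 gl-ledger write
2005-06-14T08:07:03 bob 10.0.4.33 payroll-db read
2005-06-14T08:09:55 carol 10.0.9.8 hr-files read
2005-06-14T09:30:00 svc-backup 10.0.1.2 hr-files read
"""

# Constructed response log: timestamp identity asset action-taken
RESPONSE_LOG = """\
2005-06-14T08:20:00 bob payroll-db access-revoked
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    identity: str
    source: str
    asset: str
    action: str


def parse_access_log(text: str) -> List[AccessEvent]:
    """Turn the space-separated log lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, source, asset, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), identity, source, asset, action))
    return events


def parse_response_log(text: str) -> Dict[Tuple[str, str], datetime]:
    """Map (identity, asset) to the time a control action was recorded."""
    responses = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, asset, _action = line.split()
        responses[(identity, asset)] = datetime.fromisoformat(ts)
    return responses


def find_infractions(events: List[AccessEvent], entitlements: Dict[str, Set[str]]) -> List[AccessEvent]:
    """An event is an infraction when the identity is unknown to the
    entitlement list or is not entitled to the asset it touched."""
    return [e for e in events if e.asset not in entitlements.get(e.identity, set())]


def audit_trail(events: List[AccessEvent], identity: str) -> List[Tuple[datetime, str, str, str]]:
    """Chronological evidence of what one identity did, to what, from where."""
    return sorted((e.ts, e.asset, e.action, e.source) for e in events if e.identity == identity)


def time_to_response(infractions: List[AccessEvent], responses: Dict[Tuple[str, str], datetime]):
    """Seconds from the first infraction on (identity, asset) to the recorded
    control action, or None when no action was recorded."""
    first_seen: Dict[Tuple[str, str], datetime] = {}
    for e in infractions:
        key = (e.identity, e.asset)
        first_seen[key] = min(first_seen.get(key, e.ts), e.ts)
    return {key: (responses[key] - ts).total_seconds() if key in responses else None
            for key, ts in first_seen.items()}


def identity_inventory(entitlements: Dict[str, Set[str]]) -> List[Tuple[str, List[str]]]:
    """Answer to 'who are all your users and what is their access?'"""
    return [(identity, sorted(assets)) for identity, assets in sorted(entitlements.items())]


def run_audit() -> dict:
    """Produce the evidence set an auditor would ask for, from the inputs above."""
    events = parse_access_log(ACCESS_LOG)
    infractions = find_infractions(events, ENTITLEMENTS)
    responses = parse_response_log(RESPONSE_LOG)
    return {
        "inventory": identity_inventory(ENTITLEMENTS),
        "infractions": [(e.identity, e.asset) for e in infractions],
        "time_to_response": time_to_response(infractions, responses),
        "trail_bob": audit_trail(events, "bob"),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

Two of the constructed events are infractions: bob reading payroll-db without an entitlement, and carol, who is absent from the entitlement list entirely, reading hr-files. The response log shows bob's access being revoked about thirteen minutes later, while nothing was recorded for carol, so the report shows a time to response for one and None for the other. That gap is exactly the kind of finding an internal-controls review wants surfaced continuously rather than reconstructed by hand at quarter end.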

Automation ultimately requires the ability to inject identity and track its activity and transactions across an enterprise and beyond, and to integrate this ability with existing IT infrastructure.  It helps not only to enable successful compliance, but also to control the ongoing costs of maintaining compliance.  And, as we continue to witness merger and acquisition activity in the IdM space, new and innovative identity-focused companies and technologies are emerging whose products are rapidly maturing through deployment experience.

Posted on 06/14