There are Red Sox and White Sox and, of course, Fox in Socks, but in 2002, a new SOX entered our lexicon: The Sarbanes-Oxley Act of 2002. This financial regulation was a response to large corporate misdeeds at the time, most notably Enron misleading its board through poor accounting practices and financial oversight.
The regulation seeks to ensure accurate and reliable financial reporting for public companies in the United States. But what does financial reporting have to do with IT?
A lot, it turns out, since it’s no longer en vogue to have scribes with long feather quills scribbling out numbers in giant paper books. Unfortunately for the quill, ink and abacus peddlers of the world (and fortunately for the auditors), financial systems are now the domain of servers and databases running large ERP applications.
The section of SOX that most affects IT is section 404. It requires “Management Assessment of Internal Controls,” which is a tiny portion of the bill but a huge part of any audit. The reason is that an auditor wants assurance that the internal controls around the financial systems and processes are actually effective.
In practical IT terms, this means they want to know that data flowing through the system can’t be tampered with and controls are in place to manage risk to that data.
Some primary control areas are:
- Change Management
- Access Management – physical and logical
- Disaster Recovery (backups, business continuity)
- Automated Processes (scheduled jobs)
While auditors will be concerned with policy and process, they will also want to see evidence of those policies and processes at work. A great example is change management; change should be authorized, implemented by an appropriate person, tested and deployed into production.
Each part of the process is to ensure that change does not introduce undue risk into the financial system, and any problems are easily rectified or rolled back. An auditor will look for evidence that this process is occurring, which can mean IT staff needs to produce service desk tickets, approvals, and change reports.
And by the way, the auditors will be grabbing a sample set from ALL changes, not just one, so be prepared to produce a lot of documentation. This is only one area of the IT controls, so these audits can mean a lot of work for IT staff that isn’t part of core IT operations but is very important to the business as a whole.
Easing the Audit Burden
Like painting the Golden Gate Bridge, SOX audits never end. Controls must operate continuously throughout the year, and an auditor needs to see that change or access management in January is also operating in all the other months, so be prepared to pull evidence on a regular basis.
While the audits produce a yearly report, it is not uncommon to have audit-related activities throughout the year. This can put a lot of stress on an already-stressed IT staff. One key to reducing that load is automation – any control that can both be automated and generate auditor-friendly reports is a big win for IT and the auditor.
For a system like Active Directory, database servers or applications with a common database backend, it’s relatively easy to check for change and report on those changes using a tool like Tripwire Enterprise. As an added security benefit, add alerting for critical systems whenever a user is added or privileges are elevated.
When an auditor requests a sample of the active and terminated users, a monitoring tool can corroborate access controls, and if your organization happens to use an ITSM tool like ServiceNow or Jira, it’s possible to demonstrate end-to-end change management from request all the way to completion. No more digging through email or ticketing systems!
The same is true of application changes. Auditors want to ensure that changes to applications and processes followed proper change control, and once again file integrity monitoring (FIM) is your friend. By being able to report change all the way through the system with simple reports, it’s easy for an auditor to get comfortable with an organization’s change controls. Those same controls provide security and operational assurance aside from an audit, as it’s important to know what changed, when, and whether the change was authorized.
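The evidence chain described above (detect what changed, flag privilege grants, and tie each change back to an approved request) is the core of what a FIM tool produces. The following is an added illustration, not Tripwire Enterprise code or output: it hashes a baseline and a current snapshot, lists added/modified/removed files, reports members gained or lost in a privileged group, and splits detected changes into authorized and unauthorized based on a constructed change-ticket list. The file contents, ticket numbers, group members and host name are all made up for the example.

```python
"""Minimal change-evidence report in the style of a FIM tool.

Constructed example: the "filesystem" snapshots, the privileged-group
member lists and the approved-ticket map are in-memory dicts so the
script runs offline. A real deployment would read these from disk,
a directory service and an ITSM tool respectively.
"""
import hashlib
from datetime import datetime, timezone


def hash_snapshot(files):
    """Return {path: sha256 hex} for a {path: bytes} snapshot of file contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_snapshots(baseline, current):
    """Compare two {path: hash} maps and return sorted added/modified/removed lists."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def privileged_group_changes(old_members, new_members):
    """Accounts granted or revoked in a privileged group (e.g. a domain admins group)."""
    old, new = set(old_members), set(new_members)
    return {"granted": sorted(new - old), "revoked": sorted(old - new)}


def reconcile_with_tickets(changes, approved_paths):
    """Split detected file changes into those covered by an approved ticket and those not.

    approved_paths maps a path to the ticket id that authorized changing it.
    """
    authorized, unauthorized = [], []
    for kind in ("added", "modified", "removed"):
        for path in changes[kind]:
            if path in approved_paths:
                authorized.append((kind, path, approved_paths[path]))
            else:
                unauthorized.append((kind, path))
    return {"authorized": authorized, "unauthorized": unauthorized}


def format_report(host, reconciled, group_changes, when=None):
    """Plain-text evidence an auditor (or an on-call analyst) can read directly."""
    when = when or datetime.now(timezone.utc)
    lines = [f"Change evidence for {host} at {when.isoformat()}"]
    for kind, path, ticket in reconciled["authorized"]:
        lines.append(f"  AUTHORIZED   {kind:<8} {path}  ({ticket})")
    for kind, path in reconciled["unauthorized"]:
        lines.append(f"  UNAUTHORIZED {kind:<8} {path}  <- needs investigation")
    for user in group_changes["granted"]:
        lines.append(f"  PRIVILEGE    granted  {user}  <- alert")
    for user in group_changes["revoked"]:
        lines.append(f"  PRIVILEGE    revoked  {user}")
    return "\n".join(lines)


# --- constructed sample data (not real files, tickets or accounts) ---
BASELINE_FILES = {
    "/opt/erp/app.jar": b"release 4.2 bytes",
    "/opt/erp/conf/db.properties": b"db.host=finance-db\n",
    "/opt/erp/jobs/nightly_close.sh": b"#!/bin/sh\nrun_close\n",
}
CURRENT_FILES = {
    "/opt/erp/app.jar": b"release 4.3 bytes",            # modified, has a ticket
    "/opt/erp/conf/db.properties": b"db.host=finance-db\n",
    "/opt/erp/jobs/nightly_close.sh": b"#!/bin/sh\nrun_close\n",
    "/opt/erp/plugins/extra.jar": b"unexpected plugin",   # added, no ticket
}
APPROVED_PATHS = {"/opt/erp/app.jar": "CHG-1001"}       # constructed ticket id
OLD_ADMINS = ["alice", "bob"]
NEW_ADMINS = ["alice", "bob", "carol"]                  # carol gained admin rights


def run_example():
    """Build the report from the constructed data; returns the pieces for inspection."""
    changes = diff_snapshots(hash_snapshot(BASELINE_FILES), hash_snapshot(CURRENT_FILES))
    reconciled = reconcile_with_tickets(changes, APPROVED_PATHS)
    groups = privileged_group_changes(OLD_ADMINS, NEW_ADMINS)
    report = format_report("erp-app-01", reconciled, groups)
    return changes, reconciled, groups, report


if __name__ == "__main__":
    print(run_example()[3])
```

The point of the `reconcile_with_tickets` step is the one the auditor cares about most: a change that has no approved request behind it is either a process failure or a security event, and either way it should surface in the same report rather than being found later by digging through email.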
While it’s one thing to have all the controls and tools in place, it’s another to have a security analyst manage them. Running and reviewing reports takes time away from other duties, even when the reports are ready to go, and there are many other things to do on any given day. Even if automation sounds like a great idea, an admin may simply not be available to run the tools.
In that case, a managed service may be worth looking into. It reduces the total cost of ownership (TCO) and frees up time for security professionals to focus on other projects. Tripwire ExpertOps has the compliance experience to help organizations through audits, including SOX.
It may seem like one more thing to have to do, but compliance actually provides security and operational benefits if approached with the right attitude. Applying the CIS top 20 Critical Security Controls will get you a long way toward compliance, as well as toward preventing the vast majority of cyber-attacks. Good, mature change management processes ensure quality updates with less downtime, and being able to prove your work is a great test that controls are operational.
SOX compliance itself helps ensure the public has access to reliable financial information and is itself a preventative control against fraud. Having a clean SOX report is a great way to know that the controls your organization has put in place have been validated by a trusted third party and any areas of weakness or gaps can now be remediated. Rather than an onerous obligation, consider your audits health checks on your environment and use them for operational and security improvements.