Identity Management as a Regulatory Compliance Enabler
It's the cornerstone of most major regs

Sumner Blount writes: Over the past several years, a number of factors have conspired to make information security a critical business issue that is core to the operation of most companies. These factors include the recent corporate financial scandals, the rise of terrorism, and the increased concern over the privacy of user information. With security and privacy becoming more important every day, a failure to maintain security over sensitive information could result in irreparable damage to a company's reputation.

These trends have resulted in new governmental regulations relating to financial reporting, security, and privacy. The importance of regulatory compliance has now become a critical boardroom issue. Companies that don't comply with these regulations risk legal action, as well as stiff fines and restrictions. As a result, regulatory compliance has become one of the top business drivers and the concern of security officers at most large enterprises.

Most new regulations don't prescribe specific technologies that have to be used to achieve compliance. In fact, many regulations can be met only with improved procedures and processes, some of which might not even involve new technology. Still, many corporations are finding that the old "paper and pencil" approach to regulatory compliance might get them through initial compliance relatively unscathed, but it's not a viable long-term solution. They are finding that full compliance is immeasurably easier if a common way of managing all their users and their access to confidential resources is implemented.

Classification of Major Regulations
Governmental regulations cover a wide range of target areas. However, the regulations that impact the IT infrastructure generally fall into one of three major categories:

  • Governance - These regulations deal with issues related to the transparency and accuracy of financial records, the retention of records in the corporation, and requirements of disaster recovery and business continuity. In some cases (notably Sarbanes-Oxley), this type of regulation was heavily driven by corporate scandals and financial fraud. In short, they are intended to ensure that proper controls exist to guarantee that corporate reporting is accurate, timely, and complete.
  • Privacy - These regulations are often specific to a single vertical market and dictate how a customer's personal information must be handled. There are regulations that specify what type of personal information may be kept, how it's handled (including who, if anyone, it may be given to), and what actions are required in the event of a breach of established privacy restrictions.
  • Security - The role of security regulations is to protect a corporation's critical infrastructure, as well as to protect against certain external threats. Although security is a key element of many regulations, there are very few that focus exclusively on security issues, and they tend not to be formal regulations, but simply frameworks and policies that represent "best practices." In general, these regulations specify how users will be identified, how their access to sensitive resources must be controlled, and how that access can be tracked and audited.
Some regulations focus on only one of these areas. Others include requirements that span two areas, and some cover all three.

Figure 1 lists the major governmental regulations that most companies are required to comply with.

Table 1 summarizes the intent and purpose of each of these major regulations.

Common Requirements for Regulatory Compliance
Each of these regulations is targeted at a different problem, often for a different category of company. Still, almost all of them place a number of common requirements on IT. This commonality is important because it allows a single compliance effort to be leveraged across the whole range of regulations an individual company must comply with.

More specifically, the types of issues addressed by these regulations include:

  1. User Authentication - How are users identified to a system? How secure is the method used? Are there adequate procedures for creating, managing, and changing user passwords? Are there password policies that ensure passwords are strong and changed regularly?
  2. User Authorization - How strong and flexible is your method for ensuring that only properly authorized users have access to protected data and applications? Are these controls reviewed regularly to identify role conflicts that would lead to unauthorized access? Are there clearly defined rules for the treatment and processing of private information (health, financial, etc)? Are there controls so that the owners can grant or withhold permission for various people to view their information? Are users removed from the system automatically when the need arises (such as after an inactive period or inappropriate user behavior)?
  3. User Administration - Do you have clear processes and controls in place to create access rights for each user? Are the necessary approvals part of the defined process? Is there an automated workflow mechanism in place to ensure that this approval process is done consistently and formally? Are there controls to ensure that individuals can't expand their access rights inappropriately? When someone leaves the company, are their access rights terminated immediately? Are there regular reviews of all user accounts to ensure that they're correct and appropriate?
  4. Auditing and Reporting - Are there comprehensive capabilities to provide real-time auditing of all important security events as well as user access? Will segregation of duties be enforced consistently so that one person doesn't have (for example) the ability to both initiate and approve a request? Will inappropriate or suspicious access be identified and corrected quickly? Are there controls to recognize attempted breaches? Are breaches identified and resolved quickly? Are there regular procedures to review all system activity to ensure that problems are identified quickly?
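The administration and audit questions above (segregation of duties, role conflicts, inactive accounts, and terminated users who still have access) are the kind of checks a periodic access review automates. The following is an added illustration, not code from the article or from any vendor product; the account records, role names, and the 90-day inactivity limit are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample: one record per account, as an access review would pull
# them from the identity store and the HR system. "employed" is the HR status.
ACCOUNTS = [
    {"user": "alice", "roles": {"ap_initiate"}, "last_login": date(2024, 5, 20), "employed": True},
    {"user": "bob",   "roles": {"ap_initiate", "ap_approve"}, "last_login": date(2024, 5, 21), "employed": True},
    {"user": "carol", "roles": {"ap_approve"}, "last_login": date(2023, 11, 1), "employed": True},
    {"user": "dave",  "roles": {"ap_approve"}, "last_login": date(2024, 5, 1), "employed": False},
]

# Role pairs one person must never hold together (assumed policy):
# initiating a payment request and approving it are separate duties.
SOD_CONFLICTS = [("ap_initiate", "ap_approve")]
INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy value
REVIEW_DATE = date(2024, 6, 1)          # date the review is run


def sod_violations(accounts, conflicts=SOD_CONFLICTS):
    """Users whose role set contains both halves of a conflicting pair."""
    return sorted(a["user"] for a in accounts
                  if any({x, y} <= a["roles"] for x, y in conflicts))


def stale_accounts(accounts, today, limit=INACTIVITY_LIMIT):
    """Users who have not logged in within the inactivity limit."""
    return sorted(a["user"] for a in accounts if today - a["last_login"] > limit)


def orphaned_accounts(accounts):
    """Accounts still enabled for people HR no longer lists as employed."""
    return sorted(a["user"] for a in accounts if not a["employed"])


def access_review(accounts, today=REVIEW_DATE):
    """Run all three checks and return the findings as an auditable report."""
    return {
        "sod": sod_violations(accounts),
        "stale": stale_accounts(accounts, today),
        "orphaned": orphaned_accounts(accounts),
    }


if __name__ == "__main__":
    for finding, users in access_review(ACCOUNTS).items():
        print(f"{finding}: {users}")
```

Each finding maps directly to one of the questions above: an SoD hit is a role conflict to be resolved, a stale account is a candidate for automatic disabling, and an orphaned account is a termination that was not propagated to the identity store.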
How Identity Management Can Aid Regulatory Compliance
The secure management of users and their access to sensitive resources is a cornerstone of almost all the major regulations that companies need to be concerned with. An integrated approach to identity and access management (IAM) across an enterprise can therefore be an important element of any regulatory compliance strategy. In fact, a centralized and automated way of dealing with user identities and their access rights is virtually a requirement for any sustainable and cost-efficient compliance effort.
About Sumner Blount
Sumner Blount is the director of security solutions marketing for Computer Associates. He has been associated with the development and marketing of software products for over 25 years. He has managed the large computer operating system development group at Digital Equipment and Prime Computer, and was Director of Software for Pathway Designs. He later was instrumental in the original conception and development of the DCE technology from the Open Software Foundation, and served as the DCE Program Manager within Digital.
