There are Red Sox, White Sox, and Fox in Socks. At the turn of the century, a new SOX entered our lexicon: The Sarbanes-Oxley Act of 2002. This financial regulation was a response to large corporate misdeeds at the time, most notably Enron misleading its board through poor accounting practices and insufficient financial oversight.
The regulation seeks to ensure accurate and reliable financial reporting for public companies in the United States. But what does financial reporting have to do with cybersecurity and IT compliance?
What does Sarbanes-Oxley have to do with cybersecurity and compliance?
A lot, as it turns out, now that it’s no longer en vogue to have scribes with long feather quills scribbling out numbers in giant paper books. Financial systems are now ruled by servers, databases, complex ERP applications, and the people who run them, much to the detriment of the quill, ink and abacus peddlers of the world (and much to the benefit of the IT auditors…).
While the bill is far reaching, the section of Sarbanes-Oxley that most affects IT is section 404. It requires “Management Assessment of Internal Controls,” which is a tiny portion of the legislation and a huge part of any audit. Auditors need to know that the controls are actually in place and assure the effectiveness of the controls with regard to the financial systems and processes.
In practical IT terms, this means they want to know that data flowing through the system can’t be tampered with and controls are in place to manage risk to that data.
Some primary control areas are:
- Change Management
- Physical and Logical Access Management
- Disaster Recovery (backups, business continuity planning)
- Automated Processes (scheduled jobs)
Auditors will be concerned with policy and process and they will want to see evidence that they are working effectively. A great example is change management. Companies will need to show that change is authorized, implemented by an appropriate person, and tested before it is deployed into production.
Each part of the process reduces the risk of change introducing harm to the financial system, and any problems are easily rectified or rolled back. An auditor will look for evidence that this process is occurring, which can mean IT staff needs to produce things like service desk tickets, approvals, and change reports.
The review process is thorough so auditors will be pulling a sample set from ALL changes in the system. Be prepared to produce a lot of documentation. Change management is only one area of the SOX IT controls – each control and category requires a review of the evidence so audits can mean a lot of work for IT staff.
Easing the Audit Burden
Like painting the Golden Gate Bridge, SOX audits never end. Controls must operate continuously throughout the year, and an auditor needs to see that change or access management in January is also operating well in all the other months. Be prepared to pull evidence on a regular basis or produce something for a given day or month.
While the audits produce a yearly report, it is not uncommon to have audit-related activities throughout the period. This can put a lot of stress on an already-burdened IT staff. One key to reducing that load is automation – any control that can both be automated and generate easily consumed reports is a big win for IT and auditor alike.
For systems like Active Directory, database servers, or applications with a common database backend, it’s relatively easy to check for and report on change using a tool like Tripwire Enterprise. As an added security benefit, alerts for critical systems can be sent whenever a user is added or privileges elevated.
When an auditor requests a sample of active and terminated users, a monitoring tool can corroborate access controls, and if your organization happens to use an ITSM tool like ServiceNow or Jira, it’s possible to demonstrate end-to-end change management from request through to completion. No more digging through email or ticketing systems!
The same is true of application changes. Auditors want to ensure that changes to applications and processes followed proper change control and, once again, file integrity monitoring (FIM) is your friend. By being able to report change all the way through the system with simple reports, it’s easy for an auditor to get comfortable with an organization’s change controls. Those same controls provide security and operational assurance beyond an audit, as it’s important to know what changed, when, and whether the change was authorized.
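As an added example (not Tripwire's code and not any product's actual report format), the snippet below reconciles file-integrity change events against ITSM change tickets to produce the evidence an auditor asks for: that each change was authorized, implemented by the named person, and tested before deployment. All hosts, paths, users and ticket ids are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records; real data would come from the FIM tool and the ITSM export.
@dataclass
class FimEvent:
    host: str
    path: str
    when: datetime
    user: str

@dataclass
class ChangeTicket:
    ticket_id: str
    host: str
    requested_by: str
    approved_by: str
    implementer: str
    window_start: datetime
    window_end: datetime
    tested: bool

FIM_EVENTS = [
    FimEvent("erp-app01", "/opt/erp/conf/ledger.xml", datetime(2024, 3, 4, 22, 15), "deploy"),
    FimEvent("erp-app01", "/opt/erp/bin/post_journal", datetime(2024, 3, 6, 9, 2), "jsmith"),
    FimEvent("erp-db01", "/etc/postgresql/pg_hba.conf", datetime(2024, 3, 8, 13, 40), "root"),
]

TICKETS = [
    ChangeTicket("CHG0001", "erp-app01", "acct-ops", "cab-lead", "deploy",
                 datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 4, 23, 0), tested=True),
    ChangeTicket("CHG0002", "erp-db01", "dba", "dba", "root",
                 datetime(2024, 3, 8, 13, 0), datetime(2024, 3, 8, 14, 0), tested=False),
]

def reconcile(events, tickets):
    """Map each detected change to the ticket whose approved window covers it,
    and record the control exceptions an auditor would flag."""
    report = []
    for ev in events:
        match = next((t for t in tickets if t.host == ev.host
                      and t.window_start <= ev.when <= t.window_end), None)
        exceptions = []
        if match is None:
            exceptions.append("no change ticket covers this change")
        else:
            if match.implementer != ev.user:
                exceptions.append(f"implemented by {ev.user}, ticket names {match.implementer}")
            if match.approved_by == match.requested_by:
                exceptions.append("requester approved own change (segregation of duties)")
            if not match.tested:
                exceptions.append("no test evidence recorded before deployment")
        report.append((ev.host, ev.path, match.ticket_id if match else None, exceptions))
    return report
```

Rows with an empty exception list are the clean evidence; the others are the items to chase down before the auditor pulls their sample.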
While it’s one thing to have all the controls and tools in place, it’s another to have a security analyst manage them. Even when reports are at the ready, producing them takes time away from other duties, and there are many other things to do on any given day. Even if automation sounds like a great idea, an admin may simply not be available to run, administer, and tune the tools.
In that case, a managed service may be worth looking into. It reduces the total cost of ownership (TCO) and frees up time for security professionals to focus on other projects. Tripwire ExpertOps has the compliance experience to help organizations through audits, including Sarbanes-Oxley.
It may seem like one more thing to do, but compliance actually provides security and operational benefits if approached with the right attitude. Applying the CIS top 20 Critical Security Controls will get you a long way toward compliance, as well as preventing a vast majority of cyber-attacks. Good, mature change management processes ensure quality updates with less downtime, and being able to prove your work is a great test of the controls in place.
Sarbanes-Oxley compliance itself helps ensure the public has access to reliable financial information and is a preventative control against fraud. Having a clean SOX report is a great way to know that the controls your organization has in place are validated by a trusted third party and areas of weakness or gaps can now be remediated. Rather than an onerous obligation, consider your audits health checks on your environment and use them for operational and security improvements.
For more information about how Tripwire can ease the audit burden for Sarbanes-Oxley compliance, see: https://www.tripwire.com/solutions/compliance-solutions/sox-it-compliance/