A Sarbanes-Oxley Act (SOX) IT Compliance Primer

Image

At the turn of the most recent century, the financial world was in a moment of unregulated growth, which lead to some serious corporate misdeeds in the United States. This presented the opportunity for two senators to enact a new law to ensure accurate and reliable financial reporting for public companies in the US. The result was the Sarbanes-Oxley Act (SOX) of 2002. But what does financial reporting have to do with cybersecurity and IT compliance? A lot, as it turns out, now that financial systems are ruled by servers, databases, complex ERP applications, and the people who run them. While the bill is far-reaching, the section of Sarbanes-Oxley that most affects IT is section 404. It requires “Management Assessment of Internal Controls,” which is a tiny portion of the legislation and a huge part of any audit.

What the Auditors Are Seeking

Auditors need to know that IT controls regarding financial systems and processes are in place and assure the effectiveness of those controls. In practical IT terms, this means they want to know that controls are in place to manage risk to that data, and to ensure accountability for the controls to protect the data as comprehensively as possible. Some primary control areas are:

• Change Management
• Physical and Logical Access Management
• Disaster Recovery (backups, business continuity planning)
• Automated Processes (scheduled jobs)

Auditors are concerned with policy and process, and they will want to see evidence that they are working effectively. A great example is change management. Companies need to show that a change is authorized, implemented by an appropriate person, and tested before it is deployed into production. Each part of the process reduces the risk of change introducing harm or fraud within the financial system, and any problems are easily rectified or rolled back. An auditor looks for evidence that this process is occurring, which means IT staff need to produce things like service desk tickets, approvals, and change reports. The review process is thorough, so auditors will request sample sets from all changes in the system. Be prepared to produce a lot of documentation. Change management is only one area of the SOX IT controls – each control requires a review of the evidence, so audits can mean a lot of work for IT staff.

Easing the Audit Burden

SOX is an ever-present entity. Controls must operate continuously throughout the year, and an auditor needs to see that change or access management in January is also operating well in all the other months. Be prepared to pull evidence on a regular basis or produce something for a given day or month. While the audits produce a yearly report, it is not uncommon to have audit-related activities throughout the entire twelve-month period. This can put a lot of stress on an already-burdened IT staff. One key to reducing that load is automation – any control that can be both automated and generate easily-consumed reports is a big win for IT and auditors alike. For systems like Active Directory, database servers, or applications with a common database backend, it’s relatively easy to check for and report on change using a tool like Tripwire Enterprise. As an added security benefit, alerts for critical systems can be sent whenever a monitored change occurs, such as a user being added or privileges elevated. When an auditor requests a sample of active and terminated users, a monitoring tool can corroborate access controls, and if your organization happens to use an ITSM tool like ServiceNow or Jira, it’s possible to demonstrate end-to-end change management from request through to completion. No more digging through email or ticketing systems. The same is true of application changes.

Auditors want to ensure that changes to applications and processes follow proper change control, and for that, File Integrity Monitoring (FIM) is your friend. By being able to report change all the way through the system with simple reports, it’s easy for an auditor to get comfortable with an organization’s change controls. Those same controls provide security and operational assurance beyond an audit, as it’s important to know what changed, when, and whether the change was authorized.

While it’s one thing to have all the controls and tools in place, it’s another to have a security analyst manage them. Reports take time away from other duties, and there are many other things to do on any given day. Often, an administrator isn’t available to run, administer, and tune tools, even if automation sounds like a great idea. In that case, a managed service may be worth looking into. It reduces the Total Cost of Ownership (TCO) and frees up time for security professionals to focus on other projects. Tripwire ExpertOps has the compliance experience to help organizations through audits, including Sarbanes-Oxley.

Clean SOX

It may seem like one more thing to do, but compliance actually provides security and operational benefits if approached with the right attitude. Applying the CIS Critical Security Controls will get you a long way toward compliance, as well as preventing a vast majority of cyber-attacks. Good, mature change management processes ensure quality updates with less downtime, and being able to prove your work is a great test of the controls in place. Sarbanes-Oxley compliance itself helps ensure the public has access to reliable financial information and is a preventative control against fraud.

Having a clean SOX report is a great way to know that the controls your organization has in place are validated by a trusted third party and areas of weakness or gaps can be remediated. Rather than an onerous obligation, treat your audits as health checks on your environment and use them for operational and security improvements.

For more information about how Tripwire can ease the audit burden for Sarbanes-Oxley compliance, come over to our SOX IT Compliance page.

You can also learn more about the main regulations financial services organizations need to comply with and tips to go beyond simple compliance for powerful cybersecurity with our latest guide: https://www.tripwire.com/resources/guides/financial-services-cybersecurity-regulations