Resolving Common IT Sarbanes-Oxley (SOX) Issues with Altiris Products 

Sep 29, 2006 07:35 PM

Complying with the new Sarbanes-Oxley regulations can be time consuming and expensive without the right tools. Altiris engineer Darin Bunker spells out how Altiris technologies can ease the SOX squeeze.

Altiris and Sarbanes-Oxley

For many public companies, the effort and cost of maintaining compliance with industry and government mandates are substantial. Keeping on top of the latest requirements is a full-time job for management and compliance officers. A combination of well-defined processes and supporting technology is a must to stay compliant. Altiris provides a wide range of IT software solutions to meet this challenge.

Altiris solutions address the most common and critical IT SOX compliance issues and deficiencies. After the first years of modifying business processes and internal controls to meet the demands of Sarbanes-Oxley (SOX), a few key IT areas have emerged as the focus of management's time and attention. At the heart of IT SOX compliance issues are the methods used to grant and maintain users' access to company systems and data. The Altiris solutions described here provide controlled administration of user access, stable change management, security for company IT assets and ongoing maintenance of compliance.

Implementing Altiris software will help companies strengthen existing control processes and give management the tools they need to ensure that IT SOX compliance issues are resolved and managed on an ongoing basis.

IT SOX Overview

When the United States government passed the Sarbanes-Oxley Act (SOX) in 2002, it required publicly traded companies to ensure that their internal controls over business processing and reporting were in place and provided sufficient information for management. This requirement drastically increased the resources and expense needed to achieve compliance. It also created a challenging situation for IT departments and staff, since Information Technology (IT) is at the forefront of providing access to, and administering, the systems used for financial processing and reporting.

To provide guidance to public companies, a governing board, the Public Company Accounting Oversight Board (PCAOB), was created. Among other guidance, the PCAOB helped define appropriate controls for IT infrastructure, processes, and administration. It is important to note, however, that effective business process controls are more important, and relied on more heavily, than the IT controls discussed in this document. That said, strong IT controls help strengthen the business process controls and thereby give management greater assurance concerning the overall control environment. Conversely, a weak business control supported by a weak IT control could elevate the overall deficiency to a more serious matter.

During the first years of implementing stronger internal IT controls to comply with SOX requirements, there was a broad focus on strengthening all aspects of the IT control framework within the control environment. However, this approach was very resource intensive, and weighing the benefit of each stronger control against the risk that the control would fail led both internal and external auditors to agree that more emphasis should be placed on the controls that directly affect access to critical financial IT systems and data. This focus allows both internal and external parties to direct limited resources toward the controls rated as higher risk.

Altiris has designed and developed many systems that help public and non-public companies alike address the common IT internal control issues highlighted by the Sarbanes-Oxley Act. Implementing Altiris software solutions reduces the cost of SOX compliance, since manual internal controls are automated, saving time and resources. The following Altiris products give management, as well as IT departments, the tools they need to resolve many IT SOX related control deficiencies:

  • Altiris Helpdesk Solution
  • Altiris Local Security Solution
  • Altiris Security Expressions
  • Altiris Monitoring Solution
  • Altiris Application Control Solution
  • Altiris Endpoint Security Solution
  • Altiris Quarantine Solution

Common IT SOX Issues

The purpose of this document is to discuss those areas of the IT control framework that have received more emphasis since the first years of establishing SOX compliance. Using a more focused, risk-based approach, both internal and external auditors have identified a subset of the control framework directed at the internal controls that directly affect the access granted to users and administrators of the financial system. The following list, addressed in this document, is a sample of the most common critical controls identified in that subset:
  • Provisioning (Granting) and De-provisioning (Removing) of Access Accounts - Segregation of Duties
  • Monitoring of Change Control Requests
  • Restriction of Financial Office Documents (Spreadsheets and Critical Reports)
  • Inappropriate Access to Company IT Assets
  • Ongoing Monitoring (Periodic Reviews) of Users' System and Application Access

Each of the following sections describes the issue in one of the control areas defined above and details how it can be resolved by implementing Altiris products, which give the control the logging and audit trails that document its evidence.

Provisioning and De-provisioning of Access Accounts

The main focus of granting and removing user access accounts is to ensure that only appropriate users and processes have access to the systems where they need it. This IT control generally becomes an issue over time, since granting and removing rights is an ongoing process. Because the same steps are repeated for every user, it is important that each time the process is initiated, approved and finalized, every step is completed consistently. When control deficiencies appear in this area, it is usually because a manual process has been used over a period of time and various tasks, for whatever reason, were skipped or ignored. This makes it difficult for management to obtain assurance that appropriate user access has been maintained in the environment.

Additionally, maintaining Segregation of Duties is a key control procedure to ensure that only appropriate users hold the rights and responsibilities that do not compromise internal controls. Users are often mistakenly granted access to critical system and/or application functionality in violation of Segregation of Duties rules.

To solve these issues, a formal process is required to ensure compliance each time the control is initiated. Altiris Helpdesk Solution provides functionality to create standard workflows that automate the process of both granting and removing user access, ensuring that all steps and tasks are documented, approved and completed according to management's intentions. These workflows create tasks to be completed by individual departments and/or administrators and provide clear documentation of steps and approvals, strengthening the control and giving assurance that specific tasks will not be skipped or ignored. Business Rule Alerts can also be configured to notify administrators if granting additional system and/or application access would violate Segregation of Duties.

Monitoring of Change Control Requests and Systems

A main concern for both management and auditors is the modification of the critical financial systems components (installed files) and data. Management needs to be provided with assurance that those systems related to financial processing are not compromised by malicious code or configuration changes. Therefore, it is necessary to provide controls to ensure that any change to critical applications or systems is restricted to only those changes appropriately approved.

Since many systems were implemented before Sarbanes-Oxley, the capability to demonstrate that a system has not changed during a given time period has been either limited or non-existent. This makes it challenging for company management to ensure that unauthorized access or changes to their financial system configurations and data have not occurred during a financial period.

To tackle the issue of confirming Change Control activities, Altiris provides Security Expressions Solution. This solution allows detailed logging and auditing of targeted systems, giving administrators and/or auditors the ability to obtain a record of all changes made to specific system and/or application files during a specified period of time.

For further assistance in confirming that all changes made to critical systems are documented and approved, Altiris Monitoring Solution provides functionality to notify appropriate personnel when changes occur to the monitored environment. This gives administrators real-time data to help react and protect the integrity of IT assets.

Restriction of Financial Spreadsheets/Critical Reports

Undoubtedly one of the most interesting internal control issues in restricting access to, and manipulation of, financial data relates to the spreadsheets used by accounting and/or finance departments. Spreadsheets are a critical tool for these departments in processing their business requirements, including daily transactions and monthly and period-end financial closing. Historically, accounting/finance departments distributed their tasks among employees, who created their own spreadsheet files containing sensitive financial data and/or calculations and stored them either locally on their machines or on a central file server. Often, during the initial analysis to determine the IT control changes needed to comply with SOX requirements, a review of the financial system data would discover that these files were not protected or restricted appropriately. There is also an increased risk of unrestricted access to sensitive financial data if these spreadsheets are on a laptop that goes missing or is stolen.

Altiris, in conjunction with one of its partners, has created a solution for securing spreadsheets. Altiris Application Control Solution allows administrators to configure a policy for specific groups of users (i.e. accounting and/or finance departments) that encrypts every file produced by an application on a machine of a specific type, such as ".xls", or of a specific MIME type, "Excel Spreadsheet". This technology uses the built-in Windows EFS (Encrypting File System), which ensures that only users authorized under EFS for those files can open them. If the spreadsheet files are on a missing or stolen laptop, they cannot be extracted by unauthorized parties.
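The EFS step described above, written out as an added example (this is not Altiris or partner code, and the Application Control Solution policy itself is not shown): it finds spreadsheets under a hypothetical finance folder, applies EFS to any that are not yet encrypted, and reports the exceptions an auditor would want listed. It assumes an NTFS volume, Windows PowerShell, and that it runs as the user who should hold the EFS key for the files, since EFS ties access to that user's certificate.

```powershell
# Added example, not Altiris or partner code. Encrypts spreadsheets with Windows EFS
# and reports any that remain unencrypted. Path and extension list are hypothetical.
param(
    [string]$Root = 'C:\FinanceData',                       # hypothetical finance folder
    [string[]]$Extensions = @('*.xls', '*.xlsx', '*.xlsm')  # spreadsheet types to protect
)

function Get-UnencryptedSpreadsheets {
    param([string]$Path, [string[]]$Patterns)
    # The Encrypted attribute is set on any file EFS has already protected.
    Get-ChildItem -Path $Path -Include $Patterns -File -Recurse |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }
}

$pending = @(Get-UnencryptedSpreadsheets -Path $Root -Patterns $Extensions)
foreach ($file in $pending) {
    try {
        # FileInfo.Encrypt() applies EFS: the file stays readable to the current user
        # and becomes unreadable to other accounts, including anyone who removes the disk.
        $file.Encrypt()
        Write-Output ('Encrypted: {0}' -f $file.FullName)
    } catch {
        # Typical causes: non-NTFS volume, file in use, or EFS disabled by policy.
        Write-Warning ('Could not encrypt {0}: {1}' -f $file.FullName, $_.Exception.Message)
    }
}

# Anything still listed here is a control exception to record for the audit trail.
$remaining = @(Get-UnencryptedSpreadsheets -Path $Root -Patterns $Extensions)
Write-Output ('Unencrypted spreadsheets remaining: {0}' -f $remaining.Count)
```

Two caveats for anyone adopting this: a data recovery agent should be configured through Group Policy before EFS is rolled out, otherwise a lost user profile or certificate means lost spreadsheets; and EFS protects the file at rest on that volume only, so an authorized user can still copy the plaintext elsewhere, which is why the page pairs it with a policy that re-encrypts what the application writes.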

Inappropriate Access to Company IT Assets

To increase integration and provide functionality, financial systems generally need to reside on the corporate network. This configuration increases the risk of unauthorized access since the financial systems would be exposed to anything else on that network. IT controls are defined to ensure that only authorized personnel have access to company systems, including data.

To help give management assurance that employee workstations and laptops are configured according to corporate standards and the appropriate security has been enabled to protect data and processing, Altiris provides the following solutions:

Local User Administration

To increase efficiency in IT department processing, imaging technology has been applied to give everyone in the company the same computer configuration. However, this also creates a security risk, since all users will have the same local administrative password installed from the base image. Furthermore, during help desk resolution this administrative password might be used and disclosed to the user and others, which is a major security risk if it is not changed after the issue is resolved.

Altiris Local Security Solution has been developed to give IT administrators the ability to automatically cycle local administrator passwords on workstations and laptops at a definable recurring interval. This means that even if unauthorized individuals obtain a local administrator password, it will only grant them access for a pre-defined, limited period of time.

Additionally, Altiris Local Security Solution provides functionality to restrict the creation of new local administrators on managed corporate computers. Even if an unattended corporate computer is modified by an unauthorized party adding a new user to the local Administrators group, the Local Security Solution identifies the addition and removes it.
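The detect-and-remove check just described, as an added example that is not Altiris code: it compares the local Administrators group against an approved baseline, writes an audit record for any member outside the baseline, and removes the member only when run with a `-Remediate` switch. It assumes an elevated session and the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); the baseline entries, log path and switch name are hypothetical.

```powershell
# Added example, not Altiris code. Reports (and optionally removes) members of the
# local Administrators group that are not in an approved baseline.
param(
    [switch]$Remediate,                                  # default is report-only
    [string]$LogPath = "$env:ProgramData\LocalAdminAudit.log"  # hypothetical log location
)

# Approved members of the local Administrators group (hypothetical baseline).
$ApprovedMembers = @(
    "$env:COMPUTERNAME\Administrator",                   # built-in local account
    'CORP\Workstation Admins'                            # hypothetical domain group
)

function Get-UnapprovedAdmins {
    param([string[]]$Approved)
    # Get-LocalGroupMember returns Name, ObjectClass, PrincipalSource and SID per member;
    # -notcontains compares names case-insensitively.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name }
}

$drift = @(Get-UnapprovedAdmins -Approved $ApprovedMembers)

foreach ($member in $drift) {
    # Record the evidence before acting, so the audit trail exists even if removal fails.
    $stamp = Get-Date -Format o
    $entry = '{0} UNAPPROVED {1} ({2}, {3})' -f $stamp, $member.Name, $member.ObjectClass, $member.SID.Value
    Add-Content -Path $LogPath -Value $entry
    Write-Warning $entry

    if ($Remediate) {
        try {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction Stop
            Add-Content -Path $LogPath -Value ('{0} REMOVED {1}' -f (Get-Date -Format o), $member.Name)
        } catch {
            Add-Content -Path $LogPath -Value ('{0} FAILED {1}: {2}' -f (Get-Date -Format o), $member.Name, $_.Exception.Message)
        }
    }
}

if ($drift.Count -eq 0) {
    Write-Output 'Administrators group matches the approved baseline.'
}
```

Run it from a scheduled task so the comparison recurs; a single run only catches what is present at that moment. Matching on SID rather than display name is more robust against renamed accounts and is a worthwhile change once the baseline is stable.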

Mobile Systems Risk

Any company that has the need to provide users the ability to work in locations other than their protected corporate network runs the risk that those computers could be placed in a more vulnerable environment. To address this issue, Altiris Endpoint Security Solution works to automatically identify the network wherein the machine is located and configure a firewall along with other system security settings to provide enhanced security when the computer is in an unknown environment. This means that administrators will have more control over security even if the machine is not on the managed corporate network.

The Endpoint client settings window lets users view which site they are connected to and which security settings are configured for that location.

Running as Local Administrator

Because many employees are unwilling to log on to their laptops and desktops with accounts that have less than administrative privileges, there is a heightened risk that malicious programs will obtain administrative access to their computers.

A new solution has been created using Altiris Application Control Solution to manage specific processes by limiting their administrative rights. For example, if a user with administrative access runs an application such as Internet Explorer, the Application Control Solution removes administrative privileges from that one process as it is loaded into memory. This means that even though the user is logged on as an administrator, malicious code executed in the Internet Explorer process when they visit a hostile website is denied access to administrative system activities.

A popup message in the System Tray notifies the user that administrative rights have been removed from the Internet Explorer process.

In some cases, financial systems are identified that should be completely locked down and restricted from all other executables and/or configurations. Altiris Application Control Solution can also restrict any executable process not previously defined from running on a sensitive system. This gives administrators assurance that no unapproved code or processing will execute on sensitive systems.

External Third-Party Access

Every company is faced with the need to give external parties (i.e. contractors, consultants, vendors, etc.) a network connection, including Internet access. Providing this access to unmonitored computers increases the risk of the entire network being infected from outside sources. Altiris Quarantine Solution therefore automatically identifies non-managed machines that connect to the network and restricts their access according to pre-determined configurations.

Ongoing Monitoring of Users' System and Application Access

One of the primary lessons learned from strengthening the IT internal controls of a corporate environment for SOX compliance is the importance of ongoing monitoring of user access control activities. For the granting and removing of user access (provisioning and de-provisioning), periodic audits of user access are necessary to confirm that it remains appropriate. However, it is often difficult to get the designated reviewers to complete these audits in a timely manner.

Altiris Helpdesk Solution gives management the ability to automatically create ticket requests that are sent to access reviewers and to follow up with those reviewers continually until the review is completed. This feature gives management the administration necessary to ensure that access to corporate networks and sensitive financial data remains appropriate on an ongoing basis.

Conclusion

The best way to provide a strong control environment that allows management to obtain assurance that all internal controls are functioning as required is to use a combination of efforts to ensure compliance. Altiris products, working together, establish an infrastructure of logging, reporting, and tracking of access and modification to sensitive systems and data. Additionally, the man-hours saved by automating control activities help curb the increasing expense of compliance. The suite of products identified in this article meets the need for IT SOX remediation and compliance. These tools give administrators and management the information they need to make appropriate decisions and help ensure the safeguarding of IT assets.

Comments

Jan 05, 2007 08:48 AM

I thought that the article was good. But one item needs to be clarified and I have an additional thought on another.
1. Security Expressions (SE) SOX Policies or sifs are not aligned with the actual SOX technical requirements. SE SOX Policies are based on CIS benchmarks and need a lot of customization in order to actually meet what is set out in SOX.
2. In relation to the "Restriction of Financial Spreadsheets/Critical Reports" section: you identified the logical protection, but what about the physical protection? As users will print these documents, and the CIO and CFO as of right now must physically sign them, how are these printed versions protected, as well as the possible portable media that the documents and reports are stored on?
One additional last thought is that SOX, with the other Federal Legislation, is not just about IT; it is about processes, procedures and people.
Regards,
Marty

Oct 02, 2006 10:40 AM

Many Thanks for this info. I need to apply a new process for IT Sarbanes-Oxley and this document will come in handy.
