Five Strategies For Enhancing SOX Compliance Through Effective Identity Hygiene

1 year ago 38

Rita Gurevich is the founder and CEO of SPHERE.

getty

In 2002, Congress passed the Sarbanes-Oxley (SOX) Act to prevent corporate fraud and safeguard investors against inaccurate financial reporting. Lawmakers developed the SOX Act in response to high-profile financial scandals in the early 2000s, and it applies to all public company boards and accounting firms in the U.S.

Two of SOX's key sections mandate that 1) a company's CEO and CFO personally certify the accuracy and completeness of financial statements (section 302) and 2) management and auditors implement internal controls and procedures for reporting (section 404). Failure to meet these regulations can result in legal and financial repercussions.

While SOX is a financial law, it also has widespread IT and cybersecurity implications. The legislation is now over 20 years old, and our technological landscape has changed dramatically since its inception. The intent of the law is the same, but the actions companies take to remain compliant must evolve. To say with confidence that you are protecting the integrity of your financial data, you first need to know which systems and individuals have access to sensitive information.

SOX Compliance Begins With Identity Hygiene

We are navigating unprecedented complexity in our business tech environments. In the past, you could meet SOX requirements simply by monitoring the application that generated your financial reports. In today's hybrid world of cloud and on-prem solutions, it's a challenge even to keep track of how many systems touch your financial data. It's no longer enough to manage the application creating financial reports. That application writes to a database with associated permissions that lives on a server with its own permissions.

The upshot is that you have to defend the perimeter of a much larger attack surface than you did 10 or 20 years ago. It's critical to develop, document and maintain internal controls that can span numerous departments and systems and keep up with fast-evolving technologies and cybersecurity threats.

Since every login to every account is a potential security vulnerability, establishing a robust identity hygiene strategy should be your top priority. Identity hygiene verifies that the right people have the right access to the right information in your organization—which both strengthens your SOX compliance and your overarching security posture. By focusing on identity first, you ensure that you aren’t looking at compliance through a single lens; you’re evaluating it across the breadth of your systems and accounts.

Best Practices For Improving Identity Hygiene

1. Assess Your Environment

If you don't know what's going on in your IT environment, it's nearly impossible to get ahead of any problems. Conduct a risk assessment to understand which systems are in place and which are relevant to SOX requirements. Not every piece of hardware or software infrastructure will affect financial reporting systems. Start peeling back the onion to define the applications, servers and back-end databases that have contact with your financial data.

2. Determine Access Permissions

Audit who or what has access to all of the components that interact with your financial reporting systems. This list could include an accounting analyst's username and password for a certain application or a machine account that is used to keep a system up and running. Identify the level of access each person or machine has and if it is required for the work they are doing.

3. Clean Up Permissions

Validate how permissions are granted, and identify and eliminate any accounts that have outdated, unnecessary or excessive permissions. For example, you may find an orphaned account from an employee who changed roles or left the company or a shared account that multiple people in a department use to perform an activity. Clear out the clutter, making sure that you can connect every permission to a specific business need.

4. Establish Ongoing Controls

Assessment and remediation is an important one-time exercise, but you also need to implement controls that continuously monitor your systems for vulnerabilities or violations. Consider adhering to one of two respected cybersecurity frameworks, the ISO/IEC 27001 or the NIST CSF, to manage intelligent discovery and address problems before they escalate. These frameworks provide strategies that will contribute to SOX compliance and general cybersecurity health.

5. Use Automated Tools

Manually tracking permissions and controls is incredibly cumbersome and error-prone. Identity hygiene must be an ongoing, holistic practice to be effective. Look for technology that can automate workflows, detect risks, correct problems and maintain requirements over time.

If your company is governed by the SOX Act, compliance is not a choice. You have to follow the letter of the law or risk facing penalties or legal action. But you can choose how you approach SOX compliance. If you view compliance as an opportunity to reinforce your organization's security posture, it becomes far more valuable than just a regulatory checkbox. Today's tech environment is complex and constantly changing. By making identity hygiene the cornerstone of your SOX compliance strategy, you can leverage ongoing controls and automated tools to continuously assess your IT landscape, optimize permissions and protect your company's most important data.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?


Read Entire Article