How to Enhance SOX Compliance Through Effective Identity Hygiene
The Sarbanes-Oxley Act (SOX) is a US federal law, passed by Congress in 2002 to prevent corporate fraud and safeguard investors against inaccurate financial reporting, that requires publicly traded companies to establish robust internal controls over their financial reporting so that their financial statements are accurate and reliable. Lawmakers developed the SOX Act in response to high-profile financial scandals in the early 2000s, and it applies to all public company boards and accounting firms in the U.S.
Even though SOX technically is a financial law, it also has widespread IT and cybersecurity implications. The legislation is now over 20 years old, and our technological landscape has changed dramatically since its inception. The intent of the law is the same, but the actions companies take to remain compliant must evolve. To say with confidence that you are protecting the integrity of your financial data, you first need to know which systems and individuals have access to sensitive information.
Two of SOX’s key sections mandate that:
1) a company’s CEO and CFO personally certify the accuracy and completeness of financial statements (section 302)
2) management and auditors implement internal controls and procedures for financial reporting (section 404)
Failure to meet these requirements can result in legal and financial repercussions.
These are unprecedentedly complex times in our business tech environments. In the past, you could meet SOX requirements simply by monitoring the application that generated your financial reports. In today’s hybrid world of cloud and on-prem solutions, it’s a challenge even to keep track of how many systems touch your financial data. It’s no longer enough to manage the application creating financial reports: that application writes to a database with its own permissions, which lives on a server with its own permissions.
It’s critical to develop, document and maintain internal controls that can span numerous departments and systems and keep up with fast-evolving technologies and cybersecurity threats.
Every login to every account is a potential security vulnerability, so establishing a robust identity hygiene strategy should be your top priority. Identity hygiene verifies that the right people have the right access to the right information in your organization—which strengthens both your SOX compliance and your overarching security posture. By focusing on identity first, you ensure that you aren’t looking at compliance through a single lens; you’re evaluating it across the breadth of your systems and accounts.
Here are some of the best practices to improve Identity Hygiene within your organization:
Assess Your Environment – If you don’t know what’s going on in your IT environment, it’s nearly impossible to get ahead of any problems. Conduct a risk assessment to understand which systems are in place and which are relevant to SOX requirements. Not every piece of hardware or software infrastructure will affect financial reporting systems. Start peeling back the onion to define the applications, servers and back-end databases that have contact with your financial data.
Establish Ongoing Controls – Assessment and remediation are an important one-time exercise, but you also need to implement controls that continuously monitor your systems for vulnerabilities or violations. Consider adopting one of two respected cybersecurity frameworks, ISO/IEC 27001 or the NIST CSF, to structure that monitoring and address problems before they escalate. These frameworks provide strategies that contribute to both SOX compliance and general cybersecurity health.
Determine Access Permissions – Audit who or what has access to all of the components that interact with your financial reporting systems. This list could include an accounting analyst’s username and password for a certain application, or a machine account that is used to keep a system up and running. Identify the level of access each person or machine has and whether it is required for the work they are doing.
Clean Up Permissions – Validate how permissions are granted, and identify and eliminate any accounts that have outdated, unnecessary or excessive permissions. For example, you may find an orphaned account from an employee who changed roles or left the company, or a shared account that multiple people in a department use to perform an activity. Clear out the clutter, making sure that you can connect every permission to a specific business need.
Use Automated Tools – Manually tracking permissions and controls is incredibly cumbersome and error-prone. Identity hygiene must be an ongoing, holistic practice to be effective. Look for technology that can automate workflows, detect risks, correct problems and maintain requirements over time.
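The three review steps above (determine access, clean up permissions, automate the check) can be reduced to a repeatable script run over an access inventory. The example below is added here for illustration and is not code from the article or from SPHERE; the account names, the in-scope systems, the HR roster and the role-to-permission policy are all constructed assumptions. It flags the problem classes the article names: accounts with no documented business need, shared accounts, orphaned accounts whose owner is no longer active, permissions that exceed what the owner’s role should hold, and dormant accounts.

```python
"""Access-review helper for in-scope financial systems.

Constructed sample data only: account names, systems, HR roster and the
role-to-permission policy below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str            # login or service account name
    system: str          # application, database or server it exists on
    owners: tuple        # employee ids that use it; more than one means shared
    permission: str      # "read", "write" or "admin"
    justification: str   # documented business need, "" if none recorded
    last_login: date
    is_machine: bool = False  # machine accounts are scoped by system need, not by owner role


# Constructed HR roster: employee id -> (employment status, job role)
HR_ROSTER = {
    "e100": ("active", "accounting_analyst"),
    "e200": ("active", "dba"),
    "e300": ("terminated", "accounting_analyst"),
    "e400": ("active", "accounting_analyst"),
}

# Assumed policy: the highest permission each role may hold on in-scope systems
ROLE_MAX_PERMISSION = {"accounting_analyst": "write", "dba": "admin"}
PERMISSION_RANK = {"read": 0, "write": 1, "admin": 2}

# Constructed inventory of accounts touching the (hypothetical) general-ledger stack
SAMPLE_ACCOUNTS = [
    Account("jsmith", "GL-app", ("e100",), "write", "posts journal entries", date(2024, 5, 20)),
    Account("ap_shared", "GL-app", ("e100", "e400"), "write", "AP batch processing", date(2024, 5, 30)),
    Account("mjones", "GL-db", ("e300",), "read", "report queries", date(2024, 1, 10)),
    Account("svc_glbackup", "GL-db-server", ("e200",), "admin", "", date(2024, 5, 31), is_machine=True),
    Account("pwhite", "GL-db", ("e400",), "admin", "troubleshooting", date(2024, 5, 28)),
]
REVIEW_DATE = date(2024, 6, 1)


def review_account(acct, roster, today, dormant_days=90):
    """Return a list of human-readable findings for one account (empty if clean)."""
    findings = []
    if not acct.justification.strip():
        findings.append("no documented business need")
    if len(acct.owners) > 1:
        findings.append(f"shared account used by {len(acct.owners)} people")
    for emp in acct.owners:
        status, role = roster.get(emp, ("unknown", None))
        if status != "active":
            # Owner left, changed status or is not in HR at all: orphaned account
            findings.append(f"orphaned: owner {emp} is {status}")
            continue
        if acct.is_machine:
            continue  # permission is driven by the system's need, reviewed separately
        allowed = ROLE_MAX_PERMISSION.get(role, "read")
        if PERMISSION_RANK[acct.permission] > PERMISSION_RANK[allowed]:
            findings.append(f"excessive: {role} {emp} holds {acct.permission}, max is {allowed}")
    idle = (today - acct.last_login).days
    if idle > dormant_days:
        findings.append(f"dormant: no login for {idle} days")
    return findings


def review_inventory(accounts, roster, today):
    """Map 'system:account' -> findings for every account in the inventory."""
    return {f"{a.system}:{a.name}": review_account(a, roster, today) for a in accounts}


def count_flagged(results):
    """Number of accounts with at least one finding, for a summary line."""
    return sum(1 for f in results.values() if f)


if __name__ == "__main__":
    results = review_inventory(SAMPLE_ACCOUNTS, HR_ROSTER, REVIEW_DATE)
    for key, findings in results.items():
        print(key, "->", "; ".join(findings) if findings else "clean")
    print(f"{count_flagged(results)} of {len(results)} accounts need attention")
```

Each finding maps back to a remediation owner: orphaned and shared accounts go to the application owner for removal or conversion to named accounts, excessive permissions go back to the role policy, and missing justifications block the account until a business need is recorded. Re-running the script on each export of the inventory turns the one-time cleanup into the ongoing control the article asks for.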
Compliance is not a choice if your company is governed by the SOX Act. You must follow the letter of the law or risk facing penalties or legal action. But you can choose how you approach SOX compliance. If you view compliance as an opportunity to reinforce your organization’s security posture, it becomes far more valuable than just a regulatory checkbox. Today’s tech environment is complex and constantly changing. By making identity hygiene the cornerstone of your SOX compliance strategy, you can leverage ongoing controls and automated tools to continuously assess your IT landscape, optimize permissions and protect your company’s most important data.
About the Author
Rita Gurevich is the CEO and founder of SPHERE, a leading identity hygiene company redefining how organizations identify and remediate critical identity-related issues. Rita began her career at Lehman Brothers where she oversaw the distribution of technology assets after the organization’s bankruptcy in 2008. From this experience, Rita observed firsthand the challenges surrounding maintaining strong inventories, the implications of mismanaged access and quickly realized the need for swift and agile solutions to find and fix these types of problems.