Six Steps For SOX Compliance

What are the most important IT considerations for complying with Section 404 of the Sarbanes-Oxley Act of 2002? By July 15, all U.S. companies under $75 million in annual revenue must demonstrate they know the answer to that question, because that is the deadline for complying with Section 404. However, due to the lack of specific directives and knowledge, many companies are struggling with how to reach compliance by that date, let alone how they will afford continued compliance year after year.

Here are six tips that will help you manage specific areas of compliance with Section 404:

* All event logs and event files must be saved for as long as seven years.

This sounds straightforward, but it is dangerously deceptive when you consider that there are potentially up to 65,000 different types of events that can occur, each with a specific message attached. Multiply this by the number of servers you are tracking, and by the number of employees generating events, and the task becomes incredibly daunting.

Just knowing which events are specific to SOX is an extremely important first step. For example, an "account lockout" (in which a user account is disabled after a certain number of failed log-on events) is an event of interest to auditors and important to 404 compliance.

For every account lockout, however, there are thousands of other similar events that do not apply to Section 404 and must be filtered out.

The sheer volume of unfiltered events gobbles up server space, making it difficult, costly and time-consuming to find the important information needed to provide forensic evidence. Companies must accurately implement the event "rules" that focus on providing the evidence required for Section 404 compliance, while filtering out the "noise."

* Any "user account" privilege change on a server containing financial data must be recorded.

Having an automated process to collect and track events such as user privileges and account changes helps reduce unauthorized tampering and access to financial data.

* Any access, or attempted access, to a server containing financial data must be recorded.

If an executive is testifying about the validity of financial documents, he or she cannot claim to have "had no knowledge of data being changed." Section 404 compliance controls must provide the audit trail that will prove or disprove the validity of a company's financial documents through what is known as an "object access" report for the specific directory or file.

Companies should be tracking and monitoring object access events tied to vital company information. An object access report will identify when a given object (a file, directory, etc.) is accessed, the type of access (read, write, delete), whether or not access was successful or failed, and who performed the action.
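As an added illustration of the event "rules" and the object access report described above (example code written for this page, not code from the article or from RippleTech's product), here is a minimal filter over constructed sample events; the event names, host names, user names and file paths are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical, simplified event record (constructed for this example).
@dataclass
class Event:
    event_id: str       # "account_lockout", "privilege_change", "object_access", or noise
    host: str
    user: str
    obj: str = ""       # file or directory, for object_access events
    access: str = ""    # read / write / delete
    success: bool = True

# Assumed set of servers holding financial data and the directories that matter.
FINANCIAL_HOSTS = {"fin-db-01", "fin-files-01"}
FINANCIAL_PATHS = ("/finance/",)

def is_sox_relevant(e: Event) -> bool:
    """Event rule: keep the three categories the article names, drop everything else."""
    if e.event_id == "account_lockout":
        return True
    if e.event_id == "privilege_change":
        return e.host in FINANCIAL_HOSTS
    if e.event_id == "object_access":
        return e.host in FINANCIAL_HOSTS and e.obj.startswith(FINANCIAL_PATHS)
    return False

def filter_events(events: List[Event]) -> List[Event]:
    """Apply the rule to a batch of events, discarding the noise."""
    return [e for e in events if is_sox_relevant(e)]

def object_access_report(events: List[Event]) -> List[Tuple[str, str, str, str]]:
    """One row per relevant access: object, access type, outcome, who did it."""
    return [(e.obj, e.access, "success" if e.success else "failure", e.user)
            for e in filter_events(events) if e.event_id == "object_access"]

# Constructed sample events: some relevant, some noise.
SAMPLE_EVENTS = [
    Event("account_lockout", "ws-17", "jdoe"),
    Event("logon", "ws-17", "jdoe"),                                    # noise
    Event("privilege_change", "fin-db-01", "admin1"),
    Event("privilege_change", "print-01", "admin1"),                    # not a financial server
    Event("object_access", "fin-files-01", "ctrl2", "/finance/ledger.xlsx", "write", True),
    Event("object_access", "fin-files-01", "temp9", "/finance/ledger.xlsx", "delete", False),
    Event("object_access", "fin-files-01", "ctrl2", "/public/memo.txt", "read", True),  # noise
]
```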

* Total awareness of any security breach is mandatory.

As organizations set up their Section 404 compliance systems, they're learning that security policy breaches are occurring often and must be addressed.

For example, a systems administrator from a major insurer reports that with the installation of an automated SOX software system, he discovered a number of previously undetected security breaches taking place, and immediately put new policies, procedures and controls into place to prevent future breaches.

He now has the controls in place to monitor his security mechanisms for compliance with Section 404.

* The ability to respond to a policy security breach is mandatory.

This means that management must immediately and automatically be alerted to critical security breaches according to the policies set forth. Auditors require different levels of response based on the severity of the breach, from audit-only logging, to e-mail alerts, all the way up to pager alerts for serious security or information threats.

* Once control of the financial data is established, the organization must demonstrate year-over-year improvement on its monitoring and response system.

Keep in mind that throughout Sarbanes-Oxley compliance efforts, you'll be dealing with both internal and external auditors who will have their own sets of auditing parameters. Therefore, the IT auditing software you use must be flexible enough to change as the auditors dictate different items to track and report, and as compliance rules become more and more demanding.

The good news is there are "SOX in a box" applications available that wade through the thousands of events that occur and identify those that need to be tracked for compliance.

Millions of dollars are being spent on consultants to establish policies. With the automated systems available today, every company can begin to save significant money, improving security and protecting its shareholder value.

Systems exist today costing only hundreds of dollars per server that can be set up in a few hours, provide a quick return on investment, generate automatic compliance reports in seconds, and integrate into your IT controls initiatives and infrastructure.

Brian McDonnell is the CEO of RippleTech, Conshohocken, Pa.
