Friday, March 9, 2012

ACCESS MANAGEMENT AND SOX COMPLIANCY/AUDIT

When talking with IT management about Identity and Access Management issues, we regularly meet companies that have to comply with SOX regulations. This usually has a big impact on the organization of business processes, but also on the IT department, especially when it comes to managing access rights. Three of the most common issues are:

Workflow and validations on access rights:
Whether it concerns a regular Active Directory user account, NTFS rights, Active Directory groups, e-mail or application authorizations, all requests and validations have to comply with the SOX regulations. In practice this can mean that, in order to create a single user account, the IT department needs the signatures of the requester, the validating manager and the IT director.

We have seen companies where this process was managed entirely on paper, and at every SOX audit the IT department would spend weeks digging through the papers with the auditor. An automated workflow system such as UMRA (User Management Resource Administrator) can automate these validation steps and make the SOX audit a piece of cake for the IT department.
Instead of papers getting lost in the process and people waiting for their access rights, UMRA automatically alerts the right validators, who can approve a request with a simple action before it is forwarded automatically to the next validator or to IT for granting.

Traceability:
Naturally, all requests for access and all grants of access should be traceable in the identity and access management solution. This is a standard feature of the Tools4ever Identity and Access Management suite.

Segregation of Duty:
This aspect of SOX compliancy requires that certain tasks cannot be performed by one and the same person. For example, an order may be placed by person X, but it must be validated by person Y. This has consequences for access management, in the sense that access to certain data, or the access rights within an application, must be tightly controlled.

In terms of access management and authorization management, this means that the access management system must block or alert whenever two such conflicting authorizations are about to be granted to one and the same user. This is easy to realize with the reporting and provisioning mechanisms in the Tools4ever identity and access management solutions. We only have to know which authorizations cannot be combined, and the solution will then enforce and audit the requirement automatically.
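To make the segregation-of-duty rule concrete, here is an added example that is not part of the original post and not Tools4ever or UMRA code. It assumes a constructed list of conflicting authorization pairs (the "toxic combinations") and a small, constructed set of users with nested Active Directory-style group memberships. It shows the two behaviours the text describes: blocking (or alerting on) a request that would create a conflict, and reporting users whose existing effective rights already violate the rule, taking nested group membership into account. All role, group and user names are hypothetical.

```python
"""Segregation-of-duty (SoD) checks for access requests and periodic audits.

Added example, not vendor code. Role and group names are constructed.
"""

# Constructed conflict matrix: each pair must never be held by one person.
SOD_CONFLICTS = {
    frozenset({"purchase_order_create", "purchase_order_approve"}),
    frozenset({"vendor_master_edit", "payment_release"}),
    frozenset({"journal_entry_post", "journal_entry_approve"}),
}

# Constructed directory data (hypothetical names).
USER_GROUPS = {            # user -> groups the user is a direct member of
    "alice": ["ap_clerks"],
    "bob": ["ap_clerks", "ap_approvers"],
    "carol": ["it_admins"],
}
GROUP_PARENTS = {          # group -> groups it is nested inside
    "ap_clerks": ["finance_all"],
    "ap_approvers": ["finance_all"],
}
GROUP_ROLES = {            # group -> application authorizations it carries
    "ap_clerks": ["purchase_order_create"],
    "ap_approvers": ["purchase_order_approve"],
    "finance_all": ["journal_entry_post"],
    "it_admins": ["vendor_master_edit"],
}


def effective_roles(user, user_groups=USER_GROUPS,
                    group_parents=GROUP_PARENTS, group_roles=GROUP_ROLES):
    """Expand nested group membership into the roles a user actually holds.

    Rights inherited through parent groups are what an auditor cares about,
    so the check must not stop at direct membership. `seen` also guards
    against cyclic nesting.
    """
    seen, stack = set(), list(user_groups.get(user, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(group_parents.get(group, []))
    roles = set()
    for group in seen:
        roles.update(group_roles.get(group, []))
    return roles


def find_conflicts(roles):
    """Return every conflicting pair that is fully contained in `roles`."""
    held = set(roles)
    return {pair for pair in SOD_CONFLICTS if pair <= held}


def evaluate_request(current_roles, requested_role, mode="block"):
    """Decide on a request to add `requested_role` to a user.

    mode="block": refuse the grant if it creates a new SoD conflict.
    mode="alert": grant it but flag the new conflict for a reviewer.
    Only conflicts *introduced* by this request are reported; pre-existing
    ones belong to the periodic audit below.
    """
    proposed = set(current_roles) | {requested_role}
    new_conflicts = find_conflicts(proposed) - find_conflicts(current_roles)
    conflicts = sorted(sorted(pair) for pair in new_conflicts)
    if not conflicts:
        return {"decision": "grant", "conflicts": []}
    if mode == "block":
        return {"decision": "deny", "conflicts": conflicts}
    return {"decision": "grant_with_alert", "conflicts": conflicts}


def audit_all(user_groups=USER_GROUPS):
    """Periodic review: users whose effective rights already violate SoD."""
    report = {}
    for user in user_groups:
        conflicts = find_conflicts(effective_roles(user, user_groups))
        if conflicts:
            report[user] = sorted(sorted(pair) for pair in conflicts)
    return report


if __name__ == "__main__":
    print("existing violations:", audit_all())
    print("carol -> payment_release:",
          evaluate_request(effective_roles("carol"), "payment_release"))
    print("alice -> journal_entry_approve (alert mode):",
          evaluate_request(effective_roles("alice"),
                           "journal_entry_approve", mode="alert"))
```

The request check only reports conflicts that the new grant would introduce, so a user who is already in violation does not cause every unrelated request to be refused; those pre-existing violations surface in the separate audit report instead. In a real deployment the conflict matrix would be maintained by the business owners of the applications, and both the decision and the reviewer's follow-up would be written to the traceability log the previous section describes.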

Feel free to contact your Tools4ever office if you have any questions about SOX compliancy and Access Management workflows.

1 comment:

  1. Wonderful blog & good post. It's really helpful for me, awaiting more new posts. Keep Blogging!

    Management Audit