Sarbanes-Oxley Solutions
The Sarbanes-Oxley Act is a result of a large number of U.S. accounting scandals over a relatively short period of time, beginning with the collapse of Enron in October 2001. Companies are now estimated to spend an average of $3 million each on their compliance efforts. The most prominent area is known as Section 404, which mandates that management establish and report on their control structure and that management assertions be audited by an external firm at least annually. So what exactly is a control structure? It is a system of checks and balances that ensures the accuracy and integrity of a company's financial data. In today's world, controls are primarily implemented within a company's IT infrastructure, so compliance with Section 404 means implementing a lot of information security processes and technologies.
Business Problem
The most common problems facing companies in their compliance efforts are:
- Defining the scope of the systems affected
- Access control and user management
- Maintaining compliance with configuration policies across all their systems
- Collecting and analyzing audit logs
Relying on guidance from the government and auditors, most companies have turned to CobiT (Control Objectives for Information and related Technologies) for help in implementing IT controls. CobiT lays out best practices for IT controls, but it is up to each company to determine which controls make sense for their organization. With NetIQ solutions and professional services, you can identify, implement and automate your most critical controls.
The NetIQ Solution
NetIQ's Security Solution offers a number of products and features that can enhance an institution's information security program and facilitate compliance with the data protection requirements of the Sarbanes-Oxley Act. Specific benefits include:
- Performance Management – Meet service-level commitments, end-user expectations and business-driven IT performance objectives, while reducing your operating costs.
- Security Management – Monitor your diverse security environment, resolve incidents and satisfy log management requirements without consuming all your time and resources.
- Configuration Management – Demonstrate IT compliance with policies and regulations through security configuration management, regulatory mapping and reporting.
- Change Control – Control and audit system changes to assure the integrity of your distributed IT infrastructure through time-based, task-specific permissions management.
- Windows Administration – Delegate and automate administrative tasks to streamline your work, while maximizing your return on Windows and Active Directory.
Key Features & Benefits
NetIQ offers a range of products that help organizations define, manage and report a consistent set of internal controls over their corporate data and systems.
- Out-of-the-box compliance with Section 301 requirements. VigilEnt Policy Center offers anonymous incident reporting to make complying with Section 301 requirements simpler.
- Tools to facilitate a separation of duties between key personnel managing corporate IT assets. Both NetIQ Vulnerability Manager and NetIQ Security Manager provide a rich delegation model for the audit and enforcement of security responsibilities. Security Administration Suite can manage Active Directory and Group Policy without granting administrator privileges to any employees.
- Simplification and centralization of the management of security point products. NetIQ Security Manager brings together best-of-breed security point products into a central security console, enabling real-time notification and response to suspicious activity detected by remote security sensors. NetIQ Security Manager can alert the institution to non-compliant firewall configurations or out-of-date virus signatures in addition to real-time intrusion alerts. NetIQ Security Manager also allows you to collect, easily review and query all of your audit logs.
- Verification that company policies are documented, implemented and enforced. In addition to creation and automation of security policies through VigilEnt Policy Center, NetIQ Vulnerability Manager can audit for on-going policy compliance and includes several Sarbanes-Oxley checkup templates, while NetIQ Security Manager can provide real-time notification of security policy violations.
- Provide secure and automated management & audit of your Windows environment. NetIQ's Security Administration Suite helps you manage information access by managing Active Directory permissions for user accounts, groups and computer accounts, controlling file and folder permissions throughout the file system and monitoring changes to group policy-permissions in real time. Real-time monitoring and audit of changes to Active Directory are provided through NetIQ Change Guardian for Active Directory, along with detailed reporting on changes for auditors and management.
- Ensure availability of the organization's critical systems. If a majority of your controls over financial reporting are implemented through your IT systems, then those systems must be up and running or employees will be forced to circumvent your regular control structure. The AppManager Suite provides you with the ability to monitor, troubleshoot, and address the performance and availability needs of your entire financial reporting infrastructure, as well as tracking data for trending and capacity planning purposes.
- Deliver on-going risk analysis and present custom views of key metrics. In order to make Sarbanes-Oxley compliance a truly sustainable program, you must assess the IT security risk in your environment using models that factor in the nature of compliance exceptions and vulnerabilities, along with the business value of IT assets. The ability of the NetIQ Risk and Compliance Center solution to provide in-depth reporting, along with executive overviews, makes it easy to spot potential problems before they impact services or security.







