Sarbanes-Oxley Act
The Sarbanes-Oxley Act is a result of a large number of U.S. accounting scandals over a relatively short period of time, beginning with the collapse of Enron in October 2001. Companies are now estimated to spend an average of $3 million each in their compliance efforts. The most prominent area is known as Section 404, which mandates that management establish and report on their control structure and that management assertions be audited by an external firm at least annually. So what exactly is a control structure? It is a system of checks and balances that ensure the accuracy and integrity of a company's financial data. In today's world, controls are primarily implemented within a company's IT infrastructure, so compliance with Section 404 means implementing a lot of information security processes and technologies.
Business Problem
The most common problems facing companies in their compliance efforts are:
- Defining the scope of the systems affected
- Access control and user management
- Maintaining compliance with configuration policies across all their systems
- Collecting and analyzing audit logs
Relying on guidance from the government and auditors, most companies have turned to CobiT (Control Objectives for Information and related Technologies) for help in implementing IT controls. CobiT lays out best practices for IT controls, but it is up to each company to determine which controls make sense for their organization. With NetIQ solutions and professional services, you can identify, implement and automate your most critical controls.
The NetIQ Solution
NetIQ's Security Solution offers a number of products and features that can enhance an institution's information security program and facilitate compliance with the data protection requirements of the Sarbanes-Oxley Act. Specific benefits include:
- Performance Management – Meet service level commitments, end-user expectations and business-driven IT performance objectives, while reducing your operating costs.
- Security Management – Monitor your diverse security environment, resolve incidents and satisfy log management requirements without consuming all your time and resources.
- Configuration Management – Demonstrate IT compliance with policies and regulations through security configuration management, regulatory mapping and reporting.
- Change Control – Control and audit system changes to assure the integrity of your distributed IT infrastructure through time-based, task-specific permissions management.
- Windows Administration – Delegate and automate administrative tasks to streamline your work, while maximizing your return on Windows and Active Directory.
Key Features
NetIQ offers a range of products that help organizations define, manage and report a consistent set of internal controls over their corporate data and systems.
- Automated management & audit of your Windows environment. NetIQ Security Administration Suite helps you manage information access by managing Active Directory permissions for user accounts, groups and computer accounts, controlling file and folder permissions throughout the file system and monitoring changes to Group Policy permissions in real time. Real-time monitoring and audit of changes to Active Directory are provided through NetIQ Change Guardian for Active Directory, along with detailed reporting on changes for auditors and management.
- Simplification and centralization of the management of security devices. NetIQ Security Manager brings together best-of-breed security point products into a central security console, enabling real-time notification and response to suspicious activity detected by remote security sensors. NetIQ Security Manager can alert the institution to non-compliant firewall configurations or out-of-date virus signatures in addition to real-time intrusion alerts. NetIQ Security Manager can also allow you to collect, easily review and query all of your audit logs.
- Availability of the organization's critical systems. If a majority of your controls over financial reporting are implemented through your IT systems, then those systems must be up and running or employees will be forced to circumvent your regular control structure. The NetIQ AppManager Suite provides you with the ability to monitor, troubleshoot, and address the performance and availability needs of your entire financial reporting infrastructure, as well as to track data for trending and capacity planning purposes.
- Separation of duties between key personnel managing corporate IT assets. Both NetIQ Secure Configuration Manager and NetIQ Security Manager provide a rich delegation model for the audit and enforcement of security responsibilities. Security Administration Suite can manage Active Directory and Group Policy without granting administrator privileges to any employees.

