We frequently deal with companies that have to be compliant with SOX regulations. This often has a big impact on the IT department, particularly with regard to managing access rights. In these scenarios we find that three very common issues tend to arise:
Workflow and validations on access rights:
Whether it concerns regular Active Directory user accounts, NTFS rights, Active Directory groups, e-mail or application authorisations, all requests and validations have to comply with SOX regulations. This can often mean that, in order to create each user account, the IT department needs sign-off from the person making the request, as well as from the validating manager and IT management.
Traditionally this had to be done by a manual, paper-driven process, and many companies still use this outdated method. This means that every time a SOX audit takes place, the IT department has to spend weeks sorting through the papers with the auditor. However, an automated workflow management system (as provided by software such as UMRA, User Management Resource Administrator) can automate these steps and make SOX audits a piece of cake for the IT department.
With UMRA there is no risk of papers getting lost in the audit process or of people having to wait for their access rights, as the solution automatically alerts the appropriate staff, who can validate a request before it is sent to IT.
In order to comply with regulations, all requests for access and all grants of access must be traceable. This is a standard feature of Tools4ever's Identity and Access Management suite.
Segregation of Duty:
In order to comply with some SOX requirements, certain tasks must be done by separate members of staff. For example, an order placed by person X must be validated by person Y. This has consequences for access management: permission to use certain data, and the access rights within an application, must be tightly controlled.
The access management system must block or alert personnel whenever two conflicting permissions are being granted to the same user. This is easy to achieve with the reporting and provisioning mechanisms in Tools4ever's identity and access management solutions. The solution only needs to know which permissions cannot be combined, and it will then automatically enforce and audit these requirements.
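As an added illustration (not UMRA's or Tools4ever's code), here is a minimal segregation-of-duties check of the kind described above: a table of permission pairs that must never be held by one person, a provisioning decision that blocks a grant creating such a pair or a request validated by its own requester, and an audit line for every outcome. The entitlement names and the policy table are constructed sample values.

```python
"""Added example of an SoD provisioning check. Constructed sample data only."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

# Pairs of entitlements that must not be combined in one account
# (constructed sample policy, not a real SOX rule set).
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"erp.purchase_order.create", "erp.purchase_order.approve"}),
    frozenset({"erp.vendor.create", "erp.payment.release"}),
    frozenset({"ad.group.finance_admins", "erp.journal.post"}),
}


def sod_conflicts(current: Set[str], requested: Set[str]) -> List[FrozenSet[str]]:
    """Toxic pairs that would be completed by adding `requested` to `current`.
    Pairs already fully held are pre-existing violations (see below), not
    something this request causes, so they are excluded here."""
    after = current | requested
    return sorted((p for p in TOXIC_PAIRS if p <= after and not p <= current),
                  key=sorted)


def existing_violations(current: Set[str]) -> List[FrozenSet[str]]:
    """Pairs already fully held: what a per-user SoD audit report should list."""
    return sorted((p for p in TOXIC_PAIRS if p <= current), key=sorted)


@dataclass
class Decision:
    allowed: bool
    audit_lines: List[str] = field(default_factory=list)


def evaluate_request(user: str, current: Set[str], requested: Set[str],
                     requester: str, approver: str) -> Decision:
    """Block the grant if it creates an SoD conflict or if the requester
    validated their own request (the person X / person Y rule). Every
    outcome yields audit lines so the decision stays traceable."""
    lines = [f"request user={user} by={requester} approved_by={approver} "
             f"grant={sorted(requested)}"]
    if requester == approver:
        lines.append("BLOCK: requester and approver must be different people")
        return Decision(False, lines)
    conflicts = sod_conflicts(current, requested)
    for pair in conflicts:
        lines.append(f"BLOCK: SoD conflict {sorted(pair)}")
    if conflicts:
        return Decision(False, lines)
    lines.append("ALLOW")
    return Decision(True, lines)
```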
Feel free to contact your Tools4ever office if you have any questions about SOX compliance or access management workflows.