Sarbanes-Oxley Compliance & Auditing

Satisfy SOX auditors with simplified reporting that shows who has access to audited business systems, what they can do, and what actions they have performed

The Challenge

The Sarbanes-Oxley (SOX) Act of 2002 set strict standards for financial reporting by U.S. public companies. Under the act, corporate executives are held responsible for establishing internal control procedures to ensure the accuracy of financial reporting, and violations are subject to criminal penalties that include fines and jail time. SOX Section 404 mandates an annual assessment by an independent auditor of the effectiveness of a public company's control procedures, and corporate IT departments are usually tasked with managing these audits.

Whether they are following control frameworks such as COSO/COBIT, or are defining their own procedures, IT compliance managers have three very broad bases to cover:

  • Ensuring that systems holding financial data can be accessed only by those whose job function requires it
  • Limiting those with access to just the specific privileges they need to perform their job
  • Keeping a log of all activity occurring on the audited system to ensure those controls are working and to monitor for suspicious behavior

While access to corporate accounting and business applications may be well managed, many SOX audits are revealing that IT organizations are at risk because of the level of access granted to users of the Linux and UNIX systems on which those applications run. Before SOX, many IT organizations found it easiest to share a system's root password with the backup operators, database administrators or application developers who needed access. Sharing these superuser accounts meant not only that the organization could not prove exactly who had accessed an audited system, but also that each of those individuals had the power to perform malicious acts such as altering data or inserting backdoor accounts.

The Centrify Solution

Centrify helps IT organizations simplify their SOX auditing requirements with a cost-effective solution that leverages technology already in house: Microsoft Active Directory. The Centrify Suite provides you with the tools to:

  • Associate all access rights and privileges on audited systems with individual Active Directory accounts, providing the individual accountability required by SOX auditors
  • Implement role-based security and access controls along with centralized reporting of who has access to what systems
  • Limit superuser privileges to just the set of commands each user needs to perform their job
  • Capture detailed audit trails of all user actions, and system responses, for inspection by SOX auditors

Learn More

  • White Paper: Using Microsoft Active Directory to Address Sarbanes-Oxley (SOX) Compliance in Heterogeneous Environments (by Robert Francis Group)
  • White Paper: Implementing Detailed User-Level Auditing of UNIX and Linux Systems Using Centrify DirectAudit
  • White Paper: Centrify DirectControl & Regulatory Compliance
  • Customer Story: Research in Motion Turns to Centrify to Meet SOX Auditing Requirements
  • Webinar: The 60-Minute IT Compliance Formula (with Security Expert Rolf von Roessing)

Next Steps

There are many other top drawer vendors building on MIIS as well. For example, Centrify showed a demo of their Linux product, which includes management agents for Linux/Unix, and does WS-Federation with ADFS—incredible.

Kim Cameron
Identity and Access Management Architect
Microsoft Corp.
Author of identityblog.com