Corporations that fall under the Sarbanes-Oxley Act (SOX) must ensure that financial data is uncorrupted, and that calls for the implementation of internal IT access controls. If access is not properly managed, it creates a double-jeopardy: both increased risk of security breaches with a lack of forensics to troubleshoot problems, and increased potential for material weakness in SOX IT general controls, which can increase corporations' audit expenses and even create negative external exposure.
When a company looks at implementing or expanding internal information access controls, it must consider more than compliance and security — it must also consider the impact on IT operations. Applications and systems support the revenue cycle for every company. When access is too tightly controlled, system outages may be extended while support personnel request the access they need to recover the applications or systems. Outages of revenue-generating systems can directly impact the business's ability to sell and support their customers. An outage during a business period-end could mean the difference between meeting and missing market expectations.
Security must balance the need for internal access management and SOX compliance with IT's need for access to support the infrastructure. But how? There is no "silver bullet" solution. Corporations must evaluate their environments and risks to establish an effective security policy and implementation plan. Policies should focus on basic guidelines for role-based access at the application, database and operating system levels. Trust employees, but give access appropriate to their function and have mechanisms to track and verify activity.
In most cases, organizations will need to do initial baseline remediation to bring their environment into compliance with their security access policy. It is critical that strong processes and controls are established to ensure and document ongoing access control over time.
Leslie K. Lambert is CISO of Sun Microsystems Inc. and a member of the Security Executive Council. For information about the Security Executive Council, visit www.csoexecutivecouncil.com/?sourceCode=std .
