This paper discusses the ways that Cloakware Password Authority™ helps IT organizations meet the requirements of Sarbanes-Oxley (SOX) assertion and attestation compliance processes.
The challenges of complying with the relevant sections of the SOX legislation are broad and complex for any IT organization. For IT organizations, SOX is all about the controls that are in place to protect the financial reporting process.
Perhaps one of the most obvious yet overlooked weaknesses of most IT systems is the thousands of unmanaged, hard-coded passwords used by scripts and applications within the datacenter. If you haven’t solved this threat hiding in plain sight in your own organization, it puts at risk all of the collected data that forms the foundation of your financial and business reporting.
The costs associated with attempting to manually change data center passwords, and the potential costs of system outages caused by password change errors, have created an environment of audit exception reports. Internal and external auditors are aware of this issue and are stopping the practice of issuing exception forms in favor of seeking a means of remediation.
In short, you’re going to have to start managing your hard-coded passwords. The question is, how?
Password management falls into the broad category of Identity and Access Management (I&AM). To date, most I&AM projects have focused on the human user identity. Password Authority and this paper focus on password management issues for unattended identities such as those used in application-to-application (A2A) transactions. Managing user passwords is a simple problem to solve compared to the challenges of managing unattended A2A passwords.
The table below shows the three types of password-enabled accounts and the password characteristics of each.
| Privilege | Account type |
| --- | --- |
| Isolated Privilege | End user accounts (attended) |
| Elevated Privilege | Administrator accounts (attended) |
| Elevated Privilege | Application-to-application accounts (unattended) |
According to the Securities and Exchange Commission (SEC), definitions and internal controls must provide reasonable assurance for preventing or promptly detecting the unauthorized acquisition, use, or disposition of company assets that could have a material effect on the financial statements. The continued use of hardcoded passwords, the sharing of elevated-privilege passwords, and the lack of policy for adequate password management within the data center and applications create big risks to an organization’s ability to confidently claim compliance with the SEC guidance.
Password Authority delivers both “preventive” and “detective” controls that contribute to a SOX assertion and attestation. The following table gives a high level view of how Password Authority assists with specific Sarbanes-Oxley requirements.
| Section | Subject | Compliance requirement |
| --- | --- | --- |
| SOX 302 | | |
| SOX 404 | | |
Most financial reporting systems leverage commercial databases as repositories for storing and protecting the data used to create financial reports. Some systems encrypt the managed data, but all incorporate access controls for authenticating users, administrators and applications. If the authentication process is questionable, then even using encryption adds dubious security...