Financial compliance measures cause some companies to look again at lax systems access
by Scott Bury, contributing editor -- Manufacturing Business Technology, 8/1/2005 12:00:00 AM
Enterprise Strategy Group, a Milford, Mass.-based storage and information management analyst firm, reports 46 percent of IT managers have found active accounts belonging to ex-employees on their networks, even though 55 percent believe "access control is their organization's highest security priority in relation to Sarbanes-Oxley compliance."
But access control is "a complex problem," says Jon Oltsik, an author of the report. The more rights an employee has—to the network, e-mail, or applications—the harder the network manager's job becomes: granting access privileges, and then removing every one of them when the employee leaves. Sarbanes-Oxley compliance also covers access to spreadsheets, databases, and other files created using financial information, even if they're outside the control of the IT manager.
"Identity management crosses so many boundaries that everyone owns part of it, and no one owns all of it," Oltsik says.
It gets even more complicated when outside companies have access to networks—for instance, when outsourcing IT development or payroll. Linking suppliers through a supply chain management system gives them access to at least part of the financial data, but the system's owner is still the one who must certify its security.
The first step to closing this particular system door, says Steve Yount, president of IT consulting firm Sarbox Solutions, Bellevue, Wash., is to evaluate what could fall within Sarbanes-Oxley rules: "anything directly or indirectly involved in financial data"—that is, accounts payable or receivable, transactions, inventory, costing, procurement, payroll—and determine who has access to those systems.
Strictly controlling administrator rights is the next step. "You have to ensure that supervisor or administrator rights aren't granted beyond where they should be granted," explains Robert Markham, principal analyst at Forrester Research, Cambridge, Mass.
Markham adds that businesses must take a multilayered approach. They should automate not only access control, but also the follow-up auditing process that provides proof the controls are working. It is this combination that ensures the access door opens and closes when it should.
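As an added illustration of the reconciliation and audit step described above (this is example code, not from the article or any firm quoted in it), the script below compares a constructed HR roster with a constructed directory account export, flags enabled accounts belonging to departed staff, accounts with no HR owner, and administrator rights outside an approved list, and writes each finding as an audit record. The user names, group names, approved-admin list and dates are all assumptions.

```python
"""Orphaned-account and admin-rights reconciliation with an audit trail."""
from datetime import date

# Constructed sample data (hypothetical): HR roster and a directory export.
HR_ROSTER = {
    "asmith": {"status": "active", "term_date": None},
    "bjones": {"status": "terminated", "term_date": date(2005, 6, 30)},
    "cvendor": {"status": "contractor", "term_date": date(2005, 7, 15)},
}
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "groups": ["finance-ap"]},
    {"user": "bjones", "enabled": True, "groups": ["finance-gl"]},
    {"user": "cvendor", "enabled": False, "groups": ["payroll-admin"]},
    {"user": "dnew", "enabled": True, "groups": ["payroll-admin", "finance-ap"]},
]
ADMIN_GROUPS = {"payroll-admin", "erp-admin"}   # assumed privileged groups
APPROVED_ADMINS = {"asmith"}                     # assumed approved admin list


def reconcile(roster, accounts, admin_groups, approved_admins, today):
    """Return (user, finding) pairs for accounts that violate the controls."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        rec = roster.get(user)
        if rec is None:
            # Account with no HR owner: often a vendor or a forgotten test login.
            findings.append((user, "NO_HR_RECORD"))
        elif acct["enabled"] and rec["term_date"] and rec["term_date"] <= today:
            # Still enabled after the owner's termination date.
            findings.append((user, "ORPHANED_ACCOUNT"))
        holds_admin = bool(set(acct["groups"]) & admin_groups)
        if acct["enabled"] and holds_admin and user not in approved_admins:
            findings.append((user, "UNAPPROVED_ADMIN"))
    return findings


def audit_records(findings, run_date):
    """Render findings as dated lines, the evidence that the check ran."""
    return [f"{run_date.isoformat()} {code} user={user}" for user, code in findings]


if __name__ == "__main__":
    found = reconcile(HR_ROSTER, ACCOUNTS, ADMIN_GROUPS, APPROVED_ADMINS, date(2005, 8, 1))
    for line in audit_records(found, date(2005, 8, 1)):
        print(line)
```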