SOX reality check: Provisioning systems
Sarbanes-Oxley requires that companies institute internal controls over the processes that may affect the accuracy of financial reports. One of the key aspects of these internal controls is the ability to regulate and audit access to important corporate applications and systems. In today's world, the mechanisms that authenticate users and manage privileges are shared across the enterprise.
As a result, account management and access control can't be localized to the financial applications but must be managed consistently across the corporation. However, while some of the account services are centralized, there are always systems and applications that don't integrate with the corporate environment. In the face of these complications, a corporation must be able to prove that only authorized individuals are allowed access to the systems and applications that affect its financials.
Identity management and provisioning systems can help organizations meet the requirements of Sarbanes-Oxley by consolidating and facilitating the provisioning, management, and auditing of system and application accounts across an enterprise. One of the most helpful aspects of identity management systems is that they automate the notification and approval workflow that is necessary when creating and modifying accounts. Organizations must ensure that there is appropriate separation of duties, that supervisors, information owners and information custodians are notified of changes to accounts and privileges, and that accounts and privileges are re-certified periodically. Without an automated centralized system, the communications, reporting and auditing can become unmanageable.
A growing number of software companies provide identity management solutions. Some of the most prominent products are CA Identity Manager, Courion's Enterprise Provisioning Suite, Hewlett-Packard OpenView Identity Management, IBM Tivoli Identity Manager, Microsoft Identity Integration Server, Novell Identity Manager, Sun Java System Identity Manager and Oracle Xellerate Identity Provisioning. All these solutions are designed to be the centerpiece of identity management in the enterprise. A number of features are important in choosing an identity management solution, particularly when regulatory compliance is a driving factor. An organization must consider:
Ease of integration with critical systems and applications
The more easily existing systems and applications integrate with the identity management system, the more the corporation can rely on it to automate account creation, management and reporting. Virtually all identity management systems integrate with prominent account stores like Active Directory or LDAP directories. The open question is whether the financial applications and home-grown systems that actually affect the books can be integrated as well; an account that lives outside the provisioning system is one the auditors will have to see managed by hand.
Ease of integration of existing databases
User databases are often distributed throughout an organization. Being able to import or integrate with these databases is an important measure of a product's ability to adapt to an organization. Support for an organization's preferred database technology or technologies (e.g., Oracle, SQL Server, DB2) is also important to avoid the cost and disruption of introducing new technology.
Platform support
Identity management solutions need to be compatible with the platforms an organization depends on. For most large organizations, convenient and rich integration with mainframe, Unix and Windows technologies is required.
Authorization and policy flexibility
Identity management systems need to be able to accommodate the authorization or entitlement models of an organization, not force an organization to change its model to match the system. On the other hand, identity management systems may provide an opportunity to unify the various systems and applications that currently have inconsistent or even conflicting models. Organizations need to assess the needs of various systems and applications and determine if the identity management system supports their current and/or future models.
Reporting and policy compliance
The ability to report on the accounts and privileges associated with individuals or groups in a flexible and customizable manner is critical to SOX compliance. All of the identity management solutions listed above include flexible reporting features, either in an integrated package or via a third-party mechanism like Crystal Reports. In addition to account status and history reporting, it is useful to have a system that can scan accounts for compliance with policy (e.g., appropriate separation of creation and approval privileges, no accounts without a living owner, no accounts past their recertification date) and report exceptions both in regular reports and asynchronously in alerts. Because a person may hold one half of a toxic privilege pair on one system and the other half on another, such a scan is only meaningful when entitlements are rolled up to the individual across all connected systems. Organizations should look at the kinds of reports that auditors require and ensure that the identity management system can provide the necessary information.
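The following Python script is an added example of the kind of policy scan described above; it is written for this article and is not a feature or export format of any of the products named. It takes a constructed entitlement extract (hypothetical system names, account names, privileges and identities), rolls privileges up from individual accounts to the person who owns them, and then reports three classes of exception an auditor would ask about: separation-of-duties conflicts, orphaned accounts (no owner, or an owner HR lists as terminated) and accounts whose recertification is overdue.

```python
from datetime import date

# Constructed sample data standing in for an entitlement extract pulled from
# several connected systems. None of these names refer to a real product.
AS_OF = date(2006, 2, 1)          # date the scan is run
RECERT_MAX_DAYS = 90              # assumed recertification period (policy choice)

# HR / authoritative identity source: identity id -> record
IDENTITIES = {
    "e1001": {"name": "A. Ledger", "status": "active"},
    "e1002": {"name": "B. Payer", "status": "active"},
    "e1003": {"name": "C. Leaver", "status": "terminated"},
}

# (system, account name, owning identity or None, last recertification date)
ACCOUNTS = [
    ("ERP",       "aledger",   "e1001", date(2006, 1, 10)),
    ("AP_PORTAL", "aledger",   "e1001", date(2006, 1, 10)),
    ("ERP",       "bpayer",    "e1002", date(2005, 6, 1)),
    ("ERP",       "cleaver",   "e1003", date(2005, 12, 1)),
    ("UNIX",      "svc_batch", None,    date(2005, 9, 1)),
]

# (system, account name, privilege)
ENTITLEMENTS = [
    ("ERP",       "aledger",   "AP_INVOICE_CREATE"),
    ("AP_PORTAL", "aledger",   "AP_PAYMENT_APPROVE"),  # conflict spans two systems
    ("ERP",       "bpayer",    "AP_PAYMENT_APPROVE"),
    ("ERP",       "cleaver",   "GL_JOURNAL_POST"),
    ("UNIX",      "svc_batch", "root"),
]

# Toxic combinations: holding both halves lets one person initiate and
# approve the same transaction. Hypothetical privilege names.
SOD_RULES = [
    ("AP_INVOICE_CREATE", "AP_PAYMENT_APPROVE"),
    ("GL_JOURNAL_CREATE", "GL_JOURNAL_POST"),
]


def privileges_by_identity(accounts, entitlements):
    """Roll privileges up from accounts to the identity behind each account."""
    owner = {(system, acct): ident for system, acct, ident, _ in accounts}
    held = {}
    for system, acct, priv in entitlements:
        ident = owner.get((system, acct))
        if ident is None:
            continue  # no owner: reported by orphaned_accounts(), not here
        held.setdefault(ident, set()).add(priv)
    return held


def sod_violations(accounts, entitlements, rules):
    """Identities holding both privileges of any toxic pair, on any systems."""
    held = privileges_by_identity(accounts, entitlements)
    return [(ident, a, b)
            for ident, privs in sorted(held.items())
            for a, b in rules
            if a in privs and b in privs]


def orphaned_accounts(accounts, identities):
    """Accounts with no owner or whose owner is no longer active in HR."""
    return [(system, acct)
            for system, acct, ident, _ in accounts
            if ident is None or identities.get(ident, {}).get("status") != "active"]


def overdue_recertifications(accounts, as_of, max_days=RECERT_MAX_DAYS):
    """Accounts not re-certified within the policy window."""
    return [(system, acct)
            for system, acct, _, last in accounts
            if (as_of - last).days > max_days]


def compliance_report(identities, accounts, entitlements, rules, as_of):
    """Exception report of the kind an auditor would request."""
    return {
        "sod": sod_violations(accounts, entitlements, rules),
        "orphaned": orphaned_accounts(accounts, identities),
        "overdue": overdue_recertifications(accounts, as_of),
    }


if __name__ == "__main__":
    for kind, rows in compliance_report(IDENTITIES, ACCOUNTS, ENTITLEMENTS,
                                        SOD_RULES, AS_OF).items():
        print(kind)
        for row in rows:
            print("   ", *row)
```

Note that the separation-of-duties finding against e1001 exists only because the two accounts on ERP and AP_PORTAL are tied back to the same person; a scan run per system would report nothing. That is the practical argument for a central provisioning view rather than per-application audits.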
Support for workflow, including provisioning, de-provisioning and authorization certification
SOX requires a documentation trail justifying every creation, deletion and change to user accounts and privileges. Just as important is proof that the right people were notified of and required to approve those changes. Identity management systems provide workflow engines that integrate with e-mail systems to notify interested parties, and they require and record approvals before changes are actually implemented, so the approval itself becomes part of the audit trail rather than a separate paper process.
As time goes on, larger organizations at least will likely find it nearly impossible to meet all of the SOX requirements without some kind of centralized, automated identity management and provisioning solution. Whether it is an off-the-shelf system, a customized solution or a combination, identity management systems appear to be part and parcel of regulatory compliance.
01 Feb 2006