UserLock and FileAudit by IS Decisions can both help you address the requirements of SOX by allowing you to control and monitor system access and identity.
System Access Control & Authorization
« Ensure that only people who are authorized to use the system can access it. »
Do you give all users unique login credentials?
Ensures that nobody can log on to the system without uniquely identifiable credentials.
Do you enforce the secure use of passwords and verify a person is the one claimed?
Strengthens unique network login credentials with context-aware access restrictions and user reminders, which help verify that a person seeking access to the network and the information within is genuinely who they say they are.
Do you restrict users from sharing logins?
Prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices.
Can you attribute session duration and actions on the network to individual users?
Helps administrators verify all users’ identity at any time, making users accountable for any activity — malicious or otherwise.
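The two controls above (blocking concurrent logons with one set of credentials, and attributing session time to an individual) can be checked against plain logon/logoff records. The following Python is an added illustration, not IS Decisions' code: it pairs constructed sample events into sessions, flags an account that is logged on to two machines at once, and totals logged-on minutes per user.

```python
from collections import defaultdict
from datetime import datetime
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logon/logoff records (not taken from any real system).
EVENTS = [
    ("2024-03-04 08:00:00", "jsmith", "WS-101", "logon"),
    ("2024-03-04 08:05:00", "jsmith", "WS-117", "logon"),   # same account, second workstation
    ("2024-03-04 08:30:00", "jsmith", "WS-117", "logoff"),
    ("2024-03-04 09:00:00", "jsmith", "WS-101", "logoff"),
    ("2024-03-04 08:10:00", "adoe",   "WS-102", "logon"),
    ("2024-03-04 10:10:00", "adoe",   "WS-102", "logoff"),
    ("2024-03-04 11:00:00", "adoe",   "WS-102", "logon"),   # still open: no logoff yet
]

def build_sessions(events, now="2024-03-04 12:00:00"):
    # Pair each logon with the next logoff for the same (user, host);
    # a logon with no logoff yet is treated as open until `now`.
    open_logons, sessions = {}, []
    for ts, user, host, action in sorted(events):
        t, key = datetime.strptime(ts, FMT), (user, host)
        if action == "logon":
            open_logons[key] = t
        elif key in open_logons:
            sessions.append({"user": user, "host": host,
                             "start": open_logons.pop(key), "end": t})
    end = datetime.strptime(now, FMT)
    for (user, host), start in open_logons.items():
        sessions.append({"user": user, "host": host, "start": start, "end": end})
    return sessions

def concurrent_logons(sessions):
    # Same account logged on to two different machines at overlapping times:
    # the signature of a shared password. Returns (user, host_a, host_b).
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    hits = []
    for user, sess in by_user.items():
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a["host"] != b["host"] and a["start"] < b["end"] and b["start"] < a["end"]:
                    hits.append((user, *sorted((a["host"], b["host"]))))
    return hits

def session_minutes(sessions):
    # Total logged-on minutes per account, so activity can be attributed to a user.
    totals = defaultdict(int)
    for s in sessions:
        totals[s["user"]] += int((s["end"] - s["start"]).total_seconds() // 60)
    return dict(totals)
```

A real deployment would read these events from the domain's security log rather than an inline list; the pairing and overlap logic stay the same.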
User Account Management
« Control accounts that are used to access systems that support financial reporting. »
System Monitoring & Reporting
« Monitor, record and examine security events in information systems including invalid login attempts, requests for inappropriate access and access to specific information. »
More on the effect of SOX on information security
Sections 302 and 404 indirectly force the scrutiny of information security controls for SOX compliance.
Section 302 states that the CEO and CFO must assess and report on the effectiveness of internal controls around financial reporting.
Section 404 states that a corporation must assess and report on the effectiveness of its internal controls.
The wording of both is broad and does not provide specific guidance as to which controls must be assessed.
Using COSO and COBIT to define a specific set of IT control objectives for SOX:
To help further with internal control guidance, the PCAOB has selected a framework created by the Committee of Sponsoring Organizations (COSO). COSO provides general guidance on the control environment, risk assessment, control activities, information and communication, and monitoring. In addition, more specific guidance is provided by Control Objectives for Information and related Technology (COBIT).
Both frameworks complement each other and are often used in tandem for the purposes of compliance with SOX sections 302 and 404. IS Decisions solutions address certain requirements of both frameworks.
COBIT® is a trademark of ISACA registered in the U.S. and other countries.
COBIT Framework is not contained within IS Decisions products.