
SOX Compliance Solutions

Sarbanes-Oxley Compliance

Achieving Sarbanes–Oxley (SOX) compliance is a considerable challenge for many public companies. There are no mandated “best practices” to guide organizations to compliance, and a significant amount of money is spent annually in the attempt to pass the compliance audit. The only guiding principles that exist are rules mandating that information be transparent, tamper-proof, audited and logged. So the question becomes: How do companies achieve these mandates?

The SOX Act places the responsibility for compliance on C-level executives, such as CEOs, CFOs, and CIOs/CISOs. Unfortunately for C-level groups, their work does not directly involve the granular data relevant to SOX mandates. Instead, it is administrative-level employees who access and store sensitive financial and accounting information on a daily basis.

Impact of SOX compliance for IT

The SOX IT compliance mandate creates two main problems for IT teams: the first is placing controls that help employees protect confidential information during day-to-day work, and the second is tracking those controls in order for C-level executives to ensure the company passes the SOX compliance audit.

The IT infrastructure and network security of a company is integral to protecting confidential information and preparing for a SOX audit. Thycotic is used by companies worldwide as part of their overall IT security and compliance strategy. Organizations use Thycotic products to bring control and accountability to IT privileged accounts, end-user accounts and overall group control. These strategies ensure full auditing, restrictions to user access, secure user authentication and easy auditor access for regular verifications.

Managing your privileged IT accounts

IT accounts, such as IT admin accounts or application/service accounts, each grant a specific level of access on the network. Typically IT teams share these credentials amongst themselves to gain access to equipment as needed. This makes it very difficult to know who exactly is accessing which device and to restrict access amongst IT staff.

The second security issue is the potential for hundreds, if not thousands, of accounts, each with its own password. To improve security posture, each password should be long, composed of random characters, and changed regularly. For many organizations this means serious man-hours wasted by highly paid IT professionals manually changing the passwords on these accounts.

Key solutions for IT teams

Thycotic developed Secret Server Password Management Software specifically to address compliance for IT departments. The tool creates a centralized, encrypted location for password storage, the ability to restrict access by role, full auditing of credential usage and automatic password changing.

Add your security policy to Secret Server to automatically change passwords at required times, enforce password length and complexity requirements, and ensure sensitive systems maintain a high level of access control and oversight over privileged accounts.
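The two preceding sections describe the policy a privileged-account vault should enforce: long random passwords, a complexity requirement, and a maximum age before rotation. The following added example (not Secret Server's or Thycotic's code) encodes such a policy as checks over a constructed inventory of service and admin accounts and shows how a compliant replacement password is generated with the `secrets` module. The account names, passwords, dates and policy thresholds are assumptions made up for the illustration.

```python
"""Privileged-account password hygiene checks (added example, not vendor code)."""
import secrets
import string
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Policy:
    """Assumed policy thresholds; a real deployment takes these from its security policy."""
    min_length: int = 20        # minimum characters for a privileged credential
    max_age_days: int = 90      # rotate at least this often
    require_classes: int = 3    # of the four classes: upper, lower, digit, symbol


def complexity_classes(password: str) -> int:
    """Count how many character classes the password draws from."""
    symbols = set(string.punctuation)
    return (any(c.isupper() for c in password)
            + any(c.islower() for c in password)
            + any(c.isdigit() for c in password)
            + any(c in symbols for c in password))


def violations(password: str, last_rotated: date, today: date, policy: Policy) -> list:
    """Return the policy rules this credential currently breaks (empty list = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    if complexity_classes(password) < policy.require_classes:
        problems.append("low_complexity")
    if (today - last_rotated).days > policy.max_age_days:
        problems.append("rotation_overdue")
    return problems


def generate_password(length: int, policy: Policy) -> str:
    """Generate a random password from a CSPRNG that satisfies the complexity rule."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if complexity_classes(candidate) >= policy.require_classes:
            return candidate


def audit(inventory: dict, today: date, policy: Policy) -> dict:
    """Map each non-compliant account name to its list of violations."""
    report = {}
    for name, (password, last_rotated) in inventory.items():
        problems = violations(password, last_rotated, today, policy)
        if problems:
            report[name] = problems
    return report


# Constructed inventory: account -> (current password, date of last rotation).
# Plaintext here only so the checks can run offline; a vault would hold these encrypted.
INVENTORY = {
    "svc-backup": ("Summer2019!", date(2019, 3, 1)),                 # short and stale
    "svc-sql": ("x" * 24, date(2019, 8, 15)),                        # long but one class
    "adm-dc01": ("Vq8#mR2!pL5$wN9&tH3*kZ7%", date(2019, 8, 20)),    # compliant
}

if __name__ == "__main__":
    today = date(2019, 9, 1)
    for account, problems in audit(INVENTORY, today, Policy()).items():
        print(f"{account}: {', '.join(problems)} -> rotating")
        INVENTORY[account] = (generate_password(24, Policy()), today)
    print("after rotation:", audit(INVENTORY, today, Policy()))
```

Running the block flags `svc-backup` and `svc-sql`, rotates them, and the second audit comes back empty. The rotation-age check is the part that actually removes manual work: run on a schedule, it produces the list of accounts the vault must change that day.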


Improving security for end-user accounts

Securing end-user accounts is very important for overall network security, especially because of their susceptibility to malware and employees’ penchant for using weak passwords. To fortify a network, these accounts must have strong, regularly rotated passwords. Often the number one problem with a strong end-user password policy is the more complex an employee’s password is, or the more often they’re required to change it, the more likely they are to forget it!

Key solutions for end-user password resets

Security rules for end-user passwords, such as length, complexity and rotation requirements, add protection to the network but can quickly increase help desk cost when employees forget their login credentials. Added costs can include expanding help desk staff to field high-volume password reset calls, or missed deadlines when employees cannot log in to the network.

Password Reset Server eliminates the need for employees to call the help desk to reset their AD password. Now, they can simply answer security questions through Password Reset Server and automatically reset their password any time of the day, from any location. IT security teams can also configure Password Reset Server to enforce password length and complexity requirements, ensuring password compliance is met by all employees.


Controlling Active Directory group management

In addition to controlling account credentials and enforcing stronger password practices, it is important for organizations to limit risk from internal threats, such as disgruntled employees. One key solution is locking down access to company resources. For example, making sure employees in the marketing department only have access to marketing files and cannot access payroll files. This can be done by adjusting permissions in Active Directory (AD). Typically, the IT department will make AD changes, but from a security standpoint, this adds potential for error since the IT administrator is not always familiar with the complexities of each department’s AD groups and may inadvertently assign an employee to the wrong group.

Key solutions for AD group management

Active Directory (AD) group management may not be the first topic that comes to mind when creating a security policy. However, it is an important example of how system design can produce errors ripe for exploitation later on. Delegating one point of contact in IT to make AD group changes is a typical practice in most organizations. That person is responsible for adding newly hired employees to the appropriate AD group. For example, a new marketing associate would be given access to marketing files and email distribution lists. But without being privy to specific department workflows, the IT admin might mistakenly sign up the new employee for the wrong access. This problem typically gets worse as employees change teams, roles and responsibilities within the organization.

Auditing and restricting access applies not only to critical systems and servers but also to AD group management itself. These controls can easily be added through Group Management Server, a tool that enables non-IT team leaders to make AD group changes for their department. With Group Management Server, the marketing manager can add new employees to the marketing AD group, or make changes within that group. For security, all changes are audited and each manager's ability to make changes is restricted to their own AD groups.
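The passage above describes two controls: every group change is audited, and each delegated manager may only touch their own groups. The following added example (not Group Management Server's or Thycotic's code) shows the detection side of that arrangement: it reviews group-membership change records against a delegation map and reports any change made outside the delegated scope or by an account with no delegation on record. The records are constructed for the example and modelled on the fields of the Windows Security events for group membership changes (4728/4729 for global groups, 4732/4733 for local groups, 4756/4757 for universal groups); the manager names, group names and delegation map are assumptions.

```python
"""Review delegated AD group changes against a delegation map (added example, not vendor code)."""

# Windows Security event IDs recorded when a member is added to or removed from a security group.
GROUP_CHANGE_EVENTS = {
    4728: "added to global group",      4729: "removed from global group",
    4732: "added to local group",       4733: "removed from local group",
    4756: "added to universal group",   4757: "removed from universal group",
}

# Assumed delegation map: which groups each department manager may administer.
DELEGATIONS = {
    "mkt-manager": {"Marketing", "Marketing-Distribution"},
    "fin-manager": {"Finance", "Payroll"},
}

# Constructed records modelled on the event fields: SubjectUserName is who made
# the change, TargetUserName is the group, MemberName is the account changed.
EVENTS = [
    {"EventID": 4728, "SubjectUserName": "mkt-manager", "TargetUserName": "Marketing",
     "MemberName": "CN=new.hire,OU=Users,DC=example,DC=test"},
    {"EventID": 4728, "SubjectUserName": "mkt-manager", "TargetUserName": "Payroll",
     "MemberName": "CN=new.hire,OU=Users,DC=example,DC=test"},        # outside delegated scope
    {"EventID": 4729, "SubjectUserName": "fin-manager", "TargetUserName": "Finance",
     "MemberName": "CN=leaver,OU=Users,DC=example,DC=test"},
    {"EventID": 4732, "SubjectUserName": "contractor7", "TargetUserName": "Administrators",
     "MemberName": "CN=contractor7,OU=Users,DC=example,DC=test"},     # no delegation at all
    {"EventID": 4720, "SubjectUserName": "fin-manager", "TargetUserName": "temp.acct",
     "MemberName": "-"},                                              # account creation, not a group change
]


def review_group_changes(events, delegations, central_admins=frozenset()):
    """Return (subject, group, reason) for each group change that breaks the delegation model.

    central_admins lists accounts (e.g. the IT delegate) that may change any group.
    """
    findings = []
    for event in events:
        if event["EventID"] not in GROUP_CHANGE_EVENTS:
            continue                                  # not a membership change
        subject, group = event["SubjectUserName"], event["TargetUserName"]
        if subject in central_admins:
            continue
        allowed = delegations.get(subject)
        if allowed is None:
            findings.append((subject, group, "no delegation on record"))
        elif group not in allowed:
            findings.append((subject, group, "group outside delegated scope"))
    return findings


def changes_by_subject(events):
    """Audit trail: every membership change grouped by the account that made it."""
    trail = {}
    for event in events:
        action = GROUP_CHANGE_EVENTS.get(event["EventID"])
        if action is None:
            continue
        trail.setdefault(event["SubjectUserName"], []).append(
            (action, event["TargetUserName"], event["MemberName"]))
    return trail


if __name__ == "__main__":
    for subject, group, reason in review_group_changes(EVENTS, DELEGATIONS):
        print(f"ALERT {subject} changed {group!r}: {reason}")
    for subject, changes in changes_by_subject(EVENTS).items():
        print(subject, changes)
```

The review relies on the delegation map being the single source of truth for who may manage which group; if the map and the actual ACLs on the groups drift apart, the finding will still surface the change, which is the point of keeping the audit independent of the enforcement.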
