Fourth in a series.
In a recent interview, Alex Bakman, CEO of Ecora Software Corp., in Portsmouth, N.H., offered his top five tips for IT administrators when preparing for a Sarbanes-Oxley (SOX) audit.
1. Select a set of controls -- and test repeatedly. The essence of the SOX audit is to prove that you do what you say you do. The Sarbanes-Oxley Act doesn't require people to have a specific set of IT controls, but whatever set of controls you pick, you need to demonstrate that you have a credible way of testing them.
2. Develop a sound password policy. This involves establishing password duration and password aging policies and requiring complex passwords. Many organizations are guilty of allowing users to create obvious passwords, such as the name of a pet.
3. Review permissions. The first thing auditors do is go into "shares" to find out who has access to what. You should review shares with an eye toward whether such permissions are in line with documented policies.
4. Validate access control lists. Test credentials against critical line-of-business systems. Auditors will look to see if your lists for who should have access to an application really govern who has access.
5. Plug database holes. Review database management systems and be able to validate, from a DBMS-authorization perspective, that there are no holes. A common problem auditors look at is how many production systems housing sensitive data are running with full credentials.
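Tips 2 through 5 all come down to the same test the first tip asks for: compare what is documented with what is actually configured, and keep the evidence. The script below is an added example, not code from the article or from Ecora Software, showing that reconciliation for a password policy, share and application permissions, and DBMS service accounts. Every policy, ACL entry, account and role name in it is constructed sample data; the set of "full privilege" role names is an assumption that would be replaced with whatever the local DBMS calls its administrative roles.

```python
"""Sample SOX IT-control test: documented policy versus observed configuration.

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass

# --- Tip 2: password policy -------------------------------------------------
# Constructed baseline: the minimums the documented policy commits to.
PASSWORD_BASELINE = {"max_age_days": 90, "min_length": 12,
                     "complexity_required": True, "history_count": 12}


def password_policy_gaps(effective, baseline=PASSWORD_BASELINE):
    """Return each setting where the effective policy is weaker than the baseline."""
    gaps = {}
    # Aging: a maximum age of 0 commonly means "never expires", weaker than any limit.
    age = effective.get("max_age_days", 0)
    if age == 0 or age > baseline["max_age_days"]:
        gaps["max_age_days"] = age
    if effective.get("min_length", 0) < baseline["min_length"]:
        gaps["min_length"] = effective.get("min_length", 0)
    if baseline["complexity_required"] and not effective.get("complexity_required", False):
        gaps["complexity_required"] = False
    if effective.get("history_count", 0) < baseline["history_count"]:
        gaps["history_count"] = effective.get("history_count", 0)
    return gaps


# --- Tips 3 and 4: shares and application access lists ----------------------
# Constructed: documented policy, i.e. which groups SHOULD have access to each resource.
DOCUMENTED_POLICY = {
    r"\\fileserver\finance": {"Finance-Staff", "Finance-Managers"},
    "ERP-General-Ledger": {"Finance-Managers", "GL-Accountants"},
}

# Constructed: what a review of the share and application ACLs actually found.
OBSERVED_ACCESS = [
    (r"\\fileserver\finance", "Finance-Staff", "Read"),
    (r"\\fileserver\finance", "Finance-Managers", "Change"),
    (r"\\fileserver\finance", "Everyone", "Read"),       # not in documented policy
    ("ERP-General-Ledger", "Finance-Managers", "Full"),
    ("ERP-General-Ledger", "Helpdesk", "Full"),          # not in documented policy
    # GL-Accountants is documented but absent: also a deviation to explain.
]


@dataclass(frozen=True)
class Finding:
    control: str
    resource: str
    detail: str


def reconcile_access(policy, observed):
    """Flag grants missing from policy, policy entries missing from reality,
    and resources that have grants but no documented policy at all."""
    findings = []
    observed_by_resource = {}
    for resource, principal, perm in observed:
        observed_by_resource.setdefault(resource, {})[principal] = perm
    for resource, approved in policy.items():
        actual = observed_by_resource.get(resource, {})
        for principal, perm in sorted(actual.items()):
            if principal not in approved:
                findings.append(Finding("access-review", resource,
                                        f"unapproved grant: {principal} ({perm})"))
        for principal in sorted(approved - actual.keys()):
            findings.append(Finding("access-review", resource,
                                    f"documented but not granted: {principal}"))
    for resource in sorted(observed_by_resource.keys() - policy.keys()):
        findings.append(Finding("access-review", resource,
                                "grants exist but no documented policy"))
    return findings


# --- Tip 5: DBMS authorization ----------------------------------------------
# Assumption: role names that amount to full credentials in the local DBMS.
FULL_PRIVILEGE_ROLES = {"sysadmin", "db_owner", "superuser", "dba"}

# Constructed: application service accounts and the DBMS role each connects with.
DB_ACCOUNTS = [
    {"app": "payroll-web", "db": "PAYROLL", "role": "payroll_app_rw",
     "production": True, "sensitive": True},
    {"app": "reporting", "db": "PAYROLL", "role": "sysadmin",
     "production": True, "sensitive": True},
    {"app": "dev-sandbox", "db": "PAYROLL_DEV", "role": "sysadmin",
     "production": False, "sensitive": False},
]


def find_overprivileged_db_accounts(accounts):
    """Production systems holding sensitive data must not run with full credentials."""
    return [a for a in accounts
            if a["production"] and a["sensitive"]
            and a["role"].lower() in FULL_PRIVILEGE_ROLES]


if __name__ == "__main__":
    effective = {"max_age_days": 180, "min_length": 8,
                 "complexity_required": False, "history_count": 24}
    print("password gaps:", password_policy_gaps(effective))
    for f in reconcile_access(DOCUMENTED_POLICY, OBSERVED_ACCESS):
        print(f"{f.control}: {f.resource}: {f.detail}")
    for a in find_overprivileged_db_accounts(DB_ACCOUNTS):
        print(f"db-authz: {a['app']} connects to {a['db']} as {a['role']}")
```

Each function returns its findings rather than only printing them, so the same run can be saved as the audit evidence that the control was tested; repeating the run on a schedule is what turns a one-off review into the repeatable test the first tip calls for.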