
White Papers for Sarbanes-Oxley (SOX)

Achieving Regulatory Compliance for Identity Management Control

BMC Software

Today, most, if not all, financial processes are supported by information technology (IT) systems.
Consequently, IT plays a primary role in compliance with the provisions of legislation and standards
such as Sarbanes-Oxley (SOX) and Basel II. Given the proliferation of SOX-style legislation globally,
this paper will use SOX as a reference for IT regulatory compliance requirements.

Section 404 of SOX has the greatest relevance for and impact on IT. The section requires a company
to attest to the adequacy and effectiveness of its internal controls for financial reporting. It deals
with the controls that maintain the integrity of processing and reporting of financial data. Within
Section 404, there are two fundamental IT control areas that are critical to compliance: 1) identity
management (IDM) and 2) change and configuration management (CCM). The inability to control who
has access to systems and who makes changes to the underlying systems infrastructure is a material
weakness.

A July 2005 CIO Magazine article underlines the importance of identity management and change and
configuration management in compliance. The article lists, in order of decreasing frequency, the top
five IT control weaknesses reported by auditors:
1. Failure to segregate duties within applications, and failure to set up new accounts and terminate
old ones in a timely manner.
2. Lack of proper oversight for making application changes.
3. Inadequate review of audit logs.
4. Failure to identify abnormal transactions in a timely manner.
5. Lack of understanding of key system configurations.
As can be seen, the most frequently occurring weakness deals with identity management and the
second with change and configuration management. This paper specifically addresses IDM controls.

This paper examines the general IT controls described in SOX Section 404 as well as the Control
Objectives for Information and related Technology (CobiT) established for those general IT controls,
focusing on those that relate to IDM. It also identifies the need for a systems-based identity
management solution and provides criteria for selecting such a solution. Finally, the paper presents
the Business Service Management (BSM) Identity Management Route to Value from BMC Software,
a solution that meets the criteria.
