Sarbanes-Oxley Compliance and Identity and Access Management




A Bull Evidian White Paper

Summary of Contents
- Introduction
- Sarbanes-Oxley Reference Framework
- IAM and Internal Controls over Financial Reporting
- Features
- Improve Efficiency with IAM
- Deploying IAM to Enforce SOX-mandated Controls
- IAM and Internal Controls: an Efficient Combination
- APPENDIX: IAM and COBIT Control Objectives

2013 Evidian The information contained in this document represents the view of Evidian on the issues discussed at the date of publication. Because Evidian must respond to changing market conditions, it should not be interpreted as a commitment on the part of Evidian, and Evidian cannot guarantee the accuracy of any information presented after the date of publication. This is for informational purposes only. EVIDIAN MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. We acknowledge the rights of the proprietors of trademarks mentioned in this book.

Contents
- Introduction (p. 4)
  - Compliance with Regulations: an Opportunity (p. 4)
- Sarbanes-Oxley Reference Framework (p. 5)
  - How to Choose Controls? (p. 6)
  - The Case for Identity and Access Management (IAM) Tools (p. 8)
- IAM and Internal Controls over Financial Reporting (p. 9)
  - The Basics (p. 9)
  - Assessing Internal Controls (p. 10)
  - Implement the SOX Life Cycle more Efficiently with IAM (p. 10)
  - Improving your SOX Compliance Process with IAM (p. 10)
  - Implementing IAM-related Controls (p. 11)
  - End-user: Identification (p. 11)
  - End-User: Identity Assurance (p. 11)
  - Administrator: Implementing the Authorization Process (p. 11)
  - Segregation of Duties (p. 12)
  - Historical Data on Accesses and Access Management (p. 12)
  - The Need for Flexibility (p. 13)
- Features (p. 14)
  - IAM Features - Overview (p. 14)
  - Producing Historical Data for Audit and Metrics (p. 15)
  - Must Be Technology-independent (p. 16)
- Improve Efficiency with IAM (p. 17)
  - Regulatory Obligations: an Opportunity (p. 17)
  - Measuring Return on Investment in Productivity Terms (p. 18)
- Deploying IAM to Enforce SOX-mandated Controls (p. 19)
- IAM and Internal Controls: an Efficient Combination (p. 20)
- APPENDIX: IAM and COBIT Control Objectives (p. 21)

39 A2 92LS Rev00 3

Introduction

The Sarbanes-Oxley Act of 2002 (SOX) was passed in the wake of corporate scandals in which major companies' financial reports failed to represent the severity of the issues facing these companies. In reaction, SOX aims at restoring investors' confidence in public companies and in the credibility of their financial reporting.

The Sarbanes-Oxley Act of 2002 is based upon some major principles:
- Integrity and accessibility of financial information
- Management responsibility
- Auditor independence

The part of SOX that most directly concerns IT security is Section 404, which aims at strengthening internal control over financial reporting and, in so doing, minimizing material weaknesses in the reporting process. Section 404 requires that the audited reports which concerned companies file yearly with the SEC, known as the 10-K, include a section on the status and effectiveness of internal control over financial reporting. The Securities and Exchange Commission issued its final rule in August 2003 and specified the content of this section, as well as the general procedure to be used in this management assessment.

As most financial activity is performed on IS resources, identity and access management (IAM) plays a significant part in helping maintain the integrity of a company's reporting process. Of course, IAM is just one piece of the overall SOX compliance process, but it can help make that process significantly easier to implement, maintain and audit.

Compliance with Regulations: an Opportunity

According to a report released in December 2004 by Forrester Research, 65% of interviewed business leaders considered compliance with regulations such as SOX a priority for 2005; 38% of them judged it a critical priority. A company may see regulations as a burden, but formalizing many existing controls and improving them can have a positive effect on an organization. How can an organization benefit from this while keeping costs low?

Sarbanes-Oxley Reference Framework

Section 404 of SOX does not specify a set of formal evaluation categories, known as a framework, to be used in the assessment of controls over financial reporting. In turn, the SEC final rules specifically do not specify the method or procedures to be performed in an evaluation. However, the SEC rules specifically mention the Committee of Sponsoring Organizations (COSO) framework, although regional corporate control frameworks may be used. Similarly, specific IT control frameworks may be chosen by a company, as long as the company can convince its external auditor that its controls satisfy the requirements for effectiveness.

A framework of IT control objectives that is often used in the context of SOX is the Control Objectives for Information and related Technology (COBIT), issued by the IT Governance Institute, ITGI (www.itgi.org).

SOX created the Public Company Accounting Oversight Board (PCAOB), a non-profit organization, to oversee auditors of public companies. The PCAOB is charged with issuing guidelines for auditors on how to audit different aspects of reports, including the ones relating to section 404. As long as the resulting controls satisfy the requirements set forth by the PCAOB's auditing standard, companies can conceivably use IT control frameworks other than COBIT. Such frameworks can be the ones included in the IT Infrastructure Library, ITIL (www.itil.co.uk), or ISO 17799. Companies may also choose a proprietary control framework developed by consulting and audit firms. It is, therefore, important that companies work closely with their external auditors, especially in the first rounds of SOX section 404 implementation and certification.

Figure 1. Determining Control Objectives for SOX
[Diagram: COSO and COBIT feed into determining control objectives for Sarbanes-Oxley; timeline of SOA section 404 (July 2002), SEC final rules (August 2003) and PCAOB Auditing Standard No. 2 (March 2004); internal assessment, internal audit and processes assessment.]

How to Choose Controls?

Control objectives are overall goals that may or may not specifically concern IT. For instance, "Accounting data must not be tampered with during the consolidation process" could be a control objective. From control objectives, one deduces control activities, sometimes simply called controls. One control activity resulting from the preceding example could be "establish authorization procedures for user access to the consolidation application". IT organizations are therefore involved both in the setting up of control objectives and in the exhaustive documentation of the IT control activities necessary to fulfill those objectives, which includes assessment procedures and metrics.

There are over 300 audit controls included in COBIT. To provide guidance, the ITGI published the IT Control Objectives for Sarbanes-Oxley document in April 2004. Among the twelve control objective headings of COBIT that are deemed relevant to SOX compliance, "Ensure Systems Security" is expressly mentioned.

Please note that no regulation related to SOX provides you with a mandatory checklist of required controls. On the contrary, both the SEC and the ITGI specifically state that choosing and implementing controls heavily depends on your organization. Therefore, the set of controls for your organization must be selected carefully according to a transparent process. For instance, META Group (P. Proctor, 2004) recommends the following process:
- Step 1: Assess risks. Reasonably anticipated risks must be listed and prioritized according to criticality and likelihood of occurrence.
- Step 2: Choose and implement effective controls. Controls must match reasonably anticipated steps and be selected according to clear criteria.
- Step 3: Build a defensible case, in particular by anticipating required data and choosing appropriate metrics.

Therefore, processes should be implemented first, then metrics chosen, then the necessary tools deployed.

Figure 2. Illustrative SOX Life Cycle
[Diagram of a cycle: define and adapt control objectives; document corresponding control activities; determine tests and metrics; implement controls; audit and diagnosis of internal controls.]

A large part of the controls that a corporation can decide to implement relates to users accessing financial or personal information. Who has access to what information, and under which conditions, is the key to the integrity of the financial reporting process. Also critical are the procedures for granting access. As more and more information is stored in computer format, such controls necessarily have an IT component. A class of IT applications, called Identity and Access Management (IAM) tools, can help implement such controls over an entire organization.

The Case for Identity and Access Management (IAM) Tools

Making an organization comply with the requirements of SOX section 404 is conceivable without IAM tools. Indeed, for resource and timing reasons, many IT organizations began, as a first step, to implement SOX requirements by documenting existing identity and access management procedures, and improving those procedures when required.

Compared with pure paper guidelines, an IAM infrastructure brings very significant benefits to the whole compliance process in that it:
- Improves internal control processes
- Enhances flexibility and saves costs
- Makes it easy to design metrics and audit processes
- Eliminates human error from control activities
- Improves end-users' productivity, which may have decreased due to more stringent controls
- Easily implements a control relating to user access or access right management
- Easily modifies such a control whenever required by internal committees
- Reduces the IT staff workload when complying with a control
- Automatically provides the historical data necessary for assessing the effectiveness of the control

Therefore, once the initial rollout of SOX compliance activity is completed, the portfolio of IT controls relating to identity and access management can be implemented using an IAM tool. In addition, thanks to the flexibility and ease of auditing of an IAM tool, it is possible to improve the life cycle of SOX section 404 compliance itself.

IAM and Internal Controls over Financial Reporting

The Basics

In many cases, SOX section 404-mandated control objectives concern identities and accesses. These controls require that only a person with the right authorization may perform specific tasks. In turn, that authorization must have been granted using a process that minimizes the risk of error or abuse. These two important processes can be automated using an Identity and Access Management (IAM) tool:
- User authentication
- User life cycle management

As IAM tools can efficiently automate such processes, they can be an invaluable help in enforcing them as well as in producing audit trails on their operations.

Figure 3. Enhancing the SOX Section 404 Compliance Process with IAM
[Diagram: define and assess internal controls (formalized controls, audit and assessment), then enforce internal controls with IAM (security policy enforcement, audit trails). The user life cycle is covered by provisioning, identity management and authorization workflow; user authentication by strong authentication and Single Sign-On.]

Provisioning is the most important area for SOX compliance. It rationalizes the authorization process by maintaining a set of rules based on your organization. Provisioning is often supplemented by an authorization workflow.

Identity management can provide corporate-wide user administration; it also offers a corporate-wide, single user identifier, even if user information is actually located in multiple directories. This makes it possible to administer multiple user directories from a single interface.

Strong authentication allows you to go beyond passwords for selected profiles, thus helping ensure that SOX-critical processes are handled by the right people.

Although not specifically required by SOX, Single Sign-On offers user convenience, which is much needed if the new controls begin to hamper user productivity.

Assessing Internal Controls

Evaluating the effectiveness of internal controls means having effective ways to:
- Evaluate their design
- Test their effectiveness
- Maintain evidential matter about them

Therefore, an IAM tool must provide a way to effectively assess the identity management aspect of these controls:
- Homogeneous and role-based management of identities can make design evaluation easier by structuring such controls in a way that fits the organization's activity, not its technical infrastructure.
- A centralized alert console makes it possible to schedule the testing of the effectiveness of internal controls.
- An efficient, centralized console provides detailed and auditable information about accesses to the information system used in financial reporting. It can also provide information about which access rights were put in place, when and by whom.

Implement the SOX Life Cycle more Efficiently with IAM

Improving your SOX Compliance Process with IAM

According to a study conducted in January 2004 by Financial Executives International, polled companies will spend an average of over 12,000 internal person-hours to be compliant with Section 404 of SOX. Much of that time is spent documenting internal processes. Using a coherent identity and access management tool can help an organization implement and maintain its set of Section 404 controls more efficiently. This can result in direct benefits:
- Modularity: modifying a control process in provisioning will not force you to change a control process in user administration, for instance.
- Simplicity: as the tool is the same, whatever the resource managed, it is much easier to document a control that concerns identity and access management. Most procedures will be described by referring to the same user interface.
- Organization independence: the technical choices of an organization (underlying user directory technology, server type, etc.) have no impact on the IAM procedure. Therefore, the control description will not need to change if the local details change.
- Speed of deployment: implementation of a control is immediate and company-wide. Therefore, a material weakness can be corrected very quickly.

- Elimination of human error: for administrators, following long control procedures requires much discipline. When such tasks are automated using authorization workflow or provisioning tools, much less human intervention is required.
- Less need for user training: implementation of an access control is immediate on the end-user workstation.
- Easily defined metrics: assessing the operational effectiveness of a control can be costly. With a centralized IAM tool, the history of user accesses and access rights administration actions is available in one place, in a single format.

SOX compliance must be a continuous and self-improving process. A well-implemented IAM tool can help you streamline your internal controls' design life cycle, making it more flexible and less costly. Effective IAM tools make it possible to:
- Quickly identify new threats to the financial reporting processes
- Quickly implement new controls and deploy them across all reporting organizations
- Produce and adapt metrics to allow audits on a changing organization

The IAM tools deployed by a company must, therefore, bring enough functional breadth, flexibility and ease of use to implement controls not only for the first 10-K report, but over the long term too.

Implementing IAM-related Controls

IAM-related control activities may cover the following tasks, which are typically provided out-of-the-box by an IAM tool such as AccessMaster. The following list is illustrative only:

End-user: Identification
- Providing a unique identifier for each user, company-wide
- Making sure this identifier is provided at the beginning of each session (using Single Sign-On)

End-User: Identity Assurance
- Enforcing user authentication using personal passwords and/or certificates
- Enforcing a specific, company-wide password policy
- Enforcing password life cycle procedures, creation and transmission

Administrator: Implementing the Authorization Process
- Centralized and coherent provisioning environment
- Administrator responsibilities are strictly compartmentalized on a role basis
- Existing user definition processes (HR) are not impacted by provisioning tasks

In order to make such processes auditable, all user attempts at accessing applications are logged, as well as all administration actions. This makes it possible to establish metrics and detect deficiencies in the process.

Segregation of Duties

IAM makes it possible to enforce segregation of duties, a major concern in SOX compliance. As corporate roles are compartmentalized, users can only access those applications that their responsibilities require. Fine-grained segregation of duties is also possible, provided that the application conforms to certain standards, for instance SAML or LDAP lookup of user profiles. This makes it possible to ensure, for instance, that certain users may access the AP area of an accounting application, but not the AR area. For older applications, it may still be necessary to set up access rights at the application level.

Segregation of duties can also be enforced at the administrator level. For instance, you can decide that access rights management may only be performed by the administrator that is geographically closest to the end-user. Alternatively, you can segregate administrator duties according to organizational function, etc.

Historical Data on Accesses and Access Management

Measurability is a major focus of Sarbanes-Oxley. To build a strong governance infrastructure inside an organization, it is very important to be able to set up metrics and analysis mechanisms. This makes it possible to:
- Establish metrics destined to measure efficiency and improve processes
- Report to management on specific quality indicators
- Detect possible deficiencies in internal controls

Internal controls, therefore, need to be auditable in terms of operational efficiency. Metrics and audit trails are an important factor that helps an auditor determine whether an internal control harbors significant or material deficiencies. Control activities will be assessed for operating effectiveness:
- By high-level management, using trends and health status
- By the internal staff, including internal auditors
- By independent auditors
- By operators, for day-to-day troubleshooting

These different profiles require different types of information. Therefore, the IAM environment needs to be flexible enough to tailor the level of granularity to different audiences inside the organization. Obviously, the quantity of data gathered is not the only factor that comes into play. In order to comply with changing requests for data, the IAM tool needs to be flexible enough to provide detailed information. This can cover the effectiveness of access controls, the administration activities, the status of access rights allocation, etc.

Auditors have specific requirements. IAM systems can consolidate historical information located on different resources (access to systems or applications, for instance). Auditors may still decide to go to the source for double-checking. Still, centralized information makes it easy to determine what information is relevant.

As an illustration, the data generated by Evidian AccessMaster are extremely detailed. Here are a few examples of the type of data you may obtain for control metrics or audit purposes:

Audit of user activity (illustration)
- Access to an application granted or denied
- Access denied because outside authorized times and dates (configurable)
- Account blocked because too many attempts were refused, etc.

Audit of user rights administration (illustration)
- Inclusion of a user or resource (application, database, ...) inside a group
- Allocation of access rights (to a resource or group of resources) for a user or group of users
- Password change operations, etc.

Audit of SOX controls implementation (illustration)
- Allocation of rights specific to a security administrator (based on roles)
- Creation and modification of profiles
- Creation, modification and deletion of a user, a resource, a group of users or resources

The Need for Flexibility

SOX imposes criminal, rather than civil, sanctions on the officers of companies that fail to implement adequate controls. On the other hand, there is no consensus yet on what constitutes an adequate control over financial reporting. Therefore, the set of internal controls that a company has defined is very likely to evolve significantly over time. It is, therefore, mandatory that the IT department be able to implement the IT side of internal controls in a timely manner.

Flexibility is essential in order to quickly take changes into account in a cost-effective manner:
- Changes in internal controls resulting from internal or external audits
- Changes in industry consensus regarding the necessary internal controls

In practice, while IT is often part of the working groups set up to determine (or evolve) corporate controls, it is the IT manager's task to implement the IT part of these controls. Many IT resources will, therefore, remain mobilized for documentation tasks.

Features

IAM Features - Overview

Identity and Access Management (IAM) can help enforce controls developed or documented during the SOX section 404 compliance process. With an IAM solution, internal controls dealing with user authentication and resource-access authorization are deployed quickly and with minimal potential for human error. They are easier to audit, and offer flexibility, making it possible to adapt internal control over time.

Significant features of IAM and their added value for SOX section 404 are:

IAM Feature            | Illustrative Added Value for SOX Compliance
Identity Management    | Company-wide enforcement of identity management controls
                       | Centralized audit of user identities and administration actions
                       | Homogeneous interface, for easy documentation of controls
                       | Company-wide single user identifier
Provisioning           | Easy design and implementation of provisioning controls
                       | Centralized audit of authorization rules
                       | No interference with user definition controls (HR responsibility)
                       | Homogeneous interface, for easy documentation of controls
                       | De-provisioning controls are very easy to describe and enforce
                       | Documentation of controls is independent of the technical infrastructure
Authentication (SSO)   | Central audit for end-user access to applications
                       | Single user authentication, no shared accounts
                       | Enforces a company-wide password policy
                       | Single sign-on makes it possible to design more internal controls for accesses to resources
Certificate Management | Enforces strong authentication, thus ensuring that the user is clearly identified

Producing Historical Data for Audit and Metrics

In order to be easily auditable, the access rights allocation process must be clearly defined and involve as few manual operations as possible. AccessMaster relies on the user and organization definitions already in place in the company. In fact, it uses the company's LDAP directories directly, without requiring any import. The roles are thus clearly defined, and the information auditable:

Role                                                                         | Who?                                                                     | Where to Audit?
Defining the organization; creating, modifying and canceling users           | Existing organization. Generally, the human resources department         | LDAP directories
Allocating rights to the users thus defined                                  | Management of user rights; centralized organization with possible delegation | AccessMaster base
Defining the technical resources for which the access rights are to be managed | IT department                                                          | AccessMaster base
Generating audit data on the accesses and administration operations          | Done automatically by AccessMaster                                       | AccessMaster audit base

The access rights allocation procedures (request, qualification, approval, etc.) can thus be easily defined and audited, even if the procedures are highly detailed and complex.

[Diagram: Managing Identities and Accesses, with an internal check and an audit at each stage. Path 1: access right wrongly granted, access authorized, fraudulent act. Path 2: access not authorized, fraudulent act.]

This way, the information needed for the audit, such as an inquiry into the origin of an operational incident, is clearly localized.

In the above diagram, we can see that a fraudulent act can be the result of either an unauthorized access (password theft, for example) or an incorrect allocation of access rights (intentional or otherwise). The audit data must thus cover both aspects: 1. audit of right allocations and 2. audit of accesses.

Must Be Technology-independent

The rapid development of information systems shows that an identity and access management system must be extremely adaptable:
- Permanent evolution of technologies (J2EE, certificates, etc.)
- Need to integrate a new information system, in the event of a merger
- Development of new applications, purchase of software licenses

Identity and access management must, therefore, be independent of technologies and applications. If not, the proliferation of access-right management consoles will make the process very hard to define, implement and audit.
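The two-sided audit the diagram calls for (wrongly granted rights on one side, accesses that no current right covers on the other), combined with the AP/AR segregation-of-duties rule from the Segregation of Duties section, as an added illustration in Python; this is not Evidian or AccessMaster code, and the role model, the SoD conflict pair and the audit events are constructed sample data.

```python
"""Replay of an IAM audit base that reports the two causes of a fraudulent act
shown in the diagram: (1) an access right wrongly granted and (2) an access
that no current right authorizes. All roles, rules and events are constructed
sample data; this is an illustration, not AccessMaster code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Resource = Tuple[str, str]  # (application, area), e.g. ("accounting", "AP")

# Constructed role model: role -> resources the role may access.
ROLES: Dict[str, Set[Resource]] = {
    "ap_clerk": {("accounting", "AP")},
    "ar_clerk": {("accounting", "AR")},
    "controller": {("consolidation", "report")},
}

# Segregation-of-duties rule: no user may hold both roles of a pair.
SOD_CONFLICTS: Set[FrozenSet[str]] = {frozenset({"ap_clerk", "ar_clerk"})}


@dataclass
class Event:
    """One record of the audit base (constructed format)."""
    ts: int
    kind: str                      # "grant", "revoke" or "access"
    user: str
    role: str = ""                 # grant/revoke: the role concerned
    approver: str = ""             # grant: who approved the workflow step
    resource: Resource = ("", "")  # access: what was accessed
    outcome: str = ""              # access: "granted" or "denied"


def replay(events: List[Event]) -> List[Tuple]:
    """Replays the audit base in time order and returns findings.

    Finding kinds:
      ("sod_violation", ts, user, role)       right wrongly granted (path 1)
      ("self_approved", ts, user, role)       right wrongly granted (path 1)
      ("unauthorized_access", ts, user, res)  access with no covering right (path 2)
    """
    rights: Dict[str, Set[str]] = {}   # current state: user -> roles held
    findings: List[Tuple] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "grant":
            # A grant approved by its own beneficiary bypasses the authorization process.
            if e.approver == e.user:
                findings.append(("self_approved", e.ts, e.user, e.role))
            held = rights.setdefault(e.user, set())
            for r in held:
                if frozenset({r, e.role}) in SOD_CONFLICTS:
                    findings.append(("sod_violation", e.ts, e.user, e.role))
            held.add(e.role)
        elif e.kind == "revoke":
            rights.get(e.user, set()).discard(e.role)
        elif e.kind == "access" and e.outcome == "granted":
            # Denied accesses need no finding; a granted access must be covered
            # by a role the user holds at that moment (a revoked role no longer counts).
            allowed: Set[Resource] = set()
            for r in rights.get(e.user, set()):
                allowed |= ROLES.get(r, set())
            if e.resource not in allowed:
                findings.append(("unauthorized_access", e.ts, e.user, e.resource))
    return findings


def metrics(findings: List[Tuple]) -> Dict[str, int]:
    """Counts findings per kind: the sort of indicator reported to control owners."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f[0]] = counts.get(f[0], 0) + 1
    return counts


# Constructed sample audit base.
SAMPLE_EVENTS = [
    Event(1, "grant", "alice", role="ap_clerk", approver="bob"),
    Event(2, "grant", "alice", role="ar_clerk", approver="bob"),      # AP + AR: SoD conflict
    Event(3, "grant", "carol", role="controller", approver="carol"),  # self-approval
    Event(4, "access", "alice", resource=("accounting", "AP"), outcome="granted"),
    Event(5, "access", "dave", resource=("consolidation", "report"), outcome="granted"),
    Event(6, "revoke", "alice", role="ar_clerk"),
    Event(7, "access", "dave", resource=("consolidation", "report"), outcome="denied"),
    Event(8, "access", "alice", resource=("accounting", "AR"), outcome="granted"),  # after revoke
]

if __name__ == "__main__":
    for finding in replay(SAMPLE_EVENTS):
        print(finding)
    print(metrics(replay(SAMPLE_EVENTS)))
```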

Improve Efficiency with IAM

Regulatory Obligations: an Opportunity

SOX compliance can bring benefits for an organization in terms of investor confidence and rationalization of financial business processes. An IAM solution not only helps make existing SOX-mandated processes cheaper to implement, but also saves an organization money in the long run. An IAM solution can help make the IT staff and the enterprise as a whole measurably more productive. This can help alleviate some of the costs generated by a SOX compliance drive.

Running a SOX section 404-compliant organization can generate high costs at the enterprise level. Even without considering the large initial cost of setting up SOX compliance processes and controls, recurring time and money must be spent. This includes:

Table 1. Examples of Costs Added by SOX Section 404 Compliance

Population | Workload Added by SOX Section 404-mandated Processes
IT Staff   | Allocating access rights according to detailed procedures
           | Documenting the technical consequences of a change of internal controls (password allocation on specific servers, etc.)
           | Collecting historical data (resource access, right allocation, ...). The said data is often available in very different formats, in very different locations: a time-consuming process.
Employees  | Entering additional passwords due to the elimination of shared accounts, added access control points, etc.
Help-desk  | More calls due to lost passwords. New password change controls require them to follow detailed procedures.

These additional costs can be alleviated, and the return on investment easily demonstrated, in terms of productivity gains by three types of populations:
1. End-users
2. Help desk staff
3. IT staff and system administrators

An Identity and Access Management (IAM) solution can thus quickly pay for itself, especially when used to implement internal controls required by SOX.

Measuring Return on Investment in Productivity Terms

Evidian has developed a methodology for evaluating the return on investment of an AccessMaster solution in terms of productivity. Here are a few examples of the areas concerned (profile / illustrative savings):

IT staff
- Implementing a new access right granting procedure is a matter of configuring a workflow. Provisioning procedures can be set up and managed centrally.
- Historical data concerning accesses and access right management is available on a single console, and can be provided to auditors as needed.

System administrators
- Declaring a new user is extremely fast and involves only a simple operation on the AccessMaster console.
- Deleting all the accounts of a user who leaves the enterprise takes only a few seconds.

Help desk
- Lost passwords typically account for 30% of calls to the help desk. Setting up a single sign-on solution such as AccessMaster considerably brings down help-desk related costs.

Users
- Time is saved by no longer having to enter multiple passwords.
- With only one password to remember, the number of forgotten passwords, and the time lost contacting the help desk, drop significantly.
- A new user, or a user changing functions, immediately has his or her access rights instead of waiting a few days to receive them.

For a personalized ROI evaluation for your organization, contact Evidian at info@evidian.com.

Deploying IAM to Enforce SOX-mandated Controls

IAM can help you reduce the running and maintenance costs of your portfolio of SOX-mandated controls. It can also enhance the flexibility and auditability of these controls. Deployment must be carefully planned in phases, starting with the features that will bring you the most benefits. An example of such a phased deployment (step / IAM feature / example benefits for SOX-mandated controls):

Step 1: Identity management
- Unifies user management procedures company-wide.
- Partitions some administration tasks according to user activity (Finance, etc.), not geographical location.
- Audits user administration controls centrally.

Step 2: Provisioning
- Clearly partitions the resource management tasks.
- Eliminates human error from access rights management.
- Central, unified audit of provisioning controls.

Step 3: Access management and SSO
- Single company-wide policy for passwords (format, duration before changes, etc.).
- Audits user access to applications centrally.
- Improves end-user productivity.

Step 4: Certificate management
- Ensures that a user is authenticated with efficient methods (smart cards, USB key, etc.).
- Deployment can be restricted to profiles that are critical to financial reporting processes.

Of course, a real-life deployment can also be phased according to geographical locations, functional organization (typically starting with the finance department), etc. Again, the most beneficial projects should be planned first.

IAM and Internal Controls: an Efficient Combination

Most companies concerned by SOX section 404 have already implemented its requirements, or are in the process of doing so. As far as IT and access management are concerned, this means that numerous procedures are being formalized. As SOX is here to stay, these procedures must be evaluated regularly:
- Is the control efficient?
- Can the cost of implementing this control be reduced while keeping it as efficient, or more so?
- How much would it cost to modify an existing control, or to implement a new one, because of a changing environment?
- Can the control be improved by making it less prone to human error?
- Can the control set be improved by reducing interdependences?
IAM can help you enforce internal controls cost-effectively, making sure that only authorized users may perform the tasks assigned to them. This provides you with the means to:
- define your security policies and procedures;
- ensure that access right allocation is performed with an auditable workflow;
- perform authentication of users.

APPENDIX: IAM and COBIT Control Objectives

The document "IT Control Objectives for Sarbanes-Oxley", issued by ITGI in April 2004, details which of the COBIT control objectives are relevant to the SOX legislation. In particular, it maps them to the PCAOB IT general controls. The following table lists the IT control objectives related to the section "Ensure Systems Security" as stated in this document. Against each of them, we have included the added value that an IAM solution such as AccessMaster can bring. Again, please note that this in no way represents a features checklist. On the other hand, a company's list of corporate controls over financial reporting is likely to cover the same subjects as those expressed here, and to be expressed in a similar manner, if the overall process has been performed using COBIT as guidance. An IAM tool such as AccessMaster will therefore meet similar relevant requirements in a similar manner.

Ensure Systems Security: Control Guidance
Source: IT Control Objectives for Sarbanes-Oxley, issued by ITGI in April 2004.

Control objective: Controls provide reasonable assurance that financial reporting systems and subsystems are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data.

In the entries below, each illustrative control (source: ITGI 2004) is followed by how AccessMaster can help implement it (source: Evidian).

Illustrative control: An information security policy exists and has been approved by an appropriate level of executive management.
How AccessMaster can help: N/A. AccessMaster makes it possible to deploy a security policy once it has been decided, and can, through centralized logging of security events, provide data for the review of this policy.

Illustrative control: A framework of security standards has been developed that supports the objectives of the security policy.
How AccessMaster can help: AccessMaster makes it possible to implement security standards, whether they mostly concern processes (COBIT, Basel II, ITIL) or the technical infrastructure.

Illustrative control: An IT security plan exists that is aligned with overall IT strategic plans.
How AccessMaster can help: By providing company-wide identity and access management, AccessMaster makes it possible to effectively deploy an information security policy, from executive levels down to individual users.

Illustrative control: The IT security plan is updated to reflect changes in the IT environment as well as security requirements of specific systems.
How AccessMaster can help: AccessMaster provides a centralized management console that covers most IT access aspects, whatever their location or technical specificities. This way, an update of the security plan is quickly implemented centrally, and the updated policies are automatically forwarded to the whole organization.

Illustrative control: Procedures exist and are followed to authenticate all users to the system to support the validity of transactions.
How AccessMaster can help: AccessMaster can authenticate users' access to most IT resources, whether legacy or web based. This way, access to applications, data and systems is controlled from a central location.

Illustrative control: Procedures exist and are followed to maintain the effectiveness of authentication and access mechanisms (e.g., regular password changes).
How AccessMaster can help: Using the AccessMaster consoles, administrators can implement maintenance procedures easily. Some of these procedures can be automated, for instance enforced password changes.

Illustrative control: Procedures exist and are followed to ensure timely action relating to requesting, establishing, issuing, suspending and closing user accounts.
How AccessMaster can help: Using the AccessMaster console, user accounts can be managed cost-effectively. For instance, a new user can have his or her accounts created or revoked with a single administrative action. AccessMaster's provisioning features mean that such operations can be done according to user roles or profiles, not just on a case-by-case basis.

Illustrative control: A control process exists and is followed to periodically review and confirm access rights.
How AccessMaster can help: Administrators can perform these control processes cost-effectively from a single AccessMaster console. They do not need to use the individual resources' specific access right management consoles.

Illustrative control: Where appropriate, controls exist to ensure that neither party can deny transactions, and controls are implemented to provide non-repudiation of origin or receipt, proof of submission and receipt of transactions.
How AccessMaster can help: AccessMaster's single sign-on procedure can provide individual applications with the user's application profile. As user access to individual applications is logged centrally, auditors can also check whether a user did or did not access an application involved in an unauthorized transaction.

Illustrative control: Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access.
How AccessMaster can help: AccessMaster is compatible with firewalls and strong authentication processes.

Illustrative control: IT security administration monitors and logs security activity, and identified security violations are reported to senior management.
How AccessMaster can help: AccessMaster is the focal point for all access alerts for the resources that it manages, whatever their origin. It is therefore technically easy to set up a security office to monitor threat events related to accesses. The staff involved will only need to be trained in a single monitoring tool, and will be more reactive and efficient.

Illustrative control: Controls relating to appropriate segregation of duties over requesting and granting access to systems and data exist and are followed.
How AccessMaster can help: Access right management is performed in a role-based manner: specific administrators are only allowed to manage the access rights of a specific subset of users and/or resources. This makes it easy both to set up a rational access right management policy and to review it whenever needed.

Illustrative control: Access to facilities is restricted to authorized personnel and requires appropriate identification and authentication.
How AccessMaster can help: N/A.

References
- Sarbanes-Oxley Act of 2002: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
- SEC final rule of August 2003: http://www.sec.gov/rules/final/33-8238.htm
- ITGI, IT Control Objectives for Sarbanes-Oxley: http://www.itgi.org

For more information, go to www.evidian.com/ or email info@evidian.com.