Authentication Solutions - By Regulation

SOX

Challenge

The Sarbanes-Oxley Act (SOX) requires publicly-traded companies to implement controls with respect to specific internal business processes.  This necessitates having an outside auditor certify the accuracy of financial statements and performing an annual assessment of internal controls relating to the security of critical data, particularly financial information.

There are several components to SOX, but it clearly stipulates that organizations are required to establish an “adequate internal control structure,” including control over system access.  Sections 302 and 404 of SOX specifically require CEOs and CFOs to ensure their business processes are under control. 

Organizations that must comply with SOX need a password authentication and management solution that provides the following capabilities:

• Ensures end-user access to only those systems and applications required for their jobs;
• Enforces strong password policies, especially for end-users who have access to sensitive or protected records;
• Ensures enterprise access privileges are removed when an employee leaves the organization;
• Eliminates end-users’ need to share authentication information with the Help Desk or IT staff for password reset or system access;
• Automates password reset processes to eliminate human error; and
• Ensures complete, accurate audit trails for all changes in access rights.

Solution

PistolStar’s Password Power and PortalGuard respond to the SOX compliance needs of publicly-traded companies by ensuring robust password authentication, controlled system access, and consistent enforcement of corporate security policies. 

Both products provide single sign-on using Microsoft Active Directory and the added security of the Kerberos authentication protocol, allowing end-users to use one password one time to access numerous enterprise applications, directories and servers, such as Lotus Domino and Notes, IBM WebSphere and System i, SAP and Oracle. 

Password Power and PortalGuard further simplify authentication management by enabling end-users to perform self-service password reset/recovery, permitting them to change only one password in one location and without requiring the assistance of the Help Desk.  During the synching process, password security policies (e.g., password expiration and password quality) are automatically transferred to the other passwords, ensuring the coordination of disparate password policies.

PortalGuard also provides functionality that enables administrators to meet or exceed the authentication security requirements of SOX.  Administrators can implement best practices such as requiring a username, password and challenge question response to gain access and multiple challenge questions for self-service password reset and recovery.  Password rules can be established by person, group or hierarchy and enable/disable certain password behaviors.  For example, administrators can configure the number of password strike-outs allowed for each user and receive an alert when a strike count is exceeded.  They also have the ability to:

• Prevent multiple users from logging in with the same credentials;
• Set password expiration intervals and grace periods for expired passwords;
• Track all login activity and certain login behaviors;
• Lock out inactive users and disable accounts of departed employees;
• Restrict the frequency with which a previously-used password can be re-used;
• Validate password strength during login; and
• Control password quality by configuring 12 fully customizable password strength rules. 

To summarize, Password Power and PortalGuard provide the following capabilities for satisfying the authentication and access management needs of regulatory compliance:

• Facilitating and enforcing the use of stronger passwords;
• Ensuring employees only have access to systems and information required for their jobs;
• Guaranteeing accounts are disabled and access is completely revoked when employees leave company;
• Automating password reset processes to eliminate human error;
• Ensuring complete, accurate audit trails and reports on all account changes, login attempts;
• Enforcing password policies that require passwords to be strong and changed regularly;
• Confirming unified password policies via accurate password synchronization; and
• Enabling strong authentication.