For Robert Sheridan K. Smith, the key to achieving and sustaining Sarbanes-Oxley (SOX) compliance is automation. As an IT manager for Arch Reinsurance Ltd., in Bermuda, a publicly held company that provides specialty property
When it comes to the challenges of complying with the Sarbanes-Oxley Act of 2002, Arch Reinsurance Ltd. is in good company.
Public companies of all sizes have to contend with the cost and workload of SOX compliance, but for small companies, the burden is considerably higher in relative terms.
According to a survey conducted by Financial Executives International, a professional association for CFOs and other senior financial executives, in 2004 the first-year cost of satisfying Section 404 of SOX -- the portion of the legislation that requires companies to attest to the effectiveness of internal financial reporting controls -- was $4.6 million for large companies (those with more than $5 billion in revenue) and about $2 million for small and medium-sized companies. According to Smith, Arch Reinsurance Ltd. is no exception and has "spent lots of money" on SOX-related compliance initiatives.
Many of those internal financial reporting controls take place in data centers, where managers are charged with implementing processes and technologies to protect the integrity of financial systems. With about $15 billion in assets, Arch Reinsurance Ltd. and its subsidiary Arch Insurance (Bermuda) have two data centers in Hamilton, Bermuda, and needed to enact controls on 150 workstations and servers. For a company with an IT staff of only four, Smith says that Arch Reinsurance Ltd. would have difficulty effectively sustaining SOX compliance without automation.
Access control starts in the data center
For Smith, the critical issue in SOX compliance is controlling access to financial systems and applications -- essentially any areas that are involved in financial reporting. "The two key areas for us are to control access and change management," he said. "My goal is to ensure all critical systems are monitored and access control is maintained."
To control access, Smith evaluated three event log management software applications that could automate event log collection and generate daily scheduled reports quickly and easily. Specifically, Smith said, he wanted daily reports detailing log-in failures and file activities. "These types of reports, together with others, help us with the access control aspect of SOX," he said.
Smith selected EventTracker software from Prism Microsystems Inc. According to Smith, key criteria for selection were its ease of use and out-of-the-box reporting options as well as its numerous alerts.
Even with a relatively small infrastructure, Arch Reinsurance Ltd. generates considerable event log information throughout its network; Smith said that EventTracker captures more than 20 million events each month on the company's network. So finding a tool that could help keep tabs on important activities within the network is a critical aspect of SOX compliance.
With EventTracker, Smith tracks network events including user software downloads and installs, password changes, and access (log-in) failures. In addition to monitoring 150 servers and workstations, Smith said that he was in the process of configuring the software to monitor events on his company's Cisco routers and switches.
Smith's company also purchased Prism Microsystems' change/configuration management tool WhatChanged. This product detects configuration and file changes by taking a snapshot of critical servers on a daily basis and comparing one snapshot with the previous day's snapshot. Combining change management with log management helps ferret out zero-day attacks and other security threats that initially show up as configuration changes.
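As an added illustration (not code from EventTracker, WhatChanged or Arch Reinsurance Ltd.), the following Python sketch shows the two controls the article describes: a daily log-in failure report built from collected event records, and a day-over-day snapshot comparison that flags configuration and file changes on a critical server. The event lines, host names, user names, file paths and file contents are all constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample events (not real data): one event per line,
# formatted as "date host user outcome".
SAMPLE_EVENTS = """\
2005-03-01 fin-srv01 jdoe failure
2005-03-01 fin-srv01 jdoe failure
2005-03-01 fin-srv01 jdoe success
2005-03-01 fin-srv02 asmith failure
2005-03-01 ws-114 bjones success
2005-03-02 fin-srv01 jdoe failure
"""

def login_failure_report(events, day):
    """Count failed log-ins per (host, user) for one day, the way a daily
    access-control report presented to SOX auditors would list them."""
    counts = Counter()
    for line in events.splitlines():
        ts, host, user, outcome = line.split()
        if ts == day and outcome == "failure":
            counts[(host, user)] += 1
    return dict(counts)

def snapshot(files):
    """Snapshot a server's critical files as path -> (sha256 of content, mode).
    `files` is {path: (bytes, mode)} so the example runs without a real server."""
    return {p: (hashlib.sha256(c).hexdigest(), m) for p, (c, m) in files.items()}

def diff_snapshots(previous, current):
    """Compare today's snapshot with yesterday's, reporting added, removed and
    changed files (content or permission change) as a change-management tool would."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(p for p in set(previous) & set(current) if previous[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

if __name__ == "__main__":
    print(login_failure_report(SAMPLE_EVENTS, "2005-03-01"))
    yesterday = snapshot({"/etc/app.conf": (b"db=prod\n", 0o640),
                          "/etc/hosts": (b"127.0.0.1 localhost\n", 0o644)})
    today = snapshot({"/etc/app.conf": (b"db=prod\ndebug=1\n", 0o640),
                      "/etc/hosts": (b"127.0.0.1 localhost\n", 0o666),
                      "/etc/new.conf": (b"", 0o600)})
    print(diff_snapshots(yesterday, today))
```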
In addition to log management, Smith keeps tabs on his network via three products from ScriptLogic Corp.: Active Administrator, which audits Active Directory activities; Enterprise Security Reporter, which monitors security permission changes to files and folders and takes snapshots similar to WhatChanged; and File System Auditor, which monitors access to specific files, tracking deletions, moves, modifications and the like. Smith also uses software from Ecora Software Corp. called Auditor Professional, which audits configuration changes made to critical servers, firewalls and routers.
Extending data center staff
All told, the various data center monitoring tools generate 20 daily reports that Smith and his staff review. Smith also uses Track-It, a help desk management tool from Numara Software Inc., to create daily tasks for his team, which include reviewing these reports. The reports are attached to the daily Track-It work order and presented to SOX auditors during compliance testing.
According to Michael Coté, an analyst with industry research firm RedMonk, small companies in particular tend to adopt a hodgepodge approach to data center automation. For one thing, he says, it's often cheaper for small companies to do so, because few monitoring suites are available to fulfill every small company's needs. "Small companies still take the best-of-breed approach," he said. "Buying tools from different vendors for specific monitoring needs is often the best if not the only way to go."
Taken together, the various tools considerably extend the monitoring and access control capabilities of Arch Reinsurance Ltd.'s IT staff, something that SOX compliance requires. "Complying [with SOX] is costly and very time-consuming," Smith said. "If we didn't automate it, it would cost a whole lot more because we would have to hire more IT staff." The upside is that Smith now has a comprehensive view of company data center operations. "There's very little that can be done on the network that I don't know about," he said. "I receive all types of alerts on my BlackBerry. Me and my team are constantly aware of what is happening in our network."
Let us know what you think about the story; email Megan Santosus, Features Writer.