Data center automation helps one small company comply with SOX

By Megan Santosus, Features Writer
13 Mar 2008 | SearchDataCenter.com

For Robert Sheridan K. Smith, the key to achieving and sustaining Sarbanes-Oxley (SOX) compliance is automation. As an IT manager for Arch Reinsurance Ltd., in Bermuda, a publicly held company that provides specialty property and casualty reinsurance, Smith has deployed data center automation tools wherever possible to help his company meet SOX requirements. "Given our limited staff and resources," Smith said, "it would be very difficult to sustain SOX compliance if we didn't use automation in our data centers."

When it comes to the challenges of complying with the Sarbanes-Oxley Act of 2002, Arch Reinsurance Ltd. is in good company.

Public companies of all sizes have to contend with the cost and workload of SOX compliance, but for small companies, the burden is considerably higher in relative terms.

According to a survey conducted by Financial Executives International, a professional association for CFOs and other senior financial executives, in 2004 the first-year cost of satisfying Section 404 of SOX -- the portion of the legislation that requires companies to attest to the effectiveness of internal financial reporting controls -- was $4.6 million for large companies (those with more than $5 billion in revenue) and about $2 million for small and medium-sized companies. According to Smith, Arch Reinsurance Ltd. is no exception and has "spent lots of money" on SOX-related compliance initiatives.

Many of those internal financial reporting controls take place in data centers, where managers are charged with implementing processes and technologies to protect the integrity of financial systems. With about $15 billion in assets, Arch Reinsurance Ltd. and its subsidiary Arch Insurance (Bermuda) have two data centers in Hamilton, Bermuda, and needed to enact controls on 150 workstations and servers. For a company with an IT staff of only four, Smith says that Arch Reinsurance Ltd. would have difficulty effectively sustaining SOX compliance without automation.

Access control starts in the data center
For Smith, the critical issue in SOX compliance is controlling access to financial systems and applications -- essentially any areas that are involved in financial reporting. "The two key areas for us are to control access and change management," he said. "My goal is to ensure all critical systems are monitored and access control is maintained."

To control access, Smith evaluated three event log management software applications to enable automation of event log collection and to generate daily scheduled reports quickly and easily. Specifically, Smith said, he wanted daily reports detailing log-in failures and file activities. "These type reports, together with others, help us with the access control aspect of SOX," he said.

Smith selected EventTracker software from Prism Microsystems Inc. According to Smith, key criteria for selection were its ease of use and out-of-the-box reporting options as well as its numerous alerts.

Even with a relatively small infrastructure, Arch Reinsurance Ltd. generates considerable event log information throughout its network; Smith said that EventTracker captures more than 20 million events each month on the company's network. So finding a tool that could help keep tabs on important activities within the network is a critical aspect of SOX compliance.

With EventTracker, Smith tracks network events including user software downloads and installs, password changes, and access (log-in) failures. In addition to monitoring 150 servers and workstations, Smith said that he was in the process of configuring the software to monitor events on his company's Cisco routers and switches.

Smith's company also purchased Prism Microsystems' change/configuration management tool WhatChanged. This product detects configuration and file changes by taking a snapshot of critical servers on a daily basis and comparing one snapshot with the previous day's snapshot. Combining change management with log management helps ferret out zero-day attacks and other security threats that initially show up as configuration changes.

In addition to log management, Smith keeps tabs on his network via three products from ScriptLogic Corp.: Active Administrator, which audits Active Directory activities; Enterprise Security Reporter, which monitors security permission changes to files and folders and takes snapshots similar to WhatChanged; and File System Auditor, which monitors access to specific files, tracking deletions, moves, modifications and the like. Smith also uses software from Ecora Software Corp. called Auditor Professional, which audits configuration changes made to critical servers, firewalls and routers.

Extending data center staff
All told, the various data center monitoring tools generate 20 daily reports that Smith and his staff review. Smith also uses Track-It, a help desk management tool from Numara Software Inc., to create daily tasks for his team, which include reviewing these reports. The reports are attached to the daily Track-It work order and presented to SOX auditors during compliance testing.

According to Michael Coté, an analyst with industry research firm RedMonk, small companies in particular tend to adopt a hodgepodge approach to data center automation. For one thing, he says, it's often cheaper for small companies to do so, because few monitoring suites are available to fulfill every small company's needs. "Small companies still take the best-of-breed approach," he said. "Buying tools from different vendors for specific monitoring needs is often the best if not the only way to go."

Taken together, the various tools extend considerably the monitoring and access control capabilities of Arch Reinsurance Ltd.'s IT staff, something that SOX compliance requires. "Complying [with SOX] is costly and very time-consuming," Smith said. "If we didn't automate it, it would cost a whole more because we would have to hire more IT staff." The upside is that Smith now has a comprehensive view of company data center operations. "There's very little that can be done on the network that I don't know about," he said. "I receive all types of alerts on my BlackBerry. Me and my team are constantly aware of what is happening in our network."
