Since the passage of SOX in 2002, practical experience in the field has yielded several recommended best practices for implementing IAM systems to enable SOX compliance. Oracle recommends the following:

• Understand requirements. By developing a better understanding of compliance requirements, how compliance affects IT, and how IT in general and IAM specifically can help support governance and compliance, companies can establish efficient, cost-effective, and sustainable programs that address all of these complex requirements within a holistic compliance framework.

• Recognize information technology's critical role. In many companies, IT has evolved to become the critical backbone behind almost every operation, but many people still view technology as a cost rather than an investment or asset. By understanding the key roles that IT plays in support of compliance, enterprises can maximize the value of their technology investment.

• Understand the role of identity and access management. IAM plays a critical role in compliance with SOX requirements, particularly in the areas of minimizing risk, automating processes, preventing fraud, and providing comprehensive auditing and reporting. However, it does not automatically satisfy all SOX requirements. Recognizing the value and the limitations of IAM in the entire spectrum of SOX compliance is essential.

• Think program, not project. SOX compliance is a journey, not a short-term event. Companies must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Because of new higher standards, boards of directors and executives must be knowledgeable about, and assume liability for, everything going on within the enterprise.

• Develop a strategy. The only way to address the wide spectrum of compliance requirements effectively is to integrate them into a common compliance strategy intertwined with the business itself. A business-driven, risk-based, and technology-enabled compliance strategy can help create enterprise value by rationalizing unnecessary complexities, driving consistency and accountability across the enterprise, and identifying opportunities for a possible enhancement of operational performance and information quality.

• Establish a governance process. Compliance efforts affect a broad spectrum of an enterprise. Stakeholders from many organizations, often with conflicting priorities, have stakes in the outcomes of a compliance strategy. The governance process must provide representation from the impacted functional areas of the organization. A governance board should have appropriate representation from IT, security, audit, application owners, human resources, and business process owners. The board should be accountable for the project objectives and be vested with authority to make program decisions. The board should be empowered to:
  • Establish a statement of purpose for the program
  • Promote and give visibility to the program throughout the larger organization
  • Act as a mechanism for quickly making decisions regarding program scope, issues, and risks
  • Monitor the program health on an ongoing basis

• Implement your strategy in phases. By segmenting the overall solution into manageable parts, an organization can realize quick, visible business benefits and progressively realize overall program objectives in an orderly, measurable way. Implementing in manageable phases also makes it easier to battle issues such as scope creep or requirements drift.
• Give real-time visibility. Real-time views into the functioning of controls across these systems and across the enterprise, through job-specific dashboards or portal views, can provide insight into compliance status, progress, and risks. Effective communication with all stakeholders is essential.
• Unify disparate compliance efforts. Many companies are beginning to realize the potential of technology to support sustained compliance and are actively looking to combine existing fragmented, reactive, and inefficient governance and compliance efforts into a single sustainable compliance program. Bringing together governance, risk, and compliance (GRC) management under a holistic framework can result in a centralized compliance organization with the understanding, structure, and ability to help optimize the company's compliance efforts in a sustainable, strategic, and cost-effective manner.

• Assess progress and adjust as necessary. Each phase of the progressive implementation of the compliance strategy will yield more in-depth understanding about the compliance process as it pertains to the specific enterprise. Implementing methods of continual process improvement will yield progressively refined results.