Let’s start with the bad news (that you already know and have to deal with every day). To pass a Sarbanes-Oxley (SOX) audit, your company is compelled to implement security best practices for systems. These touch on anything and everything related to financial reporting and accounting systems. The IT Control Objectives that are required for SOX compliance are numerous, to put it mildly.
Now the good news: Don’t worry; I’m not going to give you a diatribe about encryption standards or other techy verbiage.
What I want to discuss with you is the easy-to-understand, but often overlooked, SOX compliance aspect of Application Control.
SOX Compliance Within Applications
So what is Application Control about? Application Control touches the intersection that’s common to every single business process implemented within your company: that of the user and the application itself. It’s the most understandable – but the least addressed – concept of all the IT Controls.
Yes, you likely already “lock down” the desktop in some fashion. You prevent most users from accessing various components of the client operating system and you ensure they can see only required data sources.
But what are you doing about managing the settings within the applications themselves? Nearly every application on the desktop has configuration settings. Your users probably have free rein to access the configuration settings of many of your business applications. So they can go to “Tools | Options” or “Edit | Preferences” and start changing important settings in ways that may weaken your overall system security.
Your users could be modifying application settings originally configured by your IT administrator. This means they could be reconfiguring these applications in ways that go against the best practices set both by your internal network’s security plan and by SOX itself.
So, it’s “full confession” time. I’m the Founder of PolicyPak Software, which makes PolicyPak Professional. To put it simply, PolicyPak delivers settings to applications and locks down those settings so users cannot work around them.
Many settings, thankfully, are security neutral, but others can directly affect security compliance. PolicyPak gives you a drop-dead easy way to leverage your existing Active Directory structure to deliver, enforce, lock down and remediate any application’s settings. When your IT department carefully configures applications so that the application settings are aligned with your SOX compliance strategy, you’re golden.
PolicyPak can proactively lock the user out of application settings and thwart attempts to change those settings. This is what endpoint protection is all about: preventing users from working around your compliance directives.
SOX Compliance and Application Change
One of the facets of SOX IT Application Control is “Application Change.” As its name implies, Application Change consists of application modification or substitution. Most people associate Application Change with the process of migrating to a different software platform or upgrading to the newest release of your current application, but application change can occur on a micro scale as well, through the integration of new application updates. These application updates can introduce new features and settings. Common everyday applications such as Adobe Reader, Adobe Acrobat Pro or Firefox have an entire tab of configuration settings pertaining to these types of updates. Application updates are something that you want your Network Manager or IT staff to manage, not your common users.
SOX Compliance and Non-Financial Applications
Most people also associate Application Control and SOX with applications that correlate directly to the business financial process. But that’s just not true. SOX requires that every application that touches business process must be addressed.
So how might SOX requirements impact upon your non-financial applications?
Let’s take Adobe Acrobat Pro for instance. Chances are that your financial documents, charts and spreadsheets are consolidated into secure PDFs with Acrobat Pro, which means that controlling this application and its settings is just as important as controlling your financial ERP application (under the guidelines of SOX).
How about those applications which ask your end-users to “Send anonymous usage information” or to “Join the Customer Experience Improvement Program”? These software programs send information back to the software manufacturers. Manufacturers love these reports: they get to monitor usage and address bugs. But that’s of very little value to you, and how anonymous, really, are these chunks of information that get sent back?
Participation in these types of programs is really not for those of us with SOX compliance concerns. And as such, these opt-in participations should be disabled for all desktops that must address SOX compliance and other standards.
Let’s switch focus to the most vulnerable application of all, your users’ web browser. Or maybe it’s browsers (plural). Many organizations use one, two, three or more browsers to get to Internet-based data. Exactly how are you managing the important security settings within those browsers? Out of the box, no browser is set up to high security standards. Many organizations use in-the-box tools to manage Internet Explorer, thwart vulnerabilities and enforce higher security configurations. But when you have more than just Internet Explorer, what’s your compliance plan? With Mozilla Firefox, Google Chrome or other browsers, how can you accommodate users’ needs and preferences while ensuring corporate compliance?
How PolicyPak Can Help
You can resolve all of these issues by integrating PolicyPak with your current Active Directory Group Policy structure. PolicyPak will then deliver settings to any Windows application (including Internet Explorer, Mozilla Firefox and Google Chrome) and ensure that those settings are delivered, locked down and consistent, whichever machine the user is on.
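Whatever tool delivers the settings, the defender's check is whether each setting actually arrived as a machine-level policy value (which the application treats as admin-enforced) rather than as a user-editable preference. The audit script below is an added example written for this article, not PolicyPak's code; it reads the HKLM\SOFTWARE\Policies locations that the vendors' own Group Policy templates for Chrome, Firefox and Acrobat Reader DC write to, and it assumes those templates are what your environment uses.

```powershell
# Added audit example (not PolicyPak code): confirm that the telemetry and
# self-update settings discussed above are present as machine-level policy
# values. Assumption: the vendors' documented HKLM\SOFTWARE\Policies paths below.
$Checks = @(
    @{ App = 'Google Chrome'; Setting = 'Usage and crash reporting off'
       Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome'; Name = 'MetricsReportingEnabled'; Expected = 0 }
    @{ App = 'Mozilla Firefox'; Setting = 'Telemetry off'
       Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'DisableTelemetry'; Expected = 1 }
    @{ App = 'Mozilla Firefox'; Setting = 'User cannot self-update'
       Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'DisableAppUpdate'; Expected = 1 }
    @{ App = 'Adobe Acrobat Reader DC'; Setting = 'Updater disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'; Name = 'bUpdater'; Expected = 0 }
)

function Test-AppPolicy {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Name) }
    }
    # A missing value means the application falls back to its user-editable default,
    # which is exactly the gap the article warns about.
    $status = if ($null -eq $actual) { 'MISSING' }
              elseif ($actual -eq $Check.Expected) { 'ENFORCED' }
              else { 'NONCOMPLIANT' }
    [pscustomobject]@{
        Application = $Check.App; Setting = $Check.Setting; Value = $Check.Name
        Expected = $Check.Expected; Actual = $actual; Status = $status
    }
}

$results = $Checks | ForEach-Object { Test-AppPolicy -Check $_ }
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent flag this endpoint.
if ($results.Status -contains 'MISSING' -or $results.Status -contains 'NONCOMPLIANT') { exit 1 }
```

Run it under an account that can read HKLM; extend the $Checks list with the other policy values your SOX control set requires.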
Let’s recap: You’ve got hundreds, maybe thousands of users, and each one has a desktop full of applications. And you have to worry about SOX compliance for every application they touch that deals with finances. Maybe you have the tightest physical security design money can buy. Maybe you’ve got strong encryption and data security that would make hackers cry.
Yet a simple end-user misconfiguration or change can be the little hole that undermines the most comprehensive and elaborate security blueprint. Whether it’s Sarbanes-Oxley or some other federally mandated security directive, application control can keep your compliance strategy on track.
Jeremy Moskowitz is a Microsoft Group Policy MVP and teaches hands-on training to IT administrators who want to make their business more secure by using Group Policy.
He runs GPanswers.com, a forum for Group Policy enthusiasts and also founded PolicyPak Software, an innovative add-on that allows admins to dictate, enforce and remediate application settings.
PolicyPak Software is a leader in application compliance and desktop management tools for Active Directory. The software enables IT pros to deliver, lock down and remediate settings for desktops, laptops, VDI sessions, company devices, as well as personal “BYOD” devices.
Jeremy is also the author of several Group Policy books, including “Group Policy: Fundamentals, Security, and the Managed Desktop, 2nd Edition”. He has been quoted in InfoWorld, InformationWeek and Redmond Magazine.