With the first round of Sarbanes-Oxley (SOX) reporting closed, U.S. businesses now are shifting their attention to the next round of hurdles. Throughout the coming months and years, most will focus the lion's share of resources on respective IT and finance departments - unfortunately, often overlooking other areas that also demand attention.
Chief among the oversights is customer service - especially in the case of B2B technical support. In most cases, a technical support session for a business-critical system will take the shape of an IT vendor support engineer remotely accessing the system at the enterprise or service provider level, looking at log files and configuration files, and changing configuration and system parameters. These steps raise many critical compliance concerns:
Was the remote access authorized according to required process? With the wide use of Internet-based remote access tools, vendors can directly access backbone systems without any prior authorization from the enterprise IT department.
Was access limited to authorized content and resources? In panic mode, a vendor's technical support engineer often is provided administrator-level credentials, granting access to ANY resource on that and, often, other systems.
Were configuration changes documented? During most support sessions, system configuration is manipulated to resolve issues, but oftentimes only in a temporary manner (e.g., raising logging levels). The problem is that these changes often are neither logged nor audited; or, if they are logged, the log is unusable for rollbacks or audits.
Can the process be audited? A cornerstone of most new regulations is auditing. But in the current support process, auditing is not always possible because not all operations are logged, or because logging is performed in an unsearchable format. In other cases, a file containing confidential information may be sent via FTP or e-mail to the vendor organization for review, but without a trace of its being sent.
Was security compromised? Identity theft is an overwhelming concern for financial services institutions as a growing majority of transactions now take place online. Enterprises invest significant resources on security mechanisms that protect against external and internal security threats. In the case of B2B technical support, a confidential password might be provided to a remote support rep or a file might be sent without prior review of the content - all examples of situations that breach security mechanisms without the knowledge of the IT department.