Wall Street & Technology is part of the Informa Tech Division of Informa PLC

Adi Dulberg, CEO and Founder, NextNine

SOX Pitfall: IT Support

With the first round of Sarbanes-Oxley (SOX) reporting closed, U.S. businesses now are shifting their attention to the next round of hurdles. Throughout the coming months and years, most will focus the lion's share of their resources on their IT and finance departments - unfortunately, often overlooking other areas that also demand attention.

Chief among the oversights is customer service - especially in the case of B2B technical support. In most cases, a technical support session for a business-critical system will take the shape of an IT vendor support engineer remotely accessing the system at the enterprise or service provider level, looking at log files and configuration files, and changing configuration and system parameters. These steps raise many critical compliance concerns:

Was the remote access authorized according to required process? With the wide use of Internet-based remote access tools, vendors can directly access backbone systems without any prior authorization from the enterprise IT department.

Was access limited to authorized content and resources? In panic mode, a vendor's technical support engineer often is provided administrator-level credentials, granting access to ANY resource on that and, often, other systems.

Were configuration changes documented? During most support sessions, system configuration is manipulated to resolve issues, but oftentimes only in a temporary manner (e.g., raising logging levels). The problem is that these changes often are neither logged nor audited; or, if they are logged, the log is unusable for rollbacks or audits.

Can the process be audited? A cornerstone of most new regulations is auditing. But in the current support process, auditing is not always possible because not all operations are logged, or because logging is performed in an unsearchable format. In other cases, a file containing confidential information may be sent via FTP or e-mail to the vendor organization for review, but without a trace of its being sent.

Was security compromised? Identity theft is an overwhelming concern for financial services institutions as a growing majority of transactions now take place online. Enterprises invest significant resources on security mechanisms that protect against external and internal security threats. In the case of B2B technical support, a confidential password might be provided to a remote support rep or a file might be sent without prior review of the content - all examples of situations that breach security mechanisms without the knowledge of the IT department.
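One way to close the gaps listed above in code, as an added example that is not from the article or from NextNine: a small Python wrapper that ties every configuration change made during a support session to a change ticket, limits changes to pre-approved keys, records before/after values so temporary changes can be rolled back at session end, and emits the trail as JSON lines so it is searchable. The class, ticket, engineer and configuration key names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

class AuditedSupportSession:
    """Ticket-scoped, rollback-capable, audited config changes for a vendor support session."""
    def __init__(self, config, ticket, engineer, allowed_keys):
        self.config = dict(config)              # live configuration being supported
        self.ticket, self.engineer = ticket, engineer
        self.allowed = frozenset(allowed_keys)  # keys the change ticket authorizes
        self.log = []                           # JSON-serialisable audit records

    def _record(self, outcome, key, old, new, reason):
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "ticket": self.ticket,
                         "engineer": self.engineer, "outcome": outcome, "key": key,
                         "old": old, "new": new, "reason": reason})

    def set(self, key, value, reason):
        """Apply a change if the key is in scope; denied attempts are logged as well."""
        old = self.config.get(key)
        if key not in self.allowed:
            self._record("DENIED", key, old, value, reason)
            raise PermissionError(f"{key!r} is outside the scope of {self.ticket}")
        self.config[key] = value
        self._record("CHANGED", key, old, value, reason)

    def rollback(self):
        """Undo applied changes in reverse order; returns how many were undone."""
        applied = [r for r in self.log if r["outcome"] == "CHANGED"]
        for rec in reversed(applied):
            if rec["old"] is None:              # key did not exist before the session
                self.config.pop(rec["key"], None)
            else:
                self.config[rec["key"]] = rec["old"]
            self._record("ROLLED_BACK", rec["key"], rec["new"], rec["old"], "session end")
        return len(applied)

    def to_jsonl(self):  # one JSON object per line: greppable and SIEM-ready
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.log)

def demo():
    # Constructed sample config for a hypothetical trading gateway (not from the article).
    s = AuditedSupportSession({"log_level": "WARN", "max_conn": 200},
                              "CHG-0001", "vendor-eng-42", {"log_level"})
    s.set("log_level", "DEBUG", "reproduce order-routing error")
    try:
        s.set("max_conn", 5000, "quick fix")    # out of scope: denied and logged
    except PermissionError:
        pass
    s.rollback()                                # temporary change undone at session end
    return s
```

The denied attempt stays in the trail alongside the applied and rolled-back changes, so the audit record answers both "what was changed" and "what was tried".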
