Tackling SOX, the compliance heavyweight

September 9th, 2014   |     |  smarter identity, security & compliance

OneLogin’s customers run the gamut of industries and range from small educational nonprofits to large public technology companies and global media empires. Since we’re in the security business, we are often asked whether we’re compliant with some specific regulation – usually because the company doing the asking is required to comply with that particular regulation themselves.

Sarbanes-Oxley (SOX) and HIPAA are two mandates that are cited with the greatest frequency – not unsurprisingly, because both regulations apply to a large percentage of companies doing business in the United States today. I’ll talk more about HIPAA in my next post, so my focus here will be SOX; the first item to get out of the way is that, as a privately held company, OneLogin is not required to undergo Sarbanes-Oxley-related audits.

Just because we don’t have to comply doesn’t mean we don’t feel your pain

That said, because we are an integral part of our customers’ authentication and access management strategy, it’s important that we help our customers and prospects fully understand how OneLogin can impact their compliance requirements and what steps we take to minimize that impact, which is one of the main raisons d’être for my role as Director of Risk & Compliance (a little French to remind you we speak EU).

As I noted in my last blog post, two key frameworks for cloud service providers, Trust Services Principles (“TSP”) and ISO 27001, have released new versions that will become mandatory by the end of this year. The changes to the TSP help bring more clarity to SOC 2 reports, one of the most widely used compliance reporting vehicles for cloud service providers in the US. The changes to ISO 27001 help bring the standard up to speed with today’s IT risks, which is important since ISO 27001 certification is one of the most widely used compliance vehicles for companies around the world that depend on IT services.

Companies required to be SOX compliant need to have controls in place to manage the risks inherent in outsourcing part of their IT systems to cloud service providers. Using providers that issue SOC 2 reports and are ISO 27001 certified is a pretty good place to start. With those customers’ needs in mind, we overhauled our control environment to align with the newer versions of these frameworks, issued a new SOC 2 Type 2 report last month, and have recently completed our ISO 27001 Stage 2 audit. Having these in place helps our customers execute their vendor management controls and prove to their auditors how they manage both internal and external risk factors in their IT environment.

Granted, these are not the only two compliance options out there; in fact, a SOC 1 report is even more pertinent to entities seeking SOX compliance, and we have already laid down the groundwork for the issuance of a SOC 1 report in conjunction with future SOC 2 reports. Fortunately, since we have done all the heavy lifting in our SOC 2 and ISO 27001 efforts, very little incremental effort will be required for us to be able to issue that report going forward.

Enough about you, what about my compliance efforts?

In addition to our significant investment in our own compliance efforts, the OneLogin Enterprise Identity Management solution continues to offer support to our customers for those areas of SOX compliance that are under IT control, particularly those that are prone to deficiencies year after year:

  • Access Management: OneLogin uses existing directory structures, or can even serve as a completely cloud-based directory service, to enable you to immediately and centrally grant, modify, or remove access based on granular role-based access privileges.
  • Segregation of Duties: OneLogin lets you map pre-defined access levels and document any authorized exceptions based on your organizational structure and creates a login audit trail.
  • Authentication: With OneLogin, you can centrally manage multiple password policies, including multi-factor authentication, enabling you to set authentication controls commensurate with each application’s risk level.
  • Monitoring: OneLogin provides you with reports that can help you actively or periodically monitor what users are doing, and what apps they are accessing from the OneLogin portal.
  • Audit Evidence: By using OneLogin as your central point of access management and authentication, you can provide all the IAM reports needed for a SOX audit from a single data source.

You’ll find more information on how we help you take the pain out of SOX in our SOX Compliance Solution Brief, available for download from our Solution Brief Library.

OneLogin continues to deploy additional functionality to provide you with more ways to strengthen your access management and authentication strategy, including support for additional multi-factor authentication vendors, more ways to manage password resets, and additional fields to synchronize which can be leveraged tostreamline access management processes . We know how integral our solution can be to our customers’ compliance efforts, and we will continue to move forward as a partner in thoseefforts.

Next up: Jumping through the HIPAA Hoops

About the Author

Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customer’s own risk management model. Alvaro has over 15 years in the IT sector and prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Network World, Infosecurity, eWeek, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A in M.I.S. and a M.S. in M.I.S. from Florida International University.

View all posts by Alvaro Hoyos

Secure All Your Apps, Users, and Devices