Auditing Software for SOX

Mide

Golden Member
Mar 27, 2008
Does anyone know of, or has anyone used, any application that can print out reports of AD users, what security groups they belong to, and what groups are assigned permissions to what shares? A SOX auditor just came by and I can only think of doing this manually, which would suck.
 

Mide

Golden Member
Mar 27, 2008
No responses, huh? So there are no other IT people who work for a company in the private sector?
 

Mide

Golden Member
Mar 27, 2008
Both are fine. Although one I was looking at quoted me around 3-4k and that is totally not in the ballpark that we're looking for.
 

dfnkt

Senior member
May 3, 2006
Mide -- You said private sector. Why would a SOX auditor be bothering you? As far as I know they can only come around when you're publicly traded. I work for a privately held organization and we don't do SOX and don't have to worry about PCI-DSS since we aren't involved with credit card payments. AFAIK we don't have to worry about anything but HIPAA.

As far as SOX auditing goes, it's probably going to cost some money. I think the SCCM (formerly MOM, EDIT: Wrong, formerly SMS) from Microsoft has some canned configurations you can use for SOX audits. We use a tool from Altiris (now part of Symantec) for this type of thing. Even though we don't have to comply with it, we still strive to do so.
 

Mide

Golden Member
Mar 27, 2008
Perhaps it is my mistake in terms of wording. I work for a company that has "gone public" so we have stocks listed on the market. I have always thought that private sector = being paid by the business itself and public sector = being paid using public money like fed jobs, state jobs, and other such entities. Is this not correct?
 

dfnkt

Senior member
May 3, 2006
I guess you could really use either description. I just prefer to use private = no stocks, public = stocks and the compliance hassles.

I was incorrect in my last post; SCCM was formerly SMS, not MOM.

Found these for you:
http://en.wikipedia.org/wiki/S..._Configuration_Manager
http://www.microsoft.com/syste...ger/en/us/default.aspx

Others you might look into:

Bigfix -- http://www.bigfix.com/
and -- http://www.bigfix.com/content/...-and-policy-compliance

Client Management Suite 7 from Symantec -- http://www.symantec.com/busine...lient-management-suite

KBOX by KACE -- http://www.kace.com/
 

dfnkt

Senior member
May 3, 2006
A lot of what I've seen is that if you have some type of software or an appliance and are making a good-faith effort to stay in compliance, they are pretty accepting. If you think about it: you have a tool on all the computers gathering information and can run reports about user access levels, etc. How are they going to put their own tool out there? By using yours?