Roaming Profiles 1581

  • Coming from a privately owned small- to medium-sized company, Sarbanes-Oxley has been quite an adjustment for me. I use a laptop at work and bring it home each night. At my former company, I could log on to my laptop anywhere away from the network using my domain login account. This was very convenient because I only had to have one profile. At my new company, I asked to be set up this way and was told that this was not Sarbanes-Oxley compliant. Now when I log in from home I have to use a local account which even through VPN won’t allow me to access anything on our domain. Is this really the case? Does Sarbanes-Oxley not allow for roaming profiles? Or is this just a case of a typical LAZY/CONTROLLING systems administrator not wanting to do his/her job?

  • Hi Chad and welcome to the forums 🙂 … While this is most likely not stated specifically, the SOX 404 standards encourage best practices and the optimal level of security controls over financial information and the IT environment itself.
    This is discouraged in our own company, as there are increased security risks associated with roaming profiles. If a hacker were to discover the ID/password, they might have more access rights than a more restrictive VPN environment.
    Most likely ADMINS aren’t going to allow this. However, from a VPN standpoint you might want to work with IT security to ensure you have some of the basic rights you need for after hours access. Hopefully you can gain access to network drives and other resources (maybe using IP addresses which is what I do sometimes) to help you in after hours support.

  • Or is this just a case of a typical LAZY/CONTROLLING systems administrator not wanting to do his/her job?
    I would think that was the reason, yes.
    We have the same solution you used in your previous company, and no SOX issues because of all the other controls we have in addition.

  • Or is this just a case of a typical LAZY/CONTROLLING systems administrator not wanting to do his/her job?
    Having worked in IT security for several years, I definitely see the ‘CONTROLLING’ factor, but not the ‘LAZY’ connotation. Security managers can be as ‘stubborn as a mule’ when it comes to changing things that are in place, even when the reasons are legitimate 😉
    I agree with IrquiM that roaming profiles should not impact SOX compliance. However, security may still not want to implement them, as they must always place additional controls on remote access (as you have fewer assurances on who is truly sitting behind the keyboard when it comes to remote access). This is why 2-factor security and other controls are needed, as passwords alone are not a good defense measure.
    I still think IT security should solve Chad’s access issues and provide what he needs to support his requirements – esp. since he’s going the extra mile and providing additional OT support from home.

  • My company offers remote access to our network through a secure ID service. In our instance, the person has a username and password to type in and also must have a code that changes every 15 or 30 seconds from a little card-like object. This control seems to be sufficient in providing safe and secure remote access to let people work from out of the office.

  • Hi Jason - Yes, SecurID cards are one of my favorite solutions for 2-factor authentication 🙂
    They’re supported natively by Windows Servers, Workstations, and other technologies. The proprietary algorithm has also never been broken, and the 60-second constant rotation of PINs offers better assurances that the bad guys won’t compromise controls. These are expensive solutions for security.
    A couple of links are shared below … Please cut/paste and add ‘www’
    RSA SecurID Authentication
    Cytrocard - another good 2 factor solution
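    The two posts above describe the control in words: a password plus a code from a token that rotates every 30 or 60 seconds. Below is an added example, not from this thread or from RSA, that implements that control with the open RFC 6238 TOTP scheme (HMAC-SHA1 over a time counter); it is not SecurID’s proprietary algorithm, but it shows the same moving parts a remote-access gateway needs: a constant-time password check, a small clock-skew window, and a “last counter used” so a code captured over the wire cannot be replayed. The user record, password, salt and the 30-second step are constructed for the demo; the token seed is the RFC 6238 test seed so the codes can be checked against the RFC’s published vectors.

```python
"""Added example: password + time-based one-time code (RFC 6238 TOTP).
Not SecurID's proprietary algorithm; an open scheme showing the same control.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # rotation period (assumed; RFC 6238 default, SecurID uses 60)
DIGITS = 6          # length of the displayed code
SKEW_STEPS = 1      # accept one step either side for token/server clock drift


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def make_user(password, token_secret, salt):
    """Constructed user record: PBKDF2 password hash plus the token seed.
    last_counter remembers the newest time step already accepted, to block replay."""
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "token_secret": token_secret,
        "last_counter": -1,
    }


def verify_login(user, password, code, now=None):
    """Check both factors; returns (accepted, reason). Fails closed if either factor is wrong."""
    if now is None:
        now = int(time.time())
    # Factor 1: something you know, compared in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False, "bad password"
    # Factor 2: something you have, valid within +/- SKEW_STEPS of the current step.
    current = now // STEP_SECONDS
    for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
        if counter <= user["last_counter"]:
            continue  # that step was already consumed: a sniffed code cannot be replayed
        if hmac.compare_digest(hotp(user["token_secret"], counter), code):
            user["last_counter"] = counter
            return True, "ok"
    return False, "bad or reused code"


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 SHA-1 test seed, demo only
    user = make_user("correct horse battery staple", seed, b"demo-salt")
    t = 1111111109  # RFC 6238 test time; the 6-digit code is 081804
    print(verify_login(user, "correct horse battery staple", totp(seed, t), t))   # accepted
    print(verify_login(user, "correct horse battery staple", totp(seed, t), t))   # replay rejected
```

    The replay check matters because a VPN login is exactly the place an attacker who has captured one valid code would try to reuse it; the gateway must treat each time step as single-use rather than merely checking that the code is “current”.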

  • Some great comments here.
    I think one of the important things about SOx that people miss time and time again is that the act was never intended to stop businesses doing the things they need to do to carry out their business.
    If there is a valid business reason for someone to have remote access to their systems then SOX doesn’t prevent this, it merely requires that you have sufficient controls to prevent or detect errors that would impact financial reporting.
    As pointed out elsewhere there are plenty of recognised solutions for providing this type of access.
