Sample Privileged Access Management Certification

August 11, 2019

SOX PAM Certification 2019

  • SOX privileged access consists of all certifications related to privileged access for applications, databases and infrastructure
  • Bank SOX certification – runs annually and is performed by M S S P
  • Branch SOX certification – is part of the PAM certification and is run quarterly by McAfee
  • M S S P defines which applications are SOX applications
  • M S S P – External auditors
  • M S S P – Control Assurance and Advisory – Our internal SOX 2nd line.
  • M S S P is the resolution team for SOX remediation.
  • Keys to the kingdom are the entitlements that can affect the entire firm, i.e. Active Directory, Database, Network, Storage, UNIX, Infrastructure, Domain Admin.
  • Entitlements are reviewed and confirmed by platform owners quarterly
  • User privileged access certification is done quarterly
  • SOX Coverage:
  • Bank – 100 applications and 300 servers (UNIX, LINUX, Windows, Databases), 20K accounts – Manual Certification
  • Branch – 20 applications and database and infrastructure – Certification is done by McAfee
  • M S S P is running the Privileged Infrastructure SOX certification – Manual certification
  • There is a plan to pull privileged access and feed it into McAfee automatically, so this is the effort for next year.
  • UNIX, AD and Windows platforms – Manual certification
  • Database – pending hiring of a contractor – Manual certification
  • MF, AS400, and Greenplum – Manual certification
  • What constitutes privileged access?
  • M S S P is working with platform owners to align the definition of “privileged access” with M S S P expectations.