I started to have my suspicions about how secure this network was and how compliant the enterprise was; strange things were happening in day-to-day processes and provisioning requests. Without SSO, how did all the system accounts have the same user password to log in with? It was an interesting question that I asked myself. I was now in my second week at Solar and was invited to a SOX meeting with some very serious partners, KPMG and PwC, to talk SOX. Having prepared for SOX auditors before, I knew I could not sit and wait to be asked questions I would not have answers to, even if it was only my second week. Therefore I rapidly began to diagram the network and the application architecture. I was given an application diagram but could not believe that what I was given was real, as it was so basic, so I went on a journey asking everyone for an architecture diagram and security assessment documents. I created my own assessment and started to see some significant gaps and issues, which I documented ready for my SOX meetings. I met a very professional individual; we reviewed his set of requirements and I responded directly to his questions. With each question he asked, the greener he went, and the validation of what I was seeing and what was needed became reality. We had a tremendous amount of work to do, so I got a new team together, along with some SMEs, to help identify and define where we had gaps and how we would add controls to close the door on the issues. We had 9 systems and over 130 controls to define and create policies for, and then test them with the end users. During our audits with his amazing team, we found our biggest issues were within change management and the culture in the organization, with team members circumventing the processes defined. We had to reinforce the process and close any gaps in it to enable enforcement.
Ten months down the line we are about to go through the final audit of our controls, which is a fantastic achievement by my new compliance team. With help from Tim's team, we now have a more secure and compliant enterprise to build our secure foundation on.
Project outline – SOX Control Implementation
Our team was required to stand up controls for critical systems and validate these controls through a third-party audit. We implemented User Access controls for all IT systems, and Change Management and Computer Operations controls for our critical systems: Salesforce, Sunlighten and NetSuite. We completed the implementation of all controls on schedule and delivered all requirements for the external audit before year end. During the audit, we found that the controls were designed to requirements, but we had issues with personnel following instructions.
Value & Benefits
· MFA across all three core systems, in line with best practices
· Removal of admin accounts across the enterprise, reducing cost and data-loss risk
· Added a secret server, which now holds break-glass accounts for all systems, removing the dependency on a single individual holding the account information and passwords
There is room in the future to increase compliance through system enhancement and automation.
Outstanding Accomplishments - To be or not to be compliant
December 17, 2022