What challenges have you encountered with Active Directory SOX Reports?

Governance, Risk & Compliance Regulatory Compliance

1.6k views1 Upvote2 Comments

Sort by:

VP, Customer and Technical Operations in Software4 years ago

As with any acquisition, especially in a much larger organization, there's a lot of effort required to get all the right people to reach a decision; at times it can be a real challenge. We were told to go full speed ahead and not change anything. And I thought, wait a minute, this doesn't make any sense. But it works its way through various meetings and it's like, “Well, you probably don't need to do these things...”

Any sort of compliance work that adds value is very important. But as we know, with Sarbanes-Oxley and the other audit, there's also a lot of busy work in there that you just have to do. So the challenge becomes trying to get rid of that stuff in order to focus on other things.

VP, Chief Security & Compliance Officer in Software4 years ago

One challenge with SOX and the AD in reporting consolidating under you, is that you're being given the responsibility to be accountable for processes, services, and people that you don't have direct control over. And then you have to attest.

Content you might like

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

I'm interested in understanding how your organizations estimate the complexity of digital initiatives, particularly as a basis for applying appropriate project management governance. In other words, how do you assess initiative complexity in order to determine the level or type of governance needed?

What's your most indispensable cloud infrastructure tools to use in addition to what you get from GCP, AWS, Azure?

HashiCorp (Terraform, Vault, Packer, etc.)22%

Cloud infra automation (Ansible, Puppet, Chef, etc.)56%

APM (Datadog, AppD, SignalFX, NewRelic, etc.)10%

Others?10%

View Results

Seeking insights for research universities regarding CMMC 2.0 adoption and compliance. I'm listing our full question set below, but we would welcome insights on any or all of these:

1. What is the anticipated timeline for CMMC 2.0 adoption by the Federal Government? Any insights on the expected rollout and implementation schedule?

2. From a Higher Ed CIO perspective, what are the key operational differences between each "level" in CMMC 2.0? Are there any specific challenges or considerations especially for research universities?

3. For a research university, which CMMC level would be the most suitable target? Are there any key dates or deadlines that Higher Eds and researchers should be aware of in their compliance journey?

4. What are the most crucial features or elements of CMMC that universities need to achieve compliance? Any recommendations or best practices?

5. Specifically, are there any requirements in CMMC for 7/24/365 "eyes on glass" network and/or endpoint monitoring? If there is an endpoint requirement, does it extend to all servers and laptops issued by the university, or is it limited to hosts involved in research grants? What is expected to demonstrate compliance in this regard?

6. Apart from CMMC compliance, are there other considerations or or strategies to consider when seeking to qualify for/reduce cyber risk insurance costs?

What are your organization’s drivers for implementing RegTech?

Support future growth36%

Automate manual processes59%

Demonstrate compliance49%

Reduce risk exposure43%

Improve customer experience16%

Reduce costs13%