
1 List the specific requirements the software shows for your type of business. Include a screenshot if appropriate. (15 pts)

2 Which ones of the 21 entity-level controls discussed this week are included in the Netwrix output? Which ones should have been included in addition? (15 pts)

3 Evaluate and describe IN DETAIL what entity-level solutions your company will have to implement in order to comply with the selected audit. (20 pts)

1. In the following report, I outline how ManageEngine's AD Audit Plus software generates comprehensive reports that enable our company to meet Sarbanes-Oxley compliance. It provides predefined report templates for the Sarbanes-Oxley (SOX) Act, which help us meet our audit requirements.

The following SOX requirements are met using AD Audit Plus:

A. Section 302(a)(5)(A)

1 File Creation
2 File Modification
3 File Deletion

Screenshot depicting the various controls:

B. Section 302(a)(5)(B)

1 User & Computer Creation
2 User Logon Reports
3 User & Group Changes
4 All Actions made in AD by any User

C. Section 302(a)(4)(C) / 302(a)(4)(D)

1 Local Logon Reports based on time only: Successful Logon / Logoff
2 Unsuccessful Logon
3 Terminal Server Logon Activities
4 Summary Reports

D. Section 302(a)(4)(A)

1 Audit Log Cleared
2 Process Tracking
3 File Deletion / Permission Changes

E. Section 302(a)(6)

1 All AD Objects: User
2 Group
3 Computer
4 OU
5 GPO

In addition, AD Audit Plus Continuous Security provides reports for Sections 404(a)(1), 404(a)(2) and 404(b).
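The report categories above are built on Windows Security-log events that an auditor can also pull directly from a domain controller. The following PowerShell is an added example, not AD Audit Plus output or ManageEngine code: it collects the events behind the logon, unsuccessful-logon, audit-log-cleared, user-creation/deletion, group-change and process-tracking reports, prints a per-category summary, and lists the details an auditor asks about first (failed logons and who cleared the log). The 24-hour window and the target computer are assumptions to adjust.

```powershell
# Added example (not ADAudit Plus / ManageEngine code): cross-check the SOX report
# categories against the raw Security log. Assumptions: run in an elevated session
# on the domain controller (or on a member server for its own local logons);
# $Computer and the 24-hour window are placeholders.

$Computer = $env:COMPUTERNAME
$Since    = (Get-Date).AddHours(-24)

# Well-known Security event IDs behind each report category listed above.
$Categories = [ordered]@{
    'Successful logon'                   = 4624
    'Logoff'                             = 4634
    'Unsuccessful logon'                 = 4625
    'Audit log cleared'                  = 1102
    'User account created'               = 4720
    'User account deleted'               = 4726
    'Member added to global group'       = 4728
    'Member added to local group'        = 4732
    'Member added to universal group'    = 4756
    'Process created (process tracking)' = 4688
}

# One query for all IDs in the window; SilentlyContinue keeps "no events found"
# from being reported as an error.
$Events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($Categories.Values)
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Summary report: one row per category with the event count.
$Summary = foreach ($name in $Categories.Keys) {
    $id = $Categories[$name]
    [pscustomobject]@{
        Report  = $name
        EventId = $id
        Count   = @($Events | Where-Object Id -eq $id).Count
    }
}
$Summary | Format-Table -AutoSize

# Helper: turn the event's EventData <Data Name="..."> elements into a hashtable.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event) {
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# Unsuccessful logons: which account, from where, and the failure code.
$Events | Where-Object Id -eq 4625 | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = $d.TargetUserName
        Source    = $d.IpAddress
        Station   = $d.WorkstationName
        Status    = $d.Status
        SubStatus = $d.SubStatus
    }
} | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Audit log cleared: 1102 stores the actor under UserData/LogFileCleared, not EventData.
$Events | Where-Object Id -eq 1102 | Select-Object TimeCreated, MachineName,
    @{ n = 'ClearedBy'; e = { ([xml]$_.ToXml()).Event.UserData.LogFileCleared.SubjectUserName } } |
    Format-Table -AutoSize
```

Two caveats when comparing this with the tool's reports: domain authentication on a domain controller is logged as Kerberos (4768/4769) or NTLM (4776) rather than 4624, which is written on the machine where the session is created; and the file creation, modification and deletion reports depend on object-access auditing with SACLs on the audited folders (events 4663/4660), which this query does not cover.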

2.
Entity-level control 4, reviewing performance indicators and measurements for IT, can be supported with Event Log Analyzer from ManageEngine. Metrics for routine activities (system updates, response time) are visible under its system audit reports, and it lets us monitor critical servers and raise alerts when system changes are made.

Entity-level control 8, reviewing and evaluating the risk-assessment processes in place for the IT organization, can be monitored and reviewed using the following ManageEngine software. Device Expert is a web-based network change and configuration management solution for switches, routers, firewalls and other network devices; it helps prevent unauthorized configuration changes to network devices and ensures that configurations comply with standards and regulations.
Security Manager Plus, another ManageEngine solution, is a network security scanner that reports on network vulnerabilities and helps remediate them to maintain compliance. Its features include vulnerability scanning, open port detection, patch management and vulnerability reporting. Security Manager Plus protects the network from security threats and malicious attacks.

Entity-level control 12 deals with obtaining approvals before responding to user requests for password resets and system access. Password Manager Pro from ManageEngine supports storing and managing shared sensitive information such as passwords and documents, including shared administrative passwords and hard-coded passwords.

Reviewing and evaluating the processes for controlling non-employee logical access, which is control 14, can be monitored using

ManageEngine Service Desk Plus manages software licenses and satisfies entity-level control 15, which ensures that the company is in compliance with applicable software licenses.

......

3.
Here is a list of the entity-level solutions that we will have to implement in our company:

Corporate Governance:

Clairville Cottage needs to establish which policies it has in place within the organization. The
company then needs to evaluate the policies to determine if they are comprehensive, and ensure
that they include the following documents:

Code of Ethics
Employee handbook
Mission, vision, or values statement
Board of Directors Policies and Procedures
New employee hire and termination checklist
Performance review policy
Whistle blower policies

We also need to make the policies available on the company's corporate website and ensure that all employees are informed of the policies annually. A record must be kept of employee training, along with an employee acknowledgment or attestation form confirming that each new employee has received and understands the code of conduct policies. These attestation forms need to be tested every quarter to ensure the policy is being followed; the same goes for new-hire training and performance reviews.

Operating reviews:

Clairville Cottage needs to conduct a top-down risk assessment of its key financial processes and transactions. There need to be regularly scheduled monthly operating reviews, with the results documented, operating issues identified and followed up on, and written documentation supporting the reviews.

Personnel assessment and systems investment:


The company needs to hire skilled, qualified and experienced personnel in key positions and ensure senior finance personnel hold professional accounting designations. The company also needs to conduct ongoing training and certification, and ensure its operating systems and financial applications are able to handle the complexity of the company's operations.

Management from the Top:

Clairville Cottages needs to implement an appropriate internal control framework such as COSO, and ensure the CEO and President participate in the follow-through and implementation of internal control reviews.

Accountability from Executives and Directors - the company needs to review how employees are hired, trained, or terminated and how the Board of Directors governs the executive management team. The company also needs to look at board independence, how financial accountability is maintained, and how employee feedback is accepted and incorporated, such as through surveys, feedback review policies, and whistleblower policies.

Financial Analysis and Integrity

Entity-level controls in this area will determine how often the organization compares budgeted vs.
actual costs; when risk assessments are performed, and which positions are involved; signing
authority policies including thresholds; and the frequency of review of key performance indicators
to check activities at decentralized locations. In addition, these controls would discuss the

The company also needs to review employee compensation totals, which include salaries, stock,
bonuses etc., as well as executive compensation and bonus structures.

Adherence to Applicable Laws and Legislation - Clairville Cottages needs to establish a procedure requiring legal counsel to update management on changing legislation, and also decide who within the organization takes responsibility for compliance. There also need to be procedures in place to review internal controls for financial reporting.
There needs to be an annual review of internal controls over financial reporting, compliance training, and the establishment of an internal audit department that reports to an audit committee.

Maintenance of ticket trails for issues pertaining to infrastructure and/or user changes. This was one of the most time-consuming parts of the entire audit. One of the things we got dinged on in our initial audit was that we had several tickets that, for lack of a better term, would be considered invalid (such as those generated by some event: "this machine is almost out of drive space", and such). Now these were just garbage tickets, and the tech team was just going through and dumping them. This, of course, caused them to ask where the tickets were, since there was a break in the continuity ("I see tickets 1, 2, 3, and 4, but no 5, and then 6, 7"), that kind of thinking. What I ended up doing was taking away the ability to delete tickets, and now garbage tickets get closed as such.

Change audit - by this, I mean the ability to monitor changes made in Active Directory and Group Policy. Netwrix has a free tool that can help you out, and unless I miss my guess, Splunk will do the same.

Maintain firewall logs for the company, as well as periodically review them.

User accounts - what they're looking for is GPOs that apply to password changes and such, as well as expired accounts, accounts never used, and so on. While DSQuery etc. will give you the info you need, I found a great tool from MaxPowerSoft to help out. It becomes a simple point-and-click operation from there. No doubt there are other tools out there or ways to get this info.

Patch Management - we can print MBSA scans to a share and employ WSUS to do patch
management on our servers, as well as generate reports. Each patch needs to be submitted as part
of a ticket, with an explanation of what it would fix, its consequences, impacted software, what
occurs if it is not installed, and if a reboot would be needed.

On the Active Directory side, Clairville Cottages needs to audit changes to AD and monitor the changes using Netwrix AD Reporter. The company needs to keep track of AD changes through a ticket system for new, modified and deleted users, as well as old accounts and service accounts. For the company's financial software we need to determine who has access to the servers, and maintain a log of them. The IT team's access to the system would have to be limited, with DBAs limited to local access to the servers instead of domain rights. was a domain admin. Well, we ended up limiting that role, and now the DBAs etc. on those servers have just local access to them rather than domain rights. Backups were tested for them, and I had to show patch management logs and MBSA scans.
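The user-account evidence described under "User accounts" above (the effective password policy, expired accounts, accounts never used, stale accounts) and the domain-rights review described in the Active Directory paragraph can both be produced with the ActiveDirectory PowerShell module rather than a third-party tool. The script below is an added example, not the author's procedure or a MaxPowerSoft/Netwrix product: it exports the password policy, flags accounts with hygiene problems, and lists who actually holds domain-wide admin rights, which is the evidence for keeping DBAs and other server admins to local rights. The 90-day staleness window and the evidence folder are assumptions.

```powershell
# Added example (not the author's or any vendor's code): AD account-hygiene and
# privileged-membership evidence for the audit. Assumptions: the ActiveDirectory
# module (RSAT) is installed, the session can read the domain, $StaleDays and
# $OutDir are placeholders.
Import-Module ActiveDirectory

$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)
$OutDir    = 'C:\AuditEvidence'
$Stamp     = Get-Date -Format 'yyyyMMdd'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Password policy as actually applied: the domain default (set by the Default
#    Domain Policy GPO) plus any fine-grained policies that override it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                  ComplexityEnabled, LockoutThreshold, LockoutDuration |
    Export-Csv "$OutDir\password-policy-$Stamp.csv" -NoTypeInformation
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, AppliesTo, MinPasswordLength, MaxPasswordAge |
    Export-Csv "$OutDir\fgpp-$Stamp.csv" -NoTypeInformation

# 2. Account hygiene. LastLogonDate is the replicated lastLogonTimestamp and can
#    lag real activity by up to 14 days: fine for a staleness review, not for
#    proving when a specific logon happened.
$Users = Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires,
                                          AccountExpirationDate, Enabled, whenCreated
$Now = Get-Date

$Findings = foreach ($u in $Users) {
    $issues = @()
    if ($u.Enabled -and -not $u.LastLogonDate -and $u.whenCreated -lt $Cutoff) { $issues += 'never logged on' }
    if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $Cutoff)   { $issues += "no logon in $StaleDays days" }
    if ($u.Enabled -and $u.PasswordNeverExpires)                               { $issues += 'password never expires' }
    if ($u.Enabled -and $u.AccountExpirationDate -and $u.AccountExpirationDate -lt $Now) { $issues += 'expired but still enabled' }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Issues          = ($issues -join '; ')
        }
    }
}
$Findings | Export-Csv "$OutDir\account-hygiene-$Stamp.csv" -NoTypeInformation

# 3. Who holds domain-wide rights. Nested membership is expanded so a DBA added
#    through an intermediate group still shows up. (The built-in Administrators
#    group is worth reviewing too; Get-ADGroupMember can fail on groups that
#    contain foreign security principals, so it is left out of this list.)
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$Priv = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
$Priv | Export-Csv "$OutDir\privileged-members-$Stamp.csv" -NoTypeInformation

$Findings | Format-Table -AutoSize
$Priv     | Format-Table -AutoSize
```

Re-run this on a schedule and keep the dated CSVs with the change tickets; the privileged-members export from before and after the role change is the straightforward way to show an auditor that the DBA accounts no longer carry domain rights.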
