SOX Asset Inventory
While at PennyMac, our team convinced the Risk and Compliance manager to modernize their tracking mechanism (called the SOX Asset Inventory) from a shared Google spreadsheet to an integrated, audited module on ServiceNow.
The Sarbanes-Oxley Act is a suite of accountability laws that set forth both SOC and SOX compliance measures. Under it, the company is under constant audit, both internal and external, to ensure that we remain in compliance.
The original implementation was clunky: a solution born of necessity, but not one suited to the company's rapidly growing scale.
Implementation in ServiceNow
At the time, ServiceNow was the System of Record for both the company's CMDB (Configuration Management Database) and DAL (Database Access List). This, combined with its ease of use, access controls, and reporting, made ServiceNow the ideal place to track the SOX Asset Inventory.
Each Inventory item was linked to an object in our CMDB and had its own custom fields including Asset Status, Pending Validation, SOX Classification, and Validation Date. In addition, each Inventory item had the ability to link one or more SOX Processes through a related list.
Inside an Inventory record, we also displayed the fields of the linked CMDB record that the Risk and Compliance manager needed, such as Access Manager, Business Owner, Technical Owner, Vendor Provider, and Description.
The inventory was split into four types, each backed by a filter on the CMDB (or, for IT Jobs, on Event Management):
- Application Inventory: uses the Business Application filter on the CMDB. It also allows the user to link Databases, Servers, and AWS Scaling Groups to the record.
- Databases Inventory: uses the Database filter on the CMDB. It also allows the user to link Servers to the record.
- Files/Directories Inventory: uses the CI/Shared Folder filter on the CMDB.
- IT Jobs Inventory: uses the Critical IT Jobs section of Event Management. This is the weakest part of the inventory, as we are still working on onboarding the database and ops teams to ServiceNow.
Core Records
- SOX Processes: Although this is primarily managed by the Audit team in Auditboard, we imported all of the processes into their own table which could then be assigned out to each Inventory item as necessary.
Auditing
An important requirement for this system was that changes be tracked and auditable. This led to the creation of the SOX Snapshot, a table that records every update and change. It is populated by business rules that do the following:
- Any update to a SOX record requires a comment before it can be saved, which ensures that the Risk and Compliance team provides a justification for every change.
- Any change to a CMDB item that has an associated SOX record writes an update log entry into the Snapshot.
Using ServiceNow's reporting capability, we created monthly reports that are emailed on a schedule to their designated recipients.
Ongoing Improvements
In addition to fixing production bugs as they emerged, we implemented a check that looks for an existing SOX record before a new Inventory item can be created. Because every Inventory item is tied to a master source record in the CMDB, this could be done with a business rule. The resulting error message also includes a link to the already-existing Inventory item.
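The three business rules described above (the required-comment rule and the CMDB change logging from the Auditing section, and the duplicate check from this section), modelled as plain JavaScript so they can be run and tested outside an instance. This is an added example, not the project's own ServiceNow code: the table and field names, the `x_sox_inventory` link target and all rows are constructed assumptions, and in a real instance the same logic would live in before-insert/before-update business rules using GlideRecord.

```javascript
// Added example: a plain-JavaScript model of the SOX Asset Inventory business
// rules. It is not ServiceNow code; in an instance the same checks would run as
// before-insert / before-update business rules using GlideRecord,
// gs.addErrorMessage() and current.setAbortAction(true).
// Table names, field names and rows below are constructed sample data.

// SOX Asset Inventory rows; each one links to a CMDB record via cmdb_ci.
const inventory = [
  { sys_id: 'inv001', cmdb_ci: 'ci_app_42', asset_status: 'Active',
    sox_classification: 'In Scope', pending_validation: false }
];
// The SOX Snapshot table: one row per changed field, with the justification.
const snapshot = [];

function record(source, sysId, field, oldValue, newValue, comment, who) {
  snapshot.push({ source, record: sysId, field, old: oldValue, new: newValue,
                  comment, who, at: new Date().toISOString() });
}

// Rule 1 (before insert): one Inventory item per CMDB CI. On a duplicate the
// save is aborted and the error message links to the existing item.
function checkDuplicate(cmdbSysId) {
  const existing = inventory.find(r => r.cmdb_ci === cmdbSysId);
  if (!existing) return { abort: false };
  const link = 'x_sox_inventory.do?sys_id=' + existing.sys_id; // hypothetical table name
  return { abort: true,
           message: 'Inventory item already exists: <a href="' + link + '">' + existing.sys_id + '</a>' };
}

// Rule 2 (before update): no save without a justification comment; every
// field that actually changed is written to the Snapshot.
function updateInventory(sysId, changes, comment, who) {
  const rec = inventory.find(r => r.sys_id === sysId);
  if (!rec) return { abort: true, message: 'Unknown Inventory item ' + sysId };
  if (!comment || !comment.trim()) return { abort: true, message: 'A comment is required' };
  const changed = Object.keys(changes).filter(f => rec[f] !== changes[f]);
  changed.forEach(f => record('inventory', sysId, f, rec[f], changes[f], comment, who));
  Object.assign(rec, changes);
  return { abort: false, logged: changed.length };
}

// Rule 3 (after update on the CMDB): a change to a CI with a linked Inventory
// item is logged against that item, even though the edit happened in the CMDB.
function logCmdbChange(cmdbSysId, field, oldValue, newValue, who) {
  const linked = inventory.filter(r => r.cmdb_ci === cmdbSysId);
  linked.forEach(r => record('cmdb', r.sys_id, field, oldValue, newValue,
                             'CMDB change to ' + cmdbSysId, who));
  return linked.length; // number of Snapshot rows written
}
```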