Review of Selected SOX, GLB and HIPAA Compliance Solutions

Paul Braeckel, Michael Sthultz, Jiang Hong Song, Hal Berghel
Center for Cybermedia Research (ccr.i2.nscee.edu)
Identity Theft and Financial Fraud Research and Operations Center (www.itffroc.org)

(c) 2006 by CCR and ITFF/ROC - all rights reserved
(Version 0.1; February 7, 2006 )

Reviews and Opinions

Source: Risk Management Magazine
Website: http://www.riskmanagementmagazine.com.au/articles/6B/0C02EA6B.asp?Type=125&Category=1244
Title: SOX software causing concerns
Date: 04/19/05

“ Senior internal audit professionals have signaled their alarm at the narrow nature of some Sarbanes-Oxley Act compliance software .

At a recent forum on the state of the market for software designed to ease compliance with the US law, 60 per cent of the senior internal auditors attending said they were using solutions developed by the Big Four accounting firms. While it was agreed that these solutions had strengths in terms of their user-friendly nature, there was concern expressed over their limitations.

The major issue, the auditors said, is that the Big Four products focus primarily on financial controls, rather than operational controls . The most important function to ensure ongoing long term compliance was defined as the ability to communicate internal control information across the enterprise by one third of the group.”

Source: MAC News World
Website: http://www.macnewsworld.com/story/41658.html
Title: SOX Compliance Made Easy Through Software
Date: 03/25/05

“ Many executives of publicly held companies are complaining about the complexity of managing the SOX reporting process and its costs. Fortunately, there are software companies that see this as a wonderful opportunity to garner additional revenue, while helping the industry comply with a complicated law.”

Here are some of the companies that have stepped into the fray: Certus, Movaris, Documentum, Handysoft, Integrify and Microsoft. Your company's IT person can research these companies and others that are specializing in SOX compliance.”

There are restrictions associated with showing SOX compliance for financial records. These financial restrictions are what seem to be largely addressed by the compliance checking with these companies. They do not address the concerns associated with how the financial records are stored and handled, which is a large concern with CompGuardian.

Source: IT Compliance Institute
Website: http://www.itcinstitute.com/display.aspx?id=1174
Title: The Future of Security, Control, and SOX Compliance

“Basically, the compliance effort is just scattered . It's representative of the enterprise application landscape about five or six years ago, where everyone was buying applications and trying to knit them together”

Industry Products

1. Vendor: Master Control
Standard Tested: SOX
Website: www.mastercontrol.com/Products/index.html

This organization offers the following compliance services:

MasterControl SOX – Software solution to automate and to sustain the documents associated with the SOX compliance implementation.
MasterControl Training – Software solution to create training as the CE's SOX compliance implementation changes.

2. Vendor: Certus
Standard Tested: SOX 404, 302
Website: www.certus.com/products/

This organization offers the following compliance services:

Certus360 – Financial records management tool that aids in determining SOX Compliance. This solution assures the CE that financial information is accurately reported and up-to-date.
SOX 404/302 – Manages the distribution of SOX compliance duties throughout a CE.
Audit – Manages the audit reporting associated with SOX compliance.
Vignette-Link – Recordkeeping tool for managing documents that support SOX compliance.

3. Vendor: Ecora – Change & Configuration Management
Standard Tested: SOX, HIPAA, GLBA
Website: www.ecora.com/ecora/solutions/reduce-cost.asp

This organization offers the following HIPAA compliance services:

Enterpriser Auditor – A software solution used to automatically create auditable reports of configurations settings of the hardware and software infrastructure.
Patch Manager – A software solution to report software patches meet CE security policy.
Device Lock – A software solution that allows enforcing locally installed device-level security policies for a computer.
Change Manager – A software solution that manages and tracks any configuration changes to an IT infrastructure.

4. Vendor: McLure-Moynihan, Inc. (MMI)
Standard Tested: HIPAA
Website: www.mmiec.com/mmi_l2_a.html

This organization works with CE's via books, online training series, and onsite consulting to ensure the training of the employees in the HIPAA rules and regulations.

5. Vendor: HIPAA Solutions RX – Navigating HIPAA Compliance
Standard Tested: HIPAA
Website: www.hipaarx.net

This organization offers the following HIPAA compliance services:

Online HIPAA Training – Online courses to train the CE's employees. Certificate documents are provided to show during an audit that training has been completed. This training is usually performed yearly ongoing bases.
Privacy Manuals & Template Policies – Workbooks and checklists to assess the CE's HIPAA Privacy Compliance plan.
Security Manuals & Template Policies – Workbooks and checklists used as a walkthrough to assess the CE's HIPAA Security Compliance plan.
Security Products – Services to test the security holes in a CE's computing infrastructure, including the application level, and to create backup procedures of EPHI.
Disclosure Tracking Systems – Software tool to address the Covered Entity's duties to protect the patient's accounting records.
Compliance Consulting Services – Onsite consulting and training courses to assess the design of and gaps in HIPAA Privacy compliance plan.

6. Vendor: Movaris
Standard Tested: SOX 404, 406
Website: www.movaris.com/index.html

This organization offers the following SOX compliance services:

Movaris Sarbanes-Oxley Compliance – Software solution that automates and manages the risk associated with financial statements.

7. Vendor: Documentum
Standard Tested: SOX
Website: www.documentum.com/

This organization works with CE's to plan, assess, and implement procedures that be in compliance the SOX regulation for financial records.

8. Vendor: Handysoft and Plumtree Software
Standard Tested: SOX
Website: www.handysoft.com/products

This organization offers the following SOX compliance services:

SOXA Accelerator – A web application that centralizes and organize documents and duties related to the CE's SOX compliance assessment.

9. Vendor: Integrify and Visage Solution
Standard Tested: SOX
Website: www.handysoft.com/products

This organization offers the following SOX compliance services:

SingleVUE Alliance – A group of consultants that provide SOX compliance.
OpsAudit – A consulting service that audits and identifies areas of risk associated with the SOX ACT for the CE's operations.

10. Vendor: Microsoft
Standard Tested: SOX 302, 404
Website: www.microsoft.com/office/showcase/sarbanes/default.mspx

This organization offers the following SOX compliance services:

Microsoft Office System – SOX Solutions helps prove SOX compliance through document, workflow, communication, and auditing management of financial documents.

Product Comparison:

Vendor Functionality	Master Control	Certus	Ecora	MMI	HIPAA Solutions RX	Movaris	Documentum	Handysoft and Plumtree Software	Integrify and Visage Solution	Microsoft
Tests for SOX compliance	X	X	X			X	X	X	X	X
Tests for HIPAA compliance			X	X	X
Tests for GLB compliance			X
Compliance program orientation training				X	X
Compliance continued training – Manuals				X	X
Compliance continued training – Online				X	X
Compliance continued training – Onsite Consulting				X	X		X
Compliance program implementation – Onsite Consulting				X	X		X
Compliance program implementation – Division of duties planning		X					X	X
Compliance program implementation – Manage software updates			X
Compliance program implementation – Track changes in IT infrastructure			X
Compliance program implementation – Manage individual computers			X
Compliance program implementation – Financial records management		X			X			X
Compliance program implementation – Document Management								X		X
Audit report creation – Automated audit creation	X							X
Audit report creation – Financial	X	X				X
Audit report creation – Hardware / software configurations			X
Audit report creation – Employee knowledge
Compliance testing – Checklists driven testing program implementation					X
Compliance testing – Software driven testing program implementation	X	X	X			X		X
Compliance testing – Onsite consulting testing compliance program implementation				X	X				X
Compliance testing – Continuous monitoring of program implementation	X			X
Compliance testing – Onsite Consulting testing IT infrastructure					X
Compliance testing – Financial records (SOX)	X	X				X