Old Republic Selects Partner for Sarbanes-Oxley Compliance
July 31, 2014
Old Republic National Title Insurance Co. has selected Courion’s Compliance Courier as its access certification solution.
As a public company, Old Republic must comply with Sarbanes-Oxley (SOX) reporting requirements. Like many companies, answering the question of “who has access to what” required IT staff to spend a considerable amount of time with line-of-business managers, compiling user-access information in spreadsheets. Like any manual data process, it was susceptible to errors.
With ComplianceCourier, Old Republic can centralize and automate the access control process, reducing the risk of unauthorized access. ComplianceCourier’s reporting interface will allow the company to more easily audit existing access by user, application, administrator, group or workstation, and meet SOX compliance requirements. By establishing a process for certifying “who has access to what,” the efficiency of IT operations will be increased, freeing staff to focus on other tasks, according to Courion. The solution also will help the company consolidate its active directory structure.
Old Republic’s director of IT Security said the clear visibility in the company’s user access will improve access control and significantly streamline access review processes.
Section 802 of SOX contains the three rules that affect the management of electronic records. The first rule deals with the destruction, alteration or falsification of records, and the resulting penalties. The second rule defines the retention period for records storage. Best practices indicate that corporations securely store all business records using the same guidelines set for public accountants. The third rule refers to the type of business records that need to be stored, including all business records and communications, including electronic communications.
The third pillar of ALTA’s “Title Insurance and Settlement Company Best Practices” encourages companies to adopt and maintain a written privacy and information security program to protect NPI as required by local, state and federal law. The pillar encourages companies to restrict access to NPI to authorized employees and to maintain and secure access to company information technology. The pillar also says companies must dispose of information in a manner that protects against unauthorized access to or use of NPI.