Sarbanes-Oxley Compliance
Security Administration
INTRODUCTION
Strong corporate governance practices and a business code of ethics aren't just good corporate etiquette—they are the law—thanks to The Sarbanes-Oxley Act (SOA) which is the U.S. government's response to several well publicized corporate financial scandals including Enron, WorldCom, Adelphia, Tyco and others.
Essentially, the government is requiring that the CEOs and CFOs of public companies swear under oath that the financial statements they make are accurate and complete. The purpose of the act is to protect investors by improving the reliability of corporate financial statements and by establishing stiffer penalties for auditors, corporate officers, company directors, and others who violate the act.
The impact of SOA since it was signed into law on July 30, 2002 has been significant and far-reaching. Essentially every publicly-traded company, big or small, domestic or foreign, that has registered under the Exchange Act or has a pending registration statement under the Securities Act of 1933 is affected by the legislation. Failure to comply with SOA requirements carries significant penalties including jail terms for executives and corporate fines.
SARBANES-OXLEY ACT COMPLIANCE AND INFORMATION TECHNOLOGY'S ROLE
According to a survey conducted in April 2003 by AMR Research Inc., about 85 percent of all public companies intend to change their IT systems as part of their efforts to comply with the law. (Source: AMR Research April 2003). And those companies are planning to spend $2.5 billion in 2004 alone on projects related to compliance.
While SOA is not detailed in prescribing a solution to the compliance issue, it does make clear what obligations the company is under in order to be compliant. Explicitly, section 404(a) of the act sets June 15, 2004 as the deadline for establishing "adequate internal controls" around financial reporting and its governance.
For those companies operating under a calendar fiscal year, this effectively means that they must be in compliance by January of 2004. The "internal controls" that SOA refers to ultimately break down into a series of processes companies must adhere to in the preparation of financial reports, as well as the protection of the financial information, stored in various locations throughout the enterprise, that goes into making those reports.
The majority of data that makes up financial reports is generated by IT and its related processes; therefore it is critical that the effectiveness of these processes can be verified. General believes that IT plays a critical part in ensuring its company is in compliance with SOA. If not, the risk to the corporation and the potential personal liability to executives can be significant.
THE IMPACT ON IT
Sarbanes-Oxley is largely about specifying requirements around auditing practices and financial reporting. It is about making sure that the performance information of a public company is accurate and timely. So what does it mean for IT? Throughout the act, pockets of indicators for IT can be found. Three sections in particular are driving most of the IT discussion and budget.
The chart below spotlights the three specific Sarbanes-Oxley sections most likely to have critical impact on IT. Displayed here are the implications of each section and how General solutions directly address each of them.
| SOA Regulation | Implications | General's Solution |
| --- | --- | --- |
| Section 302. Mandates that the CEO and CFO personally certify the accuracy of financial reports | Financial reports must be verifiable and auditable: IT must provide assurance that a company's core infrastructure and mission-critical software applications are not exposed to potential failure due to human error, staff turnover or sabotage | Security Policy Enforcement: General solutions provide complete visibility into access privileges, for control and up-to-the-minute insight into who has access to what resources and information throughout the enterprise. General solutions automatically detect and react to unauthorized changes and potential risks. The system ensures that the right users have access to the systems and applications they need to conduct business within the enterprise, but turns off this access when appropriate |
| Section 404. Requires the implementation of internal controls, and the ability to assess the effectiveness of those internal controls | Auditability of the internal control structure and processes: companies will have to demonstrate appropriate levels of enforcement of the business processes involved in financial reporting | Information Security Policy Framework: the policy framework clearly delineates roles and accountability for the information security program. The Asset Protection Policy defines protection objectives and required technical standards. A combination of real-time and query-based auditing assures comprehensive management of access controls and delivers detailed audit logs documenting both authorized and unauthorized changes. "Behavior monitoring" creates the ability to "guard the guards", effectively watching all administrator-level network activity |
| Section 409. Requires real-time disclosure of any material change in the financial condition of the company | Real-time disclosure: requires "timely and accurate disclosure of material events" to the business, implying that companies be ready to disclose events that affect the business within 48 hours | Real-time detection: provides immediate alerts and automated responses to unauthorized access changes and attempted security breaches, giving management timely knowledge of the state of network security. Audit History Reporting: for any given date, provides a comprehensive view of who has access to what and why, including access privileges on IT resources and administrative privileges on key systems |
INTERNAL CONTROLS
Internal controls are generally recognized as a system of monitoring capabilities, checks and balances established to safeguard the integrity of information and protect the enterprise against wrongful or fraudulent acts. They are defined more broadly relative to auditing and finance, which leaves enterprises turning to several key sources for guidance.
Sources include the SEC rulings on Sarbanes-Oxley and the two existing frameworks referenced in those rulings: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, which was formed around internal controls in the early 1990s, and Control Objectives for Information and Related Technology (COBIT), which has been developed by the IT Governance Institute as a generally applicable and accepted standard for good information technology (IT) security and control practice. For today's regulatory needs, COBIT soundly addresses the gaps around business risks, corporate governance issues and other technical issues in organizations.
These auditing standards define "Internal Controls" as a process that provides reasonable assurance regarding achievement of three major objectives:
• Effective and efficient operations
• Reliable financial reporting
• Compliance with applicable laws
APPLYING COSO
COSO further defines the five internal control components that need to be in place.
1. Control environment. Top-down enforcement of values that support discipline and structure.
2. Risk Assessment. Identification and analysis of risks and a risk mitigation strategy and plan.
3. Control Activities. Policies and procedures that ensure that management objectives are achieved and risk mitigation strategies are enacted.
4. Information and Communications. Communication of responsibilities to employees and dissemination of information that ensures proper execution of their duties.
5. Monitoring. Outside oversight of internal controls and benchmarking against recognized standards like COSO.
LAYING OUT COBIT
There are 34 processes in COBIT broken out into 4 main categories. There is one high level control objective that relates to each of the 34 processes, and there are a total of 318 specific control objectives broken out across the 34 processes. The 34 processes are broken out into four domains:
• Planning and organization
• Acquisition and implementation
• Delivery and support
• Monitoring
The table below identifies the 34 processes by the domains where they exist.
| Planning and Organization | Acquisition and Implementation | Delivery and Support | Monitoring |
| --- | --- | --- | --- |
| PO1: Define a strategic IT plan | AI1: Identify automated solutions | DS1: Define and manage service levels | M1: Monitor the processes |
| PO2: Define the information architecture | AI2: Acquire and maintain application software | DS2: Manage third-party services | M2: Assess internal control adequacy |
| PO3: Determine the technological direction | AI3: Acquire and maintain technology infrastructure | DS3: Manage performance and capacity | M3: Obtain independent assurances |
| PO4: Define the IT organization and relationships | AI4: Develop and maintain procedures | DS4: Ensure continuous service | M4: Provide for independent audits |
| PO5: Manage the IT investment | AI5: Install and accredit systems | DS5: Ensure systems security | |
| PO6: Communicate management aims and direction | AI6: Manage changes | DS6: Identify and allocate costs | |
| PO7: Manage human resources | | DS7: Educate and train users | |
| PO8: Ensure compliance with external requirements | | DS8: Assist and advise customers | |
| PO9: Assess risks | | DS9: Manage the configuration | |
| PO10: Manage projects | | DS10: Manage problems and incidents | |
| PO11: Manage quality | | DS11: Manage data | |
| | | DS12: Manage facilities | |
| | | DS13: Manage operations | |
GENERAL APPROACH
The General approach applies both the COSO and COBIT framework objectives in addressing Sarbanes-Oxley compliance. The General Sarbanes-Oxley Matrix, available on the company's website, is a comprehensive outline detailing each COSO and COBIT requirement, as well as how General's solutions address each specific requirement.
GENERAL SECURITY ADMINISTRATION FRAMEWORK
The General solution addresses Sarbanes-Oxley compliance with a suite of security and compliance management products focused on four critical areas of IT security.
• Vulnerability Management
• Identity Management
• Change Management
• Policy Management
MANAGING VULNERABILITIES
Complying with Sarbanes-Oxley requires that publicly held companies have certain internal controls in place to ensure that their financial audit records are adequately protected from vulnerabilities or weakness within the company's IT infrastructure.
In general there are five different types of vulnerabilities: exposed user accounts or defaults, dangerous user behavior, configuration flaws, missing patches and dangerous or unnecessary services. These five vulnerabilities fall into two categories:
Configuration flaws: By some estimates, a large number of vulnerabilities stem from poorly configured machines, not software defects. For example, inappropriate file, directory and share permissions lead to many exposures by allowing non-administrative users access to sensitive system components. Vulnerable services running with administrative privileges are constantly at fault for elevating the damage caused by an exploit. Both of these are examples of configuration flaws, not software defects.
Dangerous user behavior: Oftentimes the actions of end users and administrators expose systems to compromise even when there is no associated configuration flaw, missing patch or dangerous service. If a user performs a dangerous action, its damage will only be mitigated by the limitations of the user's authority (i.e., privileges). Unfortunately, many users operate with administrative authority on their workstations or, in the case of administrators, on servers and other critical hosts. User behavior is frequently overlooked by vulnerability management approaches, although it is a significant source of security incidents.
The SANS Institute Top 20 Internet Security Vulnerabilities list names 20 high-level classes of vulnerabilities that are considered the most critical by a consensus of experts. In turn, each vulnerability is caused by one or more of the five issues described above, for a total of 44 distinct causes, as illustrated below:
[Figure: breakdown of the 44 causes behind the SANS Top 20. Configuration flaws, 17; Dangerous or unnecessary services, 9; Exposed user accounts or defaults, 4; Dangerous user behavior, 2; the missing-patches count is not legible in the extracted figure.]
Note that configuration flaws are the number one source of vulnerabilities in the SANS Top 20, followed closely by missing patches. Stronger security can be largely achieved by maintaining secure configurations and staying up-to-date with software patches and service packs.
Whatever the external drivers of vulnerability management, the underlying reason for it is risk management. The principal formula for quantifying security risk is:
Risk = Threats × Vulnerabilities × Impact
The greatest opportunity to proactively mitigate risk is therefore the reduction of vulnerabilities, which reduces the opportunity for an attacker or other threat to cause an impact. Because many business managers are willing to accept risk even when it has been poorly measured, most security-related regulations (like Sarbanes-Oxley), standards, guidelines and audits mandate vulnerability management and expect to see it instituted in policy.
Security Awareness Training
Security awareness training should be considered an important aspect of vulnerability management. Often such training is designed to raise the general level of security awareness and is focused on general issues, such as passwords or physical security, rather than role-specific issues, such as Windows 2000 Server security. Moreover, most organizations fail to measure security awareness and understanding, making the management of awareness more art than science.
COMPREHENSIVE VULNERABILITY MANAGEMENT
General believes an ideal vulnerability management solution is one that meets at least the following criteria:
• Provides an accurate assessment of security posture. Vulnerability management should provide a comprehensive picture of security from an administrator's point of view. It should provide a view from the inside out, so that it is clear where you have exposures. Just because an external attacker cannot exploit a configuration flaw on a particular host does not mean you are secure; you are likely vulnerable to an insider.
• Supports a business-process approach. Vulnerability management should be both repeatable and measurable. In other words, it should be integrated with the business and performed as a process rather than as periodic or infrequent projects. It should provide meaningful metrics for security, not just list the numerous vulnerabilities that exist. The solution should support multiple, distinct roles in the business such as security officers, administrators, and auditors.
• Scales securely. Vulnerability management should grow with the business and support the entire enterprise. This means the solution should work over large, distributed networks with little impact on utilization and other resources. It should also communicate and store data securely, so that the solution itself does not become a potential exposure.
• Ensures compliance and helps protect and remediate. The solution must provide compliance with applicable policies, standards and regulations. Vulnerability management should export and integrate a company's policy standards and rules into the vulnerability checking process. The system must not only identify exceptions from policies and standards, but should provide automation and guidance in correcting the vulnerabilities.
• Addresses the human side of security. The ideal vulnerability management solution addresses vulnerabilities introduced by dangerous human behavior as well as system vulnerabilities. It should address the human side of security at all levels - end users as well as those responsible for implementing and maintaining system security. End users should be educated on what constitutes dangerous or unacceptable behavior, while administrators should understand how to secure their specific platforms.
THE ROLE OF CHANGE MANAGEMENT
According to the Institute of Internal Audit, "reliability of internal controls and financial reporting depends directly on such technical controls as change management and monitoring for information, systems, programs, and operational configurations." In other words, financial reporting integrity depends on the integrity of IT systems and processes that support financial data.
Monitoring and alerting on changes to core IT infrastructure such as directories, operating systems and business-critical applications is central to change management controls for any organization. IT is the main tool for assessing information and controlling integrity, as well as supporting auditors' assessments, and IT change control is a key process for ensuring ongoing integrity.
Therefore, auditors will look for--and evaluate the effectiveness of--key preventative controls:
• Authorization processes establishing suitable procedures for authorizing transactions
• Separation of duties, which means segregating roles to prevent and deter people from circumventing authorization processes
• Effective change management employing detective controls to ensure that all changes go through established authorization processes
• Effective change documentation of all authorized infrastructure change requests, change authorizations, and resulting infrastructure changes
• Documentation of exceptions: unauthorized changes, changes made outside the change management process, and any "ad hoc" configuration fixes
Recovering from Undesired Change
General's technology is uniquely capable of providing not just detailed audit logs of network changes, but more importantly the ability to employ smart automation to recover from unwanted changes.
Based on pre-determined policies and threshold levels, unauthorized directory and server activity can be stopped in its tracks, and reversed through General's automated controls. Examples include:
• Immediate termination of access rights
• Reversal of unauthorized changes to configurations, security settings or files
• Deletion of offending files
• Any other pre-scripted and customizable response
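The detective and documentation controls listed above can be implemented by reconciling what a monitor observes against what the change process approved. The Python below is an added example, not General's code: it labels each constructed observed change as authorized, unauthorized, or a separation-of-duties violation (the ticket's approver also executed it), produces the exception documentation auditors ask for, and builds a reversal plan that restores the previous value of each unauthorized change, the kind of pre-scripted response described in this section. Ticket and event schemas, host names, attribute names and values are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ChangeRequest:
    """An approved change ticket (constructed schema for this example)."""
    ticket: str
    target: str          # host or directory object the ticket covers
    attribute: str       # setting the ticket authorizes changing
    approver: str
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class ObservedChange:
    """A change recorded by a directory or server monitor (constructed schema)."""
    when: datetime
    actor: str
    target: str
    attribute: str
    old: str
    new: str


def find_ticket(change, tickets):
    """Return the ticket that authorizes this change, or None if none applies."""
    for t in tickets:
        if (t.target == change.target and t.attribute == change.attribute
                and t.window_start <= change.when <= t.window_end):
            return t
    return None


def reconcile(observed, tickets):
    """Label each observed change as authorized, sod_violation or unauthorized.

    A change is authorized only if an approved ticket covers the same target and
    attribute and the change fell inside the ticket's window. A ticket whose
    approver also executed the change is flagged as a separation-of-duties
    violation even though a ticket exists.
    """
    results = []
    for c in observed:
        t = find_ticket(c, tickets)
        if t is None:
            status, reason = "unauthorized", "no approved ticket covers this target/attribute at this time"
        elif t.approver == c.actor:
            status, reason = "sod_violation", f"{c.actor} both approved and executed {t.ticket}"
        else:
            status, reason = "authorized", t.ticket
        results.append({"change": c, "status": status, "reason": reason})
    return results


def exception_report(results):
    """Exception documentation: every change that did not go through the process."""
    return [r for r in results if r["status"] != "authorized"]


def reversal_plan(results):
    """Pre-scripted response: restore the previous value of each unauthorized change.

    Separation-of-duties violations are left for human review rather than
    auto-reverted, because an approved ticket does exist for them.
    """
    return [{"target": r["change"].target, "attribute": r["change"].attribute,
             "set_to": r["change"].old}
            for r in results if r["status"] == "unauthorized"]


# Constructed sample data: two approved tickets and four monitored changes.
TICKETS = [
    ChangeRequest("CHG-1001", "fileserver01", "share:finance:acl", "bob",
                  datetime(2004, 3, 1, 22, 0), datetime(2004, 3, 1, 23, 0)),
    ChangeRequest("CHG-1002", "erp01", "service:ledger:account", "carol",
                  datetime(2004, 3, 3, 9, 0), datetime(2004, 3, 3, 12, 0)),
]
OBSERVED = [
    ObservedChange(datetime(2004, 3, 1, 22, 15), "alice", "fileserver01",
                   "share:finance:acl", "Finance-RO", "Finance-RW"),
    ObservedChange(datetime(2004, 3, 2, 3, 40), "svc-backup", "dc01",
                   "group:Domain Admins:members", "bob,carol", "bob,carol,svc-backup"),
    ObservedChange(datetime(2004, 3, 3, 10, 5), "carol", "erp01",
                   "service:ledger:account", "svc-ledger", "LocalSystem"),
    ObservedChange(datetime(2004, 3, 4, 9, 0), "dave", "fileserver01",
                   "share:finance:acl", "Finance-RW", "Everyone-RW"),
]

if __name__ == "__main__":
    res = reconcile(OBSERVED, TICKETS)
    for r in res:
        print(r["status"], r["change"].target, r["change"].attribute, "-", r["reason"])
    print("reversal plan:", reversal_plan(res))
```

Matching on target, attribute and time window is what makes the "change outside the process" exception precise: the fourth change touches the same share as ticket CHG-1001 but three days after its window closed, so it is reported rather than silently accepted.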
IDENTITY MANAGEMENT ADDRESSES "ADEQUATE INTERNAL CONTROLS"
In regard to system security and the control of access to computers and applications, SOA is not explicitly prescriptive. It does not articulate what "adequate internal controls" means or what solutions an organization must implement in order to effect them. However, by again drawing from industry best practices, several inferences can be made. For example, each of the following should be considered components of internal control:
• Access rights in distributed and networked environments should be effectively controlled and managed
• Companies should be able to confirm that only authorized users have access to sensitive information and systems
• Control over access to multi-user information systems should be put in place, including the elimination of multiple user IDs and accounts for individual persons
• The allocation of passwords should be managed and password security policies must be enforced
• Appropriate measures must be taken to prevent unauthorized access to computer system resources and the information held in application systems
• Periodic assessments of access rights and privileges must be performed
Each of these requirements can be specifically addressed by a comprehensive enterprise identity management solution. General's NVIdentity solution provides everything an enterprise needs to securely and efficiently manage identities and their access to sensitive data and systems including:
• Enterprise provisioning
• Password policy enforcement
• Self-service password management
• Directory management
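The periodic assessment of access rights called for above, together with the "only authorized users" and "no multiple accounts per person" points, can be scripted as a review over an account inventory. The Python below is an added example, not NVIdentity or any General code: it joins a constructed account list to a constructed HR roster and role baseline and reports orphaned accounts (owner unknown or no longer active), entitlements beyond what the owner's role allows, dormant accounts that still hold privileged entitlements, and persons holding more than one account. The roster, roles, entitlement names and the 90-day dormancy threshold are all assumptions made for the example.

```python
from datetime import date

# Entitlements treated as privileged for the dormancy check (constructed list).
PRIVILEGED = {"nds_admin", "server_console", "domain_admin"}
DORMANT_AFTER_DAYS = 90  # review threshold, an assumption for this example

# Constructed reference data: HR roster, role-to-entitlement baseline, account inventory.
ROSTER = {
    "p001": {"name": "J. Doe", "role": "staff_accountant", "active": True},
    "p002": {"name": "M. Smith", "role": "netware_admin", "active": True},
    "p003": {"name": "T. Brown", "role": "staff_accountant", "active": False},  # terminated
}
ROLE_BASELINE = {
    "staff_accountant": {"gl_read", "gl_post"},
    "netware_admin": {"nds_admin", "server_console"},
}
ACCOUNTS = [
    {"id": "jdoe", "owner": "p001", "entitlements": {"gl_read", "gl_post"},
     "last_login": date(2004, 2, 20)},
    {"id": "jdoe-adm", "owner": "p001", "entitlements": {"gl_read", "gl_post", "nds_admin"},
     "last_login": date(2003, 10, 1)},
    {"id": "msmith", "owner": "p002", "entitlements": {"nds_admin", "server_console"},
     "last_login": date(2004, 2, 28)},
    {"id": "tbrown", "owner": "p003", "entitlements": {"gl_read"},
     "last_login": date(2004, 1, 15)},
    {"id": "svc-ledger", "owner": "p999", "entitlements": {"gl_post"},
     "last_login": date(2004, 2, 29)},
]


def review_access(accounts, roster, baseline, review_date):
    """Return a list of findings, each {"subject", "finding", "detail"}."""
    findings = []
    owners = {}  # person id -> account ids, for the multiple-accounts check
    for a in accounts:
        person = roster.get(a["owner"])
        if person is None or not person["active"]:
            why = "owner not in HR roster" if person is None else "owner no longer active"
            findings.append({"subject": a["id"], "finding": "orphaned", "detail": why})
            continue  # no role to compare against; the account itself is the finding
        owners.setdefault(a["owner"], []).append(a["id"])
        # Entitlements the owner's role does not justify.
        excess = a["entitlements"] - baseline.get(person["role"], set())
        if excess:
            findings.append({"subject": a["id"], "finding": "excess_entitlements",
                             "detail": ", ".join(sorted(excess))})
        # Privileged access that nobody has used recently is a standing exposure.
        idle = (review_date - a["last_login"]).days
        if a["entitlements"] & PRIVILEGED and idle > DORMANT_AFTER_DAYS:
            findings.append({"subject": a["id"], "finding": "dormant_privileged",
                             "detail": f"{idle} days since last login"})
    for pid, ids in owners.items():
        if len(ids) > 1:
            findings.append({"subject": pid, "finding": "multiple_accounts",
                             "detail": ", ".join(ids)})
    return findings


def summarize(findings):
    """Count findings by type, the figure a reviewer reports per cycle."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    found = review_access(ACCOUNTS, ROSTER, ROLE_BASELINE, date(2004, 3, 1))
    for f in found:
        print(f"{f['finding']:20} {f['subject']:12} {f['detail']}")
    print(summarize(found))
```

Running the review on a fixed date rather than `date.today()` keeps each cycle's report reproducible, which matters when the output is the evidence an auditor later re-examines.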
POLICY-BASED SECURITY MANAGEMENT
Policy-based security management leverages policies to improve protection. It is an ongoing business process; a continuous life-cycle with four key phases resulting in a mature policy management process that can be automated, and is repeatable and measurable.
[Figure: Policy Management Lifecycle. Four Phases for Proactive Security Policy Management: Establish (or Enhance), Educate, Evaluate, Enforce.]
Establish Policies and Standards
Organizations need the capability to establish policies that drive efficiency and limit risk. While many organizations establish policies, they often fail to translate security configuration policies into actionable standards, leaving a significant gap between policies and action. Important security policies to have in almost any organization include, but are not limited to acceptable use policies governing allowable and disallowable activities on the corporate network; information classification policies describing how to classify and handle sensitive company information; and security standards specifying acceptable configuration and maintenance procedures for critical platforms.
Educate Workers
Organizations need to communicate policies and standards to the people responsible for enforcing and complying with them. Once communicated, it is important to certify that users understand and accept the policies that govern them. The process should be able to educate workers on a large scale, without overwhelming each worker with content. Keys to success include making policies role-specific: a staff accountant should read a different set of policies than a NetWare administrator, although there may be some overlap.
Evaluate Compliance
Organizations need to assess compliance with security policies for both people and technology. All personnel must read and agree to abide by the security policies and standards that apply to them. This especially includes those responsible for implementing and maintaining security.
Technologies, in turn, must be routinely evaluated and monitored for compliance with corporate security policies and standards. Compliance assessment is used to evaluate current effectiveness and may lead to changes or improvements in the procedures that help to enforce policies.
Enforce Policies and Standards
Organizations need to enforce policies for both people and technology. People's behavior must be monitored and, in some cases, restricted by controlling activity on network resources, to ensure users are not violating acceptable use, information classification and handling, and other policies. These measures also mitigate many of the well-known vulnerabilities associated with dangerous human behavior. Technology enforcement focuses on technical security settings on key platforms such as Windows, Unix/Linux and NetWare.
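Technology enforcement means turning a written standard into checks that run against a host, closing the policy-to-action gap the Establish phase describes. The Python below is an added example, not a General product or any real platform's checker: it evaluates a constructed snapshot of one Windows file server against a small technical standard, ties each rule to the policy statement it makes actionable, and flags the configuration flaws discussed under Managing Vulnerabilities (services running with full system privileges, unnecessary services, shares writable by Everyone, missing patches). The snapshot fields, rule identifiers, thresholds, service lists and the placeholder patch name are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed reference lists used by the checks below.
UNNECESSARY_SERVICES = {"telnet", "ftp", "rsh"}
PRIVILEGED_SERVICE_ACCOUNTS = {"LocalSystem", "root"}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    policy: str                                   # policy statement this rule makes actionable
    description: str
    check: Callable[[dict], Tuple[bool, str]]     # returns (passed, evidence)


def min_password_length(snap):
    n = snap["password_policy"]["min_length"]
    return n >= 8, f"min_length={n}"


def max_password_age(snap):
    d = snap["password_policy"]["max_age_days"]
    return d <= 90, f"max_age_days={d}"


def guest_disabled(snap):
    return not snap["guest_enabled"], f"guest_enabled={snap['guest_enabled']}"


def no_unnecessary_services(snap):
    bad = sorted(s["name"] for s in snap["services"]
                 if s["running"] and s["name"] in UNNECESSARY_SERVICES)
    return not bad, ("running: " + ", ".join(bad)) if bad else "none running"


def no_privileged_services(snap):
    # A service running as LocalSystem/root turns any flaw in it into full host compromise.
    bad = sorted(s["name"] for s in snap["services"]
                 if s["running"] and s["account"] in PRIVILEGED_SERVICE_ACCOUNTS)
    return not bad, ("privileged: " + ", ".join(bad)) if bad else "all services use dedicated accounts"


def shares_limit_everyone(snap):
    bad = sorted(s["path"] for s in snap["shares"] if s["everyone"] not in ("none", "read"))
    return not bad, ("Everyone writable: " + ", ".join(bad)) if bad else "no share grants Everyone write"


def no_missing_patches(snap):
    missing = snap["missing_patches"]
    return not missing, ("missing: " + ", ".join(missing)) if missing else "fully patched"


# The technical standard: each rule names the policy it operationalizes.
STANDARD = [
    Rule("PWD-01", "Asset Protection Policy", "passwords are at least 8 characters", min_password_length),
    Rule("PWD-02", "Asset Protection Policy", "passwords expire within 90 days", max_password_age),
    Rule("ACC-01", "Asset Protection Policy", "guest account is disabled", guest_disabled),
    Rule("SVC-01", "Asset Protection Policy", "no unnecessary network services run", no_unnecessary_services),
    Rule("SVC-02", "Asset Protection Policy", "services do not run with full system privileges", no_privileged_services),
    Rule("SHR-01", "Information Classification Policy", "shares grant Everyone no more than read", shares_limit_everyone),
    Rule("PTC-01", "Asset Protection Policy", "no required patches are missing", no_missing_patches),
]

HOST_SNAPSHOT = {  # constructed snapshot of one Windows file server
    "hostname": "fileserver01",
    "password_policy": {"min_length": 6, "max_age_days": 60},
    "guest_enabled": True,
    "services": [
        {"name": "ledger-agent", "account": "LocalSystem", "running": True},
        {"name": "telnet", "account": "LocalSystem", "running": True},
        {"name": "backup", "account": "svc-backup", "running": True},
    ],
    "shares": [
        {"path": r"\\fileserver01\finance", "everyone": "none"},
        {"path": r"\\fileserver01\public", "everyone": "read"},
    ],
    "missing_patches": ["PATCH-PLACEHOLDER-1"],  # placeholder, not a real patch id
}


def evaluate(snapshot, rules=STANDARD):
    """Run every rule and keep the evidence so the result is auditable."""
    results = []
    for r in rules:
        passed, evidence = r.check(snapshot)
        results.append({"rule": r.rule_id, "policy": r.policy, "passed": passed, "evidence": evidence})
    return results


def failed_rules(results):
    return sorted(r["rule"] for r in results if not r["passed"])


def compliance_score(results):
    return sum(1 for r in results if r["passed"]) / len(results)


if __name__ == "__main__":
    res = evaluate(HOST_SNAPSHOT)
    for r in res:
        print("PASS" if r["passed"] else "FAIL", r["rule"], r["policy"], "-", r["evidence"])
    print(f"compliance: {compliance_score(res):.0%}")
```

Recording the evidence string alongside each pass/fail, rather than only the verdict, is what lets an auditor later confirm the assessment against the host's state at the time.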
GENERAL SECURITY ADMINISTRATION FRAMEWORK POLICY-BASED SECURITY MANAGEMENT SOLUTIONS
General's policy-driven security management solution increases efficiency and reduces risk by implementing and managing security policies and standards through all four phases of the Policy Management Lifecycle: establishment, education, evaluation and enforcement. General provides four primary product groups that help fulfill the policy management lifecycle. The table below illustrates how each of the General products fits within the Policy Lifecycle and positions them according to the key policy deliverable necessary to assure proactive and practical enforcement across the enterprise.
| Policy Lifecycle Stage | Key Deliverable: Acceptable Use of Network Resources (Human Behavior) | Key Deliverable: Technical Security Standards (Systems Behavior) |
| --- | --- | --- |
| Establish | NVPolicy Resource Center | NVPolicy Resource Center, NVMonitor |
| Evaluate | NVPolicy Resource Center, NVMonitor | NVPolicy Resource Center |
| Enforce | NVMonitor, NVAssess, NVIdentity | NVMonitor, NVAssess |
Together NVPolicy Resource Center, NVAssess, NVMonitor, and NVIdentity improve efficiency and reduce risk by enabling security professionals to quickly measure the effectiveness of existing policies and enforcement and identify trends and issues that may need attention or further action.
CONCLUSION
With the passing of the Sarbanes-Oxley Act, the government has issued a call to action for corporate America. Consequences for non-compliance are far too serious to ignore the mandate. General acknowledges there is no single turnkey "solution" to a challenge that continues to be redefined and is threaded within the deepest inner workings of the enterprise. However, General is leading the way in helping companies address the issue with proactive and practical solutions.
Additionally, companies should acknowledge that while Sarbanes-Oxley is an incentive to improve the quality of overall business practices and processes, the same security management foundation that can help an organization meet regulatory requirements today can provide the agility to respond to challenges and seize opportunities--outside the regulatory realm--far into the future.