
The Challenges—and Myths—of Sarbanes-Oxley Compliance

Meeting the requirements of regulatory legislation on the iSeries.

www.bytware.com

Enron. WorldCom. Tyco. These are all names that immediately bring to mind corruption, and following the accounting scandals that ushered in this decade the Government and Congress set out to do something about the problem. The solution was the passing in 2002 of the Public Company Accounting Reform and Investor Act—better known as Sarbanes-Oxley (SOX). The goal of the Act is to hold publicly traded companies accountable for corporate financial reporting and governance. With deadlines to begin certification of the adequacy of internal accounting controls starting as early as November 15, 2004, companies are scrambling to comply with a rather lengthy and vague set of regulations. Meanwhile, software vendors are rushing to the table with promises of simple compliance through technology.

The Myth of One-Click Compliance

There’s a lot being thrown around about how specific software applications can make a company SOX-compliant. In reality, the majority of the Act deals with procedural and cultural practices that ensure the integrity, accuracy, and security of corporate records. Most of the buzz centers on Section 404: Management Assessment of Internal Controls. It is this section that large publicly traded companies ($75 million+ cap) must comply with before the November 15 deadline (extended from the original June 15 deadline). Smaller companies—those with a cap below $75 million—have until June 15, 2005 to comply.

The overall spirit of the Act is one of increased security and integrity, placing the interests of stockholders ahead of executives. Despite the fact that much of the Act is vague, promises of “one-click compliance” abound. The fact of the matter is that the needs of each organization are different and there is no one solution to ensure compliance. Regardless of the claims of some vendors, software solutions are merely tools to assist with the implementation of sound internal procedures arrived at through planning, scoping, documenting, and analyzing. Software solutions cannot provide take-two-and-call-me-in-the-morning cures for inadequate processes and a lax corporate atmosphere.

Already have the Basic Tools?

For companies who rely on the iSeries for operations, it may come as a surprise that most of what is needed to comply technologically is already sitting in their computer rooms. IBM’s OS/400 comes equipped with tools for securing, monitoring, and logging built right into the operating system. (The exception is virus protection, though enablement for this has been built into the new i5/OS V5R3, allowing easy tie-in to a third-party anti-virus tool.) While third-party software packages can build upon OS/400’s standard toolkit, and can certainly enhance an operator’s capabilities, none of these packages are critical for compliance with SOX. Vendors who claim otherwise are not being straightforward with customers.

Built-in Security

The iSeries provides excellent object-level security features to control access to resources—who can read a particular file, for example. These security features are built into every iSeries system, whether you use them or not. Contrary to some vendor claims, the iSeries can provide field-level security as well. You may need tools to supplement the iSeries security, such as restricting access during certain time periods, or allowing users to read a particular file but not to download it. Take the time to learn what you have, and how it can be used for your organization, before investing in tools that add little to what is already available to you.

Built-in Logging

Also provided with the iSeries are excellent logging facilities to track the activity occurring on the system—the System History Log, Message Queues, and Journals, just to name a few. Many activities are automatically logged, such as when particular users sign on and off, and you can enable additional logging for many other types of activities as well. These logs provide detailed accountability for what is occurring on the iSeries. They can be monitored proactively to identify potential problems, or post-mortem to trace a particular problem.

Executives and managers who fail to ensure that adequate measures are in place to meet the requirements of SOX could be held legally responsible.

Built-in Monitoring

Lastly, in the area of monitoring, the iSeries provides good tools for keeping tabs on the health and status of your system—including security-related events. iSeries Navigator can monitor messages and logs for specific events and notify an administrator when a particular condition occurs. Depending on your needs, you may want to supplement the iSeries monitoring tools to provide additional features, such as problem escalation, or scheduling of specific types of alerts to different groups of people.

Five Steps to Compliance

An article entitled “Sarbanes-Oxley: Road to Compliance” that ran on the eWeek website (www.eweek.com) on February 16, 2004, breaks down compliance with SOX into five steps:

1. Planning

Form a compliance committee and select software to assist in the compliance process.

2. Scoping

Determine what information needs to be documented and is material to the company.

3. Documentation

Document business processes and the controls in place to ensure accurate information.

4. Gap Analysis

Identify and remediate inadequate controls.

5. Implementation, Evaluation, & Monitoring Controls

Document and update controls as needed, then turn them over to the audit team, which evaluates the depth and effectiveness of the controls. Develop an ongoing process for monitoring controls.

How Can Bytware Solutions Help?

First of all, it is important again to understand that software solutions are tools, not cures. Bytware offers several applications that can assist in compliance with SOX once a company has put a framework into place. Independent auditing firms have been relying upon a set of guidelines from 1992 called “The Control Objectives for Information and Related Technology”, better known simply as COBIT. On the following pages is a list of specific objectives and the Bytware product(s) that can assist.

Following the five steps can create an atmosphere that is suited to SOX compliance. Pulling in the technology that is built into your iSeries can build the foundation—and then third-party applications can take that infrastructure to the next level.


COBIT Objectives for SOX Compliance

Many of these objectives have been paraphrased. The complete COBIT objectives are available for free online from the IT Governance Institute at: www.usmd.edu/Leadership/USMOffice/AdminFinance/IAO/is/cobit-control-guidelines.pdf.

PO9: PLANNING AND ORGANIZATION Assess Risk

PO9.2: Risk Assessment Approach

This objective calls upon Management to establish a general risk assessment approach, defining boundaries and methodologies with regard to security risk and vulnerabilities. It directs Management and security specialists to identify vulnerabilities and IT specialists to identify tools with which to control the vulnerabilities.

StandGuard can help.

You can use StandGuard’s ability to identify and log access to sensitive files and libraries through unusual means or during unusual times. Once you have identified these sources, you can create rules and filters to allow or reject these types of activity.

AI3: ACQUISITION AND IMPLEMENTATION Acquire and Maintain Technology Infrastructure

AI3.7: Use and Monitoring of System Utilities

This objective calls for policies and techniques to be implemented for using, monitoring, and evaluating the use of system utilities. Responsibilities for using sensitive software utilities should be clearly defined and understood by developers, and the use of the utilities should be monitored and logged.

Messenger and StandGuard can help.

You can use either MessengerConsole or MessengerPlus to monitor the OS/400 and iSeries security audit journals for usage of software utilities and commands, and log these events to a message queue or e-mail log.

You can use StandGuard to monitor and log the use of certain OS/400 and iSeries commands and parameter values, such as PWRDWNSYS RESTART(*NO), for example.

DS5: DELIVERY AND SUPPORT Ensure Systems Security

DS5.1: Manage Security Measures

This objective states that IT security should be managed such that security measures are in line with business requirements, including:

• Implementing the IT security plan.

• Monitoring the implementation of the IT security plan.

StandGuard and Messenger can help.

You can use StandGuard to define rules that log and control access to company data through network services such as FTP and ODBC.

You can use Messenger to monitor StandGuard’s rules and notify IT personnel of exceptions. Messenger’s Audit Journal Monitor can look for possible intrusions and notify IT personnel.

DS5.2: Identification, Authentication, and Access

This objective specifies that the logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication, and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections, and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple logins. Procedures should also be in place to keep authentication and access mechanisms effective (e.g. regular password changes).

StandGuard can help.

You can use StandGuard to create access rules and filters to log and prevent access to company data through unauthorized entry points. For example, “do not allow Telnet access if the IP address is outside the defined range or time period.”

DS5.3: Security of Online Access to Data

This objective states that, in an online IT environment, IT management should implement procedures in line with the security policy that provide access security control based on the individual’s demonstrated need to view, add, change, and delete data.

StandGuard can help.

You can use StandGuard to define rules and filters to log and control access to company data via network services such as FTP and ODBC, and further define the types of allowed access—Add, Change, or Delete, for example.
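The rule shape described under DS5.2 and DS5.3 (a network-service request allowed or rejected by source IP range, time period and operation type, with every rejection logged for a monitor to alert on) is illustrated below in Python. This is constructed example code added here, not StandGuard’s own rule syntax or engine; the addresses, library/file names and rule set are hypothetical.

```python
# Constructed illustration of the DS5.2/DS5.3 access-rule shape; not StandGuard's rule syntax or engine.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    service: str            # "TELNET", "FTP", "ODBC"
    action: str             # "ALLOW" or "REJECT"
    networks: tuple = ()    # CIDR ranges; empty = any source
    window: tuple = None    # (start, end) local times; None = any time
    operations: tuple = ()  # "READ", "ADD", "CHANGE", "DELETE"; empty = any
@dataclass(frozen=True)
class Request:
    service: str
    source_ip: str
    at: time
    operation: str
    obj: str                # library/file being accessed

def rule_matches(rule, req):
    """A rule applies only when every filter it sets matches the request."""
    if rule.service != req.service:
        return False
    if rule.networks and not any(ip_address(req.source_ip) in ip_network(n) for n in rule.networks):
        return False
    if rule.window and not (rule.window[0] <= req.at <= rule.window[1]):
        return False
    return not rule.operations or req.operation in rule.operations

def evaluate(rules, req, audit):
    """First matching rule decides; no match means REJECT. Rejections are logged for a monitor."""
    decision = next((r.action for r in rules if rule_matches(r, req)), "REJECT")
    if decision == "REJECT":
        audit.append(f"{req.at.isoformat()} {req.service} {req.source_ip} {req.operation} {req.obj} REJECTED")
    return decision

# Constructed rule set (RFC 5737 documentation addresses): Telnet only from the office
# network in business hours; FTP and ODBC may read the payroll file but never modify it.
RULES = [
    Rule("TELNET", "ALLOW", ("192.0.2.0/24",), (time(7, 0), time(19, 0))),
    Rule("FTP", "ALLOW", ("192.0.2.0/24",), None, ("READ",)),
    Rule("ODBC", "ALLOW", ("192.0.2.0/24",), None, ("READ",)),
]

def run_sample():
    """Evaluate constructed connection attempts; returns (decisions, audit log)."""
    audit = []
    attempts = [
        Request("TELNET", "192.0.2.10", time(9, 30), "SIGNON", "QSYS"),
        Request("TELNET", "192.0.2.10", time(23, 15), "SIGNON", "QSYS"),
        Request("TELNET", "198.51.100.7", time(9, 30), "SIGNON", "QSYS"),
        Request("ODBC", "192.0.2.20", time(14, 0), "READ", "PAYLIB/PAYROLL"),
        Request("ODBC", "192.0.2.20", time(14, 0), "DELETE", "PAYLIB/PAYROLL"),
    ]
    return [evaluate(RULES, a, audit) for a in attempts], audit
```

The audit list is the hand-off point: in the arrangement the text describes, the logging product writes such entries and the monitoring product reads them and notifies staff.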

DS5.5: Management Review of User Accounts

This objective specifies that Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.

StandGuard’s User List can help.

You can use StandGuard’s rules and filters reports to show the resources users can access through network services. StandGuard’s usage information can show the usage frequency of these filters to determine policy effectiveness. Review the public usage information to verify that you are within compliance standards.

DS5.7: Security Surveillance

This objective states that IT security administration should ensure that security activity is logged and any indication of imminent security violation is reported immediately to all who may be concerned, internally and externally, and is acted upon in a timely manner.

StandGuard and Messenger can help.

You can use StandGuard to log access to critical system files via network services, and Messenger can be used to alert personnel to StandGuard’s warnings about unauthorized or unexpected access.

DS5.10: Violation and Security Activity Reports

This objective states that IT security administration should ensure that violation and security activity is logged, reported, reviewed, and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. Logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege, or need-to-know.

StandGuard and MessengerConsole can help.

You can use StandGuard to log security violations through network services, and extract data from the system security audit journal. Messenger can in turn monitor these events and notify and escalate security violations to the appropriate personnel.

DS5.17: Protection of Security Functions

This objective directs that all security-related hardware and software should at all times be protected against tampering to maintain their integrity and against disclosure of secret keys. In addition, organizations should keep a low profile about their security design, but should not base their security on the design being secret.

StandGuard and StandGuard Anti-Virus can help.

You can use StandGuard to secure files from being inappropriately updated or deleted via network services. Additionally, StandGuard Anti-Virus can detect, prevent, and remove viruses and malicious code.

DS5.19: Malicious Software Prevention, Detection, and Correction

This objective states that, regarding malicious software such as computer viruses or Trojan horses, management should establish a framework of adequate preventative, detective, and corrective control measures, and occurrence response and reporting. Business and IT management should ensure that procedures are established across the organization to protect information systems and technology from computer viruses. Procedures should incorporate virus protection, detection, occurrence response, and reporting.

StandGuard and StandGuard Anti-Virus can help.

You can use StandGuard to secure files from being inappropriately updated or deleted via network services. Additionally, StandGuard Anti-Virus can detect, prevent, and remove viruses and malicious code.

DS9: DELIVERY AND SUPPORT Manage the Configuration

DS9.5: Unauthorized Software

This objective specifies that clear policies restricting the use of personal and unlicensed software should be developed and enforced. The organization should use virus detection and remedy software. Business and IT management should periodically check the organization’s personal computers for unauthorized software. Compliance with the requirements of software and hardware license agreements should be reviewed on a periodic basis.

StandGuard Anti-Virus can help.

You can use StandGuard Anti-Virus to detect, prevent, and remove viruses and malicious code.

DS10: DELIVERY AND SUPPORT Manage Problems and Incidents

DS10.1: Problem Management System

This objective calls upon IT management to define and implement a problem management system to ensure that all operational events which are not part of the standard operation (incidents, problems, and errors) are recorded, analyzed, and resolved in a timely manner. Emergency program change procedures should be promptly tested, documented, approved, and reported. Incident reports should be established in the case of significant problems.

MessengerConsole and MessengerPlus can help.

You can use Messenger to monitor for errors and abnormal conditions and alert operations staff automatically.

DS10.2: Problem Escalation

This objective states that IT management should define and implement problem escalation procedures to ensure that identified problems are solved in the most efficient way on a timely basis. These procedures should ensure that priorities are appropriately set. The procedures should also document the escalation process for the activation of the IT continuity plan.

MessengerConsole and MessengerPlus can help.

You can use Messenger to escalate event notification to backup personnel or management when critical events have exceeded their defined time-limit tolerances.

DS10.3: Problem Tracking and Audit Trail

This objective calls for a problem management system that provides adequate audit trail facilities to allow tracing from an incident to its underlying cause (e.g. a package release or urgent change implementation) and back. It should work closely with change management, availability management, and configuration management.

MessengerConsole and MessengerPlus can help.

You can use Messenger’s ability to track event history, including time of creation, replies, commands, notifications, escalations, and acknowledgments.
