The Challenges—and Myths—
of Sarbanes-Oxley Compliance
Meeting the requirements of regulatory legislation on the iSeries.
www.bytware.com
Enron. WorldCom. Tyco. These are all names that immediately bring to mind corruption, and following the accounting scandals that ushered in this decade the Government and Congress set out to do something about the problem. The solution was the passing in 2002 of the Public Company Accounting Reform and Investor Protection Act, better known as Sarbanes-Oxley (SOX). The goal of the Act is to hold publicly traded companies accountable for corporate financial reporting and governance. With deadlines to begin certification of the adequacy of internal accounting controls starting as early as November 15, 2004, companies are scrambling to comply with a rather lengthy and vague set of regulations. Meanwhile, software vendors are rushing to the table with promises of simple compliance through technology.
The Myth of One-Click Compliance
There's a lot being thrown around about how specific software applications can make a company SOX-compliant. In reality, the majority of the Act deals with procedural and cultural practices that ensure the integrity, accuracy, and security of corporate records. Most of the buzz centers on Section 404: Management Assessment of Internal Controls. It is this section that large publicly traded companies ($75 million+ market cap) must comply with before the November 15, 2004 deadline (extended from the original June 15 deadline). Smaller companies, those with a market cap below $75 million, have until June 15, 2005 to comply.
The overall spirit of the Act is one of increased security and integrity, placing the interests of stockholders ahead of executives. Despite the fact that much of the Act is vague, promises of "one-click compliance" abound. The fact of the matter is that the needs of each organization are different and there is no one solution to ensure compliance. Regardless of the claims of some vendors, software solutions are merely tools to assist with the implementation of sound internal procedures arrived at through planning, scoping, documenting, and analyzing. Software solutions cannot provide take-two-and-call-me-in-the-morning cures for inadequate processes and a lax corporate atmosphere.
Already have the Basic Tools?
For companies who rely on the iSeries for operations, it may come as a surprise that most of what is needed to comply technologically is already sitting in their computer rooms. IBM's OS/400 comes equipped with tools for securing, monitoring, and logging built right into the operating system. (The exception is virus protection, though enablement for this has been built into the new i5/OS V5R3, allowing easy tie-in to third-party anti-virus tools.) While third-party software packages can build upon OS/400's standard toolkit, and can certainly enhance an operator's capabilities, none of these packages are critical for compliance with SOX. Vendors who claim otherwise are not being straightforward with customers.
Built-in Security
The iSeries provides excellent object-level security features to control access to resources: who can read a particular file, for example. These security features are built into every iSeries system, whether you use them or not. Contrary to some vendor claims, the iSeries can provide field-level security as well. You may need tools to supplement the iSeries security, such as restricting access during certain time periods, or allowing users to read a particular file but not to download it. Take the time to learn what you have, and how it can be used for your organization, before investing in tools that add little to what is already available to you.
Built-in Logging
Also provided with the iSeries are excellent logging facilities to track the activity occurring on the system: the System History Log, Message Queues, and Journals, to name a few. Many activities are automatically logged, such as when particular users sign on and off, and you can enable additional logging for many other types of activities as well. These logs provide detailed accountability for what is occurring on the iSeries. They can be monitored proactively to identify potential problems, or post-mortem to trace a particular problem.
Executives and managers who fail to ensure that adequate measures are in place to meet the requirements of SOX could be held legally responsible.
Built-in Monitoring
Lastly, in the area of monitoring, the iSeries provides good tools for keeping tabs on the health and status of your system, including security-related events. iSeries Navigator can monitor messages and logs for specific events and notify an administrator when a particular condition occurs. Depending on your needs, you may want to supplement the iSeries monitoring tools to provide additional features, such as problem escalation, or scheduling of specific types of alerts to different groups of people.
Five Steps to Compliance
An article entitled "Sarbanes-Oxley: Road to Compliance" that ran on the eWeek website (www.eweek.com) on February 16, 2004, breaks down compliance with SOX into five steps:
1. Planning
Form a compliance committee and select software to assist in the compliance process.
2. Scoping
Determine what information needs to be documented and is material to company.
3. Documentation
Document business processes and the controls in place to ensure accurate information.
4. Gap Analysis
Identify and remediate inadequate controls.
5. Implementation, Evaluation, & Monitoring Controls
Document and update controls as needed, then turn them over to the audit team, which evaluates the depth and effectiveness of the controls. Develop an ongoing process for monitoring controls.
How Can Bytware Solutions Help?
First of all, it is important again to understand that software solutions are tools, not cures. Bytware offers several applications that can assist in compliance with SOX once a company has put a framework into place. Independent auditing firms have been relying upon a set of guidelines called "The Control Objectives for Information and Related Technology", better known simply as COBIT, first published by ISACA in 1996. On the following pages is a list of specific objectives and the Bytware product(s) that can assist.
Following the five steps can create an atmosphere that is suited to SOX compliance. Pulling in the technology that is built into your iSeries can build the foundation, and then third-party applications can take that infrastructure to the next level.
COBIT Objectives for SOX Compliance
Many of these objectives have been paraphrased. The complete COBIT objectives are available for free online from the IT Governance Institute at: www.usmd.edu/Leadership/USMOffice/AdminFinance/IAO/is/cobit-control-guidelines.pdf.
PO9: PLANNING AND ORGANIZATION Assess Risk
PO9.2: Risk Assessment Approach
This objective calls upon Management to establish a general risk assessment approach, defining boundaries and methodologies with regard to security risk and vulnerabilities. It directs Management and security specialists to identify vulnerabilities and IT specialists to identify tools with which to control the vulnerabilities.
StandGuard can help.
You can use StandGuard's ability to identify and log access to sensitive files and libraries through unusual means or during unusual times. Once you have identified these sources, you can create rules and filters to allow or reject these types of activity.
AI3: ACQUISITION AND IMPLEMENTATION Acquire and Maintain Technology Infrastructure
AI3.7: Use and Monitoring of System Utilities
This objective calls for policies and techniques to be implemented for using, monitoring, and evaluating the use of system utilities. Responsibilities for using sensitive software utilities should be clearly defined and understood by developers, and the use of the utilities should be monitored and logged.
Messenger and StandGuard can help.
You can use either MessengerConsole or MessengerPlus to monitor the OS/400 and iSeries security audit journals for usage of software utilities and commands and log these events to a message queue or e-mail log.
You can use StandGuard to monitor and log the use of certain OS/400 and iSeries commands and values, such as PWRDWNSYS RESTART(*NO), for example.
DS5: DELIVERY AND SUPPORT Ensure Systems Security
DS5.1: Manage Security Measures
This objective states that IT security should be managed such that security measures are in line with business requirements, including:
• Implementing the IT security plan.
• Monitoring the implementation of the IT security plan.
StandGuard and Messenger can help.
You can use StandGuard to define rules that log and control access to company data through network services such as FTP and ODBC.
You can use Messenger to monitor StandGuard's rules and notify IT personnel of exceptions. Messenger's Audit Journal Monitor can look for possible intrusions and notify IT personnel.
DS5.2: Identification, Authentication, and Access
This objective specifies that the logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication, and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections, and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple logins. Procedures should also be in place to keep authentication and access mechanisms effective (e.g. regular password changes).
StandGuard can help.
You can use StandGuard to create access rules and filters to log and prevent access to company data through unauthorized entry points. For example, "do not allow Telnet access if the IP address is outside the defined range or time period."
DS5.3: Security of Online Access to Data
This objective states that, in an online IT environment, IT management should implement procedures in line with the security policy that provide access security control based on the individual's demonstrated need to view, add, change, and delete data.
StandGuard can help.
You can use StandGuard to define rules and filters to log and control access to company data via network services such as FTP and ODBC, and further define the types of allowed access: Add, Change, or Delete, for example.
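To show what the rules described under DS5.2 and DS5.3 look like in working form, here is an added example in Python. It is not Bytware's, IBM's or StandGuard's code and does not claim to reproduce how StandGuard implements its exit-point rules; the event field names, rule names, IP ranges and sample events are all constructed for this page. The evaluator denies by default, permits a network service only from a defined IP range during a defined time period (optionally limited to certain operations such as Read, Add, Change or Delete), and writes an audit record for every decision, allowed or rejected, so the log shows normal use as well as the exceptions. The overnight window that wraps past midnight is the edge case a nightly batch rule has to handle.

```python
"""Deny-by-default access rules over constructed network-entry events.

Added example: not Bytware's, IBM's or StandGuard's code. Field names,
rule names and the sample events are all constructed for this page.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One attempt to reach the system through a network entry point."""
    user: str
    service: str            # TELNET, FTP, ODBC ... (constructed labels)
    client_ip: str
    at: time                # local time of the attempt
    operation: str = "SIGNON"
    obj: str = ""           # target object, e.g. "PAYLIB/PAYROLL"


@dataclass(frozen=True)
class Rule:
    """Permit `service` from `networks` during [start, end] (wrapping past
    midnight when start > end), optionally limited to `operations`."""
    name: str
    service: str
    networks: Tuple[str, ...]
    start: time
    end: time
    operations: Optional[frozenset] = None   # None means any operation

    def in_window(self, at: time) -> bool:
        if self.start <= self.end:
            return self.start <= at <= self.end
        return at >= self.start or at <= self.end   # e.g. 22:00-06:00

    def in_network(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(n) for n in self.networks)

    def why_denied(self, ev: AccessEvent) -> Optional[str]:
        """None when the rule permits the event, otherwise the failing condition."""
        if not self.in_network(ev.client_ip):
            return "ip outside allowed range"
        if not self.in_window(ev.at):
            return "outside allowed time period"
        if self.operations is not None and ev.operation not in self.operations:
            return f"operation {ev.operation} not permitted"
        return None


@dataclass(frozen=True)
class AuditRecord:
    event: AccessEvent
    allowed: bool
    reason: str


def evaluate(events, rules) -> List[AuditRecord]:
    """Deny by default: an event is allowed only if a rule for its service permits it.
    Allowed and rejected attempts are both recorded."""
    records = []
    for ev in events:
        applicable = [r for r in rules if r.service == ev.service]
        if not applicable:
            records.append(AuditRecord(ev, False, "no rule defined for service"))
            continue
        reasons = []
        for rule in applicable:
            why = rule.why_denied(ev)
            if why is None:
                records.append(AuditRecord(ev, True, f"permitted by {rule.name}"))
                break
            reasons.append(f"{rule.name}: {why}")
        else:
            records.append(AuditRecord(ev, False, "; ".join(reasons)))
    return records


def rejected(records: List[AuditRecord]) -> List[AuditRecord]:
    """The subset worth alerting on."""
    return [r for r in records if not r.allowed]


# Constructed policy: office Telnet by day, read-only ODBC for the overnight batch user.
RULES = (
    Rule("telnet-office", "TELNET", ("10.1.0.0/16",), time(8, 0), time(18, 0)),
    Rule("odbc-batch", "ODBC", ("10.1.50.0/24",), time(22, 0), time(6, 0),
         frozenset({"READ"})),
)

# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = (
    AccessEvent("ALICE", "TELNET", "10.1.2.3", time(9, 30)),
    AccessEvent("BOB", "TELNET", "203.0.113.7", time(9, 30)),
    AccessEvent("ALICE", "TELNET", "10.1.2.3", time(23, 10)),
    AccessEvent("ETL", "ODBC", "10.1.50.9", time(2, 0), "READ", "PAYLIB/PAYROLL"),
    AccessEvent("ETL", "ODBC", "10.1.50.9", time(2, 0), "DELETE", "PAYLIB/PAYROLL"),
    AccessEvent("CAROL", "FTP", "10.1.2.3", time(10, 0), "READ", "PAYLIB/PAYROLL"),
)

if __name__ == "__main__":
    for rec in evaluate(SAMPLE_EVENTS, RULES):
        verdict = "ALLOW " if rec.allowed else "REJECT"
        print(f"{verdict} {rec.event.user:6} {rec.event.service:6} "
              f"{rec.event.client_ip:15} {rec.event.at:%H:%M} {rec.reason}")
```

Two of the six constructed attempts are permitted; the other four are rejected with the reason recorded (address outside the range, outside the time period, an operation the rule does not permit, and a service with no rule at all). Rejecting when no rule exists is the deliberate choice here: an entry point nobody has thought about is the one an auditor will ask about.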
DS5.5: Management Review of User Accounts
This objective specifies that Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.
StandGuard’s User List can help.
You can use StandGuard's rules and filters reports to show the resources users can access through network services. StandGuard's usage information can show the usage frequency of these filters to determine policy effectiveness. Review the public usage information to verify that you are within compliance standards.
DS5.7: Security Surveillance
This objective states that IT security administration should ensure that security activity is logged and any indication of imminent security violation is reported immediately to all who may be concerned, internally and externally, and is acted upon in a timely manner.
StandGuard and Messenger can help.
You can use StandGuard to log access to critical system files via network services, and Messenger can be used to alert personnel to StandGuard's warnings about unauthorized or unexpected access.
DS5.10: Violation and Security Activity Reports
This objective states that IT security administration should ensure that violation and security activity is logged, reported, reviewed, and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. Logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege, or need-to-know.
StandGuard and MessengerConsole can help.
You can use StandGuard to log security violations through network services, and extract data from the system security audit journal. Messenger can in turn monitor these events and notify and escalate security violations to the appropriate personnel.
DS5.17: Protection of Security Functions
This objective directs that all security-related hardware and software should at all times be protected against tampering to maintain their integrity and against disclosure of secret keys. In addition, organizations should keep a low profile about their security design, but should not base their security on the design being secret.
StandGuard and StandGuard Anti-Virus can help.
You can use StandGuard to secure files from being inappropriately updated or deleted via network services. Additionally, StandGuard Anti-Virus can detect, prevent, and remove viruses and malicious code.
DS5.19: Malicious Software Prevention, Detection, and Correction
This objective states that, regarding malicious software, such as computer viruses or Trojan horses, management should establish a framework of adequate preventative, detective, and corrective control measures, and occurrence response and reporting. Business and IT management should ensure that procedures are established across the organization to protect information systems and technology from computer viruses. Procedures should incorporate virus protection, detection, occurrence response, and reporting.
StandGuard and StandGuard Anti-Virus can help.
You can use StandGuard to secure files from being inappropriately updated or deleted via network services. Additionally, StandGuard Anti-Virus can detect, prevent, and remove viruses and malicious code.
DS9: DELIVERY AND SUPPORT Manage the Configuration
DS9.5: Unauthorized Software
This objective specifies that clear policies restricting the use of personal and unlicensed software should be developed and enforced. The organization should use virus detection and remedy software. Business and IT management should periodically check the organization's personal computers for unauthorized software. Compliance with the requirements of software and hardware license agreements should be reviewed on a periodic basis.
StandGuard Anti-Virus can help.
You can use StandGuard Anti-Virus to detect, prevent, and remove viruses and malicious code.
DS10: DELIVERY AND SUPPORT Manage Problems and Incidents
DS10.1: Problem Management System
This objective calls upon IT management to define and implement a problem management system to ensure that all operational events which are not part of the standard operation (incidents, problems, and errors) are recorded, analyzed, and resolved in a timely manner. Emergency program change procedures should be promptly tested, documented, approved, and reported. Incident reports should be established in the case of significant problems.
MessengerConsole and MessengerPlus can help.
You can use Messenger to monitor for errors and abnormal conditions and alert operations staff automatically.
DS10.2: Problem Escalation
This objective states that IT management should define and implement a problem escalation procedure to ensure that identified problems are solved in the most efficient way on a timely basis. These procedures should ensure that priorities are appropriately set. The procedures should also document the escalation process for the activation of the IT continuity plan.
MessengerConsole and MessengerPlus can help.
You can use Messenger to escalate event notification to backup personnel or management when critical events have exceeded their defined time limit tolerances.
DS10.3: Problem Tracking and Audit Trail
This objective calls for a problem management system that provides for adequate audit trail facilities that allow tracing from incident to underlying cause (e.g. package release or urgent change implementation) and back. It should work closely with change management, availability management, and configuration management.
MessengerConsole and MessengerPlus can help.
You can use Messenger's ability to track event history, including time of creation, replies, commands, notifications, escalations, and acknowledgments.
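The escalation on a time-limit tolerance described under DS10.2 and the per-event audit trail described under DS10.3 are easier to reason about with a small working model, so here is an added example in Python. It is not Messenger's code; the contact names, the 15-minute tolerance, the event text and the integer minute clock are all constructed for this page. Each new event is notified to the first contact in a chain; every clock tick moves any event that is still unacknowledged after the tolerance on to the next contact; and each creation, notification, escalation and acknowledgment is appended to that event's own history, which is what an auditor tracing an incident back to its handling would read.

```python
"""Time-limit escalation with per-event history.

Added example: not Bytware's Messenger code. Contact names, tolerance and
the sample events are constructed; the clock is an integer minute counter.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    chain: Tuple[str, ...]      # contacts in escalation order
    tolerance_minutes: int      # time allowed for an acknowledgment at each level


@dataclass
class Event:
    ident: str
    text: str
    level: int = 0                          # index into Policy.chain
    last_notified_at: int = 0
    acknowledged_by: Optional[str] = None
    history: List[str] = field(default_factory=list)

    def log(self, when: int, what: str) -> None:
        self.history.append(f"t+{when:03d} {what}")


class Monitor:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.events: Dict[str, Event] = {}

    def raise_event(self, ident: str, text: str, now: int) -> Event:
        ev = Event(ident, text)
        ev.log(now, f"created: {text}")
        self.events[ident] = ev
        self._notify(ev, now)
        return ev

    def _notify(self, ev: Event, now: int) -> None:
        ev.last_notified_at = now
        ev.log(now, f"notified {self.policy.chain[ev.level]}")

    def acknowledge(self, ident: str, who: str, now: int) -> None:
        ev = self.events[ident]
        ev.acknowledged_by = who
        ev.log(now, f"acknowledged by {who}")

    def tick(self, now: int) -> List[str]:
        """Advance the clock. Unacknowledged events whose tolerance has elapsed
        since the last notification move to the next contact; returns the
        identifiers escalated on this tick."""
        escalated = []
        for ev in self.events.values():
            if ev.acknowledged_by is not None:
                continue
            if now - ev.last_notified_at < self.policy.tolerance_minutes:
                continue
            if ev.level + 1 >= len(self.policy.chain):
                continue            # top of chain: stays with the last contact
            ev.level += 1
            ev.log(now, f"escalated to {self.policy.chain[ev.level]}")
            self._notify(ev, now)
            escalated.append(ev.ident)
        return escalated


def run_scenario() -> Tuple[Monitor, List[List[str]]]:
    """Constructed timeline: one event is acknowledged promptly, the other is not."""
    m = Monitor(Policy(("ops-oncall", "ops-backup", "it-manager"), tolerance_minutes=15))
    m.raise_event("MSGQ-001", "Job PAYROLL ended abnormally (MSGW)", now=0)
    m.raise_event("MSGQ-002", "Disk unit 3 at 92% capacity", now=0)
    m.acknowledge("MSGQ-002", "ops-oncall", now=5)
    ticks = [m.tick(10), m.tick(15), m.tick(30)]
    m.acknowledge("MSGQ-001", "it-manager", now=32)
    ticks.append(m.tick(50))
    return m, ticks


if __name__ == "__main__":
    monitor, _ = run_scenario()
    for ev in monitor.events.values():
        print(ev.ident)
        for line in ev.history:
            print("  ", line)
```

In the constructed timeline the disk event is acknowledged by the on-call operator within five minutes and never escalates, while the job failure goes unacknowledged, is pushed to the backup operator at 15 minutes and to the manager at 30, and is finally acknowledged by the manager. The tolerance is measured from the most recent notification rather than from creation, so each contact in the chain gets the full window.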