
July 22, 2005 - Compliance can be achieved through Organizational Improvements and Effective Process Automation Projects
by Benedict Campbell
With 2005 now past the halfway mark, Sarbanes-Oxley Act audits for many public companies continue to be near the top of the list of business action items and expenses. It is also becoming apparent that companies recognize the value of software automation for ensuring continued compliance; after all, SOX is not a one-time event. Accounting compliance is an ongoing effort that requires controls and management to be documented, refined and tuned over time, throughout an organization.
Sufficient controls over access to information technology systems are required for SOX compliance, but nothing in the law says that software must be used to implement these controls. Sufficient reporting on "who accessed" and "when accessed" will need to be made available. Many firms have chosen to conduct complete system audits to "mine" this data from logs, network and application session files, which provide some portion, if not all, of this information. For the most part these audits have been conducted manually to meet the recent deadlines associated with SOX reporting. The good news about these manual audits is that they have produced the visible process that companies must understand regarding effective controls and the accessibility of business information systems. In some regards, these audits can be referred to as a very thorough "needs analysis". As has always been the case, once a process has been identified, process automation can be considered to improve organizational productivity. Specific areas where software investment will speed the delivery of access-control information are an excellent first consideration.
For example, consider that an organization has an
eCommerce Website that provides for a source of business
revenue. The firm will be required to show that it has
established controls over system access and use, along
with a procedure that documents changes and
modifications to the application itself. The audit trail
for system use must be well documented. The data sources
for information to be included in this audit trail will
most likely include the following:
1. Authentication process of authorized user information
(trusted user lists)
2. Information accessed (file locations within systems)
such as database layout or schema
3. Acceptable procedure for system access (user
information entitlement)
4. Data protection procedures (including technology
used, both hardware & software)
5. Historical event tracking (such as failed
connections, versus successful connections)
6. Security event tracking (security event logs, event
handling procedure and event impact/remediation)
7. System change and modification procedure (process,
documentation and authorizations for such changes)
Each of these items will
provide relevant information associated with SOX
reporting requirements, and they will represent
information points within a system access audit trail.
To clarify each of these items and to improve the
ability to gather useful data, each data source will
need to include a more granular view of the collected
information. Consider the following:
• Authentication process of authorized user information
(trusted user lists)
What about the information associated with the
possibility that trusted user credentials may have been
stolen and used to access a system and steal data or
conduct fraud? Information regarding trusted user lists
must be protected, and therefore information related to
trusted user authentication processes must be
safeguarded.
• Information accessed (file system details) including
database connection details
It is essential that a hierarchical report related to application system files, including location and access details, be available. System IT security protection must
include an overall system report regarding the files
that comprise an application. File access lists are
therefore valuable sources of information that will
provide for additional proof of SOX compliance. Systems
will most certainly be comprised of data files that
should not be accessed for any reason.
• Acceptable procedure for system access (user
information entitlement)
How is an application accessed? In other words,
acceptable access may only be made available through
specific administrative and user interfaces, not other
methods such as protocol or default user access points.
Any other methods of access will require administrative
approval, or will need to be considered as serious
security events.
• Data protection procedures (including what technology
has been installed - both hardware & software)
An organization must take obvious steps to protect data.
These steps require documentation related to how the
protection has been implemented and what is being
accomplished with the use of these solutions.
• Historical event tracking (such as failed connections,
versus successful connections)
System use information in a standard and typical audit
format providing successful connections and failed
connections, both inbound and outbound, must be
available. System access reporting needs to have views
that are easily accessed and produced for
audit/reporting purposes. A failed-connection list, which represents a subset of total attempted system connections, is just as important as the successful-connection information.
• Security event tracking (security event logs, event
handling procedure and event impact/remediation)
Notification of security events along with the
corresponding actions related to the security events
must be quickly accessible.
• System change and modification procedure (process,
documented and administrative authorizations for such
changes)
System changes and modifications will impact an
application and the user community. They will also cause
administrative changes to other systems that are being
used by the application or that protect the application.
Whenever changes and modifications are implemented they
will have a cause and effect relationship across overall
system access procedures. Understanding the impact of
these relationships can be achieved if system session
information is readily available.
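The audit-trail data sources listed above (authentication results, access to files that should never be read, failed versus successful connections in both directions, and security events with their handling status) can be pulled from ordinary log lines and turned into the kind of report an auditor asks for. The script below is an added example, not code from the article or from any product it mentions; the log line format, host addresses, file paths and the "restricted path" list are constructed assumptions.

```python
"""Build a system-access audit report from connection, file-access and
security-event log lines.

Added example. The log format, users, addresses, paths and RESTRICTED_PATHS
are constructed assumptions, not data or a format from the original article.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample log (assumed format: timestamp KIND key=value ...).
SAMPLE_LOG = """\
2005-07-22T09:58:01 CONN dir=in user=alice src=10.0.0.5 result=success
2005-07-22T09:58:07 CONN dir=in user=bob src=10.0.0.9 result=failed reason=bad_password
2005-07-22T09:58:09 CONN dir=in user=bob src=10.0.0.9 result=failed reason=bad_password
2005-07-22T09:58:12 CONN dir=in user=bob src=10.0.0.9 result=success
2005-07-22T10:01:30 CONN dir=out user=svc_batch dst=192.0.2.40 result=success
2005-07-22T10:02:44 FILE user=alice path=/app/reports/q2.xls action=read
2005-07-22T10:03:10 FILE user=bob path=/app/config/db.ini action=read
2005-07-22T10:05:00 SEC user=bob event=restricted_file_read status=open
2005-07-22T10:06:15 CONN dir=in user=carol src=198.51.100.7 result=failed reason=unknown_user
"""

# Assumption: application data files that no interactive user should read.
RESTRICTED_PATHS = ("/app/config/",)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>CONN|FILE|SEC)\s+(?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    fields["ts"] = m.group("ts")
    fields["kind"] = m.group("kind")
    return fields


def build_report(log_text):
    """Aggregate the log into the audit-trail views the article lists."""
    connections = defaultdict(Counter)   # direction -> {result: count}
    per_user = defaultdict(Counter)      # user -> {result: count}
    failed = []                          # the failed-connection subset
    restricted_access = []               # reads of files that should never be read
    security_events = []                 # security events with handling status
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "CONN":
            connections[ev["dir"]][ev["result"]] += 1
            per_user[ev["user"]][ev["result"]] += 1
            if ev["result"] != "success":
                failed.append(ev)
        elif ev["kind"] == "FILE":
            if ev["path"].startswith(RESTRICTED_PATHS):
                restricted_access.append(ev)
        elif ev["kind"] == "SEC":
            security_events.append(ev)
    return {
        "connections": {d: dict(c) for d, c in connections.items()},
        "per_user": {u: dict(c) for u, c in per_user.items()},
        "failed": failed,
        "restricted_access": restricted_access,
        "security_events": security_events,
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_LOG), indent=2))
```

The report keeps the failed-connection list as its own view rather than only a count, so an auditor can see which accounts and sources generated the failures, and it records security events together with their `status` field so open items are visible next to the access data they relate to.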
The ability of an organization to leverage its own human resource agility along with the agility of its information technology investments will lead to effective process automation for SOX auditing and
compliance reporting. Each of these highlighted data
points will require some degree of time and therefore
associated cost to manage and automate. If the time
associated with management and the investment associated
with automation can be minimized, then the organization
will benefit.
Information technology purchases are being driven heavily by SOX requirements. Additionally, the training and administration of many of these technology purchases represent additional cost investments (both time and money). These technology, training and time costs should yield savings over time. Granted, organizational audit and compliance standards are important, but is it essential that these solutions represent new investments, as opposed to investments that create savings? As has been the case in the past, savings should be a driver when technology purchases are being planned. New sources of profit or new ways to save money and time have always been primary drivers of technology purchases. There is no reason why that should change, even when accounting and government compliance is the primary reason for new solution and human resource investments. Here are some ways in which information technology purchases must be weighed against planned savings:
• Within your existing security information technology
procedures, will the purchase of this new solution be
complementary to current solutions deployed? Does the
technology easily integrate with existing solutions?
Will an existing solution be replaced?
• Does the purchase of a new solution create a need for
additional in-house expertise to support and administer
the technology? Will there be a new training requirement
or a need to hire new resources? If yes, identify these
resources and what added costs will be associated.
• If resources outside of the organization are necessary
to support the compliance information gathering
requirements, will the implementation of the new
technology improve the organization’s ability to respond
to audits and save time with respect to the outside
resources that are being contracted? If yes, how?
• What are the investment dollars required to purchase
the new technology? Has the new technology been verified
to achieve an improved approach to organizational
accounting compliance? Will the investment cost savings
be realized in the short-term (less than 12 months) or
the long-term (over 12 months)?
Of course, any organization will have other pre-purchase
questions that will need to be answered, and these
questions will represent the organization’s own unique
way by which it makes such decisions. The above
questions should be added to the compliance expense
decision process, and they are fair questions that will
fortify investment decisions.
Computer Security and Improved System Use Reporting for Compliance Audits
As has been the case for many years, Microsoft has supplied the underlying software of most computer systems. Whether it is a desktop, notebook computer or server, Microsoft software is present more often than not. With this large population of computer users, it has also been the case that computer criminals have focused on seeking ways to breach and steal information or conduct computer fraud on these computers. Hackers, viruses, malware and other Internet-borne threats continue to plague personal computers around the world, either causing systems to malfunction or resulting in the theft of information that can be used by the attacking criminal for profit. Notable breaches have occurred against companies that have government-mandated accounting requirements. These mandates require that proper IT procedures be established that provide data protection to minimize and/or prevent computer crime.
Industry analysts continue to reinforce the need for
behavioral software security to be a component of an
organization’s security strategy. Why? It can be said
that all computer users are unique. No user operates a
computer the same way as another. Whether they use a
personal computer for e-mail, research, document
preparation, data analysis, etc., a computer user will
have different behavioral characteristics than another
user. It is important for an organization, as part of an
overall information technology and security strategy, to
consider computer system behavior. Behavioral anomalies
are indicators that correlate to threats on computer
networks. Implementing a technology solution into an
overall IT strategy that can track and alert when system
behavior should be questioned is a smart investment.
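The paragraph above argues for a per-user behavioral baseline and an alert when observed behavior falls outside it. The following added example, which is not code from the article or from any vendor it names, shows one simple way to build such a baseline and score a new session against it; the model (mean and standard deviation of per-session request counts, the hours a user is normally active, and the application paths they normally touch) and the sample sessions are constructed assumptions.

```python
"""Per-user behavioral baseline with anomaly alerts.

Added example. The baseline features (request-volume z-score, usual hours,
usual paths) and the training sessions are assumptions, not the article's
or any product's algorithm or data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical sessions: (user, hour_of_day, request_count, paths touched)
BASELINE_SESSIONS = [
    ("alice", 9, 40, {"/accounts", "/transfer"}),
    ("alice", 10, 45, {"/accounts", "/transfer"}),
    ("alice", 11, 38, {"/accounts"}),
    ("alice", 14, 42, {"/accounts", "/transfer"}),
    ("bob", 8, 120, {"/admin", "/reports"}),
    ("bob", 9, 110, {"/admin", "/reports"}),
    ("bob", 10, 130, {"/admin"}),
    ("bob", 16, 115, {"/reports"}),
]


def build_baseline(sessions):
    """Summarize each user's normal request volume, active hours and paths."""
    by_user = defaultdict(list)
    for user, hour, count, paths in sessions:
        by_user[user].append((hour, count, paths))
    baseline = {}
    for user, rows in by_user.items():
        counts = [c for _, c, _ in rows]
        baseline[user] = {
            "mean": mean(counts),
            "stdev": pstdev(counts),
            "hours": {h for h, _, _ in rows},
            "paths": set().union(*(p for _, _, p in rows)),
        }
    return baseline


def score_session(baseline, user, hour, count, paths, z_limit=3.0):
    """Return a list of alert strings; an empty list means the session looks normal."""
    prof = baseline.get(user)
    if prof is None:
        # An account with no history cannot be compared; flag it for review.
        return ["no baseline for user"]
    alerts = []
    spread = prof["stdev"] or 1.0   # avoid division by zero for constant histories
    z = (count - prof["mean"]) / spread
    if abs(z) > z_limit:
        alerts.append(f"request volume z={z:.1f} outside limit {z_limit}")
    if hour not in prof["hours"]:
        alerts.append(f"activity at hour {hour:02d} never seen in baseline")
    new_paths = paths - prof["paths"]
    if new_paths:
        alerts.append("new paths: " + ", ".join(sorted(new_paths)))
    return alerts


if __name__ == "__main__":
    bl = build_baseline(BASELINE_SESSIONS)
    # A normal session for alice and an unusual one, both constructed.
    print(score_session(bl, "alice", 10, 43, {"/accounts"}))
    print(score_session(bl, "alice", 3, 400, {"/accounts", "/admin"}))
```

A real deployment would feed the alerts into the existing event-management system the article mentions, and would retrain the baseline on a schedule so that legitimate changes in how a user works do not keep generating alerts.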
One such company, United Security Bank (NASDAQ: UFBO),
selected a security solution for their Internet systems
that would provide for a system behavioral baseline that
could then be used to alert the IT security staff when
system behavior was not within a pre-determined norm.
Not just a typical system resources norm such as heavy
CPU utilization, but when a non-typical user action had
occurred. The bank selected ThreatSentry from Microsoft
ISV Partner – Privacyware. The Web servers that have
been secured are based on Microsoft’s IIS Web server
software where the bank’s applications provided critical
information processing on backend systems. Utilizing
Privacyware’s behavioral layer technology, called the
Adaptive Security Engine, the solution added a new layer
of protection to the bank’s existing IT security
strategy, which monitored and actively blocked any
perceived malicious activity on their IIS servers.
Additionally, the software easily integrated into their
existing system event management solutions and also was
easy to administer and tune through the Microsoft
Management Console.
"Being a financial institution, Sarbanes Oxley (SOX)
compliance has impacted our security efforts. Towards
the end of the year in 2004 most of our efforts were
directed at ensuring we were in compliance with this
legislation and we are always working to make sure we
maintain this level of compliance", stated Paul O'Neil
at United Security Bank. "The Privacyware product is an
important part of that compliance since it is tightly
integrated with our online banking product and was a
notable enhancement to our security efforts."
Reporting on the Web servers now includes critical
security events, which provides a more complete and
easily understood view into overall server session data.
The software solution required a short period of time to
implement, and training consisted of just two follow-up Web
sessions before ThreatSentry was installed in
production. What’s more, at an investment price of just
$139 per server, the software product has been an ideal,
low-cost IT security augmentation that the bank was able
to quickly implement without having to conduct an
extensive ROI analysis prior to implementation.