SOX and IT Security 1919



  • Working in the IT security sector I am involved in writing checks to protect Windows and UNIX servers against insider and outsider threats.
    We have been working to provide a SOX compliance policy which has been outlined to us by a large accountant firm.
    This policy contains around 20 checks, which considering our base product contains an average of 450 checks per OS seems extremely small.
    Since part of SOX is to secure access to data, I would have expected system security experts to define the policies in this area and not accountants.
    The further I probe into the SOX impact on IT security I realize there is no definition, even in a loose term of areas, which would enable someone to program a compliant policy. Thus it is open to interpretation, which is frightening considering the accounting firm which has defined a SOX compliance policy for securing servers has missed all the vital areas of an intruder attack.
    I downloaded a new copy of some penetration software (freely available from the web) and ran it across our network. This interface is so simple to use now that anyone could use it; more importantly, I was able to capture all clear text from the network including all clear text passwords very easily (yes, we use telnet and ftp for testing purposes), no more having to know how to use nmap. Encrypted passwords, captured from sniffing packets, were easily decrypted using the hash tables provided unless they were of at least a medium strength. This software could be downloaded and easily used by any user to compromise the entire company network and every connected server.
    My question is this:
    Have system security policies been created for SOX? If so, where are they? To qualify this it should contain clear guidelines on security.
    Example of some general areas:
    User perms, file perms, services, protocols, ssl, service wrappers, banners, shares access and mounts, trusts, security modules and baselining for most areas.
    If anyone has information on where I can obtain this documentation (must be accredited by SOX and NOT a benchmark or best practice guide) please let me know.
    Thank you in advance



  • Hi and welcome to the forums 🙂 Below are some threads that might help you start this process:
    What is: COSO, COBIT, and SOX 404
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1516
    Free PDF copy of COBIT 4.0
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1920



  • Thanks Harry,
    I checked out the links but they are the same as my original starting point with SOX a few months ago.
    The whole issue of securing access to data held within computers is part of SOX. There is nothing in 404 that states what level of security is needed.
    Thus anyone can write a security policy that does a very minimum to protect their network / servers to potentially get a sign off as SOX compliant. It would not be until after an intrusion occurred causing damage or theft of certain data, sparking another Enron style case, that their security measures are going to be judged as adequate for the purpose of SOX or not.
    For our client base we need to be able to know what security messages are needed at a detailed level so we can produce SOX policies for different operating systems. These policies we can then state to the client are SOX compliant or not (well this is our best guess from what we have read so far).
    I am more than confident that the level of security checks we provide far exceeds any levels of security that would be acceptable as SOX compliant, however without at least an accredited technical guide to SOX 404 we are not going to be able to state to our clients that they will be fully SOX compliant with regards to their IT system security if they use our product.
    Our clients want a legal sign off that their IT security complies with SOX; we can at this point not give it to them. IT security does not work on grey areas: you can either be hacked at a breach point through known methods or the breach point has been secured.
    You can now see my dilemma in that we provide down to system level coding, security checks against insider and outsider intrusions for our clients who wish to be SOX compliant using our software. In the eyes of the law our clients need to be able to state their IT security is fully SOX compliant because they use our product. Our clients are 1000 server companies minimum up to '…
    Any thoughts ?



  • Dear JSB, your questions are really interesting and in fact these are the questions in every IT and information security department.
    Issue 1:
    You said: I would have expected system security experts to define the policies in this area and not accountants
    Answer 1:
    Sarbanes Oxley is an effort to provide reasonable assurance to shareholders (not absolute assurance). It is compliance, not information security. The reason of the act is to restore investor confidence, not to improve information security or IT governance
    It is a minimum , a framework, not a best practice or a detailed guideline.
    Issue 2:
    You said: I realize there is no definition, even in a loose term of areas, which would enable someone to program a compliant policy. Thus it is open to interpretation, which is frightening considering the accounting firm which has defined a SOX compliance policy for securing servers has missed all the vital areas of an intruder attack
    Answer 2:
    I agree with you. If you have a good information security environment, Sarbanes Oxley as a minimum level of assurance does not seem important.
    But, remember:
    A. Investors pay our salaries.
    B. Investors did not trust companies and senior management after Enron and World Com. They did not want to invest any more. Without their money, there are no more salaries.
    C. Sarbanes Oxley restored investor confidence
    D. We still have our salary as investors trust companies again
    E. After that, we can do our best, over and above Sarbanes Oxley, for information security.
    Issue 3:
    You said: Have system security policies been created for SOX if so where are they
    Answer 3:
    There are no official policies. Do not search. You have to document your policies and to persuade the auditors.
    Issue 4:
    You said: There is nothing in 404 that states what level of security is needed
    Answer 4:
    This is correct. Senators and representatives cannot explain to IT and InfoSec persons what to do. For example, Senator Paul Sarbanes graduated from Princeton and Harvard Law School. Not the best career path for information security.
    Issue 5:
    You said: Thus anyone can write a security policy that does a very minimum to protect their network / servers to potentially get a sign off as SOX compliant
    Answer 5:
    You still have to persuade the external auditors.
    Issue 6:
    You said: It would not be until after an intrusion occurred causing damage or theft of certain data, sparking another Enron style case that their security measures are going to be judged as adequate for the purpose of SOX or not
    Answer 6:
    Enron had nothing to do with hacking. Investors know that there is a risk called external fraud, hacking etc. but they accept this risk. What they do not accept is a CEO and/or a CFO misleading them and doing all the wrong things.
    Issue 7:
    You said: without at least an accredited technical guide to SOX 404 we are not going to be able to state to our clients that they will be fully SOX compliant with regards to their IT system security if they use our product
    Answer 7:
    You do not need any accredited technical guide to be able to state to clients that they are fully SOX compliant. You need to understand the expectations of the external auditors and to help your clients test and document how they use your products. The external auditors must have a qualified opinion that your clients comply. This is your target. Not better information security.



  • Dear George,
    Thank you for the reply,
    This means once we have completed the current SOX policy we are working on for an Auditor (current project for a client) we have an IT systems security policy that is SOX compliant (The Auditor being a very large American firm recognized under SOX).
    I appreciate your comments they have been the best and by far the most informative I have seen in the last 4 months.



  • Answer 3:
    There are no official policies. Do not search. You have to document your policies and to persuade the auditors.
    Answer 6:
    Enron had nothing to do with hacking. Investors know that there is a risk called external fraud, hacking etc. but they accept this risk. What they do not accept is a CEO and/or a CFO misleading them and doing all the wrong things.

    Nice reply George.
    A lot of people in IT relate SOX to information security. SOX compliance in IT touches some part of information security and it's mostly process driven rather than product driven. An example would be IDS/IPS. A lot of IT departments think that it's mandated by SOX, which is not true.
    I understand the Infosec guys when they think that controls under SOX are simply not enough for prevention of something like say hacking. The point is prevention of hacking is not the focus of SOX act.
    What IT needs is a process centric approach for SOX compliance and not product or personnel centric. These processes need to be repetitive, managed and auditable. That said, two areas in IT which are most important for SOX and overlap with Information security are change management and access to systems.
    Calvin



  • Nice reply George
    I agree – Both George’s and Calvin’s good replies helped clarify a few things for me 🙂
    A lot of people in IT relate SOX to Information security. SOX compliance in IT touches some part of Information security
    These boundary lines aren’t well understood by the public, those implementing SOX, or even auditing it for compliancy. Sometimes too many things are rolled up in the SOX umbrella, including non-applicable items.
    I’m also starting to read through the 209 page COBIT 4.0 documentation, as it’s an accepted approach for fulfilment of SOX 404 requirements. There’s quite a bit of IT security related items and best practices embedded throughout, so it’s indeed easy for confusion to set in.
    I understand the Infosec guys when they think that controls under SOX are simply not enough for prevention of something like say hacking
    Agreed – In the past, I worked several years in IT security, before moving more into a project and application development role. Regardless of SOX requirements, companies need strong security defences to protect against a hostile environment of spam, viruses, spyware, targeted attacks, etc.
    That said, two areas in IT which are most important for SOX and overlap with Information security are change management and access to systems
    This nails down the two primary focal points that are directly related to SOX. Still, it’s easy for implementers to see a lot of indirect security relationships with SOX and infer beyond this. For example without good security, your IT financial systems have increased risk factors. Still, you don’t want to carry SOX compliancy too far out of scope.
    The compliancy for SOX (to satisfy regulators) and a strong security program (to satisfy customers and internal needs) are BOTH fundamental for companies. Even though there’s logically some overlap, an already strong security program can reduce the need to do above and beyond what’s needed in the SOX 404 area



  • To perhaps clarify, I would add that the relevance of SOX to IT is not directly for security at all, but aims rather at management oversight. I have observed many organizations where the technical team is very good and security relatively tight, but management really has no clue and just happens to have gotten lucky. In order to build long-term consistency in information security, a culture of security has to permeate management. Most commonly, when management is not doing proper oversight, they don’t get lucky and have a rigorously implemented secure infrastructure. SOX demands that they do the oversight portion of the equation.
    Documenting a SOX compliant policy is also really only a beginning. Depending on how the controls are specified there may be 10,000 more things remaining to be done. An IT general control may only specify that procedures exist and are followed, but there must then be some method of documenting that they are followed. In creating the procedures, IT managers achieve actual real-world security by reviewing the way things are done and deciding what their staff really should be doing, usually in consultation with the staff who have to perform the work. This results in an educational process for the IT department, sometimes for the entire organization in the case of personnel training types of controls. Further, the procedure communicates how things should be done in a way that creates a more complete implementation that is more consistently performed over time by multiple technicians who may never otherwise communicate. The requirement for management to review the documentation of procedures being followed enforces these requirements and, as a side effect, creates greater awareness of security issues amongst management. This often leads to improvements in budgeting and staff assigned to security. The general control leads to specific security practices.
    So, while SOX controls are very general, I believe that they contribute to actual security in ways both direct and indirect.



  • Thank you iaraudit for adding more good comments and perspective to the thread 🙂 Your comments, plus those of George and Calvin, have helped me fine tune how IT security controls better fit within the SOX framework.



  • Gentlemen,
    Thank you all for the responses to this thread so far. It puts the original question into full context with regards to SOX and what as a whole is being achieved.
    From my perspective the hardest part of SOX was the lack of understanding of where IT security fitted in to the whole scheme, and what our part as an IT security company played. The information in this thread has been provided with so much clarity that any SOX confused IT related person (me) can follow as a supplement to 404 or other related SOX documentation.
    This thread will now provide me with a stable information supplement to which I can direct people.



  • Thank you all. I am a beginner in SOX. This topic really helped in understanding the difference of responsibilities between the technical side and management side while implementing SOX. It's not only about securing the systems, it's more about securing the processes.

