The Sarbanes Oxley Act :: View topic - SOX and IT Security
Posted: Thu Jan 11, 2007 9:55 am Post subject: SOX and IT Security
Working in the IT security sector I am involved in writing checks to protect windows and UNIX servers against insider and outsider threats.
We have been working to provide a SOX compliance policy which has been outlined to us by a large accounting firm.
This policy contains around 20 checks, which, considering our base product contains an average of 450 checks per OS, seems extremely small.
Since part of SOX is to secure access to data, I would have expected system security experts to define the policies in this area and not accountants.
The further I probe into the SOX impact on IT security, I realize there is no definition, even in loose terms of areas, which would enable someone to program a compliant policy. Thus it is open to interpretation, which is frightening considering the accounting firm which has defined a SOX compliance policy for securing servers has missed all the vital areas of an intruder attack.
I downloaded a new copy of some penetration software (freely available from the web) and ran it across our network. This interface is so simple to use now that anyone could use it; more importantly, I was able to capture all clear text from the network, including all clear text passwords, very easily (yes, we use telnet and ftp for testing purposes), no more having to know how to use nmap. Encrypted passwords, captured from sniffed packets, were easily decrypted using the hash tables provided unless they were of at least a medium strength. This software could be downloaded and easily used by any user to compromise the entire company network and every connected server.
My question is this:
Have system security policies been created for SOX? If so, where are they? To qualify this, it should contain clear guidelines on security.
Example of some general areas:
User perms, file perms, services, protocols, ssl, service wrappers, banners, shares access and mounts, trusts, security modules and baselining for most areas.
If anyone has information on where I can obtain this documentation (must be accredited by SOX and NOT a benchmark or best practice guide) please let me know.
I checked out the links but they are the same as my original starting point with SOX a few months ago.
The whole issue of securing access to data held within computers is part of SOX. There is nothing in 404 that states what level of security is needed.
Thus anyone can write a security policy that does the very minimum to protect their network / servers to potentially get a sign-off as SOX compliant. It would not be until after an intrusion occurred causing damage or theft of certain data, sparking another Enron-style case, that their security measures are going to be judged as adequate for the purpose of SOX or not.
For our client base we need to be able to know what security messages are needed at a detailed level so we can produce SOX policies for different operating systems. These policies we can then state to the client are SOX compliant or not (well this is our best guess from what we have read so far).
I am more than confident that the level of security checks we provide far exceeds any level of security that would be acceptable as SOX compliant; however, without at least an accredited technical guide to SOX 404 we are not going to be able to state to our clients that they will be fully SOX compliant with regards to their IT system security if they use our product.
Our clients want a legal sign-off that their IT security complies with SOX; we can at this point not give it to them. IT security does not work on grey areas: you can either be hacked at a breach point through known methods or the breach point has been secured.
You can now see my dilemma in that we provide down to system level coding, security checks against insider and outsider intrusions for our clients who wish to be SOX compliant using our software. In the eyes of the law our clients need to be able to state their IT security is fully SOX compliant because they use our product. Our clients are 1000+ server companies minimum up to …..
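A concrete instance of the kind of server baseline check the post describes, added here as an example (it is not the poster's product, nor code from the original thread). It covers four of the areas listed in the post (cleartext protocols, file permissions, trust files, and SSH daemon settings) and runs against a constructed host snapshot; the snapshot fields, check names and the sample configuration lines are all assumptions made for the example.

```python
"""Added example, not from the original post or the poster's product: a small
host-baseline checker for a few of the areas the post lists (cleartext
protocols, file permissions, remote-login trust files, sshd settings).
The host snapshot at the bottom is constructed for illustration."""
from dataclasses import dataclass

# Services that carry credentials in the clear; the post mentions telnet and ftp.
CLEARTEXT_TCP = {23: "telnet", 21: "ftp", 513: "rlogin", 514: "rsh"}


@dataclass
class HostSnapshot:
    """What a collector would gather from one server (constructed data)."""
    listening_tcp: set      # TCP ports with a listening socket
    inetd_conf: str         # contents of /etc/inetd.conf
    file_modes: dict        # path -> permission bits (octal int)
    rhosts_entries: list    # lines from /etc/hosts.equiv or ~/.rhosts
    sshd_config: str        # contents of /etc/ssh/sshd_config


def check_cleartext_services(snap):
    """Flag cleartext login/file-transfer services, standalone or via inetd."""
    findings = []
    for port, name in sorted(CLEARTEXT_TCP.items()):
        if port in snap.listening_tcp:
            findings.append(f"{name} listening on tcp/{port}")
    for raw in snap.inetd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0]
        if service in CLEARTEXT_TCP.values():
            findings.append(f"{service} enabled in inetd.conf")
    return findings


def check_world_writable(snap):
    """Paths writable by everyone (o+w), ignoring sticky directories like /tmp."""
    return sorted(p for p, mode in snap.file_modes.items()
                  if mode & 0o002 and not mode & 0o1000)


def check_trust_files(snap):
    """A leading '+' in hosts.equiv/.rhosts trusts every host (or every user)."""
    return [e for e in snap.rhosts_entries if e.strip().startswith("+")]


def check_sshd(snap):
    """Settings that let a sniffed or guessed password turn into root access."""
    settings = {}
    for raw in snap.sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("protocol", "2") != "2":
        findings.append(f"Protocol {settings['protocol']} (SSHv1 enabled)")
    if settings.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin not set to no")
    if settings.get("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes")
    return findings


def run_baseline(snap):
    """Return {check_name: findings}; an empty list means the check passed."""
    return {
        "cleartext_services": check_cleartext_services(snap),
        "world_writable": check_world_writable(snap),
        "trust_files": check_trust_files(snap),
        "sshd": check_sshd(snap),
    }


# Constructed test host: a UNIX box of the kind the post describes.
SAMPLE_HOST = HostSnapshot(
    listening_tcp={21, 22, 23, 80},
    inetd_conf="# constructed inetd.conf\n"
               "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
               "#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n",
    file_modes={"/etc/passwd": 0o644, "/etc/shadow": 0o600,
                "/usr/local/bin/backup.sh": 0o777, "/tmp": 0o1777},
    rhosts_entries=["+ +", "build01 deploy"],
    sshd_config="Protocol 2,1\nPermitRootLogin yes\n# PermitEmptyPasswords no\n",
)

if __name__ == "__main__":
    for name, findings in run_baseline(SAMPLE_HOST).items():
        print(f"[{'FAIL' if findings else 'PASS'}] {name}: {findings}")
```

Each check returns its findings as data rather than printing them, so the same functions can feed a report an auditor can read and a ticket a sysadmin can act on; that separation between the evidence and the judgement is what the later replies in this thread mean by a process-driven control.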
Dear JSB, your questions are really interesting and in fact these are the questions in every IT and information security department.
Issue 1:
You said: “I would have expected system security experts to define the policies in this area and not accountants”
Answer 1:
Sarbanes Oxley is an effort to provide reasonable assurance to shareholders (not absolute assurance). It is compliance, not information security. The reason for the act is to restore investor confidence, not to improve information security or IT governance.
It is a minimum, a framework, not a best practice or a detailed guideline.
Issue 2:
You said: “I realize there is no definition, even in a loose term of areas, which would enable someone to program a compliant policy. Thus it is open to interpretation, which is frightening considering the account firm which has defined a SOX compliance policy for securing servers has missed all the vital areas of an intruder attack”
Answer 2:
I agree with you. If you have a good information security environment, Sarbanes Oxley as a minimum level of assurance does not seem important.
But, remember:
A. Investors pay our salaries.
B. Investors did not trust companies and senior management after Enron and World Com. They did not want to invest any more. Without their money, there are no more salaries.
C. Sarbanes Oxley restored investor confidence
D. We still have our salary as investors trust companies again
E. After that, we can do our best, over and above Sarbanes Oxley, for information security.
Issue 3:
You said: ”Have system security policies been created for SOX if so where are they”
Answer 3:
There are no “official” policies. Do not search. You have to document your policies and to persuade the auditors.
Issue 4:
You said:”There is nothing in 404 that states what level of security is needed”
Answer 4:
This is correct. Senators and representatives cannot explain to IT and InfoSec persons what to do. For example, Senator Paul Sarbanes graduated from Princeton and Harvard Law School. Not the best career path for information security.
Issue 5:
You said: ”Thus anyone can write a security policy that does the very minimum to protect their network / servers to potentially get a sign-off as SOX compliant”
Answer 5:
You still have to persuade the external auditors.
Issue 6:
You said:”It would not be until after an intrusion occurred causing damage or theft of certain data, sparking another Enron style case that their security measures are going to be judged as adequate for the purpose of SOX or not”
Answer 6:
Enron had nothing to do with hacking. Investors know that there is a risk called external fraud, hacking etc. but they accept this risk. What they do not accept is a CEO and/or a CFO misleading them and doing all the wrong things.
Issue 7:
You said: “without at least an accredited technical guide to SOX 404 we are not going to be able to state to our clients that they will be fully SOX compliant with regards to their IT system security if they use our product”
Answer 7:
You do not need any accredited technical guide to be able to state to clients that they are fully SOX compliant. You need to understand the expectations of the external auditors and to help your clients test and document how they use your products. The external auditors must have a “qualified opinion” that your clients comply. This is your target. Not better information security.
George Lekatis
President of the Sarbanes Oxley Compliance Professionals Association (SOXCPA)
www.sarbanes-oxley-association.com
This means once we have completed the current SOX policy we are working on for an auditor (current project for a client), we will have an IT systems security policy that is SOX compliant (the auditor being a very large American firm recognized under SOX).
I appreciate your comments they have been the best and by far the most informative I have seen in the last 4 months.
Nice reply George.
A lot of people in IT relate SOX to information security. SOX compliance in IT touches some part of information security, and it's mostly process driven rather than product driven. An example would be IDS/IPS. A lot of IT departments think that it's mandated by SOX, which is not true.
I understand the Infosec guys when they think that controls under SOX are simply not enough for prevention of something like say hacking. The point is prevention of hacking is not the focus of SOX act.
What IT needs is a process centric approach for SOX compliance and not product or personnel centric. These processes need to be repetitive, managed and auditable. That said, two areas in IT which are most important for SOX and overlap with Information security are change management and access to systems.
Posted: Fri Jan 12, 2007 2:28 pm
calvin wrote:
Nice reply George
I agree -- Both George's and Calvin's good replies helped clarify a few things for me
calvin wrote:
A lot of people in IT relate SOX to Information security. SOX compliance in IT touches some part of Information security
These boundary lines aren't well understood by the public, those implementing SOX, or even auditing it for compliancy. Sometimes too many things are rolled up in the SOX umbrella, including non-applicable items.
I'm also starting to read through the 209-page COBIT 4.0 documentation, as it's an accepted approach for fulfilment of SOX 404 requirements. There's quite a bit of IT security related items and best practices embedded throughout, so it's indeed easy for confusion to set in.
calvin wrote:
I understand the Infosec guys when they think that controls under SOX are simply not enough for prevention of something like say hacking
Agreed -- In the past, I worked several years in IT security, before moving more into a project and application development role. Regardless of SOX requirements, companies need strong security defences to protect against a hostile environment of spam, viruses, spyware, targeted attacks, etc.
calvin wrote:
That said, two areas in IT which are most important for SOX and overlap with Information security are change management and access to systems
This nails down the two primary focal points that are directly related to SOX. Still, it's easy for implementers to see a lot of indirect security relationships with SOX and infer beyond this. For example without good security, your IT financial systems have increased risk factors. Still, you don't want to carry SOX compliancy too far out of scope.
The compliancy for SOX (to satisfy regulators) and a strong security program (to satisfy customers and internal needs) are BOTH fundamental for companies. Even though there's logically some overlap, an already strong security program can reduce the need to do above and beyond what's needed in the SOX 404 area.
Posted: Mon Jan 15, 2007 10:46 am Post subject: SOX and IT Security
To perhaps clarify, I would add that the relevance of SOX to IT is not directly for security at all, but aims rather at management oversight. I have observed many organizations where the technical team is very good and security relatively tight, but management really has no clue and just happens to have gotten lucky. In order to build long-term consistency in information security, a culture of security has to permeate management. Most commonly, when management is not doing proper oversight, they don't get lucky and have a rigorously implemented secure infrastructure. SOX demands that they do the oversight portion of the equation.
Documenting a SOX compliant policy is also really only a beginning. Depending on how the controls are specified, there may be 10,000 more things remaining to be done. An IT general control may only specify that procedures exist and are followed, but there must then be some method of documenting that they are followed. In creating the procedures, IT managers achieve actual real-world security by reviewing the way things are done and deciding what their staff really should be doing, usually in consultation with the staff who have to perform the work. This results in an educational process for the IT department, sometimes for the entire organization in the case of personnel training types of controls. Further, the procedure communicates how things should be done in a way that creates a more complete implementation that is more consistently performed over time by multiple technicians who may never otherwise communicate. The requirement for management to review the documentation of procedures being followed enforces these requirements and, as a side effect, creates greater awareness of security issues amongst management. This often leads to improvements in budgeting and staff assigned to security. The general control leads to specific security practices.
So, while SOX controls are very general, I believe that they contribute to actual security in ways both direct and indirect.
Posted: Mon Jan 15, 2007 2:05 pm
Thank you iaraudit for adding more good comments and perspective to the thread. Your comments, plus those of George and Calvin, have helped me fine tune how IT security controls better fit within the SOX framework.
Thank you all for the responses to this thread so far. It puts the original question into full context with regards to SOX and what as a whole is being achieved.
From my perspective the hardest part of SOX was the lack of understanding of where IT security fitted into the whole scheme, and what our part as an IT security company played. The information in this thread has been provided with so much clarity that any SOX-confused IT related person (me) can follow it as a supplement to 404 or other related SOX documentation.
This thread will now provide me with a stable information supplement to which I can direct people.
Thank you all. I am a beginner in SOX. This topic really helped in understanding the difference of responsibilities between the technical side and the management side while implementing SOX. It's not only about securing the systems; it's more about securing the processes.