The Sarbanes Oxley Act :: View topic - SOX and IT Security
SOX and IT Security

 
Forum: Sarbanes-Oxley: IT Issues

JSB (Newbie)
Joined: Jan 11, 2007 | Posts: 6 | Location: UK
Posted: Thu Jan 11, 2007 9:55 am | Post subject: SOX and IT Security

Working in the IT security sector, I am involved in writing checks to protect Windows and UNIX servers against insider and outsider threats.
We have been working to provide a SOX compliance policy which has been outlined to us by a large accounting firm.

This policy contains around 20 checks, which, considering our base product contains an average of 450 checks per OS, seems extremely small.

Since part of SOX is to secure access to data, I would have expected system security experts to define the policies in this area and not accountants.

The further I probe into the SOX impact on IT security, I realize there is no definition, even in loose terms of areas, which would enable someone to program a compliant policy. Thus it is open to interpretation, which is frightening considering that the accounting firm which has defined a SOX compliance policy for securing servers has missed all the vital areas of an intruder attack.

I downloaded a new copy of some penetration software (freely available from the web) and ran it across our network. This interface is so simple to use now that anyone could use it; more importantly, I was able to capture all clear text from the network, including all clear-text passwords, very easily (yes, we use telnet and ftp for testing purposes), no more having to know how to use nmap. Encrypted passwords, captured from sniffing packets, were easily decrypted using the hash tables provided unless they were of at least medium strength. This software could be downloaded and easily used by any user to compromise the entire company network and every connected server.

My question is this:

Have system security policies been created for SOX? If so, where are they? To qualify this, they should contain clear guidelines on security.

Example of some general areas:
User perms, file perms, services, protocols, ssl, service wrappers, banners, shares access and mounts, trusts, security modules and baselining for most areas.

If anyone has information on where I can obtain this documentation (must be accredited by SOX and NOT a benchmark or best practice guide) please let me know.

Thank you in advance
harrywaldron (SoxGuru)
Joined: Jan 12, 2006 | Posts: 849 | Location: Roanoke, Virginia
Posted: Thu Jan 11, 2007 2:52 pm

Hi and welcome to the forums. Below are some threads that might help you start this process:

What is: COSO, COBIT, and SOX 404
http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1516

Free PDF copy of COBIT 4.0
http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1920
JSB (Newbie)
Joined: Jan 11, 2007 | Posts: 6 | Location: UK
Posted: Fri Jan 12, 2007 4:28 am

Thanks Harry,

I checked out the links but they are the same as my original starting point with SOX a few months ago.

The whole issue of securing access to data held within computers is part of SOX. There is nothing in 404 that states what level of security is needed.
Thus anyone can write a security policy that does the very minimum to protect their network / servers and potentially get a sign-off as SOX compliant. It would not be until after an intrusion occurred, causing damage or theft of certain data and sparking another Enron-style case, that their security measures would be judged as adequate for the purpose of SOX or not.

For our client base we need to be able to know what security messages are needed at a detailed level so we can produce SOX policies for different operating systems. These policies we can then state to the client are SOX compliant or not (well this is our best guess from what we have read so far).

I am more than confident that the level of security checks we provide far exceeds any level of security that would be acceptable as SOX compliant; however, without at least an accredited technical guide to SOX 404 we are not going to be able to state to our clients that they will be fully SOX compliant with regards to their IT system security if they use our product.

Our clients want a legal sign-off that their IT security complies with SOX; we cannot at this point give it to them. IT security does not work on grey areas: you can either be hacked at a breach point through known methods, or the breach point has been secured.

You can now see my dilemma, in that we provide, down to system-level coding, security checks against insider and outsider intrusions for our clients who wish to be SOX compliant using our software. In the eyes of the law our clients need to be able to state their IT security is fully SOX compliant because they use our product. Our clients are 1000+ server companies minimum up to …..

Any thoughts ?
lekatis (SoxGuru)
Joined: Feb 15, 2005 | Posts: 302 | Location: USA
Posted: Fri Jan 12, 2007 5:45 am

Dear JSB, your questions are really interesting and in fact these are the questions in every IT and information security department.

Issue 1:
You said: “I would have expected system security experts to define the policies in this area and not accountants”
Answer 1:
Sarbanes Oxley is an effort to provide reasonable assurance to shareholders (not absolute assurance). It is compliance, not information security. The reason for the act is to restore investor confidence, not to improve information security or IT governance.
It is a minimum, a framework, not a best practice or a detailed guideline.

Issue 2:
You said: “I realize there is no definition, even in a loose term of areas, which would enable someone to program a compliant policy. Thus it is open to interpretation, which is frightening considering the account firm which has defined a SOX compliance policy for securing servers has missed all the vital areas of an intruder attack”
Answer 2:
I agree with you. If you have a good information security environment, Sarbanes Oxley as a minimum level of assurance does not seem important.
But, remember:
A. Investors pay our salaries.
B. Investors did not trust companies and senior management after Enron and World Com. They did not want to invest any more. Without their money, there are no more salaries.
C. Sarbanes Oxley restored investor confidence
D. We still have our salary as investors trust companies again
E. After that, we can do our best, over and above Sarbanes Oxley, for information security.

Issue 3:
You said: “Have system security policies been created for SOX if so where are they”
Answer 3:
There are no “official” policies. Do not search. You have to document your policies and to persuade the auditors.

Issue 4:
You said: “There is nothing in 404 that states what level of security is needed”
Answer 4:
This is correct. Senators and representatives cannot explain to IT and InfoSec persons what to do. For example, Senator Paul Sarbanes graduated from Princeton and Harvard Law School. Not the best career path for information security.

Issue 5:
You said: “Thus anyone can write a security policy that does a very minimum to protect their network / servers to potentially get a sign off as SOX compliant”
Answer 5:
You still have to persuade the external auditors.

Issue 6:
You said: “It would not be until after an intrusion occurred causing damage or theft of certain data, sparking another Enron style case that their security measures are going to be judged as adequate for the purpose of SOX or not”
Answer 6:
Enron had nothing to do with hacking. Investors know that there is a risk called external fraud, hacking etc. but they accept this risk. What they do not accept is a CEO and/or a CFO misleading them and doing all the wrong things.

Issue 7:
You said: “without at least an accredited technical guide to SOX 404 we are not going to be able to state to our clients that they will be fully SOX compliant with regards to their IT system security if they use our product”
Answer 7:
You do not need any accredited technical guide to be able to state to clients that they are fully SOX compliant. You need to understand the expectations of the external auditors and to help your clients test and document how they use your products. The external auditors must have a “qualified opinion” that your clients comply. This is your target. Not better information security.
_________________
George Lekatis
President of the Sarbanes Oxley Compliance Professionals Association (SOXCPA)
www.sarbanes-oxley-association.com
JSB (Newbie)
Joined: Jan 11, 2007 | Posts: 6 | Location: UK
Posted: Fri Jan 12, 2007 6:30 am

Dear George,

Thank you for the reply,

This means once we have completed the current SOX policy we are working on for an Auditor (current project for a client) we have an IT systems security policy that is SOX compliant (The Auditor being a very large American firm recognized under SOX).

I appreciate your comments they have been the best and by far the most informative I have seen in the last 4 months.
calvin (MasterSoxer)
Joined: Jul 25, 2005 | Posts: 101 | Location: US
Posted: Fri Jan 12, 2007 12:57 pm

lekatis wrote:
Answer 3:
There are no “official” policies. Do not search. You have to document your policies and to persuade the auditors.

Answer 6:
Enron had nothing to do with hacking. Investors know that there is a risk called external fraud, hacking etc. but they accept this risk. What they do not accept is a CEO and/or a CFO misleading them and doing all the wrong things.

Nice reply George.

A lot of people in IT relate SOX to information security. SOX compliance in IT touches some part of information security, and it's mostly process driven rather than product driven. An example would be IDS/IPS. A lot of IT departments think that it's mandated by SOX, which is not true.

I understand the Infosec guys when they think that controls under SOX are simply not enough for prevention of something like say hacking. The point is prevention of hacking is not the focus of SOX act.

What IT needs is a process centric approach for SOX compliance and not product or personnel centric. These processes need to be repetitive, managed and auditable. That said, two areas in IT which are most important for SOX and overlap with Information security are change management and access to systems.

Calvin
harrywaldron (SoxGuru)
Joined: Jan 12, 2006 | Posts: 849 | Location: Roanoke, Virginia
Posted: Fri Jan 12, 2007 2:28 pm

calvin wrote:
Nice reply George

I agree -- Both George's and Calvin's good replies helped clarify a few things for me.

calvin wrote:
A lot of people in IT relate SOX to Information security. SOX compliance in IT touches some part of Information security

These boundary lines aren't well understood by the public, those implementing SOX, or even auditing it for compliancy. Sometimes too many things are rolled up in the SOX umbrella, including non-applicable items.

I'm also starting to read through the 209 page COBIT 4.0 documentation, as it's an accepted approach for fulfilment of SOX 404 requirements. There's quite a bit of IT security related items and best practices embedded throughout, so it's indeed easy for confusion to set in.

calvin wrote:
I understand the Infosec guys when they think that controls under SOX are simply not enough for prevention of something like say hacking

Agreed -- In the past, I worked several years in IT security, before moving more into a project and application development role. Regardless of SOX requirements, companies need strong security defences to protect against a hostile environment of spam, viruses, spyware, targeted attacks, etc.

calvin wrote:
That said, two areas in IT which are most important for SOX and overlap with Information security are change management and access to systems

This nails down the two primary focal points that are directly related to SOX. Still, it's easy for implementers to see a lot of indirect security relationships with SOX and infer beyond this. For example without good security, your IT financial systems have increased risk factors. Still, you don't want to carry SOX compliancy too far out of scope.

The compliancy for SOX (to satisfy regulators) and a strong security program (to satisfy customers and internal needs) are BOTH fundamental for companies. Even though there's logically some overlap, an already strong security program can reduce the need to do above and beyond what's needed in the SOX 404 area.
iaraudit (Newbie)
Joined: May 15, 2006 | Posts: 3
Posted: Mon Jan 15, 2007 10:46 am | Post subject: SOX and IT Security

To perhaps clarify, I would add that the relevance of SOX to IT is not directly for security at all, but aims rather at management oversight. I have observed many organizations where the technical team is very good and security relatively tight, but management really has no clue and just happens to have gotten lucky. In order to build long-term consistency in information security, a culture of security has to permeate management. Most commonly, when management is not doing proper oversight, they don't get lucky and have a rigorously implemented secure infrastructure. SOX demands that they do the oversight portion of the equation.

Documenting a SOX compliant policy is also really only a beginning. Depending on how the controls are specified there may be 10,000 more things remaining to be done. An IT general control may only specify that procedures exist and are followed, but there must then be some method of documenting that they are followed. In creating the procedures, IT managers achieve actual real-world security by reviewing the way things are done and deciding what their staff really should be doing, usually in consultation with the staff who have to perform the work. This results in an educational process for the IT department, sometimes for the entire organization in the case of personnel-training types of controls. Further, the procedure communicates how things should be done in a way that creates a more complete implementation that is more consistently performed over time by multiple technicians who may never otherwise communicate. The requirement for management to review the documentation of procedures being followed enforces these requirements and, as a side effect, creates greater awareness of security issues amongst management. This often leads to improvements in budgeting and staff assigned to security. The general control leads to specific security practices.

So, while SOX controls are very general, I believe that they contribute to actual security in ways both direct and indirect.
harrywaldron (SoxGuru)
Joined: Jan 12, 2006 | Posts: 849 | Location: Roanoke, Virginia
Posted: Mon Jan 15, 2007 2:05 pm

Thank you iaraudit for adding more good comments and perspective to the thread. Your comments, plus those of George and Calvin, have helped me fine tune how IT security controls better fit within the SOX framework.
JSB (Newbie)
Joined: Jan 11, 2007 | Posts: 6 | Location: UK
Posted: Wed Jan 17, 2007 4:42 am

Gentlemen,

Thank you all for the responses to this thread so far. It puts the original question into full context with regards to SOX and what as a whole is being achieved.
From my perspective the hardest part of SOX was the lack of understanding of where IT security fitted into the whole scheme, and what part we, as an IT security company, played. The information in this thread has been provided with so much clarity that any SOX-confused, IT-related person (me) can follow it as a supplement to 404 or other related SOX documentation.
This thread will now provide me with a stable information supplement to which I can direct people.
jsox (Newbie)
Joined: Feb 08, 2007 | Posts: 4
Posted: Fri Feb 09, 2007 12:47 am

Thank you all. I am a beginner in SOX. This topic really helped in understanding the difference in responsibilities between the technical side and the management side while implementing SOX. It's not only about securing the systems, it's more about securing the processes.