SOX-Operating System/Database Testing 1960



  • Hi All,

    Under SOX Audit the auditor has to test whether the optimum level of access control is implemented for the particular OS/DB. Currently the auditor is carrying out this testing through scripts which they created themselves. Executing the scripts on each server becomes tedious as a lot of process is involved internally. (I have to request the execution of the scripts from the vendor companies which have developed the system and are currently managing it.)
    As the SOX audit is going to happen every year, I (an employee of the company which is getting audited) am looking for some automatic approach, like software which will execute the scripts for me remotely (on all servers) and generate the results which I can give to the auditor.
    I will really appreciate any tool or software information regarding this.
    Also, if anyone is already using one, please share your opinions.
    Thank you in advance
    Vikram



  • I would question whether the auditor really needs to do this.



  • Hi Vikram and welcome to the forums 🙂
    SOX 404 addresses financial controls on IT automated systems, ensuring they are properly controlled. For example, with DBs the focus of the audit would be on security rights and access controls: audit might review who has ‘read only’, write, table update, or other forms of privileged access.
    Most likely the list the audit firm is deriving through scripts is associated with reviewing DB security access and autonomy controls. I’m suspecting you all are gathering user/file/service rights from your servers and consolidating them into a report?
    As Denis shares, it’s good to question this need with audit and share the extra work/expense with your own management. Maybe there’s a way to negotiate another less expensive approach, or maybe the risk is such that the audit firm doesn’t need to examine controls at this granular a level?
    Still, even if you have to continue doing it, it’s worthwhile from a risk management standpoint to question anything that incurs extraordinary expense (esp. going outside to your vendor). The audit firm is providing a service to your company to judge whether controls are sufficient, but not to set the entire framework for management controls of the SOX process.
    This gathering of access rights may still need to be done. But if you can work out a better and less expensive approach, it’s worthwhile to explore and negotiate options.
    Good luck 🙂
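    The consolidation step Harry describes above (gathering user rights from several servers and rolling them into one report), as an added example that is not code from this thread or from any of the products mentioned in it: a Python script that parses constructed copies of /etc/passwd, /etc/group and /etc/sudoers collected from two hypothetical hosts and produces a single CSV of privileged access (UID-0 accounts, members of administrative groups, and sudo grants, with NOPASSWD flagged). The hostnames, accounts, and the PRIVILEGED_GROUPS set are assumptions; copying the files off each server is left to whatever scheduling or collection mechanism you choose.

```python
"""Consolidate privileged-access evidence from several Unix/Linux hosts.

Constructed example: the per-host text below stands in for the files a
collection script would copy off each server (/etc/passwd, /etc/group,
/etc/sudoers). Hostnames, accounts and groups are made up for illustration.
"""
import csv
import io
from typing import Dict, List

# Groups whose membership grants administrative rights on common Unix/Linux
# builds. Assumption: adjust to the platforms actually in scope.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "adm"}

# Constructed sample evidence keyed by hostname (not real servers).
HOST_EVIDENCE: Dict[str, Dict[str, str]] = {
    "db-prod-01": {
        "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                   "oracle:x:1001:1001:Oracle:/home/oracle:/bin/bash\n"
                   "toor:x:0:0:second root:/root:/bin/sh\n"
                   "appuser:x:1002:1002::/home/appuser:/bin/bash\n"),
        "group": "root:x:0:\nwheel:x:10:oracle,appuser\ndba:x:1001:oracle\n",
        "sudoers": "# sudoers\nroot ALL=(ALL) ALL\n%dba ALL=(ALL) NOPASSWD: ALL\n",
    },
    "app-prod-02": {
        "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                   "appuser:x:1002:1002::/home/appuser:/bin/bash\n"
                   "deploy:x:1003:1003::/home/deploy:/bin/bash\n"),
        "group": "root:x:0:\nsudo:x:27:deploy\n",
        "sudoers": "root ALL=(ALL) ALL\ndeploy ALL=(ALL) /usr/bin/systemctl\n",
    },
}


def parse_passwd(text: str) -> List[dict]:
    """One record per account line: name, uid, primary gid, login shell."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 7:
            continue  # blank, comment or malformed line: skip, do not guess
        records.append({"name": fields[0], "uid": int(fields[2]),
                        "gid": int(fields[3]), "shell": fields[6]})
    return records


def parse_group(text: str) -> Dict[str, dict]:
    """Map group name -> {gid, explicit members} (4th field, comma separated)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[0]:
            continue
        groups[fields[0]] = {"gid": int(fields[2]),
                             "members": {m for m in fields[3].split(",") if m}}
    return groups


def parse_sudoers(text: str) -> List[dict]:
    """Extract user and %group privilege lines; Defaults and aliases are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        parts = line.split(None, 1)
        if len(parts) < 2 or "=" not in parts[1]:
            continue
        who, rest = parts
        cmd_part = rest.partition("=")[2]             # text after HOST=
        cmds = cmd_part.split(")", 1)[-1]             # strip the (runas) clause
        nopasswd = "NOPASSWD:" in cmds
        for tag in ("NOPASSWD:", "PASSWD:", "NOEXEC:", "SETENV:"):
            cmds = cmds.replace(tag, "")
        specs.append({"who": who, "commands": cmds.strip(), "nopasswd": nopasswd})
    return specs


def review_host(host: str, ev: Dict[str, str]) -> List[dict]:
    """Return privileged-access findings for one host's evidence."""
    accounts = parse_passwd(ev["passwd"])
    groups = parse_group(ev["group"])

    def members(group: str) -> set:
        g = groups.get(group)
        if g is None:
            return set()
        # explicit members plus accounts whose primary gid is this group
        return g["members"] | {a["name"] for a in accounts if a["gid"] == g["gid"]}

    findings = []
    for a in accounts:
        if a["uid"] == 0:
            findings.append({"host": host, "account": a["name"],
                             "privilege": "uid 0", "detail": a["shell"]})
    for g in sorted(PRIVILEGED_GROUPS):
        for m in sorted(members(g)):
            findings.append({"host": host, "account": m,
                             "privilege": f"member of {g}", "detail": ""})
    for spec in parse_sudoers(ev["sudoers"]):
        targets = (sorted(members(spec["who"][1:])) if spec["who"].startswith("%")
                   else [spec["who"]])
        label = "sudo: ALL commands" if spec["commands"] == "ALL" else "sudo: limited commands"
        if spec["nopasswd"]:
            label += " (NOPASSWD)"
        for t in targets:
            findings.append({"host": host, "account": t,
                             "privilege": label, "detail": spec["commands"]})
    return findings


def consolidate(all_evidence: Dict[str, Dict[str, str]]) -> List[dict]:
    """Run review_host over every host and return one flat list of findings."""
    return [f for host in sorted(all_evidence) for f in review_host(host, all_evidence[host])]


def to_csv(findings: List[dict]) -> str:
    """Render findings as CSV text suitable for handing to the auditor."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["host", "account", "privilege", "detail"])
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(consolidate(HOST_EVIDENCE)))
```

    In the constructed data the report surfaces the second UID-0 account on db-prod-01 and the NOPASSWD sudo grant inherited by every member of the dba group, which are exactly the items an access review needs to see side by side rather than buried in per-server script output.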



  • Vikram
    Giving due respect to Dennis and Harry, if you still need an automation software, depending upon your platform, try MKS Implementer.
    All the best.



  • Just noted that my reply has been somewhat truncated 8O
    Anyway, here are a couple of further thoughts:
    Under SOX Audit the auditor has to test whether the optimum level of access control is implemented for the particular OS/DB
    This is most certainly not the case. The auditor should be testing that security meets some minimum standards and concluding on whether it is adequate overall. It need not be optimal nor best practice.
    Currently auditor is carrying out this testing through the scripts which are created by them. Executing the scripts on each server becomes tedious as lot of process is involved internally.
    It is not unknown for the auditor to run tools or scripts to test access security and/or the effectiveness of automated controls on a clients system, whether it be a tool like Virsa or Bindview or directly running SQL queries, test packs, etc.
    However, the auditor has no right to do this and must exercise a great deal of caution in doing so i.e. you don’t really want to screw up a client’s systems.
    If this is causing you a great deal of inconvenience then it is perfectly well within your rights to refuse - or at least engage them in a discussion around easier ways of achieving their objectives.
    If you want to add a couple more details I could potentially suggest other ways they could go about this.



  • Sorry for turning up late here… was busy searching for and studying the tool…
    @Dennis, Harry, Chhaava…
    I’m extremely happy and thankful for you guys sharing your views…
    @Harry
    I got the objective of testing the OS/DB level access… but as you pointed out it costs me extra as I have to outsource that work to the development company and pay them a hefty amount, though technically it is only a question of running a small script… that’s why I was trying to find out about a tool which I can manage with the help of a job scheduling thing, so I did not have to disturb our business development for these tests…
    @Dennis
    You are right, the auditor has to check min standards… I made a mistake there…
    About the testing, this time (in Jan our testing got over) we ran the scripts which were given by the auditor after testing them on the development environment. Well, 80% of the scripts ran perfectly and some gave problems…
    You guys won’t believe I spent my whole Jan just trying to schedule the test in between the business development (avoidable) and explaining to the development team why it is needed (this is unavoidable at the start)…
    That’s why I decided to search for an automatic option for the next time and save my time…
    @Chhaava
    Thanks for the tool info… will try to find out about it also…
    I came across tools like BindView (mentioned by Dennis also) and IPLocks… In between those, currently I am studying the BindView product…
    The features look promising on paper but I have to play with it first to comment on anything about it…
    By any chance has anyone tried BindView (bv-Control)…
    Thanks again for your comments guys… looking forward to exploring many things in SOX…



  • I used Bindview for a number of years and had also evaluated other products (LT Auditor, Kane Security Analyst, etc). It’s a good server consolidation tool, password tester, etc. I nicknamed it ‘Blindview’ as I used it for long periods of time and wondered if I might need stronger glasses afterwards 😉
    It’s good to compare and contrast products, plus you might receive a discounted price. Also, check out free trial options for a proof-of-concept test just to be sure it’s a good fit.
    Microsoft’s free MBSA security tool might also be helpful for some evaluations. There are also other good FREE tools that are helpful in analyzing security (e.g., nmap), although some tools may not be needed just to meet SOX requirements.
    MBSA home page - Please paste to browser and add www
    microsoft.com/technet/security/tools/mbsahome.mspx



  • I used Bindview for a number of years and had also evaluated other products (LT Auditor, Kane Security Analyst, etc). It’s a good server consolidation tool, password tester, etc. I nicknamed it ‘Blindview’ as I used it for long periods of time and wondered if I might need stronger glasses afterwards 😉
    Know what you mean there. The first version of Bindview I used was a DOS version (oops, showing my age) and that certainly used to give me exactly the same feeling.



  • Thanks Harry and Dennis again…
    @Harry
    The Microsoft security analyser is only for Microsoft products… so it’s unlikely I will spend more time studying it, as Microsoft OSs are a very small part of the total environment…
    About NMAP, it’s freeware… so don’t trust it… 😉
    Just adding some info… I came across an IBM tool also, IBM Tivoli…
    it is good but it needs the client program to be installed on every client machine, which is a bit cumbersome… but the features are good…
    Any additional info will be appreciated…



  • A few additional comments are noted below 🙂
    Bindview - In looking at the latest web offerings, I saw that they are now part of the Symantec product family (and you might obtain discounts if you use any of their other tools?). I also see some good non-MS support as well, which is important to meeting your needs
    Please add www after pasting to browser
    bindview.com/
    bindview.com/products/index.cfm
    ‘Blindview’ Product Family
    bv-Admin®
    bv-Control®
    bv-Control® for Check Point™ FireWall-1®
    bv-Control® for Internet Security
    bv-Control® for Microsoft® Exchange
    bv-Control® for Microsoft® SQL Server
    bv-Control® for NDS® eDirectory™
    bv-Control® for NetWare®
    bv-Control® for Oracle®
    bv-Control® for UNIX®
    bv-Control® for Windows® and Active Directory®
    Compliance Manager
    Decision Support Center
    NETinventory®
    Password Self Service
    BindView Policy Operations Center®
    Symantec BindView Policy Manager

    NMAP - While I feel this ‘open source’ security tool is safe to use, based on its extensive use in the industry by security professionals, I also agree that folks need to be careful using any tool like this in the public domain.
    TIVOLI - While I’ve seen Tivoli as a network management and automation tool, I found that it can provide security analysis as well. If you can obtain just the components you need from the suite, this might be more cost-effective (as in past evaluations, I found this to be a fairly expensive client/server network management product suite). One advantage I see would be IBM’s commitment to supporting our network management systems like UNIX, Linux, etc …
    paste complete URL to browser
    www-306.ibm.com/software/tivoli/sw-bycategory/index.html
    Security Analysis for Tivoli
    Access
    Identity Management
    Privacy
    Risk
    Other Security

