Post on 19-Dec-2015
IBM Software Group
© IBM Corporation
Security: a Fundamental Requirement for Compliance with Sarbanes-Oxley
Jeanette Fetzer
a COBIT® oriented approach…
IBM Software Group | Tivoli software
2
Market dynamics are creating new IT challenges
The changing global regulatory and business environment requires security, identity, access and ongoing audit capabilities. Compliance is now driving critical dependencies on many business processes.
Most organizations manage large and complex IT environments with many user types to support business processes.
Infrastructure costs have been outpaced by spending on management and administration.
Fast-changing external forces and unpredictable workload make it difficult to meet service levels.
(Diagram labels: Complexity, Speed of Change, Cost, Compliance)
People in different roles with different objectives each move toward more systematic governance approaches.
(Diagram: Governance, with three drivers: Reduce IT & business risk; Increase value from investment; Cut compliance cost)
Governance is not a new way to manage. It’s always there; it’s a question of effectiveness.
Integrated Governance
An integrated approach helps unify governance processes and create the necessary alignment.
(Diagram labels: Corporate Governance: Shareholders, Stakeholders, Board of Directors, Sr. Executives. Resource Governance: Financial Governance, IT Governance, Legal Governance, Sourcing Governance. Enterprise Resources: Financial, Physical, IP, Human, IT, Alliances; Tangible Assets, Intangible Assets, Organizational Capabilities. Activities: Business insight; Security & controls; Policies & procedures; Align and trade off business priorities; Source/resource: buy, build, share, reuse; Value analysis; Readiness; Risk Analysis; Outcomes demonstration.)
How do you know what controls to put in place?
Focus: Sarbanes-Oxley seeks to strengthen corporate accountability
Requires certification and documentation of internal controls over financial reporting
Intends to enhance measures for internal checks and balances through governance
SOX is not specific in what controls must be in place
Guidelines such as COBIT® and ISO 17799 are used
Source: IT Control Objectives for Sarbanes-Oxley, IT Governance Institute, 2004
Making SOX actionable…
Through 2010, public companies that do not adopt a compliance management architecture will spend 50 percent more annually than their peers to achieve Sarbanes-Oxley compliance.
Source: Gartner, 2005
(Diagram labels: SOX; PCAOB; COSO; COBIT; Standards: ISO 17799, ISO 13335, NIST 800-53, ITIL)
Other sources of Best Practices, Procedures and Guidelines
COBIT® defines an IT Process & Control Framework, and complements other process models and sources of best practice. COBIT provides a recognisable measure of IT Governance that incorporates risk measurement and reporting.
Generally speaking, all Process Models attempt to achieve the same objectives, but have different levels of abstraction.
(Diagram: frameworks placed on a WHAT-to-HOW axis: ITIL, COBIT, ISO 9000, ISF Best Practices, IBM IT Process Model, FDA, ISO 20000 / ITSM, ISO 17799)
Overall COBIT framework
Plan & Organize: Aligning Business & IT
Acquire & Implement: Integrating technology solution acquisition into the business process
Deliver & Support: Service Delivery: confidentiality, integrity & availability
Monitor & Evaluate: Assessing for quality and compliance with control requirements
Source: COBIT 4.0, ITGI
Controls relevant to compliance cross a broad spectrum, as demonstrated in the COBIT IT control objectives recommended for SOX compliance.
Program Development & Program Change:
Acquire or develop application software
Develop and maintain policies and procedures
Install and test application software and technology infrastructure
Manage changes
Computer operations & access to programs and data:
Define and manage service levels
Ensure systems security
Manage the configuration
Manage problems and incidents
Manage data
Manage operations
Source: IT Control Objectives for Sarbanes-Oxley, IT Governance Institute, 2004 & Market Management
Control Objectives for Compliance initiatives
Regulations (columns): SOX, HIPAA, GLBA, SEC, Basel II, USA Patriot Act, SB 1386, PCI / CISP
(Each X marks one of the eight regulations the objective applies to; the column alignment of the marks did not survive extraction.)
Manage Change: X X X X X X X
Ensure System Security: X X X X X X X X
Manage Configuration: X X X X X
Manage Problems & Incidents: X X X X X
Manage Data: X X X X X X X
Manage Operations: X X X X X X X X
Manage 3rd Party Services: X X X X X X X
Acquire or Develop Application Software: X X
Acquire Technology Infrastructure: X X
Develop & Maintain policies & procedures: X X
Install & Test Application SW and Infrastructure: X X
Define & Manage Service Levels: X X X X X X X X
Customer data validation & privacy protection: X X X X X X
Application Controls: X X X X X X X
Ensuring system security – what’s involved?
Identity management
User account management
Security testing, surveillance & monitoring
Security incident definition
Malicious software detection, prevention and correction
Network security
Identity Management
Manage users, identities and access rights and monitor user activity on all IT systems.
Best practices:
Automate manually-implemented processes for controlling access to IT resources
Centralize access policy and related internal controls
Properly verify authenticity of all users based on potential liability
Tivoli products: Tivoli Identity & Access Management portfolio
Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management
End-to-end Identity and Access Management
(Diagram: three stages, each backed by a Tivoli product)
Identity Integration (TDI): Synchronize Identity Stores (HR, NOS, White Pages, Charge Centers, Telephony, Partner Directory, eMail Directory); automatically synchronize data
User Provisioning (TIM): Identity-Driven User Accounts; managing user accounts across an IT environment
Access Control (TAM): Identity-Driven Access and Disclosure Control; Enforcement: who can come in and what they can do
(Diagram labels: Users, Accounts, Controls)
User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management.
Best practices:
Manage identity lifecycle: provision, deprovision.
Monitor account activity: dormant accounts, irregular activity.
Segregation of Duties
Centralize access policy and related internal controls
Review / recertify access periodically
Tivoli products: Tivoli Identity Manager; Tivoli Identity Manager Express
(Diagram, five numbered steps: an Authoritative Identity Source (Human Resources, Customer Master, etc.) feeds the TIM Trusted Identity Store; accounts on Business Applications and Cisco Secure ACS (sample logins jcd0895, jdoe03, doej, smiths17, Sarah_s4, ackerh05, nbody) are matched to identities such as John C. Doe and Sarah K. Smith; a Recertification Request goes to Sarah’s Manager; Access Revalidated and Audited.)
Eliminate orphan accounts by matching accounts with identities; also verify access rights via account recertification.
Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management
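The orphan-account and recertification logic this slide describes, as an added example that is not IBM's or Tivoli's code: discovered accounts are matched against an authoritative identity source; orphans (no identity, or a terminated one), dormant accounts and segregation-of-duties conflicts are flagged, and everything still owned is grouped by manager for recertification. The identities, accounts, entitlement names and the 90-day dormancy window are constructed assumptions.

```python
# Added example (not from the IBM deck): a reconciliation pass over accounts
# discovered on business applications, matched to an authoritative identity
# store. All identities, accounts and entitlement names are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Identity:
    uid: str            # authoritative person identifier (e.g. HR employee id)
    name: str
    manager: str        # uid of the manager who recertifies this person's access
    active: bool        # False once HR records a termination

@dataclass
class Account:
    service: str
    login: str
    owner_uid: str | None          # link to an identity; None if never reconciled
    last_login: date | None
    entitlements: frozenset[str] = field(default_factory=frozenset)

# Constructed identity store: Sarah K. Smith has left the company.
IDENTITIES = {
    "E100": Identity("E100", "John C. Doe", "E001", True),
    "E101": Identity("E101", "Sarah K. Smith", "E001", False),
    "E102": Identity("E102", "Hans Acker", "E002", True),
}

# Constructed accounts discovered on two business applications.
TODAY = date(2006, 6, 1)
ACCOUNTS = [
    Account("ERP", "jdoe03", "E100", TODAY - timedelta(days=3),
            frozenset({"AP_ENTER", "AP_APPROVE"})),
    Account("ERP", "smiths17", "E101", TODAY - timedelta(days=120),
            frozenset({"AP_APPROVE"})),
    Account("ERP", "nbody", None, None, frozenset({"AP_ENTER"})),
    Account("CRM", "ackerh05", "E102", TODAY - timedelta(days=200),
            frozenset({"READ"})),
]

# Constructed segregation-of-duties rule: entering and approving payables
# may not sit with one account. The dormancy window is an assumption.
SOD_CONFLICTS = {frozenset({"AP_ENTER", "AP_APPROVE"})}
DORMANT_AFTER = timedelta(days=90)

def reconcile(accounts, identities, today=TODAY):
    """Return the findings an access recertification would route to managers."""
    findings = {"orphan": [], "dormant": [], "sod": [], "recertify": {}}
    for acct in accounts:
        ident = identities.get(acct.owner_uid) if acct.owner_uid else None
        key = f"{acct.service}:{acct.login}"
        # Orphan: no identity behind the account, or the identity is terminated.
        if ident is None or not ident.active:
            findings["orphan"].append(key)
            continue  # orphans are suspended outright, not sent for review
        # Dormant: no login inside the window (never-used accounts count too).
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings["dormant"].append(key)
        # Segregation of duties: a forbidden pair fully contained in the grants.
        if any(pair <= acct.entitlements for pair in SOD_CONFLICTS):
            findings["sod"].append(key)
        # Every account with a live owner goes to that owner's manager.
        findings["recertify"].setdefault(ident.manager, []).append(key)
    return findings

if __name__ == "__main__":
    for category, items in reconcile(ACCOUNTS, IDENTITIES).items():
        print(category, items)
```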
Security Testing, Surveillance and Monitoring
Proactive real-time monitoring of network and systems for compliance with security policies and historical reporting to demonstrate compliance.
Best practices:
Determine security policy and implement throughout infrastructure
Monitor to ensure security policies are relevant and enforced
Monitor network, systems, users and applications for potential breaches or misuse
Provide proof of controls and effectiveness to audit and compliance bodies
Tivoli products: Tivoli Security Compliance Manager; Tivoli Security Operations Manager
Reports from TSCM and TSOM demonstrate to audit and compliance that controls are in place and whether or not they are effective.
Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management
Security Incident Definition
Clearly define and communicate potential security incidents so they can be handled correctly.
Best practices:
Develop an IRP that includes classification/severity of potential incidents
Outline escalation procedures for incidents within the IRP
Monitor infrastructure continuously and in real-time to detect potential incidents
Investigate and respond to incidents to mitigate potential problems
Escalate across IT-silos to facilitate incident response and problem resolution
Tivoli products: Tivoli Security Operations Manager
(Chart: security events plotted by Event Class, Domain and Frequency)
Tivoli Security Operations Manager enables centralized monitoring and analysis of security events and a dashboard from which to investigate potential security incidents.
Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management
Malicious software prevention, detection & correction
Ensure that preventive, detective and corrective measures are in place to protect information systems and technology from malware.
Best practices:
Develop policies for all systems that address what software and activities are allowed
Monitor continuously to ensure that policies are followed/enforced
Respond to security incidents quickly to mitigate damage from malware
Close loop by fixing misconfigurations and implementing any lessons learned
Tivoli products: Tivoli Security Operations Manager; Tivoli Security Compliance Manager
(Diagram: TSOM collecting from external IDS/IPS, Wireless AP, Servers, Desktops, VPN, WWW and a Vulnerability Scanner, with the Internet at the edge; infected hosts isolated from network)
When a worm (e.g. Zotob) infects a network, Tivoli Security Operations Manager detects it quickly and assists customers in minimizing the damage.
Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management
Network Security
Ensure operational security management is in place to authorize access and control information flows from and to networks.
Best practices: Manage network access; Enforce security compliance
Tivoli products: Tivoli Security Compliance Manager & Cisco Integration; Tivoli Security Operations Manager
(Diagram: network admission control flow)
Device with: Tivoli Security Compliance Manager Client; Cisco Trust Agent
Cisco network access device* with NAC support
Cisco Secure Access Control Server
Tivoli Security Compliance Manager Server
Tivoli Provisioning Manager
Optional Cisco Content Engine to locally store remediation files
Compliance: Compliant client is granted access to production network (Enterprise Applications)
Remediation: Non-compliant client is sent to remediation network to remedy non-compliance issues
* Network access can be via router, switch, VPN concentrator, or wireless access point
Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management
Proving it to the auditor… Tivoli security portfolio reports
(Reports grouped by control area and by the control objective each group supports)
Identity Management
Authenticate All Users: General Authentication Event History; Failed Authentication Event History
Maintain effective authentication and access: General Authorization Event History; Locked Account History; User Password Change History; Administrator and Self-Care Password Change History
Monitor and log all security activities: General Audit Event Details Report; General Audit Event History; Audit Event History by User; Failed Authentication History; Failed Authorization History; Locked Account History; User Password Change History; Administrator and Self-Care Password Change History; Certificate Expiration Report; Most Active Accessors Report; Authorization Event History by Action; General Administration Event History; User Administration Event History; Group Administration Event History; Security Server Audit Event History; Resource Access By Accessor Report; Resource Access By Resource Report
Perform Provisioning Activities: User Administration Event History; Group Administration Event History; Provisioning Activities performed by Individual; Server Availability Report; Services; Policies
User Account Management
Follow Appropriate Segregation of Duties: Individual Accounts; Accounts by Role; Accounts on Service; Entitlement by individual; General Administration Event History; ACI
Periodically Review Access Rights: Individual Accounts; Accounts by Role; Accounts on Service; Entitlement by individual; Reconciliation Status; Non-compliant accounts
Define User Account Management Procedures: Policies governing a role; Approvals/Rejections; Pending Approvals; Suspended Accounts; Suspended People
Incident and Problem Management
Supports timely investigation of unauthorized activities: Mean Time to Ticket Acknowledgement; Total Ticket Volume for Priorities; Mean Time to Ticket Resolution
Incidents and problems are recorded, analyzed and resolved in a timely manner: Incident Resolution Status by Watchlist – SOX-related systems; Analyst Responsiveness Trend Report; Incident Time to Resolution Report; Incident Time to Resolution Trend Report
Operational Security Management
Monitor and log all security activities: Top Destination Threats by Event Class – SOX; Top Events by Event Class – SOX; Top 20 Source IPs by Watchlist – SOX; Asset Vulnerability Detail by Watchlist – SOX; Top Repeated Connections; Top Destination IPs by Event Class; Top Repeated Connections from Sensor; Top Destination IPs for Protocol; Top Destinations by Sensor; Top Repeated Connections with Dest Port; Top Destinations by Watchlist – SOX; Top Source IPs; Top Source IPs for Event Class; Top Dest Threats and Respective Source Threats by Event; Top Source IPs for Protocol; Top Dest Threats and Respective Source Threats for IP; Top Sources by Sensor; Top Sources by Watchlist
Kohl’s Department Stores
Client requirements:
Manage user identification and access rights to increase the accessibility of business-critical systems and avoid the security breaches associated with personnel turnover
Improve the company’s ability to comply with Sarbanes-Oxley (SOX) regulations
Solution:
Bolstered information technology (IT) security by engaging IBM Global Technology Services to implement an automated identity management solution based on IBM Tivoli® Access Manager, IBM Tivoli Identity Manager and IBM Tivoli Directory Integrator applications
Installed powerful IBM eServer™ pSeries® servers to support the security software
Benefits:
Allows Kohl’s to provision a new account in 20 minutes instead of 3 weeks, reducing the per-account cost from US$230 to US$15
Enables the client to save 60 hours of IT labor per week, since fewer password resets are required
Helps to put Kohl’s in compliance with SOX regulations
kohls.com
Internal
Menomonee Falls, Wisconsin, United States (Americas)
Industry: Retail
Profile: An apparel and home products retailer with more than 560 stores across 37 U.S. states
Size: 10,000 or more
Category: Infrastructure Solutions – IT Security
Mapping of Tivoli products to COBIT Control Objective areas
Controls relevant to compliance cross a broad spectrum, as demonstrated in the COBIT IT control objectives recommended for SOX compliance.
Program Development & Program Change:
Acquire or develop application software: Rational
Develop and maintain policies and procedures: Tivoli Configuration Manager, Tivoli License Manager, ITSM Release Management, CCMDB
Install and test application software and technology infrastructure: Tivoli Configuration Manager, Tivoli Provisioning Manager, Tivoli Release Management, CCMDB
Manage changes: Tivoli Release Management, Tivoli Configuration Manager, Tivoli Provisioning Manager, CCMDB
Computer operations & access to programs and data:
Define and manage service levels: Tivoli Service Level Advisor, Tivoli Manager for Transaction Performance, Tivoli Composite Application Manager, Tivoli Intelligent Orchestrator
Ensure systems security: Tivoli Identity Manager, Tivoli Access Manager, Tivoli Federated Identity Manager, Tivoli Security Compliance Manager, Tivoli Security Operations Manager, Tivoli Directory Server, Tivoli Directory Integrator
Manage the configuration: Tivoli Configuration Manager, Tivoli Provisioning Manager, Tivoli Release Management, CCMDB
Manage problems and incidents: Tivoli Event Correlation, Tivoli Release Management, Tivoli Security Operations Manager, CCMDB
Manage data: Tivoli Configuration Manager, Tivoli Provisioning Manager, CCMDB, Tivoli Storage Manager
Manage operations: Tivoli Release Management, Tivoli Configuration Manager, Tivoli Provisioning Manager, CCMDB, Tivoli Workload Scheduler, Tivoli Event Correlation, Tivoli Service Level Advisor, Tivoli Monitoring, Tivoli Security Operations Manager
Source: IT Control Objectives for Sarbanes-Oxley, IT Governance Institute, 2004 & Market Management
IBM IT Service Management
An innovative vision for the optimal intersection of People, Process, Information and Technology
Optimize the sharing of information across people, processes and technology
Establish decision-making policies to collaborate across organizations
Automate and integrate IT processes aligned to business
Leverage IBM’s modular approach to achieve your business goals
Benefits of Compliance
Improve efficiency and reduce costs: Productivity enhanced by automating previously manual processes
Enhance compliance readiness: Flexibility to address the growing number of regulations; Consistent and more comprehensive approach enhances accuracy and speed of reporting
Improve effectiveness: IT process integration enables a more consistent and comprehensive method for policy management and enforcement
Reduce risk: Better manage who has the ability to change what in your infrastructure; Tracking and reporting on authorized and unauthorized activity enables the identification of potential exposures
Summary
Compliance can be an enabler – in terms of managing risks and improving operating efficiencies.
Integrated governance helps you to derive business value out of your IT investments
Look to control frameworks and standards to help guide your efforts
Security is very relevant to compliance
IBM Tivoli can help: Industry leading portfolio of security solutions
Broad coverage advantageous for heterogeneous environments
Strong audit, monitoring and reporting capabilities
Disclaimers and Trademarks
No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.
Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.
IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both: DB2, e-business logo, eServer, IBM, IBM eServer, IBM logo, Lotus, Tivoli, WebSphere, Rational, z/OS, zSeries, System z.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States and/or other countries.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.
ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.
COBIT® is a registered trademark of the Information Systems Audit and Control Association and the IT Governance Institute.
ISACA is a Registered Trade mark of The Information Systems Audit and Control Association
IT Infrastructure Library® is a Registered Trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.