® IBM Software Group © IBM Corporation Security: a Fundamental Requirement for Compliance with Sarbanes-Oxley Jeanette Fetzer a COBIT ® oriented approach…

Post on 19-Dec-2015


Page 1:

IBM Software Group

© IBM Corporation

Security: a Fundamental Requirement for Compliance with Sarbanes-Oxley

Jeanette Fetzer

a COBIT® oriented approach…

Page 2:

IBM Software Group | Tivoli software

The changing global regulatory and business environment requires security, identity, access and ongoing audit capabilities. Compliance is now driving critical dependencies on many business processes.

Most organizations manage large and complex IT environments with many user types to support business processes.

Infrastructure costs have been outpaced by spending on management and administration.

Fast-changing external forces and unpredictable workload make it difficult to meet service levels.

Market dynamics are creating new IT challenges: complexity, speed of change, cost and compliance.

Page 3:

People in different roles with different objectives each move toward more systematic governance approaches.

Governance goals: reduce IT & business risk; increase value from investment; cut compliance cost.

Governance is not a new way to manage. It’s always there, it’s a question of effectiveness.

Page 4:

An integrated approach helps unify governance processes and create the necessary alignment.

[Diagram: Integrated Governance. Corporate Governance (shareholders, stakeholders, board of directors, senior executives) spans Resource, Financial, IT, Legal and Sourcing Governance. Enterprise resources / tangible assets: financial, physical, human, IT; intangible assets / organizational capabilities: IP, alliances. Activities shown: business insight; security & controls; policies & procedures; align and trade off business priorities; source/resource (buy, build, share, reuse); value analysis; readiness; risk analysis; outcomes demonstration.]

Page 5:

How do you know what controls to put in place?

Focus: Sarbanes-Oxley seeks to strengthen corporate accountability

Requires certification and documentation of internal controls over financial reporting

Intends to enhance measures for internal checks and balances through governance

SOX is not specific in what controls must be in place

Guidelines such as COBIT® and ISO 17799 are used

Source: IT Control Objectives for Sarbanes-Oxley, IT Governance Institute, 2004

Making SOX actionable…

Through 2010, public companies that do not adopt a compliance management architecture will spend 50 percent more annually than their peers to achieve Sarbanes-Oxley compliance.

Source: Gartner, 2005

[Diagram, layered from regulation down to standards: SOX; PCAOB, COSO; COBIT; Standards: ISO 17799, ISO 13335, NIST 800-53, ITIL]

Page 6:

Other sources of Best Practices, Procedures and Guidelines

[Diagram: process models placed on a WHAT-to-HOW axis: ITIL, COBIT, ISO 9000, ISF Best Practices, IBM IT Process Model, FDA, ISO 20000 / ITSM, ISO 17799]

COBIT® defines an IT Process & Control Framework, and complements other process models and sources of best practice. COBIT provides a recognisable measure of IT Governance that incorporates risk measurement and reporting.

Generally speaking, all Process Models attempt to achieve the same objectives, but have different levels of abstraction.

Page 7:

Overall COBIT framework

Plan & Organize: aligning business & IT

Acquire & Implement: integrating technology solution acquisition into the business process

Deliver & Support: service delivery, i.e. confidentiality, integrity & availability

Monitor & Evaluate: assessing for quality and compliance with control requirements

Source: COBIT 4.0, ITGI

Page 8:

Controls relevant to compliance cross a broad spectrum as demonstrated in the COBIT IT control objectives recommended for SOX compliance

Program Development & Program Change

Acquire or develop application software

Develop and maintain policies and procedures

Install and test application software and technology infrastructure

Manage changes

Computer operations & access to programs and data

Define and manage service levels

Ensure systems security

Manage the configuration

Manage problems and incidents

Manage data

Manage operations

Source: IT Control Objectives for Sarbanes-Oxley, IT Governance Institute, 2004 & Market Management

Page 9:

Control Objectives for Compliance initiatives

Regulations compared: SOX, HIPAA, GLBA, SEC, Basel II, USA Patriot Act, SB 1386, PCI / CISP. The slide marks each control objective with an X under each regulation it applies to; the column alignment was lost in extraction, so only the number of marked regulations (out of 8) survives.

Manage Change: 7 of 8

Ensure System Security: 8 of 8

Manage Configuration: 5 of 8

Manage Problems & Incidents: 5 of 8

Manage Data: 7 of 8

Manage Operations: 8 of 8

Manage 3rd Party Services: 7 of 8

Acquire or Develop Application Software: 2 of 8

Acquire Technology Infrastructure: 2 of 8

Develop & Maintain policies & procedures: 2 of 8

Install & Test Application SW and Infrastructure: 2 of 8

Define & Manage Service Levels: 8 of 8

Customer data validation & privacy protection: 6 of 8

Application Controls: 7 of 8

Page 10:

Ensuring system security – what’s involved?

Identity management

User account management

Security testing, surveillance & monitoring

Security incident definition

Malicious software detection, prevention and correction

Network security

Page 11:

Identity Management

Manage users, identities and access rights and monitor user activity on all IT systems.

Best practices

Automate manually-implemented processes for controlling access to IT resources

Centralize access policy and related internal controls

Properly verify authenticity of all users based on potential liability

Tivoli products

Tivoli Identity & Access Management portfolio

Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management

Page 12:

End-to-end Identity and Access Management

[Diagram with three stages:

Identity Integration (TDI, Tivoli Directory Integrator): synchronize identity stores and automatically synchronize data across HR, NOS, White Pages, charge centers, telephony, the partner directory and the eMail directory.

User Provisioning (TIM, Tivoli Identity Manager): identity-driven user accounts; managing user accounts across an IT environment.

Access Control (TAM, Tivoli Access Manager): identity-driven access and disclosure control; enforcement of who can come in and what they can do.

Flow: Users, Accounts, Controls.]

Page 13:

User Account Management

Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management.

Best practices

Manage identity lifecycle: provision, deprovision.

Monitor account activity: dormant accounts, irregular activity.

Segregation of Duties

Centralize access policy and related internal controls

Review / recertify access periodically

Tivoli products

Tivoli Identity Manager

Tivoli Identity Manager Express

[Diagram: accounts on Business Applications and Cisco Secure ACS are reconciled in the TIM Trusted Identity Store against the Authoritative Identity Source (Human Resources, Customer Master, etc.). Identities shown: John C. Doe, Sarah K. Smith; accounts shown: jcd0895, jdoe03, doej, smiths17, Sarah_s4, ackerh05, nbody. Steps 1 to 5: a Recertification Request goes to Sarah’s Manager, and access is revalidated and audited.]

Eliminate orphan accounts by matching accounts with identities; also verify access rights via account recertification.

Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management
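The reconciliation the slide sketches, written out as an added example (not Tivoli Identity Manager code and not from the original deck): accounts collected from managed services are matched against the authoritative HR feed, exceptions are classified (orphan, leaver still provisioned, dormant, segregation-of-duties conflict), and recertification requests are routed to each owner's manager. The HR records, account inventory, login names and the `AP.post` / `AP.approve` toxic pair are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Identity:
    """One person in the authoritative identity source (the HR feed)."""
    person_id: str
    name: str
    manager_id: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    """One account as collected from a managed service."""
    service: str
    login: str
    owner_ref: Optional[str]  # person_id recorded on the account, if any
    days_since_login: int
    entitlements: FrozenSet[str] = frozenset()


# Constructed HR feed (authoritative identity source); names and IDs are illustrative
HR_FEED = (
    Identity("P001", "John C. Doe", "M100", "active"),
    Identity("P002", "Sarah K. Smith", "M101", "active"),
    Identity("P003", "H. Acker", "M101", "terminated"),
)

# Constructed account inventory collected from two services
ACCOUNT_INVENTORY = (
    Account("unix", "jdoe03", "P001", 3),
    Account("erp", "doej", "P001", 95, frozenset({"AP.post"})),
    Account("unix", "smiths17", "P002", 1),
    Account("erp", "Sarah_s4", "P002", 7, frozenset({"AP.post", "AP.approve"})),
    Account("unix", "ackerh05", "P003", 120),
    Account("unix", "nbody", None, 400),
)

# Entitlement combinations one person must never hold (segregation of duties)
TOXIC_PAIRS = (frozenset({"AP.post", "AP.approve"}),)


def reconcile(accounts, hr_feed, dormant_days=90, toxic_pairs=TOXIC_PAIRS) -> Dict[str, list]:
    """Match every account to an identity and classify the exceptions.

    orphan      -> no identity claims the account (candidate for removal)
    deprovision -> owner has left but the account still exists (lifecycle gap)
    dormant     -> owned account unused for longer than dormant_days
    sod         -> one person holds a toxic entitlement combination
    recert      -> (manager_id, account, owner) attestation requests
    """
    identities = {p.person_id: p for p in hr_feed}
    findings: Dict[str, list] = {k: [] for k in ("orphan", "deprovision", "dormant", "sod", "recert")}
    held: Dict[str, set] = {}  # person_id -> union of entitlements over their accounts
    for acct in accounts:
        key = f"{acct.service}:{acct.login}"
        person = identities.get(acct.owner_ref) if acct.owner_ref else None
        if person is None:
            findings["orphan"].append(key)
            continue
        if person.status != "active":
            findings["deprovision"].append(key)
            continue
        if acct.days_since_login > dormant_days:
            findings["dormant"].append(key)
        held.setdefault(person.person_id, set()).update(acct.entitlements)
        # Recertification: the owner's manager attests to, or revokes, the access
        findings["recert"].append((person.manager_id, key, person.person_id))
    for person_id, ents in held.items():
        for pair in toxic_pairs:
            if pair <= ents:
                findings["sod"].append((person_id, tuple(sorted(pair))))
    return findings


def recert_by_manager(findings) -> Dict[str, List[str]]:
    """Group recertification requests by the manager who must act on them."""
    out: Dict[str, List[str]] = {}
    for manager_id, key, _owner in findings["recert"]:
        out.setdefault(manager_id, []).append(key)
    return out


if __name__ == "__main__":
    result = reconcile(ACCOUNT_INVENTORY, HR_FEED)
    for category in ("orphan", "deprovision", "dormant", "sod"):
        print(f"{category:12s} {result[category]}")
    for manager_id, keys in recert_by_manager(result).items():
        print(f"recert -> {manager_id}: {', '.join(keys)}")
```

Orphan and leaver accounts are reported separately because they need different owners to act: the service administrator removes an orphan, while a leaver's account is a provisioning workflow that failed to fire.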

Page 14:

Security Testing, Surveillance and Monitoring

Proactive real-time monitoring of network and systems for compliance with security policies and historical reporting to demonstrate compliance.

Best practices

Determine security policy and implement throughout infrastructure

Monitor to ensure security policies are relevant and enforced

Monitor network, systems, users and applications for potential breaches or misuse

Provide proof of controls and effectiveness to audit and compliance bodies

Tivoli products

Tivoli Security Compliance Manager

Tivoli Security Operations Manager

Reports from TSCM and TSOM demonstrate to audit and compliance that controls are in place and whether or not they are effective.

Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management

Page 15:

Security Incident Definition

Clearly define and communicate potential security incidents so they can be handled correctly.

Best practices

Develop an IRP that includes classification/severity of potential incidents

Outline escalation procedures for incidents within the IRP

Monitor infrastructure continuously and in real-time to detect potential incidents

Investigate and respond to incidents to mitigate potential problems

Escalate across IT-silos to facilitate incident response and problem resolution

Tivoli products

Tivoli Security Operations Manager

[Dashboard chart: event frequency by event class and domain.]

Tivoli Security Operations Manager enables centralized monitoring and analysis of security events and a dashboard from which to investigate potential security incidents.

Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management

Page 16:

Malicious software prevention, detection & correction

Ensure that preventive, detective and corrective measures are in place to protect information systems and technology from malware.

Best practices

Develop policies for all systems that address what software and activities are allowed

Monitor continuously to ensure that policies are followed/enforced

Respond to security incidents quickly to mitigate damage from malware

Close loop by fixing misconfigurations and implementing any lessons learned

Tivoli products

Tivoli Security Operations Manager

Tivoli Security Compliance Manager

[Diagram: a network with Internet connection, external IDS/IPS, wireless AP, servers, desktops, VPN, WWW and a vulnerability scanner around TSOM; infected hosts are isolated from the network.]

When a worm (e.g. Zotob) infects a network, Tivoli Security Operations Manager detects it quickly and assists customers in minimizing the damage.

Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management

Page 17:

Network Security

Ensure operational security management is in place to authorize access and control information flows from and to networks.

Best practices

Manage network access

Enforce security compliance

Tivoli products

Tivoli Security Compliance Manager & Cisco Integration

Tivoli Security Operations Manager

[Diagram of the network admission flow: a device running the Tivoli Security Compliance Manager Client and the Cisco Trust Agent connects through a Cisco network access device* with NAC support. The Cisco Secure Access Control Server, the Tivoli Security Compliance Manager Server and Tivoli Provisioning Manager handle compliance checking and remediation, with an optional Cisco Content Engine to locally store remediation files. A compliant client is granted access to the production network and Enterprise Applications; a non-compliant client is sent to the remediation network to remedy non-compliance issues.]

* Network access can be via router, switch, VPN concentrator, or wireless access point

Source: COBIT 4.0, IT Governance Institute, 2005 & Tivoli Market Management
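The admission decision in the diagram above, as an added example (not TSCM, Cisco Trust Agent or ACS code): a posture report from the client is evaluated against a compliance policy, a passing client is placed on the production network, a failing one is sent to remediation with the list of things to fix, and a missing or unsigned report fails closed. The rule names, posture fields, thresholds and `PATCH-EXAMPLE-*` identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed placeholders, not a real patch baseline or vendor threshold
REQUIRED_PATCHES = frozenset({"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"})
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass(frozen=True)
class Rule:
    name: str
    check: Callable[[dict], bool]  # True when the posture satisfies the rule
    remediation: str               # what the remediation network must fix


# Constructed compliance policy, evaluated against the client's posture report
POLICY: Tuple[Rule, ...] = (
    Rule("av-signatures-fresh",
         lambda p: p.get("av_sig_age_days", 10**6) <= MAX_SIGNATURE_AGE_DAYS,
         "Update antivirus signatures"),
    Rule("av-running",
         lambda p: p.get("av_running") is True,
         "Start the antivirus service"),
    Rule("critical-patches",
         lambda p: REQUIRED_PATCHES <= set(p.get("patches", ())),
         "Install missing critical patches"),
    Rule("host-firewall",
         lambda p: p.get("firewall_enabled") is True,
         "Enable the host firewall"),
)


def admit(posture: Optional[dict], policy: Tuple[Rule, ...] = POLICY) -> Tuple[str, List[str]]:
    """Decide which network the client gets and what it must fix first.

    Fails closed: a client with no posture report, or a report the agent did
    not sign, is treated as non-compliant instead of being admitted.
    """
    if not posture or posture.get("agent_signed") is not True:
        return "remediation", ["Install or repair the posture agent and re-authenticate"]
    failed = [rule for rule in policy if not rule.check(posture)]
    if not failed:
        return "production", []
    return "remediation", [rule.remediation for rule in failed]


def remediate_and_retry(posture: dict, fixes: dict) -> Tuple[str, List[str]]:
    """Apply what the remediation network changed and re-run admission."""
    updated = dict(posture)
    updated.update(fixes)
    return admit(updated)


def admission_record(client_id: str, posture: Optional[dict]) -> dict:
    """The per-decision record an auditor-facing compliance report is built from."""
    network, steps = admit(posture)
    return {"client": client_id, "network": network, "remediation": steps}


# Constructed posture reports as the agent would deliver them
POSTURES = {
    "laptop-ok": {"agent_signed": True, "av_sig_age_days": 1, "av_running": True,
                  "patches": ["PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2", "PATCH-EXAMPLE-3"],
                  "firewall_enabled": True},
    "laptop-stale": {"agent_signed": True, "av_sig_age_days": 30, "av_running": True,
                     "patches": ["PATCH-EXAMPLE-1"], "firewall_enabled": False},
    "printer-no-agent": None,
}


if __name__ == "__main__":
    for client_id, posture in POSTURES.items():
        print(admission_record(client_id, posture))
```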

Page 18:

Proving it to the auditor… Tivoli security portfolio reports

Identity Management

Monitor and log all security activities: General Audit Event Details Report; General Audit Event History; Audit Event History by User; Failed Authentication History; Failed Authorization History; Locked Account History; User Password Change History; Administrator and Self-Care Password Change History; Certificate Expiration Report; Most Active Accessors Report; Authorization Event History by Action; General Administration Event History; User Administration Event History; Group Administration Event History; Security Server Audit Event History; Resource Access By Accessor Report; Resource Access By Resource Report

Perform Provisioning Activities: User Administration Event History; Group Administration Event History; Provisioning Activities performed by Individual; Server Availability Report; Services; Policies

Maintain effective authentication and access: General Authorization Event History; Locked Account History; User Password Change History; Administrator and Self-Care Password Change History

Authenticate All Users: General Authentication Event History; Failed Authentication Event History

User Account Management

Follow Appropriate Segregation of Duties: Individual Accounts; Accounts by Role; Accounts on Service; Entitlement by individual; General Administration Event History; ACI

Periodically Review Access Rights: Individual Accounts; Accounts by Role; Accounts on Service; Entitlement by individual; Reconciliation Status; Non-compliant accounts

Define User Account Management Procedures: Policies governing a role; Approvals/Rejections; Pending Approvals; Suspended Accounts; Suspended People

Incident and Problem Management

Supports timely investigation of unauthorized activities: Mean Time to Ticket Acknowledgement; Total Ticket Volume for Priorities; Mean Time to Ticket Resolution

Incidents and problems are recorded, analyzed and resolved in a timely manner: Incident Resolution Status by Watchlist – SOX-related systems; Analyst Responsiveness Trend Report; Incident Time to Resolution Report; Incident Time to Resolution Trend Report

Operational Security Management

Monitor and log all security activities: Top Destination Threats by Event Class – SOX; Top Events by Event Class – SOX; Top 20 Source IPs by Watchlist – SOX; Asset Vulnerability Detail by Watchlist – SOX; Top Repeated Connections; Top Destination IPs by Event Class; Top Repeated Connections from Sensor; Top Destination IPs for Protocol; Top Destinations by Sensor; Top Repeated Connections with Dest Port; Top Destinations by Watchlist – SOX; Top Source IPs; Top Source IPs for Event Class; Top Dest Threats and Respective Source Threats by Event; Top Source IPs for Protocol; Top Dest Threats and Respective Source Threats for IP; Top Sources by Sensor; Top Sources by Watchlist

Page 19:

Kohl’s Department Stores

Client requirements

Manage user identification and access rights to increase the accessibility of business-critical systems and avoid the security breaches associated with personnel turnover

Improve the company’s ability to comply with Sarbanes-Oxley (SOX) regulations

Solution

Bolstered information technology (IT) security by engaging IBM Global Technology Services to implement an automated identity management solution based on IBM Tivoli® Access Manager, IBM Tivoli Identity Manager and IBM Tivoli Directory Integrator applications

Installed powerful IBM eServer™ pSeries® servers to support the security software

Benefits

Allows Kohl’s to provision a new account in 20 minutes instead of 3 weeks, reducing the per-account cost from US$230 to US$15

Enables the client to save 60 hours of IT labor per week, since fewer password resets are required

Helps to put Kohl’s in compliance with SOX regulations

kohls.com

Menomonee Falls, Wisconsin, United States (Americas)

Industry: Retail

Profile: An apparel and home products retailer with more than 560 stores across 37 U.S. states

Size: 10,000 or more

Category: Infrastructure Solutions – IT Security

Page 20:

Controls relevant to compliance cross a broad spectrum as demonstrated in the COBIT IT control objectives recommended for SOX compliance

Mapping of Tivoli products to COBIT Control Objective areas

Program Development & Program Change

Acquire or develop application software: Rational

Develop and maintain policies and procedures: Tivoli Configuration Manager, Tivoli License Manager, ITSM Release Management, CCMDB

Install and test application software and technology infrastructure: Tivoli Configuration Manager, Tivoli Provisioning Manager, Tivoli Release Management, CCMDB

Manage changes: Tivoli Release Management, Tivoli Configuration Manager, Tivoli Provisioning Manager, CCMDB

Computer operations & access to programs and data

Define and manage service levels: Tivoli Service Level Advisor, Tivoli Manager for Transaction Performance, Tivoli Composite Application Manager, Tivoli Intelligent Orchestrator

Ensure systems security: Tivoli Identity Manager, Tivoli Access Manager, Tivoli Federated Identity Manager, Tivoli Security Compliance Manager, Tivoli Security Operations Manager, Tivoli Directory Server, Tivoli Directory Integrator

Manage the configuration: Tivoli Configuration Manager, Tivoli Provisioning Manager, Tivoli Release Management, CCMDB

Manage problems and incidents: Tivoli Event Correlation, Tivoli Release Management, Tivoli Security Operations Manager, CCMDB

Manage data: Tivoli Configuration Manager, Tivoli Provisioning Manager, CCMDB, Tivoli Storage Manager

Manage operations: Tivoli Release Management, Tivoli Configuration Manager, Tivoli Provisioning Manager, CCMDB, Tivoli Workload Scheduler, Tivoli Event Correlation, Tivoli Service Level Advisor, Tivoli Monitoring, Tivoli Security Operations Manager

Source: IT Control Objectives for Sarbanes-Oxley, IT Governance Institute, 2004 & Market Management

Page 21:

An innovative vision for the optimal intersection of People, Process, Information and Technology

Optimize the sharing of information across people, processes and technology

Establish decision-making policies to collaborate across organizations

Automate and integrate IT processes aligned to business

Leverage IBM’s modular approach to achieve your business goals

IBM IT Service Management

Page 22:

Benefits of Compliance

Improve efficiency and reduce costs: productivity enhanced by automating previously manual processes

Enhance compliance readiness: flexibility to address the growing number of regulations; a consistent and more comprehensive approach enhances accuracy and speed of reporting

Improve effectiveness: IT process integration enables a more consistent and comprehensive method for policy management and enforcement

Reduce risk: better manage who has the ability to change what in your infrastructure; tracking and reporting on authorized and unauthorized activity enables the identification of potential exposures

Page 23:

Summary

Compliance can be an enabler – in terms of managing risks and improving operating efficiencies.

Integrated governance helps you to derive business value out of your IT investments

Look to control frameworks and standards to help guide your efforts

Security is very relevant to compliance

IBM Tivoli can help: Industry leading portfolio of security solutions

Broad coverage advantageous for heterogeneous environments

Strong audit, monitoring and reporting capabilities

Page 24:

Disclaimers and Trademarks

No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.

IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both: DB2, e-business logo, eServer, IBM, IBM eServer, IBM logo, Lotus, Tivoli, WebSphere, Rational, z/OS, zSeries, System z.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States and/or other countries.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

COBIT® is a registered trademark of the Information Systems Audit and Control Association and the IT Governance Institute.

ISACA is a Registered Trade mark of The Information Systems Audit and Control Association

IT Infrastructure Library® is a Registered Trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
