Separating Fact from Fiction: Security Technologies for Regulatory Compliance Diana Kelley, Senior Analyst Burton Group

Uploaded by sandra4211, posted 08-May-2015


Page 1

Separating Fact from Fiction: Security Technologies for Regulatory Compliance
Diana Kelley, Senior Analyst, Burton Group

Page 2

Agenda

Regulatory compliance – One size does not fit all
• And compliance is not a product
• Why “SOX-in-a-box” is a myth

Compliance frameworks
• A systematic, comprehensive approach
• Policy first

Tools that can help
• Building a toolbox
• Management and Compliance “dashboards”

Page 3

Compliance: The Biggest Time Waster of 2005?

August 2005 Share Conference on-line registrant poll

Looking back from the year 2015 at wasteful or ineffective efforts in 2005:
• 28% - Sarbanes-Oxley compliance
• 23% - Deployment of unproven technologies
• 19% - Purchase of unneeded technologies

Source: ComputerWorld, August 23, 2005,
http://www.computerworld.com/hardwaretopics/hardware/story/0,10801,104118,00.html

Page 4

Regulatory Compliance – One Size Does Not Fit All

Compliance is not a product
• Combination of people, process, and technology

Why “SOX-in-a-box” is a myth
• Or a misnomer
• Enterprise IT systems are extremely complex
• Regulations are not prescriptive
• Regulations may have competing requirements
  Ex: Log file retention times
  Ex: PII storage

Page 5

Sarbanes-Oxley

Section 404(a)(2) of the regulation: "[an internal control report, which shall] contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

Page 6

Control Weaknesses Reported During SOX Compliance Work

Lack of adequate system documentation

Lack of audit training and experience

Lack of management oversight

Too many privileges (IT personnel often had too many privileges, and there was insufficient separation of duties), for example multiple IDs per person and generic IDs

Inadequate handling of privilege changes related to promotions and job re-assignment

Documentation for small, routine maintenance tasks was often non-existent or inadequate

Page 7

PCI Data Security Standard

Build and maintain a secure network

Protect cardholder data

Maintain a vulnerability management program

Implement strong access control measures

Regularly monitor and test networks

Page 8

Compliance Frameworks

Created by an organization to simplify the compliance process

A set of policies, procedures, and technologies that normalizes the organization’s approach to compliance

Benefits of compliance frameworks

• Consistent policy based approach to compliance

• Separation of concerns

• Reduced reporting time

• Easier maintenance

• Centralized control

Page 9

Legal matters

What is the company required to supply, by law?
• Audit compliance: ISO, SAS70, HIPAA, SOX, GLBA, EUDD
• Who is accountable for lack of compliance?
• Will fees be levied or ops shut down?

Why it matters
• Business continuity
• Audit success
• Policy enforcement
• Reporting requirements

Page 10

A Systematic, Comprehensive Approach

First things first - What constitutes compliance?
• Work with internal and external audit teams
• Use “a suitable, recognized control framework established by a body of experts that followed due-process procedures.”
  http://www.sox-online.com/release-20040308-1.pdf
• Understand there is a legacy – exceptions will have to be documented
• Establish control frameworks
• Translate policies to technical policies
  The bits and bytes of compliance
  Ex: Hierarchical administrator or superuser accounts

Identify what can be automated, and what can’t

Page 11

Control Framework Example

Columns: Control Objectives | Organization Control Activities | IT Control Activities

Control objective: Duties are separated between debit/credit accounting functions
Organization control activities: Management creates separate job titles and responsibilities
IT control activities: Role-based access control; management approval of access requests

Control objective: Changes to customer information are approved and accurate
Organization control activities: Customers are mailed confirmation “opt-in” letters; logs are periodically reviewed
IT control activities: Secure log server; tamperproof audit record

Control objective: Health information is protected from unauthorized access
Organization control activities: Employees are trained in proper information handling
IT control activities: Network isolation; outbound content control

Control objective: Financial information integrity is maintained
Organization control activities: Managers explicitly attest to information currency, accuracy, and validity
IT control activities: Application code formally tested before move to production

Page 12

Thinking through Compliance Requirements

What standards does the company need to adhere to?

What devices/apps need to be covered?
• Standard devices
• Legacy systems
• Home-grown applications

• Internal -- Policies, ISO compliance
• External -- SOX, HIPAA, GLBA, Partners

Page 13

The Devil’s in the Details

Some Gotchas
• Heterogeneous environments increase complexity
• The weakest link device/application
• Adherence to corporate standards, but failure in audit
• Application development
• Requirements for new devices – can new devices be added quickly within the compliance framework?

Page 14

COSO

Committee of Sponsoring Organizations of the Treadway Commission (COSO) is widely accepted around the world as an acceptable baseline framework for compliance
• Prescribes risk management to achieve internal control objectives including efficiency and effectiveness of operations, financial reporting, and legal/regulatory compliance

COSO mandates that management:
• Set control objectives for the enterprise
• Identify events that can cause substantial negative consequences to the enterprise and therefore affect shareholder value
• Assess risks associated with those events

Page 15

The COSO cube
• Objectives: Strategy, Operations, Reporting, Compliance
• Entity’s units: Entity, Division, Business unit, Subsidiary
• Components: Internal environment, Objective setting, Event identification, Risk assessment, Risk response, Control activities, Information and communication, Monitoring

Page 16

CoBiT – IT Governance Institute

A set of documents and resources that represent a framework of guiding objectives and processes for IT governance and audit control

An increasingly important guideline for properly implementing security controls within an organization

Many internal auditors choose CoBiT as an important foundation for audit activity within IT organizations

CoBiT contains 34 control areas over four high-level domains.

Page 17

A conceptual diagram of a mapping from five COSO components to the high-level four CoBiT domains to SOX section 302 and section 404 compliance.

COSO Components and CoBiT Domains/Objectives (Source: ISACA’s “IT Control Objectives for Sarbanes-Oxley”)

Page 18

ISO17799

A detailed, internationally accepted security standard

Covers 10 major sections
• Business continuity planning
• System access control
• System development and maintenance
• Physical and environmental security
• Compliance
• Personnel security
• Security organization
• Computer and operations management
• Asset classification
• Security policy

Used by many companies around the world as their IT baseline

Page 19

A Note on Framework Adoption

Don’t adopt any framework’s controls blindly
• Must show evidence that ALL the controls your company specified are working
  COBIT has 34 control domains; each requires as many as 10 control activities
• However, be prepared to justify differences to auditors

Page 20

Building a Toolbox - Realistically

Tools are not like stretch socks that can expand to fit the needs of a vast regulatory mandate

Enabling tools for increased efficiency and automation
• Reporting
• Change management
• Technical policy management
• Documentation management
• Compliance checks

Page 21

Not a simple problem…

There are many “moving parts” in the compliance toolbox
• Compliance is a large project
• Compliance may touch all systems in the enterprise

Devices and applications have disparate logs and reporting
• There is no audit log standard
• Proprietary applications may not have adequate logging or access to logs

If the data collected from the devices is to be trusted, security of the information on the device and in transit is a critical consideration
• Agentless solutions are usually easier to deploy
• But may result in less audit control over the data prior to hand off

Page 22

Many of the ingredients may already be in your cupboard!

Many existing tools can be used in the compliance program
• Auditing
• Documentation
• Network Management

Vendors are changing product features and positioning in response to the need for a compliance-oriented perspective
• Providing additional hooks for process integration
• Compliance oriented reporting

Page 23

Financial Applications – Oracle and SAP

Many products contain (and are developing more) features that, if used correctly, help organizations with compliance
• Project organization for documentation, testing, and sign-off for internal controls
• Test procedures based on the risk management framework defined by COSO
• Workflow procedures that accelerate testing and sign-off
• Object-level analysis of segregation of duties (SOD)
• Authorization administration
• Real-time drill-down analysis and reporting

Page 24

Document, Document, Document

Many of the regulations have heavy documentation requirements
• Flow charts of internal controls
• Written policies and procedures associated with those controls
• Ability to access appropriate policies in a hierarchical view

A documentation system that can capture and present critical policies and procedures is required
• Some vendors have released documentation tools specifically designed to aid in the compliance process
  Ex: Lotus Workplace for Business Controls and Reporting, OpenPages SOX Express

Page 25

Network Monitoring

Monitoring performance, continuity of service, and service levels are CoBiT control objectives and very often compliance requirements

Many organizations have network monitoring solutions in place from leading vendors such as IBM Tivoli, HP OpenView, and Computer Associates Unicenter

These solutions manage components that are already on a network; there is no need to replace these systems

However, many can be configured to provide evidence of control in support of compliance reporting

Page 26

Change Management/Project Management

Change management tools deploy policy and configuration changes to a managed set of target devices and track the changes made
• Many companies already have some change management systems in place

The compliance process is a large project – and needs to be managed as such

Project management tools and workflow can help:
• Manage the assignment of tasks to individuals
• Track the level of completeness
• Provide reports to show overall progress and current status

Page 27

Identity Management

Not called out specifically in many regulations, and not one of the CoBiT controls
• However - unique user IDs and authenticators are recommended by CoBiT and required for many regulations such as HIPAA
• Without unique user IDs, tracking and controlling access and usage on systems housing healthcare, financial, and other sensitive data would be impossible

IdM is an important part of the compliance process for most organizations

Page 28

Log Aggregation and Storage

Centralized storage of log and audit file activity

Managing this storage process is critical
• How will the information be parsed when answers are needed?

Can the Storage Area Network (SAN) handle the data?
• Many organizations have SANs from established vendors such as Symantec/Veritas and IBM/Tivoli
• Will the additional audit log data storage requirements overtax the SAN?

Page 29

Perimeter Controls and Isolation

Firewalls can be used to cordon off critical systems into highly protected zones

Virtual local area networks (VLANs) can be created to segregate systems involved in processing healthcare information or reporting financials

Intrusion detection and prevention solutions can be implemented to provide additional monitoring of access to systems and prevent attacks

Page 30

Forensics

Network forensic tools capture all of the traffic on a network or network segment and record it for later use
• Help administrators and auditors track users and system access
• Used after an incident has occurred to piece together where systems failed and how to make them more robust in the future

Endpoint forensic tools can be used to examine the contents of a hard drive, and, in some cases, recover deleted information that may contain valuable evidence

Note: historical forensics and legal forensics are not the same

Page 31

Security Event Information Management

SEIM tools are designed to monitor and manage security within an organization
• Aggregate
• Normalize
• Correlate

Intelligent correlation is the key to avoid the “drowning in data” syndrome
• Compliance specific correlation rules may be time intensive to create
• Know thy systems and requirements in advance
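An added illustration of the aggregate/normalize/correlate pipeline described on this slide, using two compliance-specific correlation rules drawn from earlier slides: the debit/credit segregation of duties from the Control Framework Example (page 11) and the generic/shared ID weakness from page 6. This is example code written for this page, not a Burton Group or vendor tool; the two log formats, account names, hosts and invoice IDs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records from two systems with different log formats; all values are made up.
LEDGER_SYSLOG = [
    "2005-08-23T10:01:05 app=ledger user=jsmith host=10.0.1.5 action=post_debit id=INV-1001",
    "2005-08-23T10:03:40 app=ledger user=admin host=10.0.1.5 action=post_debit id=INV-1002",
    "2005-08-23T10:05:12 app=ledger user=admin host=10.0.2.9 action=post_debit id=INV-1003",
]
APPROVAL_CSV = [
    "2005-08-23 10:02:00,approvals,jsmith,10.0.1.5,approve_credit,INV-1001",
    "2005-08-23 10:04:30,approvals,mlee,10.0.1.7,approve_credit,INV-1002",
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_ledger(line):
    # key=value syslog style -> normalized event dict
    ts, rest = line.split(" ", 1)
    f = dict(KV_RE.findall(rest))
    return {"time": datetime.fromisoformat(ts), "app": f["app"], "user": f["user"],
            "host": f["host"], "action": f["action"], "object": f["id"]}

def parse_approvals(line):
    # CSV export from the approval workflow -> the same normalized shape
    ts, app, user, host, action, obj = line.split(",")
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "app": app,
            "user": user, "host": host, "action": action, "object": obj}

def aggregate(ledger_lines, approval_lines):
    # Aggregate + normalize: one time-ordered stream of common-schema events
    events = [parse_ledger(l) for l in ledger_lines] + [parse_approvals(l) for l in approval_lines]
    return sorted(events, key=lambda e: e["time"])

# Rule 1 (segregation of duties): one person must not both post the debit and approve the credit for an object
CONFLICTING = {"post_debit", "approve_credit"}

def sod_violations(events):
    seen = defaultdict(lambda: defaultdict(set))   # object -> user -> actions
    for e in events:
        if e["action"] in CONFLICTING:
            seen[e["object"]][e["user"]].add(e["action"])
    return sorted(obj for obj, users in seen.items()
                  for acts in users.values() if acts == CONFLICTING)

# Rule 2 (generic/shared IDs): one account active from several hosts within a short window (page 6 weakness)
def shared_id_suspects(events, window_seconds=600):
    hits, history = set(), defaultdict(list)   # history: user -> earlier events
    for e in events:                           # events are already time-ordered
        for prev in history[e["user"]]:
            if prev["host"] != e["host"] and \
               (e["time"] - prev["time"]).total_seconds() <= window_seconds:
                hits.add(e["user"])
        history[e["user"]].append(e)
    return sorted(hits)
```

With the constructed input, `sod_violations` flags INV-1001 (jsmith both posted and approved it) and `shared_id_suspects` flags the admin account seen from two hosts 92 seconds apart.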

Page 32

Compliance Dashboards?

*Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Personal Information Protection and Electronic Documents Act (PIPEDA)

Page 33

Compliance Dashboards

An emerging space
• Portal-based view into metrics, configuration settings and other indicators of activity
• But most regulations are not prescriptive enough to translate to a “one size fits all” portal view
  And vendors may focus on different areas of compliance (SOX, HIPAA, Basel II)
• Dashboards can be customized to report on areas of compliance based on company defined indicators
  But the company must determine the controls and indicators to be monitored

Even with customization the dashboard will (most likely!) not be able to supply transparency and reporting on every component of compliance

Page 34

The Tool Taxonomy

Tool type – Compliance function
Financial applications – Native security capabilities
Project management, workflow – Compliance project, sign-offs
Documentation (everywhere) – Compliance project, evidence of control activities
Identity management – Separation of duty, access control, audit
Management and monitoring – Audit, change management, control, etc.
Firewalls, perimeter devices – Isolation, layered defense
SIM/SEM, forensics – Layered defense
Compliance dashboards – Partial views of compliance areas or custom built

Page 35

A Quick Checklist

Read the regulations and determine target compliance policies and requirements

Perform a security gap analysis

Identify gaps between existing practices and the targets

Determine the steps needed to close the gaps – and document any exceptions

Create an action plan for on-going compliance and assessment

Implement, monitor and maintain

Call in outside experts as needed

Page 36

Conclusion

Compliance may not be a product – but products can help ease the burden

Create a compliance framework for the enterprise

New regulations are inevitable – frameworks help keep organizations compliance hardy