Separating Fact from Fiction: Security Technologies for Regulatory Compliance
Diana Kelley, Senior Analyst, Burton Group
Agenda
Regulatory compliance: one size does not fit all
• Compliance is not a product
• Why "SOX-in-a-box" is a myth
Compliance frameworks
• A systematic, comprehensive approach
• Policy first
Tools that can help
• Building a toolbox
• Management and compliance "dashboards"
Compliance: The Biggest Time Waster of 2005?
August 2005 Share Conference online registrant poll, looking back from the year 2015 at wasteful or ineffective efforts in 2005:
• 28% - Sarbanes-Oxley compliance
• 23% - Deployment of unproven technologies
• 19% - Purchase of unneeded technologies
Source: ComputerWorld, August 23, 2005,
http://www.computerworld.com/hardwaretopics/hardware/story/0,10801,104118,00.html
Regulatory Compliance – One Size Does Not Fit All
Compliance is not a product
• It is a combination of people, process, and technology
Why "SOX-in-a-box" is a myth, or at best a misnomer
• Enterprise IT systems are extremely complex
• Regulations are not prescriptive: they state objectives, not the specific controls or products that satisfy them
• Regulations may impose competing requirements
Ex: log file retention times (one regulation may require records to be kept for years while another requires that personal data be minimized or destroyed)
Ex: PII storage
Sarbanes-Oxley
Section 404(a)(2) of the act: "[an internal control report, which shall] contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."
Control Weaknesses Reported During SOX Compliance Work
Lack of adequate system documentation
Lack of audit training and experience
Lack of management oversight
Too many privileges: IT personnel often held more privileges than their jobs required, with insufficient separation of duties (for example, multiple IDs per person, and generic/shared IDs whose use cannot be tied to an individual)
Inadequate handling of privilege changes on promotion and job reassignment (old access is rarely revoked, so privileges accumulate)
Documentation for small, routine maintenance tasks was often non-existent or inadequate
PCI Data Security Standard (six control objectives)
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Compliance Frameworks
Created by an organization to simplify the compliance process
A set of policies, procedures, and technologies that normalizes the organization's approach to compliance
Benefits of compliance frameworks
• Consistent, policy-based approach to compliance
• Separation of concerns
• Reduced reporting time
• Easier maintenance
• Centralized control
Legal matters
What is the company required to supply, by law?
• Audit compliance: ISO, SAS 70, HIPAA, SOX, GLBA, EU Data Protection Directive (EUDD)
• Who is accountable for lack of compliance?
• Will fines be levied or operations shut down?
Why it matters
• Business continuity
• Audit success
• Policy enforcement
• Reporting requirements
A Systematic, Comprehensive Approach
First things first: what constitutes compliance?
• Work with internal and external audit teams
• Use "a suitable, recognized control framework established by a body of experts that followed due-process procedures."
http://www.sox-online.com/release-20040308-1.pdf
• Understand there is a legacy: exceptions will have to be documented
• Establish control frameworks
• Translate policies to technical policies, the bits and bytes of compliance. Ex: hierarchical administrator or superuser accounts (which roles may hold them, who approves them, how their use is logged)
• Identify what can be automated, and what can't
Control Framework Example
Control objective | Organization control activities | IT control activities
Duties are separated between debit/credit accounting functions | Management creates separate job titles and responsibilities | Role-based access control; management approval of access requests
Changes to customer information are approved and accurate | Customers are mailed confirmation "opt-in" letters | Logs are periodically reviewed; secure log server; tamperproof audit record
Health information is protected from unauthorized access | Employees are trained in proper information handling | Network isolation; outbound content control
Financial information integrity is maintained | Managers explicitly attest to information currency, accuracy, and validity | Application code formally tested before move to production
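The "translate policies to technical policies" step and the first row of the table above (separated duties, role-based access control) are the kind of control that can be automated. The following is an added example, not code from the deck or from Burton Group: it takes a constructed export of roles and account assignments (ROLE_PERMISSIONS, CONFLICTS and ACCOUNTS are all assumed data standing in for an identity management or ERP authorization table) and flags the three weaknesses named earlier in the deck: conflicting duties on one ID, conflicting duties split across multiple IDs belonging to the same person, and generic IDs that cannot be attributed to anyone.

```python
"""Automated access review for a separation-of-duties (SoD) control.

Added example; not the deck's code. ROLE_PERMISSIONS, CONFLICTS and ACCOUNTS
are constructed data standing in for an export from an identity management
system or an ERP authorization table.
"""
from collections import defaultdict

# Role -> business functions the role may perform (constructed).
ROLE_PERMISSIONS = {
    "ap_clerk":      {"journal.post", "vendor.create"},
    "ap_supervisor": {"journal.approve"},
    "treasury":      {"vendor.pay"},
    "auditor_ro":    {"journal.read"},
}

# Pairs of functions one person must never hold together: the 'technical
# policy' distilled from 'duties are separated between debit/credit functions'.
CONFLICTS = {
    frozenset({"journal.post", "journal.approve"}),
    frozenset({"vendor.create", "vendor.pay"}),
}

# Account ID -> (owning person, assigned roles). owner None = generic/shared ID.
ACCOUNTS = {
    "jsmith":     ("Jane Smith", {"ap_clerk"}),
    "jsmith2":    ("Jane Smith", {"ap_supervisor"}),  # second ID, same person
    "rlee":       ("Ray Lee", {"ap_clerk", "ap_supervisor"}),
    "treasury01": (None, {"treasury"}),                # generic ID
    "kpatel":     ("Kiran Patel", {"auditor_ro"}),
}


def effective_permissions(roles):
    """Union of the functions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(perms):
    """Conflict pairs fully contained in a permission set, as sorted tuples."""
    return sorted(tuple(sorted(c)) for c in CONFLICTS if c <= perms)


def review_access(accounts=ACCOUNTS):
    """Return (finding_type, who, detail) tuples for an access review."""
    findings = []
    perms_by_person = defaultdict(set)
    ids_by_person = defaultdict(list)

    for acct, (owner, roles) in accounts.items():
        perms = effective_permissions(roles)
        if owner is None:
            # Generic IDs defeat attribution: nobody is accountable for their use.
            findings.append(("generic_id", acct, "no individual owner"))
            continue
        ids_by_person[owner].append(acct)
        perms_by_person[owner] |= perms
        for pair in sod_violations(perms):
            findings.append(("sod_single_id", acct, pair))

    # Aggregate by person: a conflict split across two IDs is still a conflict,
    # and a per-account check alone would miss it.
    for owner, ids in ids_by_person.items():
        if len(ids) > 1:
            findings.append(("multiple_ids", owner, tuple(sorted(ids))))
            flagged = {pair for a in ids
                       for pair in sod_violations(effective_permissions(accounts[a][1]))}
            for pair in sod_violations(perms_by_person[owner]):
                if pair not in flagged:
                    findings.append(("sod_across_ids", owner, pair))

    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for finding in review_access():
        print(finding)
```

The per-person aggregation is the part most ad hoc reviews skip: Jane Smith holds no conflict on either of her IDs individually, yet together they let her both post and approve journal entries. The check also needs an authoritative account-to-person mapping, which is why identity management is treated later in the deck as a compliance tool in its own right.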
Thinking through Compliance Requirements
What standards does the company need to adhere to?
• Internal: corporate policies, ISO compliance
• External: SOX, HIPAA, GLBA, partner requirements
What devices/apps need to be covered?
• Standard devices
• Legacy systems
• Home-grown applications
The Devil's in the Details
Some gotchas
• Heterogeneous environments increase complexity
• The weakest-link device/application
• Adherence to corporate standards, but failure in audit
• Application development
• Requirements for new devices: can new devices be added quickly within the compliance framework?
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is widely accepted around the world as a baseline framework for internal control and compliance
• Prescribes risk management to achieve internal control objectives, including efficiency and effectiveness of operations, reliable financial reporting, and legal/regulatory compliance
COSO calls for management to:
• Set control objectives for the enterprise
• Identify events that can cause substantial negative consequences to the enterprise and therefore affect shareholder value
• Assess risks associated with those events
The COSO (enterprise risk management) cube
• Objectives: strategic, operations, reporting, compliance
• Entity units: entity level, division, business unit, subsidiary
• Components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring
CoBiT – IT Governance Institute
A set of documents and resources that represent a framework of guiding objectives and processes for IT governance and audit control
An increasingly important guideline for properly implementing security controls within an organization
Many internal auditors choose CoBiT as an important foundation for audit activity within IT organizations
CoBiT contains 34 high-level control objectives (IT processes) grouped into four domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
[Figure: a conceptual diagram mapping the five COSO components to the four CoBiT domains and on to SOX section 302 and section 404 compliance]
COSO Components and CoBiT Domains/Objectives (Source: ISACA's "IT Control Objectives for Sarbanes-Oxley")
ISO 17799
A detailed, internationally accepted security standard (ISO/IEC 17799, derived from BS 7799)
Covers 10 major sections
• Security policy
• Security organization
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
Used by many companies around the world as their IT security baseline
A Note on Framework Adoption
Don't adopt any framework's controls blindly
• You must show evidence that ALL the controls your company specified are working
• CoBiT has 34 high-level control objectives, each broken into many detailed control objectives; adopting the whole set means producing evidence for the whole set
• Tailor the framework to the business, but be prepared to justify the differences to auditors
Building a Toolbox – Realistically
Tools are not like stretch socks that can expand to fit the needs of a vast regulatory mandate
Enabling tools for increased efficiency and automation
• Reporting
• Change management
• Technical policy management
• Documentation management
• Compliance checks
Not a simple problem: there are many "moving parts" in the compliance toolbox
• Compliance is a large project
• Compliance may touch all systems in the enterprise
Devices and applications have disparate logs and reporting
• There is no audit log standard
• Proprietary applications may not have adequate logging, or may not expose their logs at all
If the data collected from the devices is to be trusted, security of the information on the device and in transit is a critical consideration
• Agentless solutions are usually easier to deploy
• But they may give less control over the audit data before hand-off: the collector has to trust whatever the device sends, and anything modified on the device before collection is invisible to it
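The "tamperproof audit record" control in the framework example and the point just made about trusting collected data both come down to detecting changes to the log after the fact. The following is an added example, not the deck's or any vendor's code, of one common way to do that: each record carries a keyed MAC that also covers the previous record's MAC, so editing or deleting an entry in the middle breaks the chain. The key, the records, and the helper names are all constructed for the illustration.

```python
"""Tamper-evident audit trail: each record's MAC covers the previous MAC.

Added example, not from the deck. KEY and the records are constructed; in a
real deployment the key lives on the log server (or an HSM), never on the
source host, so a compromised host cannot re-sign a rewritten history.
"""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # stands in for 'no previous record'


def append_record(chain, record, key=KEY):
    """Append record to chain, MACing it together with the previous MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True)  # canonical serialization
    mac = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"record": record, "prev": prev, "mac": mac})
    return chain


def verify_chain(chain, key=KEY):
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["record"], sort_keys=True)
        expect = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expect):
            return i
        prev = entry["mac"]
    return -1


def demo():
    """Build a three-record chain and show edit and deletion being detected."""
    chain = []
    for rec in [{"seq": 1, "user": "bob", "action": "login"},
                {"seq": 2, "user": "bob", "action": "journal.post", "amount": 1200},
                {"seq": 3, "user": "bob", "action": "logout"}]:
        append_record(chain, rec)
    intact = verify_chain(chain)

    # Edit the amount in record 2 without the key: MAC no longer matches.
    edited = [dict(e) for e in chain]
    edited[1] = dict(edited[1], record=dict(edited[1]["record"], amount=12))
    edit_detected_at = verify_chain(edited)

    # Drop record 2 entirely: record 3's 'prev' no longer links to record 1.
    deletion_detected_at = verify_chain(chain[:1] + chain[2:])
    return intact, edit_detected_at, deletion_detected_at


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner should know: a chain like this does not detect truncation of the tail, since a shortened chain is still internally consistent. Storing the latest MAC and record count somewhere the source host cannot write (the log server, a separate audit system) closes that gap.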
Many of the ingredients may already be in your cupboard!
Many existing tools can be used in the compliance program
• Auditing
• Documentation
• Network management
Vendors are changing product features and positioning in response to the need for a compliance-oriented perspective
• Providing additional hooks for process integration
• Compliance-oriented reporting
Financial Applications – Oracle and SAP
Many products contain (and are developing more) features that, if used correctly, help organizations with compliance
• Project organization for documentation, testing, and sign-off of internal controls
• Test procedures based on the risk management framework defined by COSO
• Workflow procedures that accelerate testing and sign-off
• Object-level analysis of segregation of duties (SOD)
• Authorization administration
• Real-time drill-down analysis and reporting
Document, Document, Document
Many of the regulations have heavy documentation requirements
• Flow charts of internal controls
• Written policies and procedures associated with those controls
• Ability to access appropriate policies in a hierarchical view
A documentation system that can capture and present critical policies and procedures is required
• Some vendors have released documentation tools specifically designed to aid in the compliance process. Ex: Lotus Workplace for Business Controls and Reporting, OpenPages SOX Express
Network Monitoring
Monitoring performance, continuity of service, and service levels are CoBiT control objectives and very often compliance requirements
Many organizations have network monitoring solutions in place from leading vendors such as IBM Tivoli, HP OpenView, and Computer Associates Unicenter
These solutions manage components that are already on a network; there is no need to replace these systems
However, many can be configured to provide evidence of control in support of compliance reporting
Change Management/Project Management
Change management tools deploy policy and configuration changes to a managed set of target devices and track the changes made
• Many companies already have some change management systems in place
The compliance process is a large project, and needs to be managed as such
Project management tools and workflow can help:
• Manage the assignment of tasks to individuals
• Track the level of completeness
• Provide reports to show overall progress and current status
Identity Management
Not called out specifically in many regulations, and not one of the CoBiT control objectives
• However, unique user IDs and authenticators are recommended by CoBiT and required by regulations such as HIPAA
• Without unique user IDs, tracking and controlling access to and usage of systems housing healthcare, financial, and other sensitive data would be impossible
IdM is an important part of the compliance process for most organizations
Log Aggregation and Storage
Centralized storage of log and audit file activity
Managing this storage process is critical
• How will the information be parsed when answers are needed?
• Can the storage area network (SAN) handle the data?
• Many organizations already have storage management products from established vendors such as Symantec/Veritas and IBM/Tivoli
• Will the additional audit log data overtax the SAN?
Perimeter Controls and Isolation
Firewalls can be used to cordon off critical systems into highly protected zones
Virtual local area networks (VLANs) can be created to segregate systems involved in processing healthcare information or reporting financials
Intrusion detection and prevention solutions can be implemented to provide additional monitoring of access to systems and to prevent attacks
Forensics
Network forensic tools capture all of the traffic on a network or network segment and record it for later use
• Help administrators and auditors track users and system access
• Used after an incident has occurred to piece together where systems failed and how to make them more robust in the future
Endpoint forensic tools can be used to examine the contents of a hard drive and, in some cases, recover deleted information that may contain valuable evidence
Note: historical (operational) forensics and legal forensics are not the same; evidence intended for legal proceedings needs preservation and chain-of-custody handling that routine troubleshooting does not
Security Event Information Management
SEIM tools (also sold as SIM, SEM or SIEM) are designed to monitor and manage security within an organization
• Aggregate events from many sources
• Normalize them into a common format
• Correlate across sources and over time
Intelligent correlation is the key to avoiding the "drowning in data" syndrome
• Compliance-specific correlation rules may be time-intensive to create
• Know thy systems and requirements in advance
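The aggregate/normalize/correlate sequence above, together with the earlier point that devices produce disparate logs with no audit log standard, is easiest to see in code. The following is an added example, not the deck's or any SEIM vendor's code: it normalizes two unlike, constructed feeds (a syslog-style line from a Unix account tool and a Windows-style security event CSV) into one event schema, then runs a compliance-specific correlation rule against a constructed list of access-request approvals. Both log formats, the hostnames, the event ID, and the ticket feed are assumptions made for the illustration, not vendor specifications.

```python
"""Normalize two unlike log formats and correlate privilege grants with approvals.

Added example, not from the deck. All log lines, tickets and hostnames are
constructed; the formats imitate shadow-utils syslog output and a Windows
security-event CSV export but are assumptions, not vendor specifications.
"""
import csv
import io
import re
from datetime import datetime, timedelta

YEAR = 2005  # syslog lines carry no year; assumed for the constructed data

# Constructed syslog feed from a Unix host (group membership = privilege).
SYSLOG = """\
Aug 23 14:02:11 fin-db01 usermod[4121]: add 'bob' to group 'dba'
Aug 23 16:40:05 fin-db01 usermod[4377]: add 'carol' to group 'dba'
Aug 24 09:12:50 fin-db01 sshd[5010]: Accepted password for bob from 10.1.2.3 port 51022 ssh2
"""

# Constructed CSV export; 4728 is assumed to mean 'member added to group'.
WIN_CSV = """\
timestamp,host,event_id,actor,subject,group
2005-08-23T14:05:40Z,fin-app01,4728,admin.dave,alice,Domain Admins
2005-08-23T14:06:02Z,fin-app01,4624,alice,alice,
"""

# Constructed approvals from an access-request workflow.
APPROVALS = """\
ticket,approver,subject,privilege,approved_at
REQ-101,mgr.erin,bob,dba,2005-08-22T10:00:00Z
REQ-102,admin.dave,alice,Domain Admins,2005-08-23T13:50:00Z
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
GROUP_ADD_RE = re.compile(r"add '(?P<subject>[^']+)' to group '(?P<group>[^']+)'")


def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize_syslog(text):
    """Pick out group-membership grants; everything else is not this rule's input."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        g = GROUP_ADD_RE.search(m["msg"]) if m else None
        if not m or m["prog"] != "usermod" or not g:
            continue
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        # usermod does not log who ran it, so the actor is unknown here.
        events.append({"ts": ts, "host": m["host"], "actor": None,
                       "subject": g["subject"], "privilege": g["group"],
                       "source": "syslog"})
    return events


def normalize_windows(text):
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["event_id"] != "4728":
            continue
        events.append({"ts": parse_iso(row["timestamp"]), "host": row["host"],
                       "actor": row["actor"], "subject": row["subject"],
                       "privilege": row["group"], "source": "windows"})
    return events


def load_approvals(text):
    return [dict(r, approved_at=parse_iso(r["approved_at"]))
            for r in csv.DictReader(io.StringIO(text))]


def correlate(events, approvals, window=timedelta(days=7)):
    """Rule: every privilege grant needs a prior approval, by someone else."""
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        matches = [a for a in approvals
                   if a["subject"] == ev["subject"]
                   and a["privilege"] == ev["privilege"]
                   and ev["ts"] - window <= a["approved_at"] <= ev["ts"]]
        if not matches:
            findings.append(("grant_without_approval", ev["host"],
                             ev["subject"], ev["privilege"]))
            continue
        for a in matches:
            if a["approver"] == ev["actor"]:
                findings.append(("self_approved_grant", ev["host"],
                                 ev["subject"], ev["privilege"]))
    return findings


def run():
    events = normalize_syslog(SYSLOG) + normalize_windows(WIN_CSV)
    return correlate(events, load_approvals(APPROVALS))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Two things the example makes concrete: the normalizer is where most of the effort goes (each source needs its own parser, timestamp handling and a decision about which fields map to "actor" and "subject"), and a rule is only as good as the fields it can rely on, so the syslog feed, which never records who ran usermod, can support the "approved at all" check but not the "approved by someone else" check.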
Compliance Dashboards?
* Acronyms: Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Personal Information Protection and Electronic Documents Act (PIPEDA)
Compliance Dashboards
An emerging space
• Portal-based view into metrics, configuration settings and other indicators of activity
• But most regulations are not prescriptive enough to translate to a "one size fits all" portal view, and vendors may focus on different areas of compliance (SOX, HIPAA, Basel II)
• Dashboards can be customized to report on areas of compliance based on company-defined indicators, but the company must determine the controls and indicators to be monitored
Even with customization the dashboard will (most likely!) not be able to supply transparency and reporting on every component of compliance
The Tool Taxonomy
Tool type | Compliance function
Financial applications | Native security capabilities
Project management, workflow | Compliance project, sign-offs
Documentation (everywhere) | Compliance project, evidence of control activities
Identity management | Separation of duty, access control, audit
Management and monitoring | Audit, change management, control, etc.
Firewalls, perimeter devices | Isolation, layered defense
SIM/SEM, forensics | Layered defense
Compliance dashboards | Partial views of compliance areas, or custom built
A Quick Checklist
Read the regulations and determine target compliance policies and requirements
Perform a security gap analysis
Identify gaps between existing practices and the targets
Determine the steps needed to close the gaps – and document any exceptions
Create an action plan for on-going compliance and assessment
Implement, monitor and maintain
Call in outside experts as needed
Conclusion
Compliance may not be a product, but products can help ease the burden
Create a compliance framework for the enterprise
New regulations are inevitable; frameworks help keep organizations compliance hardy