Sarbanes-Oxley Practice Overview and Methodology
Wednesday, October 27th, 2004
Mark Lachniet, Analysts International
Introductions
• Mark Lachniet ([email protected])
• Technical Director, Security Group
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Technical certifications from Novell, Microsoft, Linux Professional Institute, CheckPoint, etc.
• Member of the High Tech Crime Investigation Association (HTCIA)
• Former I.S. Director at a K-12 School district
Analysts International Corporate Profile
• Employees: 3000+
• Locations: 35 offices
• Clients: More than 1,000
• Exchange (Symbol): Nasdaq (ANLY)
• Annual Revenue: Over $425 Million
• Headquartered in Minneapolis
• Local offices in Auburn Hills, Lansing, Grand Rapids, Toledo
• A diversified IT services company
• In business for 37 years
Analysts’ Security Practice
A holistic approach to security consulting
– Internal and External Vulnerability Assessments
– Web Application Vulnerability Assessment
– Security Needs Assessment
– Managed Firewall Services
– Sarbanes-Oxley 404 Consulting
– Business Continuity Planning & Disaster Recovery
– Intrusion Detection & Protection
– Incident Response, Admin Termination & Forensics
– Network infrastructure and design
Sarbanes-Oxley: Bane or Boon?
• If you have been in the trenches, you know how overwhelming and tedious SOX efforts can be
• Technical people are especially vulnerable to this, as it involves *documentation*
• However, the end result of SOX legislation should be a massive improvement in:
– The visibility of I.T. and auditing as a critical part of the organization’s success
– An increased emphasis on risk management and mitigation
– Better documentation, procedures and policies
– Better security of the organization
• If nothing else, SOX is a “big stick” to wield in the name of best practices
Not Everyone Agrees…..
The I.T. Component of SOX
• Section 404 requires internal controls on “material” (financially significant) processes – this includes I.T.
• At a recent ISACA conference on SOX, the prevailing opinion was that there are two general categories – general and application controls
• However, there doesn’t seem to be any consensus in the industry as to what level of assessment is appropriate
• The external auditors won’t seem to commit to an opinion, and there is very little guidance from the PCAOB
• When in doubt, go with COSO, CoBIT, and ISO17799
The Need for Sarbanes-Oxley I.T. Help
• Many organizations do not have the internal personnel resources to:
– Understand and assess risks and controls on complex I.T. systems
– Manage large compliance efforts
– Map business processes and identify key controls and IT resources
– Analyze organizational best practices (I.T. “common controls”)
– Design and perform tests of controls
– Document findings and process for external auditors
– Coordinate between external auditors, internal auditors, internal I.T. and management
• I.T. costs may average 20% of all compliance costs!
• In addition to personnel resources, there is a need for:– A mature and documented methodology
– A mature assessment toolkit (control matrices, data collection documents, issue tracking, test templates, etc.)
– Assistance with installation and configuration of compliance-related software (e.g. Microsoft SOX Accelerator, spreadsheet comparison tools, etc.)
– Assistance with remediation efforts
– Flexible, industry-aware consultants
– Independence from the external auditor
Analysts International’s Approach
• The following is how Analysts International approaches assessing I.T. controls for SOX compliance (it is not the only way)
• Hopefully the methodology might be of value to you
• Preliminary feedback from auditors has been positive
• Break the project into discrete stages:
– Requirements Definition
– “Model Office” (a single application)
– Ongoing compliance testing
– Documentation for external auditors
• Requirements Definition Phase
– Define Roles & Responsibilities
– ID approx. number of systems
– ID approx. number of business processes
– Define Toolkit
– Develop Taxonomy
– ID Timeframes
• “Model Office”
– Test run on one example business process
– Attain “buy-in” from external auditor on methodology
• Ongoing Compliance Testing
– General IT controls assessment
– Remainder of application, DB and OS assessments
A Typical SOX Engagement
Where An External Consultant Fits
[Roles and Responsibilities diagram: Analysts International Sarbanes-Oxley 404 Consulting. Customer CFO / CEO holds overall responsibility. Project Manager: AIC. General Financial Controls: customer Finance Director. I.T. Application Controls: AIC. I.T. Common Controls: AIC. Supplemental Project Work: AIC. Legend: AIC Responsibility / Customer Responsibility.]
Project Management
• Provide oversight and guidance for the overall compliance effort
• Act as primary customer liaison for scheduling, communication, status updates, meeting facilitation
• Perform training and awareness seminars as needed for customer staff and executives
• Work as “document master” to establish document management standards and hierarchies, track documents and maintain order
• Maintain project task lists and schedules, open issues, status hours used and remaining
• Oversee and track remediation efforts
SOX Tools – Issue Tracking
• Must have some way to codify results and track them over time (not all results may be SOX material)
Analyzing Financial Controls
[Roles and Responsibilities diagram: General Financial Controls, owned by the customer Finance Director. Steps: Business Process Mapping, Identify Financial Controls, Test Financial Controls, Attestation and Reporting, Coordinate with External Auditors. Legend: AIC Responsibility / Partial Responsibility / Customer Responsibility.]
• Perform business process mapping
– Use existing business continuity documents?
– With customer-specified tool (e.g. ProVision)
– With Visio (if not specified)
• Help establish and populate a controls matrix
• Help identify and test key controls (esp. I.T.)
• Prepare documentation
– About the process used
– About the findings of the compliance effort
• Interface with the external auditor to answer any questions, discuss issues, etc.
SOX Tools - Process Maps
SOX Tools - Control Matrices
• Base matrix on COSO at a minimum
Analyzing I.T. Common Controls
[Roles and Responsibilities diagram: I.T. Common Controls, owned by AIC. Steps: Security Needs Assessment based on ISO17799, CobiT, COSO; Document General Controls; Identify Control Weaknesses; Recommend Remediation Strategies for Control Weaknesses. Legend: AIC Responsibility / Partial Responsibility / Customer Responsibility.]
• A comprehensive analysis of Common I.T. controls based on the Analysts International “Security Needs Assessment Service” (SNAS)
• Assessment criteria are based on industry standards – (ISC)² CBK, CobiT, COSO, ISO17799/BS7799
• Topics range from administrative (e.g. policies and procedures) to specific and very technical (e.g. firewall configurations)
• Document existing environment
• Identify shortcomings and material weaknesses
• Recommend remediation strategies (with estimated costs and security gains)
• Many organizations are now requiring similar assessments of their partners (e.g. Visa’s CISP program, local automotive companies)
I.T. Common Control Scope
• Physical Security
– Facilities and grounds
– Server room and wiring closets
– Secure storage and handling of electronic and printed data
• Network Security
– Network and wireless security
– Internet border / IDS / firewall security
– Partner / vendor data security
• Logical Security
– System build and hardening
– Password security
– Directory design and authentication systems
– Malware / anti-virus protection
– System logging
– Application development practices
• Administrative Practices
– Remote access / remote user administrative practices
– Information systems support staff administrative procedures
– End user administrative policies
– Information classification
– Information systems coordination with human resources
– Separation of duties
– Vendor / external organization management
– Incident response procedures
– Change control systems
– System documentation
– Service Level Agreement (SLA) management
– Risk assessment practices and procedures
– Disaster recovery
– Backup practices and storage
Common Controls Example
• Start with a survey, then get supporting documentation
Analyzing I.T. Applications
[Roles and Responsibilities diagram: I.T. Application Controls, owned by AIC. Steps: Map B.P.’s to servers and apps; Analyze App Software Controls; Test App Software Controls; Document App Software Controls; Analyze Server Controls; Document Server Controls. Legend: AIC Responsibility / Partial Responsibility / Customer Responsibility.]
• Map business processes to technological systems
• Identify underlying technology that must be functional and properly configured in order to have effective application controls:
– Application software package
– Database platform
– Operating system
– Dependent systems (authentication systems, logging systems, etc.)
• Perform data collection to understand the application and identify controls that need testing
• Perform testing of application controls
• Perform security analysis of supporting systems
Application Controls Example
• Focus on control features within the application, and on the development of the application
Analyzing Operating Systems
• The security of the underlying operating system is a critical control
• Without a secure OS, the application’s access control and auditing capabilities can be circumvented
• Requires specific, technical, low-level analysis of OS options, settings, patch level and configuration
• Review server “hardening” procedures
• Review server access control systems
• Analyze best practices for the OS platform and perform a gap analysis through interviews and substantive testing
• Perform vulnerability assessments (security scans) of network-connected devices
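Added example, not part of the original deck and not Analysts International's toolkit: what a substantive, automated control test of OS hardening settings looks like in practice. It parses two collected configuration files (a constructed sshd_config and login.defs, standing in for evidence copied off the server under review), evaluates each against a small control matrix, and records the observed value as evidence for every pass or fail. The control IDs (OS-AC-01 and so on), the expected values and the sample files are assumptions for illustration; a real baseline would come from the organization's hardening standard.

```python
"""Automated control test of OS hardening settings (added example).

Control IDs, expected values and the two sample files are constructed
assumptions; they are not from the deck or from any vendor tool.
"""
import re
from dataclasses import dataclass
from typing import Callable

# --- Constructed sample evidence (what a collector would copy off the host) ---
SAMPLE_SSHD_CONFIG = """\
# sshd_config collected from fin-app-01 (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
LogLevel INFO
"""

SAMPLE_LOGIN_DEFS = """\
# login.defs collected from fin-app-01 (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""


def parse_kv_config(text):
    """Parse 'KEY value' style files (sshd_config, login.defs) into a dict.

    Comments are stripped and keys are lower-cased.  The first occurrence of a
    keyword wins, which is how sshd itself resolves duplicate directives.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


@dataclass
class Control:
    control_id: str                 # hypothetical ID, would map to the Risks & Controls matrix
    description: str
    source: str                     # which collected file holds the evidence
    key: str                        # setting name, lower-cased
    check: Callable[[str], bool]    # True when the observed value is acceptable
    expectation: str                # human-readable expected value for the test plan


def at_most(n):
    return lambda v: v.isdigit() and int(v) <= n


def at_least(n):
    return lambda v: v.isdigit() and int(v) >= n


def equals_any(*allowed):
    return lambda v: v.lower() in allowed


CONTROLS = [
    Control("OS-AC-01", "Root may not log in directly over SSH", "sshd_config",
            "permitrootlogin", equals_any("no"), "PermitRootLogin no"),
    Control("OS-AC-02", "Only SSH protocol 2 is offered", "sshd_config",
            "protocol", equals_any("2"), "Protocol 2"),
    Control("OS-AC-03", "Empty passwords are refused", "sshd_config",
            "permitemptypasswords", equals_any("no"), "PermitEmptyPasswords no"),
    Control("OS-PW-01", "Password maximum age is 90 days or less", "login.defs",
            "pass_max_days", at_most(90), "PASS_MAX_DAYS <= 90"),
    Control("OS-PW-02", "Password minimum length is 8 or more", "login.defs",
            "pass_min_len", at_least(8), "PASS_MIN_LEN >= 8"),
    Control("OS-LG-01", "sshd logs at INFO or more verbose", "sshd_config",
            "loglevel", equals_any("info", "verbose", "debug", "debug1", "debug2", "debug3"),
            "LogLevel INFO or VERBOSE"),
]


def run_control_tests(evidence):
    """Evaluate every control against the collected evidence.

    `evidence` maps a source file name to its raw text.  Each result keeps the
    observed value so the external auditor can reproduce the finding.  A
    setting that is absent is a FAIL, not a pass: the baseline requires it to
    be set explicitly rather than relying on a build-dependent default.
    """
    results = []
    for c in CONTROLS:
        observed = parse_kv_config(evidence.get(c.source, "")).get(c.key)
        passed = observed is not None and c.check(observed)
        results.append({
            "control": c.control_id,
            "status": "PASS" if passed else "FAIL",
            "expected": c.expectation,
            "observed": f"{c.key}={observed}" if observed is not None else "not set",
        })
    return results


def failed_controls(results):
    """Control IDs that need remediation, in matrix order."""
    return [r["control"] for r in results if r["status"] == "FAIL"]


if __name__ == "__main__":
    evidence = {"sshd_config": SAMPLE_SSHD_CONFIG, "login.defs": SAMPLE_LOGIN_DEFS}
    for r in run_control_tests(evidence):
        print(f'{r["control"]:9} {r["status"]:4} expected {r["expected"]}; observed {r["observed"]}')
```

Against the constructed sample, root login, the SSH 1 fallback, the password age and the password length fail while empty-password refusal and log level pass; the same results list is what gets copied into the Risks & Controls sheet for the business process under test.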
Operating System Controls Example
Analyzing Databases
• Most SOX-material applications also have a back-end database component
• Common examples are Oracle, Microsoft SQL server, DB2, etc.
• In many cases, end users can connect directly to the database using ODBC query tools like Crystal Reports or Excel for reporting purposes (!)
• Access control and logging at the database level may be weak (e.g. users granted too many rights)
• The controls on each of these databases need to be evaluated and documented
• In addition, the practices of database administrators (DBAs) should be assessed
• Some implications for “data recoverability” (e.g. rollback capability, backup procedures)
Database Control Example
• In this case, we did a hands-on and web application test of Oracle security
A defined testing process is essential…
404 App Control Testing Flow (draft), rev: 17 May 2004
[Flowchart, reconstructed here as a list from its box labels. The original legend colour-codes each step as Level 1 Testing or Level 2 Testing.]
• Start: basic data collection for the app(s) and server(s) (general IT, app and server evaluation docs; Word app and server survey)
• External audit available (e.g. SAS-70)?
– Yes: analyze the external audit report (ext. audit report)
– No: continue
• Gap analysis: evaluate controls and assess risks (Risks & Controls spreadsheet filled out for the current BP; control class indicated)
• Analyze the workflow and/or narrative with the SME (ProVision workflow and/or narrative)
– Workflow / narrative not accurate? Customer SME fixes the workflow / narrative, then re-analyze
• Need to perform Level 2 control test(s)? (The app may have a SAS-70, or may be straightforward enough to certify without additional Level 2 control testing)
– No: document BP control testing status
– Yes: design Level 2 control test(s) (test script). This is potentially complicated hands-on test design (e.g. “button-pushing”)
• Use automated tools? (Implies a web app)
– Yes: perform automated Level 2 control test, then determine the areas not tested by the automated tool
– No: continue
• Conduct manual test(s) per design (test script updated to reflect test results)
• Test(s) conclusive?
– No: the test is somehow inadequate; enhance or modify the test, determine additional areas to be tested, and repeat
– Yes: perform gap analysis (Risks & Controls updated to reflect test status)
• BP passed all tests?
– No: begin remediation process. The control test failure report should be fast-tracked to a motivated “control fixer”
– Yes: document BP control testing status (updated Risks & Controls spreadsheet)
• Business review & sign-off; IT reviews the app and server issues list and finalizes interview docs
• Identify next BP to evaluate
• Physical docs involved: BP ProVision workflow and narrative; Word app and server survey; Excel Risks & Controls; test plan & results; external test results
Supplemental Project Work
[Roles and Responsibilities diagram: Supplemental Project Work, owned by AIC. Items: Configure information management system (Microsoft SOX Accelerator); Technical testing and remediation of security shortcomings; Develop Corporate Standards (manual, policies, procedures). Legend: AIC Responsibility / Partial Responsibility / Customer Responsibility.]
• Assist with management of customer-specific and/or data management systems
• Develop customer policies and practices
– Corporate Standards Manuals
– Forms and processes (e.g. ID maintenance)
– Job descriptions, reporting hierarchies
– Technical security policies (VPN, firewall, anti-virus, server hardening, etc.)
– Change management systems
– Application development practices (SDLC)
• Technical remediation of SOX-material control weaknesses
In-House Technical Expertise
• All SOX efforts managed through the Analysts International Security Group full-time staff
– Staffed by experienced and qualified individuals (CISA, CISSP, MBA, etc.)
– Ensures consistency and quality
– Ensures effective project management
• Supplemental help from other practice groups
– App. Dev., Microsoft, Novell, UNIX, Cisco, AS/400
• Additional resources through sub-contractors and the Analysts Staffing practice
– Large projects
– Remote locations
– Specialized subject-matter experts
Recurring Issues
• Based on experience so far, the following issues almost always seem to show up:
– Logging and audit systems are almost always weak (improve settings, and use automated tools)
– Policies and procedures are usually inadequate to meet auditors’ standards
– Access control, authentication and password security are weak (poor passwords, poor coordination with H.R., management overhead)
– Change control systems are informal or absent
– Control of spreadsheets and desktop databases
– Outsourced and partnered functions must also be assessed
Outsourcing and Partners
• It is the organization’s responsibility to ensure that the products and services used have adequate controls
• For service providers, obtain a SAS-70
• For products, testing may be required
• Many organizations have put a special emphasis on the security of partner organizations (rightly so!)
• Case in point – a local automotive manufacturer we work with now requires a formal assessment for all web applications bearing their domain name or logo:
– Documentation of SOX materiality
– Comprehensive site audits
– “Ethical hack” testing of all web servers and apps
– Extensive documentation of application logic
Next Steps?
• Hopefully, more guidance from the PCAOB on the minimum that is required for compliance (especially in I.T. so organizations can “hit the mark”)
• More implementation of targeted software solutions to minimize labor overhead and manage risk mitigation efforts
• More and better products to manage general IT controls (log analysis, user provisioning, enterprise network management tools, technical tools to enforce organizational policy, patch management, etc.)
• Standardized (free?) assessment methodologies and toolkits that pass muster
• Tax breaks to recoup compliance costs???
Discussion
Mark Lachniet
CISSP, CISA, MCSE, MCNE, CCSE, LPIC-1, SCSP
Technical Director, Security Group
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)
mailto: [email protected]

Jack Brahce
Director, Security Group
Analysts International
(517) 336-1025 (voice)
(517) 336-1100 (fax)
mailto: [email protected]