as4 SOX Compliance at AEB Gesellschaft zur Entwicklung von Branchen-Software mbh

Transcription

1 as4 SOX Compliance at AEB Gesellschaft zur Entwicklung von Branchen-Software mbh January, 2014

2

3 1 Basic Information The requirements for service providers, especially those outlined in Section 404 of the Sarbanes- Oxley Act (SOX), oblige companies that are subject to SOX to include outsourced compliancerelevant tasks in their internal controls. These controls can be simplified by commissioning an SAS 70 report (certification) on the outsourced services. To comply with SOX requirements, this must be an SAS 70 type 2 report. 1 In this report, the service provider describes its own internal control system (data privacy, data security, access security, data integrity, etc.). This control system must be sophisticated enough to achieve the stated objectives. And it must be fully implemented. 2 The relevance is then certified by an external auditor. 3 This document fills that role by describing all the control systems of the AEB GmbH computer center services, including examples with applicable documents. The measures can be of technical or organizational type. They must be (proved) state-of-the-art and also cover the human factor. 1 Summarized from: Institute of Information Systems of the University of Bern, Switzerland, work report no. 190: Compliance Verification in IT Outsourcing, Gerhard F. Knolmayer, August Available online (in German) at 2 Summarized from: Institute of Public Auditors in Germany (IDW): IDW auditing standard: Auditing with partial outsourcing of accounting to service organizations (IDW AuS 331). In: Die Wirtschaftsprüfung 56 (2003) 18, pp American Institute of Certified Public Accountants: AICPA Audit Guide. Service Organizations: Applying SAS No. 70, as Amended. With Conforming Changes as of May 1, AICPA, New York Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act 1

4 2 Description of IT General Controls 2.1 Application Process Control» Ensures that applications are correctly implemented and process data correctly. Both the services and the associated technologies and processes are tested by the ATLAS coordinating office (KoSt) at the Karlsruhe Regional Finance Office and certified only if all requirements are mapped. The testing and certification logs are also available from the ATLAS coordinating office. 2.2 Organizational Control Data Privacy The company s Data Protection Officer tests and controls compliance with the provisions of the German Federal Data Protection Act (BDSG). Some of the following organizational and security controls are required in 9 BDSG. System Management assigns access rights. IT/Organization carries out regular random checks of access rights and a complete check each quarter with the authority to object to or veto a particular access right. Legal approves and initials contracts and provides guidance for the company s Data Privacy Officer and IT/Organization Input Control» Ensures that it is possible to subsequently check and determine whether and by whom personal data was entered into data processing systems, modified or deleted. All systems that process personal data keep a log of all data entry, modifications and deletions. Personalized user accounts in applications Order Control» Ensures that personal data from orders can only be processed according to the client s instructions. The customer handles user and rights administration at the user level. Contracts (f.e. concerning outsourced data processing) define the obligations of both parties Only the database administrators from System Management have access to this data, working according to defined purposes. 2 Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act

5 2.2.4 Separation Control» Ensures that data collected for different purposes can be processed separately. Separation of: Employee data Customer contact data Customer test data (project work, customer developments) Remote maintenance access data Customer data in the AEB computer center System level: Customer data in the computer center is administered in strict separation and in separate systems (databases, etc.) from customer data in the P.M. Belz Group. Different applications: Customer data and employee data are processed using separate applications. Rights within the application Customer contact data is strictly separated from remote maintenance access data. 2.3 Security Control From a high-level-view operation of ISMS (Information Security Management System in context with ISO 27001) ensures IT-security management in a continuous PDCA-life-cycle as a process. This process based on assets includes protection needs analysis and detailed risk management (estimation, evaluation, treatment). Most important security criterions: Availability Confidentiality Integrity ISMS itself includes regularly internal and external audits and management reviews. A further level is ensuring high security awareness for staff by adequate comprehensive package of measures (f.e. training). For an overview to Information Security please see also our Information Security Guideline in Physical Access Control» Blocks unauthorized parties from physical access to data processing systems that process and use personal data. Security patrol service Control of identity (reception desk, registration of guests, security awareness measures) Servers and remote maintenance routers are protected by controlled access (coded locks) to the server room. Remote maintenance systems are secured as follows: Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act 3

6 Access to remote maintenance data is restricted to authorized persons. Customer remote maintenance computers are in a separate area protected by controlled access (coded locks). Workstation computers are secured as follows: Users must log on through a centrally controlled identity management system. Employees are required to lock their computers. Computers are automatically locked after 15 minutes of idle time Electronic Access Control» Ensures that those authorized to use a data processing system can only access the data for which they are authorized and that personal data is not subject to unauthorized viewing, copying, modification or deletion when it is processed or used or after it is stored. Central rights management separates system access from application access. Users can not change their own rights. Users can not request a change without approval by their supervisor. External access is restricted to VPN- or SSH-secured connections. Regularly Security checks of external access are carried out by appropriately specialized companies. Change management of user rights in accordance with changing roles (f.e. at movements within the company) Transmission Control» Ensures that personal data can not be viewed, copied, modified or deleted without authorization while it is electronically transmitted, transported or saved on storage media and that it is possible to monitor and determine the intended destinations of personal data transferred using data transmission equipment. The enterprise-wide data security policy prohibits all transmission of unencrypted data. All upload/download connections via Internet are secured through either SSL, SSH or VPN. All branch offices or mobile systems rely exclusively on VPN- or SSH-secured connections controlled by AEB. No personal data is stored locally; all data is stored centrally in Stuttgart/Germany. External connections are possible only through approved applications. External connections are possible only through approved services. All remote data transfer connections are logged wherever technically possible. Managed process for disposing of waste with confidential data in accordance with legal requirements Availability Control» Ensures that personal data is protected against random destruction or loss. Redundant systems 4 Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act

7 Database: clusters Fileserver: clusters File server: SAN systems Uninterruptible power supply, back-up generator (diesel units) Fire alarm or extinguishing systems (with argon pressure) Water detection system Connection to 24/7 security agency Tape protection Daily tape backups Data storage in separate fire containment section Additionally regularly data backups based on Database tools Sophisticated system for monitoring and alerting as part of business continuity management (principle of early detection) System for incident and problem management for external and internal use Providing emergency process Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act 5

8 3 Description of Application Controls 3.1 Quality Assurance by QM Team Quality is a top priority throughout AEB and is assigned a special status. A QM team is responsible for assuring quality in applications and processes. The QM team based on continuous PDCAlifecycle defines, optimizes and tests the processes of not only application development but maintenance and service. To manage and enforce these common tools like guides, various templates and checklists are used. Main aim is working service- and process-oriented and establishing of cross-product standards. The application testing includes both functional and usability tests. Each update is subject to multiple testing and approval phases. Constant monitoring and implementation ensures that the latest technical requirements are met. Maintenance and service is evaluated and optimized in close cooperation with customers. 3.2 Quality Assurance by Defined Processes All new development steps and application maintenance proceed according to defined processes (principle of transparency). All application development and maintenance tasks are executed as projects with a defined project workflow and a defined process using sample projects, a controlled sophisticated role concept and providing several steps of acceptances needed. In critical steps 4- eyes-principle is mandatory used. Where necessary compliance security checks are intregrated. 3.3 Quality Assurance by External Auditors Applications are tested and certified by external auditors. This testing and certification is based in part on IDW auditing standards and position papers such as IDW AuS 330 ( Auditing for the Use of Information Technology ) or IDS RS FAIT 1 ( Principles of Proper Accounting for the Use of Information Technology ). 6 Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act