Auditor s Checklist. A XYPRO Solution Paper. MAY, 2009 XYPRO Technology Corporation

Transcription

1 Auditor s Checklist A XYPRO Solution Paper MAY, 2009 XYPRO Technology Corporation 3325 Cochran Street, Suite 200 Simi Valley, California U.S.A. info@xypro.com Telephone: FAX: Copyright 2009 by XYPRO Technology Corporation. All rights reserved.

2 Trademark Acknowledgments The following are trademarks or service marks of Hewlett-Packard Company: Distributed System Management (DSM) NonStop Kernel EDIT NonStop SQL ENFORM PATHCOM Enscribe PATHWAY Event Management Service (EMS) SAFECOM FUP SAFEGUARD Guardian SCUP MEASURE SPOOLCOM NETBATCH TACL NonStop TEDIT The following are trademarks or service marks of XYPRO Technology Corporation: XY-2K XYCLOPS XYDOC XYDOC II XYGATE XYGATE/AC XYGATE/CD XYGATE/CM XYGATE/EFTP XYGATE/ESDK XYGATE/FE XYGATE/KM XYGATE/LD XYGATE/MA XYGATE/MI XYGATE/OS XYGATE/PC XYGATE/PM UM XYGATE/PQ XYGATE/SE XYGATE/SE40 XYGATE/SM XYGATE/SP XYGATE/SR XYGATE/SW XYGATE/UA XYPRO XYTIMER XYWATCH The PCI Data Security Standard has been compiled by the PCI Security Standards Council. For more information, please consult December, 2007 XYPRO Technology Corporation

3 TABLE OF CONTENTS Introduction Integrity Authentication Authorization Auditing Encryption Access Control Operating Systems & Network Application Security...14 December, 2007 XYPRO Technology Corporation Page i

4 Introduction Security regulation has taken the forefront in the current decade. Significant monetary losses due to lessened corporate regulation and concerns for individual privacy in a time of large data mining have motivated many legislative establishments and voluntary cooperative organizations to create standards for secure behavior. Four such sets of standards are presented in this document: PCI, SOX, HIPAA and SB1386. The Payment Card Industry Data Security Standard (PCI) Version 1.2 is a standard of security for all payment card transactions agreed upon by the members of the Payment Card Industry Council, which includes VISA, Mastercard, American Express, Discovery Card and JCP. This standard is being phased in within the United States and internationally to secure retail transactions between a cardholder and the merchant accepting the transaction, between the merchant accepting the transaction and the merchant s bank, and between the bank and the payment card organization. The Sarbanes-Oxley Act of 2002 (SOX) targets internal controls over accounting procedures and financial reporting. It also brings pressure on the information security organization within a corporation to provide the underlying assurance needed to produce accurate accounting and reporting. While the SOX legislation has no specific security standards, the Control Objectives For Information And Related Technology (COBIT) have been created to provide a structure to meet SOX requirements. Even though the Sarbanes-Oxley Act of 2002 is a law of the United States of America, it is applied to any company that has a presence in the USA, and so it must be part of the security considerations of any corporation doing international business in the USA. The government of the United States of America created the Health Insurance Portability and Accountability Act (HIPAA) to reduce health care fraud and abuse, introduce and implement administrative simplification to increase the effectiveness and efficiency of the health care system, and protect the health care information of individuals against unauthorized access. The State of California passed the legislation SB1386 in response to several breaches of privacy in databases containing personal information. This legislation a person or business that conducts business in California, that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. XYPRO Technology Corporation Page 1

5 The Auditor s Checklist The spreadsheet on the following pages presents a view of various security requirements and how they are viewed in the context of the security standards described above. The specific standard to which a security requirement relates, is listed in the corresponding column. This allows you to easily find and reference a particular security requirement. The spreadsheet also includes references to discussions of these topics in the two definitive HP NonStop information security handbooks. ume 1 refers to: HP NonStop Server Security: A Practical Handbook (ISBN-13: ) and ume 2 refers to: Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL (ISBN: ). XYPRO has designed this document primarily for educational purposes. Readers should note that no regulatory, legislative, or advisory body has endorsed this document. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and auditors. The IT professional should always consult his or her own professional judgment to specific control circumstances presented by the particular systems or information technology environment. Internal controls, automated or manual, no matter how well designed and operated, can provide only reasonable assurance of achieving control objectives and can never achieve certainty. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and the breakdowns in internal control can occur because of human factors such as errors of inappropriate override of internal controls. XYPRO Technology Corporation Page 2

6 Item Discussion Security Handbook 1.00 Integrity 1.01 Protect personal information from improper alteration or destruction 1.02 Implement security measures to ensure that electronically transmitted personal information is not improperly modified without detection pp ; pp ; pp PCI SOX (Cobit) HIPAA SB1386 Your Findings 3 ( c) (e) 1.03 Deploy measures to prevent malicious code and update them regularly 1.04 Ensure that measures to prevent malicious code execute regularly and produce audit logs of execution and findings 1.05 Deploy file integrity monitoring software to monitor critical system resources and alert appropriate personnel p523 2; pp53-54 p523 2; p54 pp XYPRO Technology Corporation Page 3

7 2.00 Authentication 2.01 Management should establish procedures to ensure timely account management p95 User Account Management 2.02 Management should have a control process in place to review and confirm access rights periodically 2.03 Users should control the activity of their proper accounts pp94-95 Management Review of User Accounts User Control of User Accounts 2.04 Assign a unique userid to each user 2.05 Do not use group, shared, or generic accounts or passwords 2.06 Ensure proper user authentication and password management for all users p94 8 User Control of User Accounts p User Control of User Accounts p (a)(1) 2.07 Authenticate each user based on his unique userid 1; p94 p Identification, Authentication, and Access (d) Implied 2.08 Two-factor authentication for network access Authenticate users before resetting passwords XYPRO Technology Corporation Page 4

8 2.10 Reset passwords at least every 90 days 2.11 Require a minimum length of 7 characters 2.12 Ensure that each password contains at least 1 numeric and 1 alphabetic character 2.13 Maintain a password history value of at least 4 iterations 2.14 Set AUTHENTICATE- MAXIMUM-ATTEMPTS to permit a maximum of 6 attempted password entries before handling bad password event 2.15 Set AUTHENTICATE-FAIL- TIMEOUT to a minimum of 30 minutes when a bad password event occurs or implement AUTHENTICATE-FAIL- FREEZE or AUTHENTICATE- FAIL-STOP 2.16 If AUTHENTICATE-FAIL- FREEZE is used, ensure that the SUPER.SUPER and security administrator userids cannot be affected by the AUTHENTICATE-FAIL- FREEZE 2.17 Force users to change new passwords immediately after 1;p116 1;p116 1;p111 p116 1;p115 1;p131 1;p131 1;p131 p User Account Management XYPRO Technology Corporation Page 5

9 resets 2.18 Force SUPER.SUPER password to change regularly 2.19 Secure SUPER.SUPER password so that it can only be used by authorized personnel when needed for specific job functions 2.20 Force NULL.NULL password to change regularly or FREEZE NULL.NULL userid 1;p122 p86 p p Unique ID per person p Segregation of duties 2.22 Temporary and vendor accounts should become inactive at appropriate time 2.23 Remove userids of terminated users 2.24 Remove userids that haven't been used in >90 days 2.25 Force users to change new passwords immediately after resets 2.26 Change name of SUPER.SUPER userid to a nondefault value (i.e., NOT SUPER.SUPER) when network is new p User Account Management p User Account Management p User Account Management p117 p User Account Management (a1) Implied XYPRO Technology Corporation Page 6

10 2.27 Change NULL.NULL when node is new to a non-default value (i.e., NOT NULL.NULL) when node is new p Authorization 3.01 Establish a procedure for linking all access to system resources to an individual user Management should implement procedures to provide authorized access to resources based on the individual's demonstrated need to view, add, change, or delete data The userid structure used by the computing resource must support segregation of duties to ensure that personnel are peforming only those duties stipulated for their respective jobs and positions Auditing ch 5 p Security of Online access to data Segregation of Duties 4.01 Implement automated audit trails to reconstruct all individual user accesses to personal data pp72-79 ch Use and monitoring of system utilities (b) Implied XYPRO Technology Corporation Page 7

11 4.02 Implement automated audit trails to reconstruct the following events, for any activity performed by as user logged on as SUPER.SUPER and accountable to the user's unique userid Implement automated audit trails to reconstruct access to all audit trails 4.04 Implement automated audit trails to reconstruct invalid logical access attempts 1;p Use and monitoring of system utilities Use and monitoring of system utilities Use and monitoring of system utilities (b) (b) (b) Implied Implied Implied 4.05 Implement automated audit trails to reconstruct use of identification and authentication mechanisms 4.06 Implement automated audit trails to reconstruct initialization of the audit logs Use and monitoring of system utilities Use and monitoring of system utilities (b) (b) Implied Implied 4.07 Implement automated audit trails to reconstruct creation and deletion of system -level objects; Use and monitoring of system utilities (b) Implied 4.08 Implement audit trails and reporting procedures to ensure that security activity is logged 10.3 Security Surveillance XYPRO Technology Corporation Page 8

12 4.09 Implement reporting to ensure that any indicatotion of imminent security violation is reported immediately to all who may be concerned and is acted upon in a timely manner 4.10 Implement reporting to ensure that violation and security activity is logged, repoted, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity pp7-11 pp Security Surveillance Violation and Security Activity Reports 4.11 Secure all audit trails to prevent modification 4.12 Limit viewing of audit trails to those users that require this access to perform their duties 4.13 Back up audit trails to a separate platform to ensure redundancy Review audit logs daily Retain audit trail for at least one 10.7 year, with minimum of three months online 4.16 Alerts for intrusion detection and file integrity 4.17 Alert personnel about suspected intrusion attempts Violation and Security Activity Reports 11.4 XYPRO Technology Corporation Page 9

13 4.18 Produce quarterly reports certified by the CEO/CFO that any material changes or deficiencies in control have been reported to the audit committee 4.19 Produce internal control reports annually 4.20 Produce rapid and current reports on material changes in operations 4.21 Ensure that attempts to tamper with the security of computing resoures can be detected 4.22 Any breach of security must be reported to the person whose information was disclosed Section 302: CEO/CFO Certification of Annual, Semi- Annual, and Quarterly Reports Section 404(a): Internal Control Reports Section 409: Real- Time Disclosure Section 1102: Corporate Fraud Accountability XYPRO Technology Corporation Page 10

14 5.00 Encryption 5.01 Encrypt personal information, including: first, last, middle name or initial, social security number, drivers license number or other govt issue ID, account number, credit card number, debit card number, access code or password, PIN number 2; pp Security of online access to data (a); (e) Render personal account information unready anywhere it is stored by using -strong one way hash -truncation -index tokens and pads -strong cryptography with key management 2; pp Secure encryption keys Limit access to encryption keys Cryptographic keys must be generated, changes, revoked, certified, sored, used and archived in a secure manner Cryptographic Key Management 5.06 Ensure encryption uses strong algorithm: SSL/TLS, DES168, AES 4.1 XYPRO Technology Corporation Page 11

15 5.07 Encrypt all passwords at all times 5.08 Encrypt all non-console adminstrative access 5.09 Fully document and implement all key manage processes and procedures: -Generation of strong keys -Secure distribution of keys -Secure storage of keys -Periodic changing of keys -Split knowledge and establishment of dual-control of keys -Prevention of unauthorized substitution of keys -Replacement of know or suspected compromised keys -Revocation of old or invalid keys 1;p115 2;p XYPRO Technology Corporation Page 12

16 6.00 Access Control 6.01 Limit access to computing resources to individuals who require the access to perform their duties p Deny access to computing resources unless the inidividual has a demonstrated and authorized need to access the resource 6.03 Document usage policies for critical system resources and document all personnel with access 6.04 Access to computing resources should expire after 15 minutes of inactivity p94-95 p143 pp7-11 1;p (a)(1) 6.05 Modem sessions should expire after a defined period of inactivity 6.06 Vendor access should be activitated only when needed with immediate deactivation when finished XYPRO Technology Corporation Page 13

17 7.00 Operating System & Network 7.01 Disable all unneeded networks services 7.02 Monitor all access to network resources and application data 7.03 Syncronize all system clocks and times 7.04 Configure system security parameters to prevent misuse 7.05 Remove all unnecessary functionality pp Do not use vendor defaults p Control the addition, deletion, and modification of userids and identification objects such as tokens or credentials pp Application Security 8.01 Separate test, development, production environments 8.02 Test all products and product updates before implementation into production 8.03 Separate test, development and production duties 8.04 Evaluate all application updates; apply appropriate updates on a timely basis ch 7 p523 p523 p XYPRO Technology Corporation Page 14

18 8.05 Develop requirements for all application updates. Review all requirements against implementation 8.06 Ensure that test data does not contain live information 8.07 Ensure that live data files do not contain test information 8.08 Use appropriate change control to ensure that the changes made to the application are applied in an orderly manner and that the change is recorded in a source code maintainenance system 8.09 Authenticate access to application information 8.10 Ensure all web-facing applications are secure p XYPRO Technology Corporation Page 15