WHITE PAPER
The Challenges and Myths of Sarbanes-Oxley Compliance
Meeting the requirements of regulatory legislation on the iSeries.
SOX-001 REV1b, February 2005. Bytware, Inc. All Rights Reserved.
Enron. WorldCom. Tyco. These are all names that immediately bring to mind corruption, and following the accounting scandals that ushered in this decade, the Government and Congress set out to do something about the problem. The solution was the passing in 2002 of the Public Company Accounting Reform and Investor Protection Act, better known as Sarbanes-Oxley (SOX). The goal of the Act is to hold publicly traded companies accountable for corporate financial reporting and governance. With deadlines to begin certifying the adequacy of internal accounting controls starting as early as November 15, 2004, companies are scrambling to comply with a rather lengthy and vague set of regulations. Meanwhile, software vendors are rushing to the table with promises of simple compliance through technology.

The Myth of One-Click Compliance

There is a lot being thrown around about how specific software applications can make a company SOX-compliant. In reality, the majority of the Act deals with procedural and cultural practices that ensure the integrity, accuracy, and security of corporate records. Most of the buzz centers on Section 404: Management Assessment of Internal Controls. It is this section that large publicly traded companies (those with a market capitalization of $75 million or more) must comply with before the November 15 deadline (extended from the original June 15 deadline). Smaller companies, those with a market capitalization below $75 million, have until June 15, 2005 to comply.

The overall spirit of the Act is one of increased security and integrity, placing the interests of stockholders ahead of executives. Despite the fact that much of the Act is vague, promises of one-click compliance abound. The fact of the matter is that the needs of each organization are different, and there is no single solution that ensures compliance. Regardless of the claims of some vendors, software solutions are merely tools to assist with the implementation of sound internal procedures arrived at through planning, scoping, documenting, and analyzing. Software solutions cannot provide take-two-and-call-me-in-the-morning cures for inadequate processes and a lax corporate atmosphere.

Executives and managers who fail to ensure that adequate measures are in place to meet the requirements of SOX could be held legally responsible.

Already Have the Basic Tools?

For companies who rely on the iSeries for operations, it may come as a surprise that most of what is needed to comply technologically is already sitting in their computer rooms. IBM's OS/400 comes equipped with tools for securing, monitoring, and logging built right into the operating system. (The exception is virus protection, though enablement for this has been built into the new i5/OS V5R3, allowing easy tie-in to a third-party anti-virus tool.) While third-party software packages can build upon OS/400's standard toolkit, and can certainly enhance an operator's capabilities, none of these packages are critical for compliance with SOX. Vendors who claim otherwise are not being straightforward with customers.

Built-in Security

The iSeries provides excellent object-level security features to control access to resources: who can read a particular file, for example. These security features are built into every iSeries system, whether you use them or not. Contrary to some vendor claims, the iSeries can provide field-level security as well. You may need tools to supplement the iSeries security, such as restricting access during certain time periods, or allowing users to read a particular file but not to download it. Take the time to learn what you have, and how it can be used for your organization, before investing in tools that add little to what is already available to you.

Built-in Logging

Also provided with the iSeries are excellent logging facilities to track the activity occurring on the system: the System History Log, Message Queues, and Journals (including the security audit journal, QAUDJRN), to name a few. Many activities are automatically logged, such as when particular users sign on and off, and you can enable additional logging for many other types of activities as well (the QAUDCTL and QAUDLVL system values control which security events are written to the audit journal). These logs provide detailed accountability for what is occurring on the iSeries. They can be monitored proactively to identify potential problems, or post-mortem to trace a particular problem.

Built-in Monitoring

Lastly, in the area of monitoring, the iSeries provides good tools for keeping tabs on the health and status of your system, including security-related events. iSeries Navigator can monitor messages and logs for specific events and notify an administrator when a particular condition occurs. Depending on your needs, you may want to supplement the iSeries monitoring tools to provide additional features, such as problem escalation, or scheduling of specific types of alerts to different groups of people.

Five Steps to Compliance

An article entitled "Sarbanes-Oxley: Road to Compliance" that ran on the eWeek website (www.eweek.com) on February 16, 2004, breaks down compliance with SOX into five steps:

1. Planning: Form a compliance committee and select software to assist in the compliance process.
2. Scoping: Determine what information needs to be documented and is material to the company.
3. Documentation: Document business processes and the controls in place to ensure accurate information.
4. Gap Analysis: Identify and remediate inadequate controls.
5. Implementation, Evaluation, and Monitoring of Controls: Document and update controls as needed, then turn them over to the audit team, which evaluates the depth and effectiveness of the controls. Develop an ongoing process for monitoring controls.

Following the five steps can create an atmosphere that is suited to SOX compliance. Pulling in the technology that is built into your iSeries can build the foundation, and third-party applications can then take that infrastructure to the next level.
How Can Bytware Solutions Help?

First of all, it is important to understand again that software solutions are tools, not cures. Bytware offers several applications that can assist in compliance with SOX once a company has put a framework into place. Independent auditing firms have been relying upon a set of guidelines first published by ISACA in 1996 called the Control Objectives for Information and Related Technology, better known simply as COBIT. On the following pages is a list of specific objectives and the Bytware product(s) that can assist with each.
COBIT Objectives for SOX Compliance

Many of these objectives have been paraphrased. The complete COBIT objectives are available for free online from the IT Governance Institute at: www.usmd.edu/leadership/usmoffice/AdminFinance/IAO/is/cobit-control-guidelines.pdf.

PO9: PLANNING AND ORGANIZATION - Assess Risk

PO9.2: Risk Assessment Approach
This objective calls upon Management to establish a general risk assessment approach, defining boundaries and methodologies with regard to security risks and vulnerabilities. It directs Management and security specialists to identify vulnerabilities, and IT specialists to identify tools with which to control those vulnerabilities.
StandGuard can help. You can use StandGuard's ability to identify and log access to sensitive files and libraries through unusual means or during unusual times. Once you have identified these sources, you can create rules and filters to allow or reject these types of activity.

AI3: ACQUISITION AND IMPLEMENTATION - Acquire and Maintain Technology Infrastructure

AI3.7: Use and Monitoring of System Utilities
This objective calls for policies and techniques to be implemented for using, monitoring, and evaluating the use of system utilities. Responsibilities for using sensitive software utilities should be clearly defined and understood by developers, and the use of the utilities should be monitored and logged.
Messenger and StandGuard can help. You can use either MessengerConsole or MessengerPlus to monitor the OS/400 and iSeries security audit journal for usage of software utilities and commands, and log these events to a message queue or e-mail log. You can use StandGuard to monitor and log the use of certain OS/400 and iSeries commands and parameter values, such as PWRDWNSYS RESTART(*NO), for example.
DS5: DELIVERY AND SUPPORT - Ensure Systems Security

DS5.1: Manage Security Measures
This objective states that IT security should be managed such that security measures are in line with business requirements, including implementing the IT security plan and monitoring its implementation.
StandGuard and Messenger can help. You can use StandGuard to define rules that log and control access to company data through network services such as FTP and ODBC. You can use Messenger to monitor StandGuard's rules and notify IT personnel of exceptions. Messenger's Audit Journal Monitor can look for possible intrusions and notify IT personnel.

DS5.2: Identification, Authentication, and Access
This objective specifies that logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication, and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections, and other system (network) entry ports from accessing computer resources, and minimize the need for authorized users to use multiple logins. Procedures should also be in place to keep authentication and access mechanisms effective (e.g. regular password changes).
StandGuard can help. You can use StandGuard to create access rules and filters to log and prevent access to company data through unauthorized entry points. For example, reject a Telnet connection if its source IP address is outside a defined range or it arrives outside a defined time period.

DS5.3: Security of Online Access to Data
This objective states that, in an online IT environment, IT management should implement procedures, in line with the security policy, that provide access security control based on the individual's demonstrated need to view, add, change, and delete data.
StandGuard can help.
You can use StandGuard to define rules and filters to log and control access to company data via network services such as FTP and ODBC, and further define the types of access allowed: Add, Change, or Delete, for example.

DS5.5: Management Review of User Accounts
This objective specifies that Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.
StandGuard's User List can help. You can use StandGuard's rules and filters reports to show the resources users can access through network services. StandGuard's usage information shows how often each filter is hit, which helps you judge whether a policy is effective. Review the public usage information to verify that you are within compliance standards.

DS5.7: Security Surveillance
This objective states that IT security administration should ensure that security activity is logged, and that any indication of an imminent security violation is reported immediately to all who may be concerned, internally and externally, and is acted upon in a timely manner.
StandGuard and Messenger can help. You can use StandGuard to log access to critical system files via network services, and Messenger can be used to alert personnel to StandGuard's warnings about unauthorized or unexpected access.

DS5.10: Violation and Security Activity Reports
This objective states that IT security administration should ensure that violation and security activity is logged, reported, reviewed, and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. Logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege, or need-to-know.
StandGuard and MessengerConsole can help. You can use StandGuard to log security violations through network services, and to extract data from the system security audit journal. Messenger can in turn monitor these events and notify and escalate security violations to the appropriate personnel.

DS5.17: Protection of Security Functions
This objective directs that all security-related hardware and software should at all times be protected against tampering, to maintain their integrity, and against disclosure of secret keys. In addition, organizations should keep a low profile about their security design, but should not base their security on the design being secret.
StandGuard and StandGuard Anti-Virus can help. You can use StandGuard to secure files from being inappropriately updated or deleted via network services. Additionally, StandGuard Anti-Virus can detect, prevent, and remove viruses and malicious code.

DS5.19: Malicious Software Prevention, Detection, and Correction
This objective states that, regarding malicious software such as computer viruses or Trojan horses, management should establish a framework of adequate preventive, detective, and corrective control measures, and occurrence response and reporting. Business and IT management should ensure that procedures are established across the organization to protect information systems and technology from computer viruses.
Procedures should incorporate virus protection, detection, occurrence response, and reporting.
StandGuard and StandGuard Anti-Virus can help here in the same way as for DS5.17: StandGuard secures files from being inappropriately updated or deleted via network services, and StandGuard Anti-Virus detects, prevents, and removes viruses and malicious code.

DS9: DELIVERY AND SUPPORT - Manage the Configuration

DS9.5: Unauthorized Software
This objective specifies that clear policies restricting the use of personal and unlicensed software should be developed and enforced. The organization should use virus detection and remedy software. Business and IT management should periodically check the organization's personal computers for unauthorized software. Compliance with the requirements of software and hardware license agreements should be reviewed on a periodic basis.
StandGuard Anti-Virus can help. You can use StandGuard Anti-Virus to detect, prevent, and remove viruses and malicious code.

DS10: DELIVERY AND SUPPORT - Manage Problems and Incidents

DS10.1: Problem Management System
This objective calls upon IT management to define and implement a problem management system to ensure that all operational events which are not part of standard operation (incidents, problems, and errors) are recorded, analyzed, and resolved in a timely manner. Emergency program change procedures should be promptly tested, documented, approved, and reported. Incident reports should be produced in the case of significant problems.
MessengerConsole and MessengerPlus can help. You can use Messenger to monitor for errors and abnormal conditions and alert operations staff automatically.

DS10.2: Problem Escalation
This objective states that IT management should define and implement problem escalation procedures to ensure that identified problems are solved in the most efficient way on a timely basis. These procedures should ensure that priorities are appropriately set. The procedures should also document the escalation process for the activation of the IT continuity plan.
MessengerConsole and MessengerPlus can help. You can use Messenger to escalate event notification to backup personnel or management when critical events have exceeded their defined time-limit tolerances.

DS10.3: Problem Tracking and Audit Trail
This objective calls for a problem management system that provides adequate audit trail facilities, allowing tracing from an incident to its underlying cause (e.g. a package release or urgent change implementation) and back. It should work closely with change management, availability management, and configuration management.
MessengerConsole and MessengerPlus can help. You can use Messenger's ability to track event history, including time of creation, replies, commands, notifications, escalations, and acknowledgments.
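As an added example, and not Bytware's StandGuard or Messenger code nor anything from IBM, the following Python sketch shows the shape of the decisions the AI3.7 and DS5.2/DS5.3 passages describe: reject a Telnet sign-on whose source address is outside a defined range or whose time is outside a defined window, allow FTP/ODBC reads of a finance library but reject Add/Change/Delete by anyone not on an allowed list, and raise an alert (without blocking) whenever a sensitive command such as PWRDWNSYS RESTART(*NO) is run. The office address range, office hours, library name, user names and the sensitive-command list are all assumptions made for the illustration, and the events are constructed rather than taken from a real audit journal.

```python
"""Illustrative rule evaluation for network-service access and command use.

Added example, not vendor code.  Every policy value below is an assumption
chosen for the demonstration; the events at the bottom are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    service: str   # TELNET, FTP, ODBC, or CMD (a command run on the system)
    src_ip: str    # empty for CMD events
    target: str    # LIBRARY/FILE for data access; the command string for CMD
    action: str    # SIGNON, READ, ADD, CHANGE, DELETE, or RUN


# Assumed policy values; a real deployment would read these from its own config.
OFFICE_NET = ip_network("10.20.0.0/16")
OFFICE_HOURS = (time(7, 0), time(19, 0))
FINANCE_LIB = "GLLIB"
FINANCE_WRITERS = {"GLCLERK", "GLMGR"}
WRITE_ACTIONS = {"ADD", "CHANGE", "DELETE"}
SENSITIVE_COMMANDS = {"PWRDWNSYS", "ENDSBS", "CHGSYSVAL", "GRTOBJAUT"}


def rule_telnet_origin(e: Event):
    """DS5.2: Telnet only from the office address range and only during office hours."""
    if e.service != "TELNET":
        return None
    if ip_address(e.src_ip) not in OFFICE_NET:
        return ("REJECT", f"telnet from {e.src_ip} is outside {OFFICE_NET}")
    if not OFFICE_HOURS[0] <= e.when.time() <= OFFICE_HOURS[1]:
        return ("REJECT", f"telnet at {e.when:%H:%M} is outside office hours")
    return None


def rule_finance_writes(e: Event):
    """DS5.3: FTP/ODBC may read GLLIB, but only listed users may add, change or delete."""
    if e.service not in {"FTP", "ODBC"}:
        return None
    library = e.target.split("/", 1)[0]
    if library == FINANCE_LIB and e.action in WRITE_ACTIONS and e.user not in FINANCE_WRITERS:
        return ("REJECT", f"{e.user} may not {e.action} {e.target} via {e.service}")
    return None


def rule_sensitive_command(e: Event):
    """AI3.7: alert on sensitive commands.  Alerts only, never blocks, so the record stays complete."""
    if e.service != "CMD":
        return None
    parts = e.target.split()
    if not parts or parts[0].upper() not in SENSITIVE_COMMANDS:
        return None
    detail = e.target
    if parts[0].upper() == "PWRDWNSYS" and "RESTART(*NO)" in e.target.upper():
        detail += " [system will not restart on its own]"
    return ("ALERT", f"{e.user} ran {detail}")


RULES = (rule_telnet_origin, rule_finance_writes, rule_sensitive_command)


def evaluate(events):
    """Return one (user, verdict, reason) finding per rule hit, in event order."""
    findings = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit is not None:
                findings.append((e.user, hit[0], hit[1]))
    return findings


# Constructed sample events (not real audit-journal records).
SAMPLE_EVENTS = [
    Event(datetime(2005, 2, 14, 9, 15), "ACCT01", "TELNET", "10.20.5.7", "", "SIGNON"),
    Event(datetime(2005, 2, 14, 9, 20), "ACCT01", "TELNET", "203.0.113.9", "", "SIGNON"),
    Event(datetime(2005, 2, 15, 2, 30), "QSECOFR", "TELNET", "10.20.1.2", "", "SIGNON"),
    Event(datetime(2005, 2, 15, 10, 5), "GLCLERK", "ODBC", "10.20.8.3", "GLLIB/GLMAST", "CHANGE"),
    Event(datetime(2005, 2, 15, 10, 6), "TEMP01", "FTP", "10.20.9.4", "GLLIB/GLMAST", "DELETE"),
    Event(datetime(2005, 2, 15, 10, 7), "TEMP01", "FTP", "10.20.9.4", "GLLIB/GLMAST", "READ"),
    Event(datetime(2005, 2, 15, 23, 10), "OPER1", "CMD", "", "PWRDWNSYS OPTION(*IMMED) RESTART(*NO)", "RUN"),
    Event(datetime(2005, 2, 15, 23, 11), "OPER1", "CMD", "", "WRKACTJOB", "RUN"),
]

if __name__ == "__main__":
    for user, verdict, reason in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:6} {user:8} {reason}")
```

On a real iSeries the place to enforce the first two rules is an exit program registered for the FTP, Telnet and database server exit points (WRKREGINF lists them), and the source for the third is the security audit journal, which is what the page's products hook into; the sketch only shows the decision logic those hooks would call. Note the deliberate difference between the rules: access rules reject, while the command rule only alerts, so an emergency shutdown is never blocked but is always on the record for the DS5.10 review.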
9440 Double R Blvd., Suite B, Reno, NV 89521-5990 775.851.2900 facsimile 775.851.2995 sales: 800.932.5557 2005 Bytware, Inc. All rights reserved.