XYGATE & SOX COMPLIANCE
A Solution Paper
January 2005

XYPRO Technology Corporation
3325 Cochran Street, Suite 200
Simi Valley, California 93063-2528 U.S.A.
Email: support@xypro.com
Telephone: +1 805-583-2874
FAX: +1 805-583-0124
Copyright 2005 by XYPRO Technology Corporation. All rights reserved.

Trademark Acknowledgments

The following are trademarks or service marks of Hewlett-Packard Company: Distributed System Management (DSM), EDIT, ENFORM, Enscribe, Event Management Service (EMS), FUP, Guardian, MEASURE, NETBATCH, NonStop, NonStop Kernel, NonStop SQL, PATHCOM, PATHWAY, SAFECOM, SAFEGUARD, SCUP, SPOOLCOM, TACL, TEDIT.

The following are trademarks or service marks of XYPRO Technology Corporation: XY-2K, XYCLOPS, XYDOC, XYDOC II, XYGATE, XYGATE/AC, XYGATE/CD, XYGATE/CM, XYGATE/EFTP, XYGATE/ESDK, XYGATE/FE, XYGATE/KM, XYGATE/LD, XYGATE/MA, XYGATE/MI, XYGATE/OS, XYGATE/PC, XYGATE/PM UM, XYGATE/PQ, XYGATE/SE, XYGATE/SE40, XYGATE/SM, XYGATE/SP, XYGATE/SR, XYGATE/SW, XYGATE/UA, XYPRO, XYTIMER, XYWATCH.
TABLE OF CONTENTS

INTRODUCTION
OVERVIEW OF SOX MANDATES
SOX APPLICATION IN THE HP NONSTOP SERVER WORLD
  Use and Monitoring of System Utilities
  Segregation of Duties
  Identification, Authentication, and Access
  Security of Online Access to Data
  User Account Management
  Management Review of User Accounts
  User Control of User Accounts
  Security Surveillance
  Violation and Security Activity Reports
  Cryptographic Key Management
CONCLUSION
DISCLAIMER
XYGATE PRODUCT TABLE
INTRODUCTION

Following the losses in the U.S. stock markets in recent years, the United States Congress passed the Sarbanes-Oxley Act of 2002 (SOX). Although the act mainly targets internal controls over accounting procedures and financial reporting, it puts pressure on Information Technology (IT) groups to help their companies move toward compliance by providing greater physical and electronic security of IT resources. SOX applies to any publicly traded company in the U.S., including all of its divisions and wholly owned subsidiaries. It also applies to any non-U.S. public multinational company doing business in the U.S.

This paper shows where SOX is applicable to HP NonStop Server enterprises and how XYPRO products can help IT managers in their compliance efforts. It provides a summary list of SOX objectives and explains the XYGATE product(s) applicable to each one. The product table at the end of this document describes each product, cross-referenced to the objectives it can be used to achieve.

OVERVIEW OF SOX MANDATES

The main thrust of SOX is the requirement that companies establish and maintain accounting procedures that prevent manipulation of accounting data. Compliance requires that systems be able to identify any person who violates established accounting methods or alters existing financial data in an effort to manipulate the company's financial performance statements. Specifically, SOX mandates the following:

- CEOs/CFOs are prohibited from altering corporate financial data for their own personal gain through previously questionable, but now specifically illegal, actions.
- CEOs/CFOs are required to implement financial and IT controls to prevent and detect any attempted financial manipulation.
- It must be certified on a quarterly basis that financial and IT controls are in place and are effective.
- External auditors must review and attest to the accuracy of these certifications.
This proactive approach, with review and certification by auditors, places a new burden on IT personnel in NonStop environments. In the past, IT departments have generally benefited from auditors' lack of experience in the Guardian world, but for SOX compliance the controls implementing the security requirements will have to be positively stated and demonstrable to auditors before certification can take place.

SOX comprises eleven titles, further divided into sections that detail the legal expectations for compliance. The act can be found in its entirety at http://www.law.uc.edu/ccl/soact/soact.pdf. Many of the sections deal with checks and balances at high levels of an organization, but some sections are particularly important for IT departments looking to assist their companies with compliance:

Section 302 - CEO/CFO Certification of Annual, Semi-Annual, and Quarterly Reports
Company CEOs/CFOs must certify that they have reported any deficiencies or material changes in internal controls to the audit committee.
Section 404(a) - Internal Control Reports
Each annual report must include an "internal control report" stating that management is responsible for an adequate internal control structure, together with management's assessment of the control structure's effectiveness.

Section 404(b) - External Auditor Attestation Related to Internal Controls
The accounting firm must attest to, and report on, management's assertions regarding its assessment of the effectiveness of the company's internal controls.

Section 409 - Real-Time Disclosure
Corporations are required to disclose, on a rapid and current basis (48 hours), additional information concerning material changes in their financial condition or operations.

Section 1102 - Corporate Fraud Accountability
This section imposes penalties on anyone who tampers with a record, document, or other object with the intent to impair the object's integrity or availability for use in an official proceeding.

SOX APPLICATION TO NONSTOP SERVER SYSTEMS

SOX regulations were written to be general enough to apply to a diverse array of corporate financial structures, so no exact roadmap or formula can be extracted to guide every company into compliance. In addition, much of the regulation mandates that guidance and commitment come from the top of an organization down. One helpful tool used by many auditing firms for guiding a company toward SOX compliance is the Control Objectives for Information and related Technology (COBIT). COBIT lists 34 high-level control objectives, which are further broken down into some 300-plus detailed objectives. COBIT is certainly not the only tool for guiding a company into SOX compliance, and without detailed knowledge of an individual firm's financial practices and procedures and of its IT department no complete list of requirements could be compiled, but a representative list of objectives common to the majority of IT departments can reasonably be made.
Listing some of these objectives makes it easy to see how the security software tools offered by XYPRO can ease the job of becoming SOX compliant. A first step for anyone involved in this type of effort is to obtain the definitive book, HP NonStop Server Security: A Practical Handbook, authored by XYPRO and published by HP. A second step is to use XYGATE's Security Compliance Wizard. This Wizard, with its user-friendly GUI, can greatly assist in determining the differences between the protections currently in place on a NonStop system and those required by a best-practices approach.

What follows is a representative list of COBIT objectives, each with an explanation of how XYPRO's XYGATE products can facilitate an IT department's compliance efforts with regard to its HP NonStop Server enterprise.
COBIT objective: Use and Monitoring of System Utilities

Policies and techniques should be implemented for using, monitoring, and evaluating the use of system utilities. Responsibilities for using sensitive software utilities should be clearly defined and understood by personnel, and the use of the utilities should be monitored and logged.

This COBIT objective seeks to secure system utilities by controlling and monitoring their use. The XYGATE Access Control, Process Control and CMON products can be of great value in accomplishing it. They not only provide safe, controlled access to system utilities running as powerful userids but also restrict the commands and subcommands within each utility to those appropriate for each user's job tasks, and they audit down to the keystroke level. XYGATE Merged Audit reports on the combined audit logs of Safeguard and all XYGATE products. Automatic alerting for specified security events sends messages to an EMS process, a third-party IP monitor or any email addresses you choose. This combination of features lets the SOX monitoring requirements be met efficiently and in a timely manner.

COBIT objective: Segregation of Duties

Senior management should implement a division of roles and responsibilities that excludes the possibility of a single individual subverting a process. Management should also make sure that personnel perform only those duties stipulated for their respective jobs and positions. In particular, a segregation of duties should be maintained between the following functions:

- Information Systems Use
- Data Entry
- Computer Operation
- Network Management
- System Administration
- Systems Development and Maintenance
- Change Management
- Security Administration
- Security Audit

This COBIT objective seeks to enforce separation of duties and least privilege. If looking over the list above makes you uneasy, you are not alone.
Many managers of IT departments with NonStop systems have people functioning in more than one of these categories. To work around this, users are assigned multiple userids and/or aliases in different groups in order to do their jobs, or they share passwords and log on as privileged userids such as SUPER.SUPER or application owners. XYGATE makes it possible to eliminate both the need for users to have multiple userids and the need to share privileged userids, with its attendant loss of accountability. XYGATE Access Control, Process Control, CMON and Secure Spoolcom Peruse all address this requirement. Instead of juggling a handful of userids and passwords, users can do all their tasks with a single userid and gain pre-defined privileged access. XYGATE's comprehensive audit logs provide full accountability as well as a detailed record of each user's activities.

COBIT objective: Identification, Authentication and Access

Logical access to and use of IT computing resources should be restricted by adequate identification, authentication, and authorization mechanisms that link users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections, and other system (network) entry ports from accessing computer resources, and should minimize the need for authorized users to use multiple logins. Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes).

This COBIT objective covers both access to computer systems and access to system resources once a user has logged on. XYGATE CMON uses port entries in the CMACL file to control access based on the user's remote TCP/IP address as well as ASYNC/LAN addresses. When TELNET is used, or when the libraries provided with XYGATE $CMON are installed on FTP, XYGATE $CMON can determine the incoming IP port and apply logon controls based on that port. TELNET and FTP can be secured with separate lists specifying who can and cannot use the NonStop system. XYGATE Access Control can limit access to utilities and their subcommands based on the incoming IP port and userid.
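The Segregation of Duties objective above lists the functions that should not be combined in one person, and the paragraph that follows it describes how NonStop sites end up with one person holding several userids and aliases, or several people sharing one privileged userid. The Python below is an added example written for this paper, not XYPRO code: it reviews a constructed inventory of userids and aliases, collapses each person's IDs into one set of duties, and reports conflicting duty combinations as well as userids issued to more than one person. The conflict pairs are an illustrative assumption, not a COBIT or XYPRO list.

```python
"""Segregation-of-duties review over a constructed userid/alias inventory (added example)."""
from collections import defaultdict
from itertools import combinations

# Duty categories are the COBIT functions listed in the text above.
# Which pairs conflict is an illustrative assumption (not a COBIT or XYPRO list):
# one person holding both duties in a pair could subvert a control alone.
CONFLICTS = {
    frozenset({"Security Administration", "Security Audit"}),
    frozenset({"System Administration", "Security Audit"}),
    frozenset({"Systems Development and Maintenance", "Computer Operation"}),
    frozenset({"Systems Development and Maintenance", "Change Management"}),
}

# Constructed inventory: (userid or alias, person it is issued to, duty it is used for).
# A shared privileged ID appears as one userid issued to several people.
INVENTORY = [
    ("SUPER.SUPER", "alice", "System Administration"),
    ("SUPER.SUPER", "bob", "System Administration"),
    ("SECURITY.ALICE", "alice", "Security Administration"),
    ("AUDIT.ALICE", "alice", "Security Audit"),
    ("DEV.CAROL", "carol", "Systems Development and Maintenance"),
    ("carol_ops", "carol", "Computer Operation"),
    ("OPS.DAVE", "dave", "Computer Operation"),
]


def duties_by_person(inventory):
    """Collapse every userid and alias a person holds into a single duty set."""
    duties = defaultdict(set)
    for _userid, person, duty in inventory:
        duties[person].add(duty)
    return duties


def shared_userids(inventory):
    """Userids issued to more than one person: their actions cannot be attributed."""
    holders = defaultdict(set)
    for userid, person, _duty in inventory:
        holders[userid].add(person)
    return {uid: sorted(people) for uid, people in holders.items() if len(people) > 1}


def sod_violations(inventory, conflicts=CONFLICTS):
    """Return {person: [(duty_a, duty_b), ...]} for every conflicting pair a person holds."""
    findings = {}
    for person, duties in duties_by_person(inventory).items():
        hits = [pair for pair in combinations(sorted(duties), 2) if frozenset(pair) in conflicts]
        if hits:
            findings[person] = hits
    return findings


if __name__ == "__main__":
    for person, hits in sod_violations(INVENTORY).items():
        for duty_a, duty_b in hits:
            print(f"SoD conflict: {person} holds both {duty_a} and {duty_b}")
    for userid, people in shared_userids(INVENTORY).items():
        print(f"Shared userid: {userid} is used by {', '.join(people)}")
```

The review is done per person rather than per userid on purpose: alice's conflict only appears once her SUPER.SUPER, SECURITY.ALICE and AUDIT.ALICE identities are combined, which is exactly the view an auditor will ask for and the one a userid-by-userid listing hides.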
XYGATE Safeguard Manager eases the administration of userids and aliases and makes it easier to monitor the system for obsolete or improperly configured IDs. XYGATE User Authentication can be configured to restrict access by IP address, terminal name, the object file of the process and the ancestor of the process requesting logon. It also facilitates two-factor authentication such as RSA SecurID. XYGATE Password Quality enhances the security of passwords on NonStop systems by controlling password attributes such as required numbers, uppercase letters or special characters.

XYGATE Safeguard Manager also eases the administration of Protection Records (ACLs) for files, processes, and devices, making it unnecessary for users to learn arcane syntax. Instead, effective file protection rules can easily be built and propagated to other NonStop servers on the network.
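The controls described in this section (logon restrictions by TCP/IP address or terminal, utility and subcommand access by userid, protection rules that cover many files at once) all come down to evaluating a request against a small set of attribute masks, with anything unmatched denied. The Python below is an added example for this paper, not XYGATE's CMACL, PCACL or Safeguard rule syntax: it evaluates a constructed request (userid, source address, requesting program, object name, Guardian file code and operation) against wildcard rules, lets the first applicable rule decide, and denies any request that no rule covers. The rule contents and the $DATA.ACCT file names are constructed.

```python
"""Attribute-based access rules with wildcard masks and deny-by-default (added example)."""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed rule set; the syntax is this example's own, not XYGATE's CMACL or Safeguard format.
# A rule applies when every mask matches the request. The first applicable rule decides:
# the operation is allowed only if it is in that rule's "ops", and a request that no rule
# covers is denied. Guardian file code 100 is a program object file, 101 an EDIT text file.
RULES = [
    {"name": "finance-reads-ledgers",
     "userid": "FIN.*", "source": "10.1.0.0/16", "program": "$SYSTEM.SYSTEM.ENFORM",
     "object": "$DATA.ACCT.*", "filecode": "101", "ops": {"READ"}},
    {"name": "owner-full-control",
     "userid": "ACCT.OWNER", "source": "10.1.2.0/24", "program": "*",
     "object": "$DATA.ACCT.*", "filecode": "*",
     "ops": {"READ", "WRITE", "EXECUTE", "PURGE", "RENAME"}},   # LICENSE deliberately excluded
    {"name": "operators-manage-programs",
     "userid": "OPS.*", "source": "0.0.0.0/0", "program": "$SYSTEM.SYSTEM.FUP",
     "object": "$DATA.*.*", "filecode": "100", "ops": {"READ", "RENAME"}},
]

MASK_FIELDS = ("userid", "program", "object", "filecode")


def request(userid, source, program, obj, filecode, op):
    """Build a request record; the source is the client's IP address."""
    return {"userid": userid, "source": source, "program": program,
            "object": obj, "filecode": filecode, "op": op}


def applies(rule, req):
    """True when every wildcard mask matches and the source IP lies inside the rule's network."""
    masks_ok = all(fnmatchcase(req[field], rule[field]) for field in MASK_FIELDS)
    return masks_ok and ip_address(req["source"]) in ip_network(rule["source"])


def decide(req, rules=RULES):
    """Return (decision, rule name). A matching rule that omits the operation denies it;
    there is no fall-through to a later, looser rule."""
    for rule in rules:
        if applies(rule, req):
            return ("ALLOW" if req["op"] in rule["ops"] else "DENY", rule["name"])
    return ("DENY", "default")


if __name__ == "__main__":
    for req in (
        request("FIN.ALICE", "10.1.44.7", "$SYSTEM.SYSTEM.ENFORM", "$DATA.ACCT.LEDGER", "101", "READ"),
        request("FIN.ALICE", "10.1.44.7", "$SYSTEM.SYSTEM.TACL", "$DATA.ACCT.LEDGER", "101", "READ"),
        request("ACCT.OWNER", "10.1.2.5", "$SYSTEM.SYSTEM.FUP", "$DATA.ACCT.PAYPROG", "100", "LICENSE"),
        request("OPS.DAVE", "10.9.9.9", "$SYSTEM.SYSTEM.FUP", "$DATA.ACCT.PAYPROG", "100", "PURGE"),
    ):
        print(req["userid"], req["op"], req["object"], "->", decide(req))
```

Two design points matter for an auditor. First, the requesting program is part of the match, so the same finance user who may read a ledger through ENFORM is denied when reading it from TACL. Second, a rule that matches but does not list the operation denies it outright instead of falling through to a looser rule, which is what keeps the operator rule from granting LICENSE to the application owner by accident.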
XYGATE Object Security enhances Safeguard protection by creating dynamic protection rules based on wildcarded file masks and other properties such as filecode, filetype, owner and the program requesting access. As a result, significantly fewer ACLs, and less effort, are required to secure system resources. The XYGATE Access Control and Process Control components provide granular access to system and application utilities and processes, eliminating the need for users to share powerful userids or keep track of multiple userids.

COBIT objective: Security of Online Access to Data

In an online IT environment, IT management should implement procedures, in line with the security policy, that provide access security control based on the individual's demonstrated need to view, add, change, or delete data.

This COBIT objective seeks to secure data both in transit and at rest. XYGATE Object Security enhances Safeguard's protection by creating dynamic protection rules based on wildcarded file masks and other properties such as filecode, filetype, owner and the program requesting access, which greatly simplifies the initial implementation and ongoing maintenance of resource and data security. XYGATE Spoolcom/Peruse can be configured so that operators can manage Spooler jobs without having userids in the powerful SUPER group and without viewing the contents of job output. It provides granular access to each Spoolcom and Peruse command and subcommand; privileges can be granted to each individual operator based on device names and properties, job owner and other job properties such as location, report name or creation date. XYGATE File Encryption protects the privacy of file data in-house and in transit, so only authorized users with online access can view or change file content. XYGATE Encrypted FTP and XYGATE Session Encryption ensure privacy for electronically transmitted communications between users. These solutions allow the company's trust perimeter to be extended over public networks without risking the compromise of sensitive data.

COBIT objective: User Account Management

Management should establish procedures to ensure timely action relating to requesting, establishing, issuing, suspending, and closing user accounts. A formal approval procedure, identifying the data or system owner who grants the access privileges, should be included. The security of third-party access should be defined contractually and address administration and non-disclosure requirements. Outsourcing arrangements should address the risks, security controls and procedures for information systems and networks in the contract between the parties.
This COBIT objective seeks to enforce secure and efficient procedures for managing the issuance of userids. XYGATE Safeguard Manager eases the administration of userids and aliases and makes it easier to monitor the system for obsolete or improperly configured IDs.

COBIT objective: Management Review of User Accounts

Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.

This COBIT objective seeks to enforce timely review of the userids on a system. XYGATE Safeguard Manager simplifies the administration of userids and aliases and makes it easier to monitor the system for obsolete or improperly configured IDs. XYGATE Safeguard Reports streamlines security auditing of Safeguard activity with a full range of pre-formatted and flexible reports. XYGATE Security Compliance Wizard provides a graphical window into the overall security of a system, including the configuration of all userids and aliases and all Safeguard settings relating to them.

COBIT objective: User Control of User Accounts

Users should systematically control the activity of their own account(s). Information mechanisms should also be in place to allow them to oversee normal activity and to be alerted to unusual activity in a timely manner.

COBIT objective: Security Surveillance

IT security administration should ensure that security activity is logged and that any indication of an imminent security violation is reported immediately to all who may be concerned, internally and externally, and is acted upon in a timely manner.

These two COBIT objectives seek to enforce timely monitoring of user activity and verification that the activities are justified.
XYPRO products deliver versatile methods for generating meaningful reports on user activity. XYGATE Access Control supplies keystroke-level auditing of user actions. XYGATE Safeguard Reports simplifies auditing of Safeguard-only activity with a full range of pre-formatted and flexible reports. XYGATE User Authentication enhances logon error management and logon-specific audit reporting. XYGATE Merged Audit, which reports on the combined audit logs of Safeguard and all XYGATE products, also supplies automatic alerts for suspicious or significant activity.

COBIT objective: Violation and Security Activity Reports

IT security administration should ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. Logical access to the computer resource accountability information (security and other logs) should be granted based upon the principle of least privilege, or need-to-know.

This COBIT objective not only mandates monitoring for and reporting on suspicious activity, it also requires that access to the logs themselves be granted on a least-privilege, need-to-know basis. XYGATE Access Control's keystroke-level auditing, combined with XYGATE Merged Audit, provides versatile methods for generating meaningful reports on user activity. With XYGATE/MA, automatic alerts for suspicious or significant activity can be sent to your EMS process, your third-party IP monitor, or to any email addresses you choose. Once your user schema is in place, XYGATE Safeguard Manager eases the administration of userids and aliases and makes it easier for authorized users to monitor the system for obsolete or improperly configured IDs.
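The automatic alerting described above for the Security Surveillance and Violation and Security Activity Reports objectives is only as good as the rules behind it. The Python below is an added example for this paper, not XYGATE/MA's record format or code: it parses constructed audit records in an assumed normalized layout (an ISO timestamp followed by key=value fields) and raises alerts for a burst of failed logons to one userid, any successful logon to a watch-listed privileged userid, and sensitive FUP subcommands, producing one-line messages a site could hand to its EMS, IP-monitor or e-mail delivery hook. The thresholds, the watch-list, the command list and the sample records are all constructed.

```python
"""Alerting rules over constructed, normalized audit records (added example, not XYGATE/MA)."""
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in an assumed normalized layout: an ISO timestamp followed by
# key=value fields (values containing spaces are quoted). Not Safeguard's or XYGATE's format.
SAMPLE_LOG = """\
2005-01-12T09:14:03 source=SAFEGUARD event=LOGON outcome=FAIL userid=SUPER.SUPER ip=10.1.2.3
2005-01-12T09:14:09 source=SAFEGUARD event=LOGON outcome=FAIL userid=SUPER.SUPER ip=10.1.2.3
2005-01-12T09:14:15 source=SAFEGUARD event=LOGON outcome=FAIL userid=SUPER.SUPER ip=10.1.2.3
2005-01-12T09:14:21 source=SAFEGUARD event=LOGON outcome=OK userid=SUPER.SUPER ip=10.1.2.3
2005-01-12T09:20:44 source=XYGATE_AC event=COMMAND outcome=OK userid=OPS.DAVE program=FUP command="PURGE $DATA.ACCT.LEDGER"
2005-01-12T09:31:02 source=SAFEGUARD event=LOGON outcome=FAIL userid=OPS.DAVE ip=10.1.7.9
2005-01-12T10:02:17 source=SAFEGUARD event=LOGON outcome=OK userid=OPS.DAVE ip=10.1.7.9
"""

PRIVILEGED_USERIDS = {"SUPER.SUPER"}                             # assumption: watch-list of powerful IDs
SENSITIVE_FUP_COMMANDS = {"PURGE", "SECURE", "GIVE", "LICENSE"}  # assumption: FUP subcommands to alert on
FAIL_THRESHOLD = 3                                               # assumption: this many failed logons
FAIL_WINDOW = timedelta(minutes=5)                               # within this window raise an alert


def parse_record(line):
    """Turn one record into a dict; the timestamp becomes a datetime, other fields stay strings."""
    stamp, _, rest = line.partition(" ")
    record = {"time": datetime.fromisoformat(stamp)}
    for field in shlex.split(rest):
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect(log_text, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Apply the three rules to the records in order and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)          # userid -> timestamps of recent failed logons
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        userid, when = rec.get("userid", "?"), rec["time"]
        event, outcome = rec.get("event"), rec.get("outcome")
        if event == "LOGON" and outcome == "FAIL":
            recent = failures[userid]
            recent.append(when)
            while recent and when - recent[0] > window:
                recent.popleft()           # drop failures that fell out of the window
            if len(recent) == threshold:   # fire once, when the burst reaches the threshold
                alerts.append({"rule": "failed_logon_burst", "time": when, "userid": userid,
                               "detail": f"{threshold} failed logons within {window}"})
        elif event == "LOGON" and outcome == "OK":
            failures[userid].clear()
            if userid in PRIVILEGED_USERIDS:
                alerts.append({"rule": "privileged_logon", "time": when, "userid": userid,
                               "detail": f"logon from {rec.get('ip', 'unknown')}"})
        elif event == "COMMAND" and rec.get("program") == "FUP":
            verb = rec.get("command", "").split(" ", 1)[0].upper()
            if verb in SENSITIVE_FUP_COMMANDS:
                alerts.append({"rule": "sensitive_command", "time": when, "userid": userid,
                               "detail": f"FUP {rec['command']}"})
    return alerts


def format_alert(alert):
    """One-line message a site could hand to its EMS, IP-monitor or e-mail delivery hook."""
    return f"{alert['time'].isoformat()} {alert['rule']} userid={alert['userid']} {alert['detail']}"


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(format_alert(alert))
```

Run against the sample, the rules raise three alerts: the third SUPER.SUPER failure inside the five-minute window, the successful SUPER.SUPER logon that follows it, and the FUP PURGE of a ledger file. The single OPS.DAVE failure stays below the threshold and raises nothing, which is the behaviour you want if the alerts are to be read rather than filtered.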
XYGATE Access Control makes it possible for users to do their jobs with a single userid, gaining granular access to privileges and powerful utilities based on the principles of separation of duties, least privilege and need-to-know.

COBIT objective: Cryptographic Key Management

Management should define and implement procedures and protocols for the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys, to ensure that keys are protected against modification and unauthorized disclosure. If a key is compromised, management should ensure that this information is propagated to every interested party through Certificate Revocation Lists or similar mechanisms.
XYGATE Key Management is an easy-to-use product that requires no knowledge of encryption algorithms, techniques or procedures. It automates most key management functions, including key upgrades, synchronization, deactivation and history keeping. It is a flexible, efficient, cost-effective software-based alternative to single-protocol mechanisms and works with or in place of hardware devices.

CONCLUSION

The guidelines in COBIT are just one method of mapping SOX requirements onto controls; many others exist, and which model you use may be determined by upper management. The methodology is simply how you choose to map the requirements of the SOX regulations into real-world policies and practices. Whatever method you use, the XYGATE suite of security tools will ease the transition into the secure environment that SOX compliance requires. Regulations like SOX put more pressure on IT management to adopt products like the XYPRO line to bring systems to a best-practice state that is not possible with the native Guardian security environment alone. The continued protection of company assets such as NonStop computers and the data they contain, together with the demands of auditors, make security-enhancing products like XYGATE increasingly valuable.

DISCLAIMER

XYPRO has designed this document primarily as an educational resource. Readers should note that it has not received endorsement from the SEC, the PCAOB or any other standard-setting body. The issues discussed in this paper will evolve over time. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and/or auditors. In determining the propriety of any specific procedure or test, the IT professional should apply his or her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.
XYPRO makes no representation or warranties and provides no assurance that an organization's use of this document or of XYGATE products will result in full compliance with the requirements of the act. Internal controls, whether automated or manual, no matter how well designed and operated, can provide only reasonable assurance of achieving control objectives. The likelihood of achievement is affected by limitations inherent in internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human factors such as errors or inappropriate override of internal controls.
XYGATE PRODUCT TABLE

XYPRO products are available in convenient packages or individually, as listed below. Each entry gives the product, its description, and the COBIT objectives it supports.

NonStop Server Platform Security

XYGATE/AC - Access Control
Description: Enables administrators to grant privileges to NonStop staff according to job function. XYGATE/AC extends native NonStop security into the area of actions, where security is based on what a user does, providing keystroke auditing of sessions initiated in both Guardian and OSS environments.
COBIT objectives: Use and Monitoring of System Utilities; Segregation of Duties; Identification, Authentication & Access; User Control of User Accounts; Violation & Security Activity Reports

XYGATE/CMON - CMON (fully supported)
Description: Facilitates your security and access control needs, as well as system performance needs. This fully supported $CMON process supplies auditing of pre-logon Guardian userids or aliases, terminal device logon restrictions, double-logon to sensitive userids and parameter customization by userid. Port entries in the CMACL file control access based on TCP/IP address as well as ASYNC/LAN address. XYGATE/CM permits complete end-to-end program execution audits, and placement and use of resources specified by user, requesting program, and other criteria. It gives you the ability to make virtually all processes follow $CMON directives on CPU use and priority.
COBIT objectives: Use and Monitoring of System Utilities; Segregation of Duties; Identification, Authentication & Access; Violation & Security Activity Reports

XYGATE/MA - Merged Audit
Description: Integrates many audit trails across multiple NonStop nodes into a single source of audit information. Pre-formatted reports provide the most commonly requested data, and you can create custom reports with timely mixes of information from Safeguard, Measure, EMS and all XYGATE security products. XYGATE/MA also supports automatic alerts, sending messages to a designated EMS process, third-party IP monitor or any email addresses you choose.
COBIT objectives: Use and Monitoring of System Utilities; Management Review of User Accounts; User Control of User Accounts; Violation & Security Activity Reports

XYGATE/OS - Dynamic Object Security
Description: Brings to HP NonStop servers a dynamic, pattern-oriented method of Access Control List security for objects. Rules based on many characteristics, including object name, Safeguard alias and userid, extend the ability to govern the use of operational privileges beyond Read, Write, Execute and Purge to include Rename, License, PROGID and the entire operations set supported by NonStop servers.
COBIT objectives: Use and Monitoring of System Utilities; Segregation of Duties; Identification, Authentication & Access; Violation & Security Activity Reports

XYGATE/PQ - Password Quality
Description: Easily sets and enforces rules to govern password characteristics, systematically standardizing and strengthening passwords for NonStop server support staff. Rules can be pre-specified for any combination of eight different quality characteristics; alternatively, a random system-generated password can be applied. Updating network passwords across all nodes, automatic expiration at initial logon, password splitting, and warning-mode operation are some of the other standard features.
COBIT objectives: Identification, Authentication & Access

XYGATE/PC - Process Control
Description: Implements the same type of assignable privileges to control the running of processes as XYGATE/AC supplies for interacting with those processes. XYGATE/PC can be configured to allow a non-privileged userid to STOP, DEBUG, ALTPRI, SUSPEND, and ACTIVATE any other user's running process. Additional keyword-based controls can be placed in the PCACL file to qualify processes by name, owner, hometerm, cpu, and object file name. Unlike the TACL process control commands, XYGATE/PC allows users to manipulate processes using wildcard selection criteria.
COBIT objectives: Use and Monitoring of System Utilities; Segregation of Duties; Identification, Authentication & Access

XYGATE/SM - Safeguard Manager
Description: Enables management of HP NonStop server security via a familiar and friendly Windows interface, streamlining administration of Safeguard global settings, users and aliases as well as object ACLs. The product is simple to use yet versatile enough to meet such security administrator needs as research by object or subject, and changes applied to a single NonStop node or to many nodes at once. XYGATE/SM's form-based screens let the security manager focus on what needs to be done rather than how to do it.
COBIT objectives: Identification, Authentication & Access; User Account Management; Management Review of User Accounts; Violation & Security Activity Reports

XYGATE/SR - Safeguard Reports
Description: Bypasses the arcane and cumbersome syntax, the lack of formatting options and the inflexibility of traditional reporting tools. XYGATE/SR streamlines security audit reporting for Safeguard activity with flexibility and ease. It provides a full range of pre-formatted reports containing just the information you need, and you can select the content of those reports in a user-friendly "check this box" fashion.
COBIT objectives: Management Review of User Accounts

XYGATE/SP - Spooler Manager, Peruse & Archive
Description: Lets you manage the attributes of HP NonStop server print jobs and control your spooler via a single utility. XYGATE/SP also provides Archive and Compare capabilities. Access is based on job function, without the need to use a SUPER userid.
COBIT objectives: Segregation of Duties

XYGATE/SW - Security Compliance Wizard
Description: Streamlines efforts to establish, monitor and report on compliance with your information security policy. XYGATE/SW comes preconfigured with all the Best Practices from the definitive reference manual for securing NonStop servers. Using reports revealing how your system security configuration differs from the Best Practice policy base, you can create or modify rules to fit your company's current situation and security policy. Automatically batched collection cycles help you track the implementation of security policies across major events such as system upgrades and application deployments.
COBIT objectives: User Account Management; Management Review of User Accounts; User Control of User Accounts; Violation & Security Activity Reports

XYGATE/UA - User Authentication
Description: Supports greater flexibility and control, providing more effective and streamlined user authentication. XYGATE/UA brings such industry-best authentication capabilities to the HP NonStop server environment as multi-factor authentication, sophisticated logon error management options at the individual userid level and logon-specific audit reporting.
COBIT objectives: Identification, Authentication & Access

Multi-Platform Encryption Software (COBIT objective: Cryptographic Key Management)

XYGATE/EF - Encrypted FTP & Site Security
Description: Adds protections to FTP, making it easy to encrypt both the data and command channels for transmissions NonStop Server to NonStop Server as well as between NonStop Servers and other system types. XYGATE/EF supports both triple DES and SSL, streamlining key exchange and certificate issues. It also enables you to restrict access to commands and file locations on NonStop server FTP sites to authorized users only.

XYGATE/KM - Encryption Key Management
Description: Automates most key management functions and requires no expertise with encryption algorithms. XYGATE/KM supports a variety of key types, with centralized static key management for NonStop servers and a subset of functions for endpoints running on NonStop, OS/390, Windows, HP-UX and Solaris systems.

XYGATE/ESDK - Encryption Software Developer Kit
Description: Provides a simple, API-based solution for incorporating strong encryption into your applications, communications and databases via crypto mechanisms tested and proven effective through wide industrial use on a variety of computer platform types.

XYGATE/FE - File Encryption
Description: Protects the privacy of file data in-house and in transit. XYGATE/FE runs on multiple computer platforms and may be deployed with fixed encryption keys or with XYGATE/KM for centralized static key management.

XYGATE/SE - Session Encryption
Description: Composed of related client and server components that provide encryption for just about any type of communication between two computer systems, including interactive sessions, transaction sessions and file transfer sessions.