Auditor's Checklist. A XYPRO Solution Paper, May 2009. XYPRO Technology Corporation, 3325 Cochran Street, Suite 200, Simi Valley, California 93063-2528, U.S.A. Email: info@xypro.com. Telephone: +1 805-583-2874. Fax: +1 805-583-0124. Copyright 2009 by XYPRO Technology Corporation. All rights reserved.
Trademark Acknowledgments

The following are trademarks or service marks of Hewlett-Packard Company:
Distributed System Management (DSM), EDIT, ENFORM, Enscribe, Event Management Service (EMS), FUP, Guardian, MEASURE, NETBATCH, NonStop, NonStop Kernel, NonStop SQL, PATHCOM, PATHWAY, SAFECOM, SAFEGUARD, SCUP, SPOOLCOM, TACL, TEDIT.

The following are trademarks or service marks of XYPRO Technology Corporation:
XY-2K, XYCLOPS, XYDOC, XYDOC II, XYGATE, XYGATE/AC, XYGATE/CD, XYGATE/CM, XYGATE/EFTP, XYGATE/ESDK, XYGATE/FE, XYGATE/KM, XYGATE/LD, XYGATE/MA, XYGATE/MI, XYGATE/OS, XYGATE/PC, XYGATE/PM UM, XYGATE/PQ, XYGATE/SE, XYGATE/SE40, XYGATE/SM, XYGATE/SP, XYGATE/SR, XYGATE/SW, XYGATE/UA, XYPRO, XYTIMER, XYWATCH.

The PCI Data Security Standard has been compiled by the PCI Security Standards Council. For more information, please consult www.pcisecuritystandards.org.

December, 2007 XYPRO Technology Corporation
TABLE OF CONTENTS
Introduction ... 1
1.00 Integrity ... 3
2.00 Authentication ... 4
3.00 Authorization ... 7
4.00 Auditing ... 7
5.00 Encryption ... 11
6.00 Access Control ... 13
7.00 Operating Systems & Network ... 14
8.00 Application Security ... 14
Introduction

Security regulation has taken the forefront in the current decade. Significant monetary losses attributed to weakened corporate oversight, together with concern for individual privacy in a time of large-scale data mining, have motivated legislatures and voluntary cooperative organizations to create standards for secure behavior. Four such sets of standards are presented in this document: PCI, SOX, HIPAA and SB1386.

The Payment Card Industry Data Security Standard (PCI DSS) Version 1.2 is a security standard for all payment card transactions agreed upon by the members of the PCI Security Standards Council, founded by Visa, MasterCard, American Express, Discover and JCB. The standard is being phased in within the United States and internationally to secure retail transactions between a cardholder and the merchant accepting the transaction, between that merchant and the merchant's bank, and between the bank and the payment card organization.

The Sarbanes-Oxley Act of 2002 (SOX) targets internal controls over accounting procedures and financial reporting. It also brings pressure on the information security organization within a corporation to provide the underlying assurance needed to produce accurate accounting and reporting. SOX itself specifies no security standards; the Control Objectives for Information and Related Technology (COBIT) framework is widely used to provide a control structure for meeting SOX requirements. Although the Sarbanes-Oxley Act is a law of the United States of America, it applies to any company, domestic or foreign, whose securities are registered in the USA, so it must be part of the security considerations of any corporation doing business on the US markets.
The government of the United States of America created the Health Insurance Portability and Accountability Act (HIPAA) to reduce health care fraud and abuse, to introduce and implement administrative simplification that increases the effectiveness and efficiency of the health care system, and to protect the health care information of individuals against unauthorized access.

The State of California passed the legislation SB1386 in response to several breaches of privacy in databases containing personal information. This legislation requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose any breach of the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The Auditor's Checklist

The spreadsheet on the following pages presents a view of various security requirements and how they are viewed in the context of the security standards described above. The specific standard to which a security requirement relates is listed in the corresponding column, so that a particular security requirement can be found and referenced easily. The spreadsheet also includes references to discussions of these topics in the two definitive HP NonStop information security handbooks. Volume 1 refers to HP NonStop Server Security: A Practical Handbook (ISBN-13: 978-1555583149), and Volume 2 refers to Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL (ISBN: 978-1555583446).

XYPRO has designed this document primarily for educational purposes. Readers should note that no regulatory, legislative, or advisory body has endorsed this document. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and auditors. The IT professional should always apply his or her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment. Internal controls, automated or manual, no matter how well designed and operated, can provide only reasonable assurance of achieving control objectives and can never achieve certainty. The likelihood of achievement is affected by limitations inherent to internal control, including the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human factors such as errors or inappropriate override of internal controls.
Column key (from the original spreadsheet): Item; Discussion; Security Handbook (volume and page, as given in the source); PCI (DSS 1.2 requirement); SOX (COBIT control); HIPAA (paragraph); SB1386; Your Findings (left blank for the auditor). In the rows below the references appear in square brackets in that order; a column the source leaves empty is omitted.

1.00 Integrity

1.01 Protect personal information from improper alteration or destruction. [Handbook: Vol. 1 pp. 536-537; Vol. 2 pp. 225-230. PCI: 3. HIPAA: (c)]
1.02 Implement security measures to ensure that electronically transmitted personal information is not improperly modified without detection. [Handbook: Vol. 2 pp. 230-234. HIPAA: (e)]
1.03 Deploy measures to prevent malicious code and update them regularly. [Handbook: p. 523; Vol. 2 pp. 53-54. PCI: 5.1]
1.04 Ensure that measures to prevent malicious code execute regularly and produce audit logs of execution and findings. [Handbook: p. 523; Vol. 2 p. 54. PCI: 5.2]
1.05 Deploy file integrity monitoring software to monitor critical system resources and alert appropriate personnel. [Handbook: pp. 10-11. PCI: 11.5]
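Item 1.05 (file integrity monitoring) and, later, item 4.11 (audit trails secured against modification) rest on the same mechanism: a cryptographic baseline of critical files compared against the live system, with the baseline itself protected from the users and processes it watches. The following is an added example written for this page; it is not XYPRO's or HP's code and not a NonStop tool. It builds a SHA-256 baseline over a constructed directory, seals the baseline with an HMAC under a key that is assumed to be kept off the monitored host, and reports what was added, removed or changed. The file names (SYSTEM/SAFECOM, ZCONFIG and so on) and the simulated tampering are constructed for the demonstration.

```python
"""File-integrity baseline, sealed against tampering, with change reporting.

Added example (not XYPRO code).  Works on any directory tree; the demo()
function creates a constructed tree in a temp directory so it runs offline.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Return the added, removed and modified files between two baselines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(f for f in set(baseline) & set(current) if baseline[f] != current[f])
    return {"added": added, "removed": removed, "modified": modified}


def seal_baseline(baseline, key):
    """Serialise the baseline and HMAC it.  An attacker who can rewrite the
    monitored files but does not hold the key cannot also 'fix' the baseline."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_baseline(body, tag, key):
    """Constant-time check of the stored baseline before trusting it."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo():
    """Constructed scenario: baseline, then simulated tampering, then a re-check."""
    key = b"constructed-demo-key-kept-off-the-monitored-host"   # assumption: off-host key
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "SYSTEM").mkdir()
        (root / "SYSTEM" / "SAFECOM").write_bytes(b"original program image")
        (root / "SYSTEM" / "TACLCSTM").write_bytes(b"#FRAME\n")
        (root / "ZCONFIG").write_bytes(b"config v1")
        body, tag = seal_baseline(build_baseline(root), key)

        # Simulated tampering: one binary replaced, one file deleted, one dropped in.
        (root / "SYSTEM" / "SAFECOM").write_bytes(b"trojaned program image")
        (root / "ZCONFIG").unlink()
        (root / "SYSTEM" / "NEWFILE").write_bytes(b"dropped by attacker")

        baseline_ok = verify_baseline(body, tag, key)          # genuine baseline: True
        forged_ok = verify_baseline(body, "00" * 32, key)      # swapped tag: False
        report = compare(json.loads(body), build_baseline(root))
        return baseline_ok, forged_ok, report


if __name__ == "__main__":
    print(demo())
```

On a real system the baseline and its tag belong on a separate host (the same place item 4.13 wants audit-trail copies), and a monitor that cannot verify its baseline should raise an alert rather than silently rebuild it.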
2.00 Authentication

2.01 Management should establish procedures to ensure timely account management. [Handbook: p. 95. COBIT: User Account Management]
2.02 Management should have a control process in place to review and confirm access rights periodically. [Handbook: pp. 94-95. COBIT: Management Review of User Accounts]
2.03 Users should control the activity of their own accounts. [COBIT: User Control of User Accounts]
2.04 Assign a unique userid to each user. [Handbook: p. 94. PCI: 8. COBIT: User Control of User Accounts]
2.05 Do not use group, shared, or generic accounts or passwords. [Handbook: p. 94. PCI: 8.5.8. COBIT: User Control of User Accounts]
2.06 Ensure proper user authentication and password management for all users. [Handbook: p. 94. PCI: 8.5. HIPAA: (a)(1)]
2.07 Authenticate each user on the basis of that user's unique userid. [Handbook: Vol. 1 p. 94; p. 110. PCI: 8.2. COBIT: Identification, Authentication, and Access. HIPAA: (d). SB1386: implied]
2.08 Require two-factor authentication for remote network access. [PCI: 8.3]
2.09 Authenticate users before resetting passwords. [PCI: 8.5.2]
2.10 Reset passwords at least every 90 days. [Handbook: Vol. 1 p. 116. PCI: 8.5.9]
2.11 Require a minimum password length of 7 characters. [Handbook: Vol. 1 p. 116. PCI: 8.5.10]
2.12 Ensure that each password contains at least 1 numeric and 1 alphabetic character. [Handbook: Vol. 1 p. 111. PCI: 8.5.11]
2.13 Maintain a password history of at least 4 iterations. [Handbook: p. 116. PCI: 8.5.12]
2.14 Set AUTHENTICATE-MAXIMUM-ATTEMPTS to permit at most 6 password attempts before the bad-password event is handled. [Handbook: Vol. 1 p. 115. PCI: 8.5.13]
2.15 Set AUTHENTICATE-FAIL-TIMEOUT to a minimum of 30 minutes when a bad-password event occurs, or implement AUTHENTICATE-FAIL-FREEZE or AUTHENTICATE-FAIL-STOP. [Handbook: Vol. 1 p. 131. PCI: 8.5.14]
2.16 If AUTHENTICATE-FAIL-FREEZE is used, ensure that the SUPER.SUPER and security administrator userids cannot be frozen by it; otherwise anyone able to submit failed logons for those userids can lock the administrators out. [Handbook: Vol. 1 p. 131. PCI: 8.5.14]
2.17 Force users to change new passwords immediately after resets. [Handbook: Vol. 1 p. 131; p. 117. PCI: 8.5.3. COBIT: User Account Management]
2.18 Force the SUPER.SUPER password to change regularly. [Handbook: Vol. 1 p. 122; p. 86. PCI: 2.1]
2.19 Secure the SUPER.SUPER password so that it can be used only by authorized personnel when needed for specific job functions. [Handbook: p. 92. PCI: 7]
2.20 Force the NULL.NULL password to change regularly, or FREEZE the NULL.NULL userid. [Handbook: p. 85. PCI: 2.1]
2.21 Unique ID per person. [Handbook: p. 81. PCI: 8.1. COBIT: Segregation of Duties]
2.22 Temporary and vendor accounts should become inactive at the appropriate time. [Handbook: p. 103. PCI: 8.5.6. COBIT: User Account Management]
2.23 Remove the userids of terminated users. [Handbook: p. 95. PCI: 8.5.4. COBIT: User Account Management]
2.24 Remove userids that have not been used in more than 90 days. [Handbook: p. 81. PCI: 8.5.5. COBIT: User Account Management]
2.25 Force users to change new passwords immediately after resets (restates 2.17). [Handbook: p. 117. PCI: 8.5.3. COBIT: User Account Management]
2.26 Change the name of the SUPER.SUPER userid to a non-default value (i.e., not SUPER.SUPER) when the network is new. [Handbook: p. 87. PCI: 2.1. HIPAA: (a)(1). SB1386: implied]
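Items 2.11, 2.13, 2.14 and 2.15 are Safeguard global settings, so the obvious audit step is to pull the current values and compare them with the checklist thresholds rather than eyeballing a SAFECOM listing. The following is an added example written for this page, not XYPRO's or HP's code. It parses a constructed "ATTRIBUTE VALUE" listing and reports each deviation with the checklist item it violates. The AUTHENTICATE-* attribute names are the ones the checklist itself uses; the PASSWORD-MINIMUM-LENGTH and PASSWORD-HISTORY names, the two-column layout and the "n MINUTES" duration format are assumptions about how the listing looks, so adapt parse_listing() to what your node actually prints. Item 2.10 (password age) is a per-user attribute and is not covered here.

```python
"""Audit Safeguard global authentication settings against checklist items
2.11, 2.13, 2.14 and 2.15.  Added example, not XYPRO code.

Input is an 'ATTRIBUTE  VALUE' listing; the two listings below are constructed
(not captured from a real system) and the attribute layout is an assumption.
"""
import re

WEAK_LISTING = """\
PASSWORD-MINIMUM-LENGTH          4
PASSWORD-HISTORY                 0
AUTHENTICATE-MAXIMUM-ATTEMPTS   10
AUTHENTICATE-FAIL-TIMEOUT        5 MINUTES
AUTHENTICATE-FAIL-FREEZE       OFF
AUTHENTICATE-FAIL-STOP         OFF
"""

HARDENED_LISTING = """\
PASSWORD-MINIMUM-LENGTH          8
PASSWORD-HISTORY                 6
AUTHENTICATE-MAXIMUM-ATTEMPTS    3
AUTHENTICATE-FAIL-TIMEOUT        0 SECONDS
AUTHENTICATE-FAIL-FREEZE        ON
AUTHENTICATE-FAIL-STOP         OFF
"""

_LINE = re.compile(r"^\s*([A-Z][A-Z0-9-]+)\s+(\S.*?)\s*$")
_UNIT_SECONDS = {"SECONDS": 1, "MINUTES": 60, "HOURS": 3600, "DAYS": 86400}


def parse_listing(text):
    """Return {ATTRIBUTE: 'value string'}; lines that do not fit the layout are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def to_minutes(value):
    """Normalise '5 MINUTES', '0 SECONDS', '2 HOURS' or a bare number (minutes) to minutes."""
    m = re.fullmatch(r"(\d+)\s*([A-Z]+)?", value.strip().upper())
    if not m:
        raise ValueError(f"unparseable duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "MINUTES"] / 60


def _is_on(cfg, attr):
    return cfg.get(attr, "OFF").strip().upper() == "ON"


def audit(cfg):
    """Return (item, attribute, observed, required) tuples; an empty list means compliant."""
    findings = []
    min_len = int(cfg.get("PASSWORD-MINIMUM-LENGTH", "0"))
    if min_len < 7:
        findings.append(("2.11", "PASSWORD-MINIMUM-LENGTH", str(min_len), ">= 7"))
    history = int(cfg.get("PASSWORD-HISTORY", "0"))
    if history < 4:
        findings.append(("2.13", "PASSWORD-HISTORY", str(history), ">= 4"))
    attempts = int(cfg.get("AUTHENTICATE-MAXIMUM-ATTEMPTS", "0"))
    if not 1 <= attempts <= 6:        # absent or 0 is treated as 'limit not enforced'
        findings.append(("2.14", "AUTHENTICATE-MAXIMUM-ATTEMPTS", str(attempts), "1..6"))
    timeout = to_minutes(cfg.get("AUTHENTICATE-FAIL-TIMEOUT", "0"))
    freeze = _is_on(cfg, "AUTHENTICATE-FAIL-FREEZE")
    stop = _is_on(cfg, "AUTHENTICATE-FAIL-STOP")
    # 2.15 is satisfied by any one of: a 30-minute lockout, FAIL-FREEZE or FAIL-STOP.
    if not (timeout >= 30 or freeze or stop):
        findings.append(("2.15", "AUTHENTICATE-FAIL-TIMEOUT",
                         f"{timeout:g} min, FAIL-FREEZE/FAIL-STOP off",
                         ">= 30 min, or AUTHENTICATE-FAIL-FREEZE/FAIL-STOP ON"))
    return findings


def audit_listing(text):
    return audit(parse_listing(text))


if __name__ == "__main__":
    for name, listing in (("weak", WEAK_LISTING), ("hardened", HARDENED_LISTING)):
        print(name, audit_listing(listing) or "compliant")
```

The hardened listing deliberately satisfies 2.15 through AUTHENTICATE-FAIL-FREEZE rather than a timeout, which is exactly the configuration for which item 2.16 matters: check that the frozen-account exemption for SUPER.SUPER and the security administrators is in place before declaring it compliant.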
2.27 Change NULL.NULL to a non-default value (i.e., not NULL.NULL) when the node is new. [Handbook: p. 85. PCI: 2.1]

3.00 Authorization

3.01 Establish a procedure for linking all access to system resources to an individual user. [PCI: 10.1]
3.02 Management should implement procedures to provide authorized access to resources based on the individual's demonstrated need to view, add, change, or delete data. [Handbook: ch. 5. PCI: 12.5.5. COBIT: Security of Online Access to Data]
3.03 The userid structure used by the computing resource must support segregation of duties, to ensure that personnel perform only those duties stipulated for their respective jobs and positions. [Handbook: p. 143. PCI: 12.5.4. COBIT: Segregation of Duties]

4.00 Auditing

4.01 Implement automated audit trails to reconstruct all individual user accesses to personal data. [Handbook: pp. 72-79; ch. 5. PCI: 10.2.1. COBIT: Use and Monitoring of System Utilities. HIPAA: (b). SB1386: implied]
4.02 Implement automated audit trails to reconstruct all actions taken by any user logged on as SUPER.SUPER, attributable to that individual's unique userid. [Handbook: Vol. 1 p. 107. PCI: 10.2.2. COBIT: Use and Monitoring of System Utilities. HIPAA: (b). SB1386: implied]
4.03 Implement automated audit trails to reconstruct access to all audit trails. [PCI: 10.2.3. COBIT: Use and Monitoring of System Utilities. HIPAA: (b). SB1386: implied]
4.04 Implement automated audit trails to reconstruct invalid logical access attempts. [PCI: 10.2.4. COBIT: Use and Monitoring of System Utilities. HIPAA: (b). SB1386: implied]
4.05 Implement automated audit trails to reconstruct use of identification and authentication mechanisms. [PCI: 10.2.5. COBIT: Use and Monitoring of System Utilities. HIPAA: (b). SB1386: implied]
4.06 Implement automated audit trails to reconstruct initialization of the audit logs. [PCI: 10.2.6. COBIT: Use and Monitoring of System Utilities. HIPAA: (b). SB1386: implied]
4.07 Implement automated audit trails to reconstruct creation and deletion of system-level objects. [PCI: 10.2.7. COBIT: Use and Monitoring of System Utilities. HIPAA: (b). SB1386: implied]
4.08 Implement audit trails and reporting procedures to ensure that security activity is logged. [PCI: 10.3. COBIT: Security Surveillance]
4.09 Implement reporting to ensure that any indication of an imminent security violation is reported immediately to all who may be concerned and is acted upon in a timely manner. [Handbook: pp. 7-11. COBIT: Security Surveillance]
4.10 Implement reporting to ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. [Handbook: pp. 7-11. PCI: 12.5.2. COBIT: Violation and Security Activity Reports]
4.11 Secure all audit trails to prevent modification. [PCI: 10.5]
4.12 Limit viewing of audit trails to those users who require this access to perform their duties. [PCI: 10.5.1]
4.13 Back up audit trails to a separate platform to ensure redundancy. [PCI: 10.5.3]
4.14 Review audit logs daily. [PCI: 10.6]
4.15 Retain audit trails for at least one year, with a minimum of three months online. [PCI: 10.7]
4.16 Generate alerts from intrusion detection and file integrity monitoring. [PCI: 12.9.5. COBIT: Violation and Security Activity Reports]
4.17 Alert personnel about suspected intrusion attempts. [PCI: 11.4]
4.18 Produce quarterly reports, certified by the CEO/CFO, that any material changes or deficiencies in control have been reported to the audit committee. [SOX: Section 302, CEO/CFO Certification of Annual, Semi-Annual, and Quarterly Reports]
4.19 Produce internal control reports annually. [SOX: Section 404(a), Internal Control Reports]
4.20 Produce rapid and current reports on material changes in operations. [SOX: Section 409, Real-Time Disclosure]
4.21 Ensure that attempts to tamper with the security of computing resources can be detected. [SOX: Section 1102, Corporate Fraud Accountability]
4.22 Any breach of security must be reported to the person whose information was disclosed. [SB1386: 1798.8]
5.00 Encryption

5.01 Encrypt personal information, including: first, last and middle name or initial; social security number; driver's license number or other government-issued ID; account number; credit card number; debit card number; access code or password; PIN. [Handbook: Vol. 2 pp. 231-232. PCI: 4. COBIT: Security of Online Access to Data. HIPAA: 164.306(a); (e). SB1386: 1798.9]
5.02 Render personal account information unreadable anywhere it is stored, using one of the following: [Handbook: Vol. 2 pp. 231-232. PCI: 3.4]
 - a strong one-way hash
 - truncation
 - index tokens and pads
 - strong cryptography with key management
5.03 Secure encryption keys. [PCI: 3.5]
5.04 Limit access to encryption keys. [PCI: 3.5.1]
5.05 Cryptographic keys must be generated, changed, revoked, certified, stored, used and archived in a secure manner. [PCI: 3.5.2. COBIT: Cryptographic Key Management]
5.06 Ensure encryption uses a strong algorithm: SSL/TLS, Triple DES (168-bit), AES. [PCI: 4.1] These are the algorithms PCI DSS 1.2 accepted when this paper was written; SSL and early TLS were later removed from PCI DSS (version 3.1) and NIST has deprecated Triple DES, so an auditor today should expect TLS 1.2 or later and AES.
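Item 5.02 lists a one-way hash and truncation as alternative ways of rendering a stored account number unreadable, and item 5.07 asks for stored passwords to be protected the same way. The two options interact badly if an auditor finds both in the same environment: a truncated PAN (first six and last four digits) leaves only six unknown digits, and the Luhn check digit removes another, so an unkeyed SHA-256 of the full PAN stored anywhere nearby can be reversed in about a hundred thousand hash operations. The following added example, written for this page and not XYPRO's code, shows that attack against a constructed Luhn-valid test number, and shows that an HMAC under a managed key (the "strong cryptography with key management" option) resists it. The test PAN, the key name and the assumption that the key lives in an HSM or key-management system per item 5.09 are all constructed for the demonstration.

```python
"""PAN truncation and hashing (checklist item 5.02), and why an unkeyed hash
stored beside a truncated PAN is not 'unreadable'.  Added example, not XYPRO code.
"""
import hashlib
import hmac
import itertools

TEST_PAN = "4012888888881881"   # constructed Luhn-valid test number, not a live card
DEMO_KEY = b"constructed-hmac-key-assumed-held-in-HSM-or-KMS"   # assumption (item 5.09)


def _luhn_sum(pan):
    """Luhn weighted digit sum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_ok(pan):
    return _luhn_sum(pan) % 10 == 0


def truncate(pan):
    """Keep the first six and last four digits, the form permitted for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan):
    """SHA-256 of the PAN alone: deterministic and brute-forceable over the small PAN space."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan, key):
    """HMAC-SHA256 under a managed secret: cannot be checked or brute-forced without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_truncation(truncated, target_hex):
    """Attack: given '401288******1881' and a hash of the full PAN, enumerate the
    unknown middle digits, letting the last one be fixed by the Luhn check, and
    return the PAN whose SHA-256 matches, or None if nothing matches."""
    head, tail = truncated[:6], truncated[-4:]
    free = len(truncated) - 10 - 1            # all middle digits but the last are free
    doubled = len(tail) % 2 == 1              # Luhn weight of the last middle digit
    for digits in itertools.product("0123456789", repeat=free):
        stem = head + "".join(digits)
        base = _luhn_sum(stem + "0" + tail) % 10
        for d in range(10):                   # exactly one d makes the PAN Luhn-valid
            contrib = (d * 2 - 9 if d > 4 else d * 2) if doubled else d
            if (base + contrib) % 10 == 0:
                cand = stem + str(d) + tail
                break
        if hashlib.sha256(cand.encode()).hexdigest() == target_hex:
            return cand
    return None


def demo():
    t = truncate(TEST_PAN)
    return {
        "truncated": t,
        "recovered_from_sha256": recover_from_truncation(t, unkeyed_hash(TEST_PAN)),
        "recovered_from_hmac": recover_from_truncation(t, keyed_hash(TEST_PAN, DEMO_KEY)),
    }


if __name__ == "__main__":
    print(demo())
```

The practical audit check that follows from this: wherever a hashed PAN is kept, ask whether a truncated copy of the same PAN exists anywhere it can be joined to the hash, and whether the hash is keyed (or salted with a secret) rather than a bare digest.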
5.07 Encrypt all passwords at all times. [Handbook: Vol. 1 p. 115. PCI: 8.2, 8.4]
5.08 Encrypt all non-console administrative access. [Handbook: Vol. 2 p. 117. PCI: 2.3]
5.09 Fully document and implement all key management processes and procedures: [PCI: 3.6]
 - generation of strong keys
 - secure distribution of keys
 - secure storage of keys
 - periodic changing of keys
 - split knowledge and establishment of dual control of keys
 - prevention of unauthorized substitution of keys
 - replacement of known or suspected compromised keys
 - revocation of old or invalid keys
6.00 Access Control

6.01 Limit access to computing resources to individuals who require the access to perform their duties. [Handbook: pp. 94-95. PCI: 7.1]
6.02 Deny access to computing resources unless the individual has a demonstrated and authorized need to access the resource. [Handbook: pp. 94-95. PCI: 7.2]
6.03 Document usage policies for critical system resources and document all personnel with access. [Handbook: p. 143; pp. 7-11. PCI: 12.3.3]
6.04 Access to computing resources should expire after 15 minutes of inactivity. [Handbook: Vol. 1 p. 487. PCI: 8.5.15. HIPAA: (a)(1)]
6.05 Modem sessions should expire after a defined period of inactivity. [PCI: 12.3.8]
6.06 Vendor access should be activated only when needed, with immediate deactivation when finished. [PCI: 12.3.9]
7.00 Operating System & Network

7.01 Disable all unneeded network services. [Handbook: pp. 102-104. PCI: 2.2.2]
7.02 Monitor all access to network resources and application data. [PCI: 10]
7.03 Synchronize all system clocks and times. [PCI: 10.4]
7.04 Configure system security parameters to prevent misuse. [PCI: 2.2.3]
7.05 Remove all unnecessary functionality. [PCI: 2.2.4]
7.06 Do not use vendor defaults. [Handbook: p. 32. PCI: 2]
7.07 Control the addition, deletion, and modification of userids and identification objects such as tokens or credentials. [Handbook: pp. 94-95. PCI: 8.5.1]

8.00 Application Security

8.01 Separate test, development and production environments. [Handbook: ch. 7. PCI: 6.3.2]
8.02 Test all products and product updates before implementation into production. [Handbook: p. 523. PCI: 6.3.1]
8.03 Separate test, development and production duties. [Handbook: p. 523. PCI: 6.3.3]
8.04 Evaluate all application updates; apply appropriate updates on a timely basis. [Handbook: p. 523. PCI: 6.3]
8.05 Develop requirements for all application updates; review all requirements against the implementation. [Handbook: p. 523. PCI: 6.3]
8.06 Ensure that test data does not contain live information. [PCI: 6.3.4]
8.07 Ensure that live data files do not contain test information. [PCI: 6.3.5]
8.08 Use appropriate change control to ensure that changes made to the application are applied in an orderly manner and that each change is recorded in a source code maintenance system. [PCI: 6.4]
8.09 Authenticate access to application information. [PCI: 8.5.16]
8.10 Ensure all web-facing applications are secure. [PCI: 6.5]