Sarbanes Oxley Compliance Journal

Vulnerability Management Unifies Risk Management and SOX Compliance


By Dave Eike
Director of Enterprise Solutions
Shavlik Technologies

Objective
Get auditors and compliance officers to understand that vulnerability management improves real system security while simultaneously assuring SOX compliance.

Executive Summary
Compliance with Sarbanes Oxley Section 404 is expensive, labor intensive, and unfortunately subject to divergent interpretations.  The differences in responsibilities between management and auditors can turn contentious when priorities for security and compliance come into conflict.  The demands of security and compliance can only become aligned through tools that are integrated into the normal business process.  Security and compliance management solutions deliver an automatic improvement in real security while providing continuous evidence of compliance.

Background
SOX 404, as currently interpreted under PCAOB Auditing Standard No. 5 (approved by the SEC in 2007), requires that the management of public companies in the United States oversee the preparation and presentation of annual financial reports that accurately portray the financial results of the period and the current status of the enterprise.  SOX 404 further requires that management's assessment of internal control over financial reporting be attested to by an independent registered public accounting firm.  But even though management and auditors both put their names to the same financial statements, their respective duties often put them at odds.  Specifically, management may have compelling reasons to emphasize risk management over SOX compliance, while auditors have a clear duty to determine whether financial and information controls meet applicable standards and best practices.  Obviously security and compliance should not lead in divergent directions, but the gap has been hard to bridge.  This is particularly true when the PCs and servers that comprise part of the financial reporting system are factored into the process.

Management Responsibilities
Management’s responsibility under SOX is to implement internal controls on the business processes and systems that are used to produce financial reports.  This is done by identifying key resources and then applying the requisite combination of prudent policies, procedures and security mechanisms to ensure the integrity of financial data.  At most public companies the core financial reporting applications run on mainframe computers.  However, those financial information systems are inextricably linked to other vital network components, such as PCs and servers, that may directly or indirectly affect the security of the financial systems.  Consequently, “prudent” managers have a duty to safeguard the entire financial reporting infrastructure, not just the applications used to produce financial statements.

Auditors and Security Frameworks
External SOX auditors, on the other hand, have a much narrower responsibility: to assess SOX compliance by measuring the degree to which the necessary policies and controls have been documented and tested on the systems used to produce financial reports.  This is not as clear cut as it sounds, however, because SOX Section 404 is not prescriptive regarding the technologies and processes required for compliance.  As a consequence, auditors have relied on pre-existing control frameworks such as COSO, COBIT, and ISO 17799 to ascertain whether appropriate controls are in place.

Developed in 1992, the COSO Framework states that internal controls include the control environment, risk assessment, control activities, information and communication, and monitoring.  COSO was formally recognized by the SEC, in its Final Rule on Management’s Controls, stating that the COSO framework “may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements.”

Another framework, COBIT, stands for Control Objectives for Information and related Technology.  COBIT interprets COSO from an IT perspective.  The COBIT Executive Summary states, “for IT to be successful in delivering against business requirements, management should put an internal control system or framework in place.  The COBIT control framework contributes to these needs by:
• Making a link to the business requirements
• Organizing IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered”

The International Organization for Standardization (ISO) published ISO/IEC 17799 in 2000 (revised in 2005 and renumbered ISO/IEC 27002 in 2007) with an emphasis on information security.  The standard “provides a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”  With broad support in many countries, ISO 17799 has become a recognized information security standard.

Having three different reference frameworks that may be used as guides for SOX compliance is confusing, and it invites differing interpretations of what is appropriate in a given instance.  Much is left to the discretion of auditors in determining whether an organization’s controls are adequate for SOX compliance.  That imprecision leads to tense discussions with management when SOX compliance is at issue.

Conflicts between security and compliance
This difference in missions between management and auditors often means that they perceive issues and respond to priorities differently, and therefore may disagree on the correct course of action.  For example, management may perceive a potential security breach that needs immediate attention while the auditors are instead urging better documentation of certain business processes.  This can lead to two distinct problems:
• Systems that are in fact secure may not be compliant
• Systems that are SOX 404 compliant may not in fact be secure
Because SOX certifications are an annual event, there is a tendency to focus on the state of the system at one point in time rather than on what happens in the course of normal operations.  This matters because systems tend to “drift” from their baseline state as changes are made to equipment, policies and personnel; a machine that passed its checks at certification time can be out of compliance a week later.
 
Bridging the gap between security and compliance for PCs and Servers
Obviously there is a fundamental need to unify security and risk management with compliance.  These important activities should not be in conflict, but rather be recognized as two coherent parallel processes that benefit from being closely aligned.  Security and risk management set the scope, and scope drives the key controls to be tested for compliance.  Real security cannot be achieved without identifying key assets, processes and risks, and compliance is much more valuable when it truly reflects the security posture of the system.

The most fundamental step to help management and auditors get on the same page is to give them reports from the same base of information.  Waiting for a thick report near the end of the reporting period does not work because it is too late to make significant adjustments for the sake of compliance, and because security vulnerabilities must be dealt with immediately.  In other words, an annual checkup does little to improve security and results in only periodic compliance.

There is a clear need for a continuous process of analysis, remediation, reporting, and feedback that responds to the responsibilities of managers and auditors.  The essential goal is to move systems into a state of compliance (a security baseline) and then not only continuously maintain that compliant state but also generate audit reports that prove the systems remain compliant.  In that manner, security and compliance become twin outcomes of the same ongoing process.

Automated security and compliance systems are quite natural on the large mainframes used to produce financial reports for many companies, but have been largely absent for the myriad PCs and servers that feed information into the mainframe systems.  The immense effort required to manually document large numbers of machines meant that only periodic reports could be produced.  For example, just configuring a PC properly from a security standpoint can involve over 500 separate checklist items.  Patching software can also be a tedious and hazardous process.  When these complex tasks are multiplied by thousands or even tens of thousands of machines, it becomes obvious that a manual process cannot possibly be timely or cost effective.  Consequently, PCs and servers have been a weak link in full SOX 404 compliance.

Fortunately a new class of “vulnerability management” products is now available to automate both configuration management and patch management.  Using network scanners, software agents or both, vulnerability management systems inspect each PC or server for its current configuration and patch levels, compare them against a defined baseline, make automatic changes or upgrades, and then record every such remediation.  Those records can then be filtered and mapped to the requirements of a given standard, such as SOX or PCI, to produce the evidence auditors require.  Meanwhile, managers receive alerts and reports of any conditions that do not conform to corporate security policies.  Thus, vulnerability management systems not only ensure and prove continuous compliance for PCs and servers but also provide the information executives need for affirmative risk management.  Drawing from the same base of information unifies the perspective of managers and auditors and eliminates the need to reconcile separate management and audit reports.  Better still, automated security and compliance systems save money by eliminating a great deal of painstaking manual work.  They also help ensure that the security state of systems is continuously improved and that the systems remain in a constant state of compliance readiness.
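The scan-compare-remediate-report loop described above, reduced to its data flow, as an added illustration (this is not Shavlik's or any product's code): a baseline of configuration and patch checks is evaluated against each host's observed state, the failures are tagged with the control they evidence so the same findings can be filtered into an audit view for one standard, and two consecutive scans of the same host are diffed to surface drift. The control labels, check names, host snapshots and version strings are constructed for the example.

```python
"""Baseline-drift checker (illustrative, constructed data; not a product's code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Check:
    name: str
    control: str                      # control label the check evidences (constructed IDs)
    passed: Callable[[dict], bool]    # predicate over the observed host state
    remediation: str


def version_tuple(v: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045). Numeric comparison, so 10.0.9999 < 10.0.19045,
    which a plain string compare gets wrong. Non-numeric suffixes are dropped, so
    '1.0.2k' and '1.0.2g' compare equal; use numeric build numbers where it matters."""
    return tuple(int(x) for x in re.findall(r"\d+", v)) or (0,)


def patch_level_ok(observed: str, required: str) -> bool:
    return version_tuple(observed) >= version_tuple(required)


def build_baseline(required_patches: Dict[str, str]) -> List[Check]:
    checks = [
        Check("password-min-length", "ACCESS-01",
              lambda h: h.get("password_min_length", 0) >= 12,
              "set minimum password length to 12"),
        Check("audit-logging-enabled", "AUDIT-02",
              lambda h: h.get("audit_logging") is True,
              "enable security audit logging"),
        Check("guest-account-disabled", "ACCESS-03",
              lambda h: h.get("guest_enabled") is False,
              "disable the Guest account"),
    ]
    for pkg, ver in required_patches.items():
        # Default arguments bind pkg/ver per iteration (avoids the late-binding closure bug).
        checks.append(Check(
            f"patch:{pkg}", "PATCH-01",
            lambda h, pkg=pkg, ver=ver: patch_level_ok(h.get("packages", {}).get(pkg, "0"), ver),
            f"update {pkg} to {ver} or later"))
    return checks


def evaluate(host: dict, baseline: List[Check]) -> dict:
    """Run every check. A predicate that raises (unreadable or malformed setting)
    counts as a failure: a scanner that silently marks it compliant hides drift."""
    failed = []
    for c in baseline:
        try:
            ok = bool(c.passed(host))
        except Exception:
            ok = False
        if not ok:
            failed.append({"check": c.name, "control": c.control, "fix": c.remediation})
    return {"host": host["name"], "failed": failed, "compliant": not failed}


def report_by_control(results: List[dict], controls: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Audit view: which hosts fail which control. `controls` restricts the report
    to the controls a particular standard's mapping cares about."""
    out: Dict[str, List[str]] = {}
    for r in results:
        for f in r["failed"]:
            if controls is None or f["control"] in controls:
                out.setdefault(f["control"], []).append(r["host"])
    return out


def drift(previous: dict, current: dict) -> Dict[str, List[str]]:
    """Checks whose state changed between two scans of the same host."""
    before = {f["check"] for f in previous["failed"]}
    after = {f["check"] for f in current["failed"]}
    return {"regressed": sorted(after - before), "fixed": sorted(before - after)}


# Constructed sample data: one workstation as seen in two consecutive scans.
BASELINE = build_baseline({"openssl": "1.1.1", "cumulative-update": "2019.03"})
SCAN_1 = {"name": "fin-ws-017", "password_min_length": 8, "audit_logging": True,
          "guest_enabled": False, "packages": {"openssl": "1.1.1", "cumulative-update": "2019.03"}}
SCAN_2 = {"name": "fin-ws-017", "password_min_length": 12, "audit_logging": False,
          "guest_enabled": False, "packages": {"openssl": "1.0.2", "cumulative-update": "2019.03"}}

if __name__ == "__main__":
    r1, r2 = evaluate(SCAN_1, BASELINE), evaluate(SCAN_2, BASELINE)
    print("all controls:", report_by_control([r1, r2]))
    print("patch controls only:", report_by_control([r2], {"PATCH-01"}))
    print("drift between scans:", drift(r1, r2))
```

Two design points carry over to real deployments: an unreadable setting is reported as a failure rather than a pass, and the audit report is a filter over the same findings the operations team acts on, so both sides are looking at one record rather than two reports to reconcile.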

While vulnerability management systems by themselves do not satisfy every SOX requirement, they create a secure foundation on which other security technologies can build.  By closing the weaknesses in operating system configurations and keeping software patches current, an organization avoids an estimated 60 to 70% of online attacks.  With known exploits foreclosed, user authentication and identity management products, anti-malware products, intrusion detection systems, and other security technologies can operate effectively.

Like anything else, vulnerability management products vary in quality and scope.  Look for products that provide:
• automatic identification, remediation and reporting of out-of-compliance events
• strong authentication of system administrators
• robust change control management
• report templates specifically designed for SOX compliance
• policy templates for SOX compliance


Summary
Vulnerability management systems enable organizations to comply with SOX requirements for PCs and servers that are involved in the financial reporting system.  Because auditors and executives can continuously obtain SOX specific reports drawn from the same system, reporting is streamlined and disagreements minimized.  Compared to manual remediation and reporting processes, automation improves accuracy and timeliness, and is much more cost effective.

Vulnerability Management Systems Implement a Continuous Process of Assessment, Remediation and Reporting To Ensure Standards Compliance


 








© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY