
After the Auditors Leave


Demonstrating 404 Compliance On Demand

By Tom Kuhr, VP of Marketing, Preventsys

It is a dirty secret of Sarbanes-Oxley that won't surface for a while, but it will move to the forefront as the security and internal control landscape changes. Most attention around Section 404 compliance has revolved around documenting and creating the proper internal controls for employees' access to financial systems - ensuring only authorized people have access, and that access history is stored and can be audited. But what happens after the auditors leave, when a control fails or changes?

Over the past year, we've seen the world of hackers evolve from graffiti-producing "script kiddies" and virus writers to extortionists, organized crime units, and corporate espionage specialists. This move towards more damaging but significantly less visible computer crime is evidenced by the increase in "phishing" attacks and spyware incidents, and the decrease in merely annoying email viruses and worms. Real criminals are starting to take advantage of security holes and are using them to make money. It's not uncommon to hear of hackers using extortion against large companies, threatening to bring down websites or extranets with denial-of-service attacks unless ransom payments are made. Nobody wants to talk about these incidents - they are embarrassing, and usually resolved with a payment of less than $20,000. But they point to a bigger issue: what's to stop a competitor from paying an experienced hacker to break into your organization and tamper with your financial systems?

Section 404 of Sarbanes-Oxley is all about internal controls: deciding what they are, documenting them in detail, and testing against them at least once a year to make sure they're actually working. To ensure the reliability of financial information, the systems involved in building, storing and producing it need to be kept secure from malicious attacks - not just from unauthorized entry. Testing the integrity of financial systems, however, is not a once-a-year job. 404 compliance means understanding the state of security of financial systems every day of the year - not just when the auditors show up.

The three defining attributes of a secure system - one that can be trusted to produce and protect financial information from any form of corruption - are confidentiality, integrity and availability. The COBIT and COSO frameworks provide a starting point for building controls to manage both confidentiality (ensuring only authorized users have access to specific information) and integrity (ensuring data is not corrupted). Interestingly, availability is secondary here: an outage delays reporting, but as long as the financial information can be proven to be authentic and tamper-free, the reports themselves are not called into question.

Many corporations have adopted the practice of auditing for 404 three times a year - one internal audit done mid-year, one internal audit performed right before the auditors arrive, and then the "official" annual audit. Some have even retained two auditing firms, one to do that second audit a month or so before the official audit, so they have time to fix any outstanding issues. But what if three times a year is not enough, whether an attack is executed by external hackers or by insiders? Are two or three manual audits a year enough to guarantee that the integrity of financial data has been maintained through all reporting cycles?

Your CEO and CFO cannot legitimately vouch that no system has been compromised unless you are checking for control violations all the time. And 'all the time' is not every six months or even every month - it's just about every day. What would happen if a security breach led to the corruption of data or the intentional manipulation of material financial information, and you didn't discover it for six months? What are the consequences of having to publicly disclose that your systems were breached and that your company must restate its reports for a six- or nine-month period? How will that affect shareholder value? How will that affect sales and marketing? Malicious threats, although not as obvious, are just as real as an accountant entering incorrect financial data, a mail clerk accessing the accounting system, or an executive intentionally altering sales information.

Keys for Ensuring Financial Data Integrity
Presumably, your auditors have helped you decide what controls are appropriate for your organization and you've documented them in detail with flowcharts and control matrices. What most organizations haven't quite grasped yet is the magnitude of managing the confidentiality and integrity of financial systems on a regular basis, even though the controls only need to be audited annually. Whether it is the responsibility of your IT, information security, or internal audit groups, companies must embrace these key steps to ensure continued 404 compliance:
  1. Identify financially significant systems - know exactly which devices are subject to controls, and track them over time. This is your baseline to measure progress as the network changes and grows.
  2. Ensure 100% systems coverage - test all levels (network, OS, application) with vulnerability scanners and configuration managers, and test all types of computers and devices. Keep systems patched as recommended by vendors.
  3. Test frequently and automatically - audit against compliance controls on financial systems regularly (daily), without an external audit team, using an automated, scheduled, frequent testing process.
  4. Pinpoint violations and resolve them - identify security flaws, misconfigurations, and policy violations in financial systems, networks, and wireless that can act as attack gateways to controlled systems.
  5. Do it every day - integrate this identify, test, find and fix process with other IT and security functions to make it part of everyone's daily job.
Identify Financially Significant Systems
A company with ten thousand employees will have, on average, 15,000 to 20,000 network-enabled devices on its network, including desktops and servers, but also printers, PDAs, firewalls, routers, wireless access points, and mainframes - anything connected to the network is a potential gateway for an attack.

Depending on how your financial systems are segmented from the network, how many personnel and buildings have access, and how your global organization contributes its own financial data, "financially significant systems" can mean hundreds upon hundreds of devices. It's not enough to ensure that the ERP servers and databases are secure; you have to be able to prove that every device that has direct access to those systems, and even every device that is one step away from a device that has direct access, is secure.

An important thing to remember is that networks change constantly. Forward-thinking companies are at least able to account for all network devices on a daily basis, and provide historical, auditable records for these assets. As the security and compliance teams work their way from the inside out, they find that if networks are not architected correctly, or a firewall rule is wrong, the financial system is accessible to the entire company, not just the finance department. The only way to measure this and stay up to date is with an automated discovery process.

Using an IT inventory or asset management system is a great start. However, these systems are usually not up to date, and can't account for assets that aren't supposed to be on the network - the things you should be most worried about. In some companies, more than 10% of the network changes from day to day. Tracking who's authorized and who's not, and ensuring that these systems are secure, is a huge task, and can only be accomplished through an automated discovery and asset inventory process.
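As an added illustration (not part of the original article, and not Preventsys code), the following Python sketch shows the reconciliation step such an automated process performs each day: a discovery scan is compared against the authorized inventory, and the differences are sorted into unknown devices inside the financial segments, unknown devices elsewhere, inventoried devices that did not answer, and devices whose address changed. It also computes the day-over-day churn the paragraph above refers to. The inventory, the scan results and the segment list are constructed sample data, and keying devices on MAC address rather than IP is an assumption about what the discovery tool reports.

```python
"""Daily reconciliation of a discovery scan against the authorized asset inventory.

Added example: constructed data, not output of any real tool.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumption (constructed): subnets that host, or have direct access to, financial systems.
FINANCIAL_SEGMENTS = [ip_network("10.20.0.0/24"), ip_network("10.20.1.0/24")]


@dataclass(frozen=True)
class Device:
    mac: str            # keyed on MAC: survives DHCP address changes, unlike IP
    ip: str
    hostname: str = ""
    role: str = ""      # constructed label such as "erp-db"; empty for discovered-only devices


@dataclass
class Report:
    unauthorized_in_scope: list = field(default_factory=list)  # unknown devices inside finance segments
    unauthorized_other: list = field(default_factory=list)     # unknown devices elsewhere
    missing: list = field(default_factory=list)                # inventoried, but not seen today
    moved: list = field(default_factory=list)                  # (mac, inventory_ip, observed_ip)


# Constructed authorized inventory, as a CMDB export would provide it (lower-case MAC keys).
AUTHORIZED = {
    "00:11:22:aa:bb:01": Device("00:11:22:aa:bb:01", "10.20.0.10", "erp-db-01", "erp-db"),
    "00:11:22:aa:bb:02": Device("00:11:22:aa:bb:02", "10.20.0.11", "erp-app-01", "erp-app"),
    "00:11:22:aa:bb:03": Device("00:11:22:aa:bb:03", "10.20.1.50", "fin-ws-17", "workstation"),
    "00:11:22:aa:bb:04": Device("00:11:22:aa:bb:04", "10.30.0.21", "mkt-ws-03", "workstation"),
}

# Constructed discovery output for "today": the two ERP hosts are where they should be,
# fin-ws-17 has a new address inside the finance segment, mkt-ws-03 did not answer,
# and two MACs the CMDB does not know about appeared, one of them in finance.
DISCOVERED_TODAY = [
    Device("00:11:22:aa:bb:01", "10.20.0.10", "erp-db-01"),
    Device("00:11:22:aa:bb:02", "10.20.0.11", "erp-app-01"),
    Device("00:11:22:aa:bb:03", "10.20.1.77", "fin-ws-17"),
    Device("de:ad:be:ef:00:01", "10.20.1.200", ""),
    Device("de:ad:be:ef:00:02", "10.30.0.99", "printer-x"),
]


def in_financial_scope(ip: str) -> bool:
    """True if the address falls inside a segment with access to financial systems."""
    addr = ip_address(ip)
    return any(addr in net for net in FINANCIAL_SEGMENTS)


def reconcile(authorized: dict, discovered: list) -> Report:
    """Compare today's discovery results with the authorized inventory (both keyed by MAC)."""
    report = Report()
    seen = set()
    for dev in discovered:
        mac = dev.mac.lower()
        if mac in seen:
            continue                      # same device answered twice; count it once
        seen.add(mac)
        known = authorized.get(mac)
        if known is None:
            bucket = report.unauthorized_in_scope if in_financial_scope(dev.ip) else report.unauthorized_other
            bucket.append(dev)
        elif known.ip != dev.ip:
            report.moved.append((mac, known.ip, dev.ip))
    for mac, known in authorized.items():
        if mac not in seen:
            report.missing.append(known)
    return report


def churn(previous_macs, current_macs) -> float:
    """Share of all devices seen on either day that appeared or vanished (0.0 to 1.0)."""
    prev, cur = set(previous_macs), set(current_macs)
    union = prev | cur
    return len(prev ^ cur) / len(union) if union else 0.0


if __name__ == "__main__":
    rep = reconcile(AUTHORIZED, DISCOVERED_TODAY)
    print("unknown devices in finance segments:", [d.ip for d in rep.unauthorized_in_scope])
    print("unknown devices elsewhere:", [d.ip for d in rep.unauthorized_other])
    print("inventoried but not seen:", [d.hostname for d in rep.missing])
    print("address changed:", rep.moved)
    print("day-over-day churn:", churn(AUTHORIZED, [d.mac for d in DISCOVERED_TODAY]))
```

The `unauthorized_in_scope` bucket is the one to act on first, since it is exactly the "device one step away" from the ERP systems that the previous paragraphs describe; the `missing` list is what an asset management system alone would never show you.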

Comprehensive Coverage
After defining what you need to test, you have to ensure that you test it all. Your systems have potentially thousands of vulnerabilities and violations of "best practice" security rules, and you can't find them all using a single tool. Auditors use a variety of products to audit IT systems, including a variety of vulnerability scanners that look for holes in software applications, operating systems and databases. In addition, they check network architecture, routers, wireless networks, mainframes, AS/400s and web servers. They also manually inspect machine configurations and settings. According to the Gartner Group, in 2003 approximately 65% of successful cyberattacks exploited configuration errors, rather than vulnerabilities or software defects.

The audit team, except in rare cases, performs audits by doing "spot checks" - testing small samples of the network for vulnerabilities and violations, and extrapolating the findings to the entire network. This is a good way to get a feel for the average security of these systems, but it is not a way to guarantee that systems cannot be, or have not been, compromised. Because a network is only as secure as its weakest link, each and every machine, device, and application should be checked for integrity. Someone with malicious intent is not going to attempt to crack a highly secure database directly. They will find the easiest way in, like a misconfigured desktop with network access to the database, and work their way in at the application level. Application-level attacks are much more difficult to detect, and if carried out with skill, they can look like normal user access.

The next part of this problem is that comprehensive coverage creates too much data. Good auditors evaluate systems with multiple tools, but the amount of data produced by each specialized tool can be enormous, and using three tools to test three layers of a single machine (network, OS, application) leads to even more information. Auditors spend about 15% of their time setting up and running tests, and the rest manually matching and mapping information from one tool's results to another. This manual correlation and interpretation weeds out false positives and false negatives, and creates a comprehensive picture of the settings of each asset. Human expertise adds insight into network architecture issues and security best practices that these tools cannot supply on their own; by themselves they only explore a small portion of the big picture. It can take days or weeks to produce a manually prepared report from an audit, and because of the dynamics of a typical network, by the time the report is available it is already out of date.

Frequent, Automated Testing
Comprehensive coverage of any one machine can be achieved through the use of multiple auditing tools, and comprehensive coverage of the entire network can be accomplished with either a very large audit team or with an auditing tool that can be easily scaled to test a large network. But because the network changes on a regular basis, and new vulnerabilities are announced daily by software and hardware vendors, audits must also be frequent - a need that manual audits cannot meet.

The good thing is that the entire network doesn't need to be checked with the same frequency - different systems and sub-networks each have their own level of importance to the organization, and each can be assigned a separate audit schedule, ranging from a near-continuous hourly basis to daily, weekly, monthly or quarterly. The best thing about very frequent auditing is that the amount of work needed to fix compliance issues after each audit decreases dramatically over time.

With an increased understanding of network and system architectures, IT decisions, traffic optimization, and the cost of supporting different types of systems, companies that engage in frequent, automated auditing have fine-tuned their IT operations and procurement processes. They can quantitatively determine whether a specific operating system is more or less costly to maintain over time - leading to less expensive purchasing decisions based on real data and not vendor hype.

Pinpointing and Resolving Issues
With frequent, comprehensive testing come thousands of issues to prioritize and remediate. Having a way to centralize this list, and having a consistent, sound methodology for prioritizing and assigning these issues, is crucial for making all systems compliant with the company's security requirements and controls. Issues must be ranked in order of their importance to the organization using the organization's own business rules and requirements, as agreed upon with auditors and the executive team. Both the severity of the policy violation and the value of the system in question must be part of that calculation. A combination of these parameters will make reconfiguring a firewall that directly protects an ERP database from a known attack a much higher priority than fixing a misconfiguration of a Windows desktop that is not known to be exploitable by current threats.

Issue prioritization methodologies must be well defined and applied consistently to ensure the organization is doing the most to protect itself for the least effort. There are a few nuances to consider, however. "Asset value" has traditionally meant the replacement cost of a system or the depreciated value of the original equipment, but this is a highly inaccurate way to rank seemingly equal security issues. More appropriate are "operational value" - the cost to the company if the system goes down for one hour - and "fiduciary value" - the cost of a regulatory penalty for non-compliance, or even the legal costs associated with a compromised system (e.g. customer data was stolen). If audit results are centralized through an automated system with an integrated asset database, and that system has a way to capture business rules and prioritization methodologies, issues can be easily and accurately prioritized. If issues remain on separate lists of data, each generated by a specialized tool, it's much more difficult to determine which is more important, and it requires a team of experts to scrutinize the data and compare it to a list of assets and their replacement values.
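The correlation problem described under Comprehensive Coverage and the ranking described here can be shown together. The following Python sketch is an added example, not code from the article or from Preventsys: it takes records from two constructed tools with different field names, maps them onto one schema, merges duplicate reports of the same issue on the same host (keeping the worst severity and the union of sources), and ranks the result by severity times business value, where value is the operational cost of an outage plus the fiduciary exposure. The asset values, the four-level severity scale, the eight-hour outage assumption and the doubling for issues with a known exploit are all assumptions chosen for the illustration, as is the default value given to a host that is not in the asset register at all.

```python
"""Normalize, de-duplicate and rank findings from several tools by severity and business value.

Added example: constructed data and constructed weights, not output of any real product.
"""
from dataclasses import dataclass, field

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Assumptions (constructed): weights for the ranking formula.
OUTAGE_HOURS = 8          # hours of downtime assumed when pricing "operational value"
EXPLOIT_MULTIPLIER = 2.0  # an issue with a known working exploit counts double
UNKNOWN_ASSET = {"operational_per_hour": 1_000, "fiduciary": 100_000}  # host absent from the register

# Constructed asset register, following the article's two value definitions (dollars).
ASSETS = {
    "fw-erp-01": {"operational_per_hour": 50_000, "fiduciary": 2_000_000},  # firewall in front of the ERP DB
    "erp-db-01": {"operational_per_hour": 50_000, "fiduciary": 2_000_000},
    "mkt-ws-03": {"operational_per_hour": 50, "fiduciary": 0},              # marketing desktop
}

# Constructed raw output of two tools. Note the different field names and host-name casing,
# and that both tools report the same firewall issue.
RAW_FINDINGS = [
    {"tool": "netscan", "host": "fw-erp-01", "check": "mgmt-interface-default-credentials",
     "severity": "high", "exploit_available": True},
    {"tool": "netscan", "host": "erp-db-01", "check": "db-listener-no-auth",
     "severity": "critical", "exploit_available": False},
    {"tool": "netscan", "host": "mkt-ws-03", "check": "smb-signing-disabled",
     "severity": "medium", "exploit_available": False},
    {"tool": "cfgmgr", "asset": "FW-ERP-01", "rule": "mgmt-interface-default-credentials",
     "level": "critical", "exploited_in_wild": True},
    {"tool": "cfgmgr", "asset": "MKT-WS-03", "rule": "local-admin-group-too-broad",
     "level": "low", "exploited_in_wild": False},
]


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    exploit_known: bool
    sources: set = field(default_factory=set)


def normalize(raw: dict) -> Finding:
    """Map either tool's record shape onto one Finding (host names lower-cased)."""
    host = (raw.get("host") or raw.get("asset")).lower()
    rule = raw.get("check") or raw.get("rule")
    severity = (raw.get("severity") or raw.get("level")).lower()
    exploit = bool(raw.get("exploit_available", raw.get("exploited_in_wild", False)))
    return Finding(host, rule, severity, exploit, {raw["tool"]})


def dedupe(findings) -> list:
    """Merge records describing the same issue on the same host; keep the worst severity."""
    merged = {}
    for f in findings:
        key = (f.host, f.rule)
        m = merged.get(key)
        if m is None:
            merged[key] = Finding(f.host, f.rule, f.severity, f.exploit_known, set(f.sources))
        else:
            if SEVERITY[f.severity] > SEVERITY[m.severity]:
                m.severity = f.severity
            m.exploit_known = m.exploit_known or f.exploit_known
            m.sources |= f.sources
    return list(merged.values())


def asset_value(host: str, assets: dict) -> float:
    """Operational value over the assumed outage plus fiduciary exposure (dollars)."""
    a = assets.get(host, UNKNOWN_ASSET)
    return a["operational_per_hour"] * OUTAGE_HOURS + a["fiduciary"]


def score(f: Finding, assets: dict) -> float:
    """Severity weight, doubled for a known exploit, scaled by the asset's value."""
    mult = EXPLOIT_MULTIPLIER if f.exploit_known else 1.0
    return SEVERITY[f.severity] * mult * asset_value(f.host, assets)


def prioritize(raw_findings, assets) -> list:
    """Full pipeline: normalize, de-duplicate, rank highest score first. Returns (score, Finding) pairs."""
    issues = dedupe(normalize(r) for r in raw_findings)
    return sorted(((score(f, assets), f) for f in issues), key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    for s, f in prioritize(RAW_FINDINGS, ASSETS):
        print(f"{s:>14,.0f}  {f.host:<10} {f.rule:<38} {f.severity:<8} via {sorted(f.sources)}")
```

With these weights the firewall issue, reported by both tools and carrying a known exploit, lands at the top, the ERP database listener second, and the two desktop findings at the bottom, which is the ordering the text above argues for. Changing the weights changes the numbers, but the point is that the methodology is written down once and applied the same way to every finding, rather than argued case by case.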

Find, Fix, Improve
Fixing issues once a year is a losing battle and will never result in verifiably secure and well-controlled systems. The compliance and remediation process works best if it overlaps with other activities that the information security and IT organizations normally perform. If systems compliance is treated as a separate process, the goals of the compliance team and the IT team will always be at odds with each other. Companies that are successful at maintaining a regular compliance process treat compliance and security tasks in the same way. They have adopted a single lifecycle process, and integrated one or more automated remediation workflow systems to build a repeatable measurement process. Since everything is tracked and managed centrally, these corporations can easily show measurable improvement over time, and produce high-level as well as detailed reports on demand.

In addition, if to-dos for compliance remediation are assigned through an existing IT helpdesk or IT operations system, there is no disruption to normal cycles - compliance issues get fixed right alongside other IT issues, and the operations team is just as accountable for them as it is for system availability and reliability.

Again, the good news is that the list of issues continues to diminish over time, but only if issues are found and resolved on a regular basis. Just as you can't eat right and exercise one month out of the year and expect to remain slim, compliance requires you to find, fix and repeat the process daily.

Complying with Sarbanes-Oxley section 404 is not as simple as it might seem on the surface. It requires that IT systems be audited by other computer systems, because the number and frequency of tasks is just too great to cope with manually. That's what computers were designed for - automating manual tasks - so it makes perfect sense to use an automated system to interpret and manage the large sets of data involved in 404 compliance. With an automated auditing and security management solution, compliance can become an integral part of your daily workflow, and not just a quarterly or semi-annual burden. You'll be able to show the state of compliance to anyone on your audit committee, executive team, or board of directors on demand. You'll improve your security posture over time, ensuring the integrity of financial systems and all other systems that are important to the business. And, finally, you can define your organizational success metrics and elevate the stature of the compliance team in the mind of your organization by showing real value to business units in terms of better security and reduced operational risk.



Tom Kuhr is the vice president of marketing for Preventsys, an enterprise security management company.