Sarbanes Oxley Compliance Journal (Technology: Internal Controls)

SarbOx IT Control Monitoring for Data Servers


By Prat Moghe, Founder and CEO, Tizor Systems

When Senator Paul Sarbanes and Representative Michael Oxley introduced legislation in the wake of the Enron, WorldCom and Arthur Andersen scandals, the intent was clear and simple: to guarantee to the American people that the information they relied on to make investment decisions was trustworthy and complete. The net result, the Sarbanes-Oxley Act of 2002, has proven to be anything but clear and simple.

The Sarbanes-Oxley Act (SarbOx) consists of eleven Titles comprising sixty-six Sections, spanning from the establishment of new auditing oversight committees to new levels of auditor independence, specific attestation requirements for CEOs and CFOs, and criminal penalties for non-compliance ranging up to 20 years in jail. SarbOx is a sweeping tour de force that is changing the landscape of how public companies control their internal processes. Many view its impact on how major corporations conduct business as the single most dramatic event in the world of commerce since the creation of the New Deal in the 1930s.

Section 404, comprising only 178 words, is one of the shortest and broadest reaching statutes ever brought to bear on American business. Within it, SarbOx allocates to management the responsibility "for establishing and maintaining an adequate internal control structure and procedures for financial reporting" and for certifying the "effectiveness of the internal control structure and procedures."

While the focus of SarbOx in general, and Section 404 in particular, is in the executive offices and the boardroom, the real impact of the Act is being felt most acutely lower down in the organization. Unfortunately, SarbOx is basically silent on the topic of "best practices" for the implementation of its requirements. Without any clear set of guidelines as to what processes and controls are necessary to assure that the information being reported to the public is accurate and unadulterated, departmental managers and individuals responsible for specific operations are left to their own devices to define what compliance is and then, even more dauntingly, to implement systems and procedures that actually assure compliance.

2004, the first year of SarbOx compliance for most public companies, has proven to be a year of expensive discovery. Corporate personnel, in conjunction with a myriad of consultants, have spent long hours understanding what systems exist to satisfy 404, who has access to those systems and who should really have access to them. While virtually no department has been spared the responsibility of self-examination and scrutiny, IT departments, the fiduciaries of the corporation's core data jewels, have been most under the gun.

There has been a mad scramble to fill gaps and shore up creaking structures. By one estimate, in 2004 the average Fortune 500 company devoted more than 100,000 person hours to SarbOx activities. Much of this time came out of IT budgets. And now the real work is about to begin.

Over the next few years, the challenge for SarbOx-subject corporations will be to take this one time exercise and ingrain the outcome into their business processes by creating controls that assure compliance. Beyond that, they must then establish ongoing practices for monitoring these controls, adapting them to changing business realities and automating them. Companies that most efficiently accomplish these tasks will not only minimize the risk to their senior executives and corporate image but will also gain new insights into their fundamental business processes, resulting in sustainable competitive market advantages.

Again, the brunt of this requirement will fall to the IT departments. They will have to find and deploy new technologies that implement an anticipated avalanche of auditor requirements flexibly, cost-effectively, automatically and reliably, and thus lessen the burden on the organization as a whole. But what are the technology requirements that must be met? What technologies exist today that can provide the level of detail about data usage and quality that most SarbOx interpretations demand?

It has not gone unnoticed by management that a major component of their SarbOx solution must reside in the IT department. According to research firm AMR, of the approximately $6 billion that companies will spend this year for SarbOx compliance, about $1.7 billion will be technology oriented, a 43% increase in the last year alone. IT resources are not in question. The question is: What does IT need to do and how can they do it?

IT's SarbOx Challenge and Data Server Auditing
SarbOx designated the Securities and Exchange Commission as the enforcement authority for the Act. The SEC, in its Final Rule concerning management reporting requirements for Section 404, gives company management latitude to identify and implement controls that are consistent with the realities of their business. The SEC goes on to specifically identify the Control Objectives for Information and Related Technologies (COBIT) of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a viable framework for this process.

COBIT is now recognized by most auditors, consultants and attorneys as the source of guidelines for assessing a company's internal control capabilities.

Perhaps the crucial requirement of COBIT for IT managers is as follows:

CONTROL OBJECTIVE
Management controls should guarantee that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of processing and the other activities surrounding or supporting processing.

The implications of this rule are far reaching, potentially impacting all aspects of the IT operation, but interpretations are still unclear.

So what does this mean for the IT manager in a typical public corporation?

It's clear from our discussions with IT managers in a number of Fortune 500 companies that they are being buffeted by a growing list of demands to document all changes to their systems, processes and data that may impact the integrity of the information they house, and to keep this documentation current. This includes not only identifying and recording the gross changes inherent in the implementation of new software systems but also the day-to-day changes that occur as information is routinely used by company personnel in the context of their jobs.

Plainly stated, IT departments are being asked to audit how every piece of financially relevant data is accessed or changed at every instance of its life within the company. This is a challenge without precedent and one where traditional IT security and auditing technologies are proving to be lacking. Systems have not traditionally been built to handle such usage and often the capability is not even present.

The fundamental requirements, as defined by one major manufacturer, are, at an absolute minimum, to record:

- Session information
- Inserts, updates, deletes
- The elevation of privileges
- Person identifiers
- Log in and log out times

Among all the applications where such requirements may apply, the applications that receive the most attention are those that store critical financial and business information: typically transactional systems or data servers. Such systems could be databases, file servers or application servers.

At first blush, it appears that these requirements can be managed by combining the native auditing capabilities of the applications in question with the various security products already in place. Most IT management teams we are working with have quickly discovered that this assumption is incorrect.

Existing security and monitoring products fall short of meeting these requirements for a variety of reasons:

- Server-based logging approaches involve turning on detailed information access-level logging in existing data servers. This approach demands vast amounts of storage; causes severe performance problems; is incomplete and application specific; and can only address a small part of the problem.

- Identity and Access Management (IAM) technologies involve user account management, authentication, authorization, and access control to applications within enterprises. IAM systems lack the information access-level visibility required to establish regulatory audit trails.

- Perimeter products and technologies (Intrusion Prevention Systems, or IPS) are designed to detect and stop unauthorized attacks at lower levels of the stack, e.g., via worms, viruses and programmed application attacks. These systems are not designed to handle unauthorized access from trusted users inside the perimeter. IPS systems have no knowledge of who is touching what information, a critical requirement of COBIT.

- Security Information Management (SIM) products are designed to monitor and correlate security-related events created by numerous external security devices, such as firewalls, VPNs, IPS, etc., in order to provide a "forensics" view. However, these products cannot monitor "information access" to internal data servers, nor do they provide the "analytics" needed to detect internal server breaches. They are not data or user behavior aware and are only as good as the logs the underlying applications provide them. As a result, they create high false positives and false negatives, leading to increased administration time. The fact that complete logs are rarely available on data servers, and that there are no standards for information breaches, makes this problem even harder for SIMs to tackle.

As the clock rapidly ticks down on SarbOx deadlines, it is becoming clear that a new type of solution is needed. That solution is Data Server Auditing.

Data Server Auditing for Compliance
Data Server Auditing (DSA) is a data and user aware auditing capability that provides detailed, non-intrusive and data center-wide records of each access to regulated data and systems. It fills a gap in the compliance world that wasn't considered when earlier generations of security and auditing tools were developed (Diagram 1).

Rather than fitting into a neatly pre-defined world, DSA systems are designed as lifecycle instruments that can help satisfy initial regulatory demands and adjust to inevitably changing realities.

SarbOx IT compliance is a continual process of discovery, policy definition, monitoring, auditing, reporting, analytics and archiving, as illustrated in Diagram 2.

To support and mirror this process, the basic requirements for a DSA system for SarbOx include:

1. Monitoring a wide set of internal data sources (such as databases, file servers and application servers), providing comprehensive coverage of the enterprise for information sensitive to risk and compliance.

2. Understanding information access at the contextual level and granularity necessary to satisfy regulatory mandates, including information about users/identity, data and actions.

3. Specifying and defining critical auditable information assets using a flexible and understandable language to create policies that can express business-level requirements and can also evolve iteratively as regulations and business needs change.

4. Providing automated and understandable detail and summary reporting capabilities that can both help to refine the detection of system changes and vulnerabilities and provide the necessary periodic documentation required by auditors.

5. Minimizing management requirements by being non-intrusive, utilizing no additional system resources, and being easy to install and maintain.

An example of a DSA system that would meet these requirements would be a scalable, highly available, secure non-intrusive network appliance. It would sit on the network and monitor all accesses to a variety of data servers. The platform should also include a number of capabilities that collectively provide Data Server Auditing for SarbOx: scalable and highly targeted information access auditing across multiple core data systems, easy to define and maintain business level policies, the ability to detect non-compliance in real time, operating non-disruptively, seamless multi-level reporting, and integration with other security and compliance technologies.
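To make the minimum record set listed earlier (session information, inserts/updates/deletes, privilege elevation, person identifiers, login and logout times) and the discovery/policy/monitoring/reporting cycle of the five DSA requirements concrete, here is an added example in Python. It is not code from the article or from Tizor Systems; the capture line format, the field names, the users, the table names, the client addresses and the policy definition are all constructed for illustration. It takes access events as an out-of-band monitor would capture them, replays them in time order (the reconstruction of time sequences that the COBIT control objective quoted above calls for), evaluates a business-level policy over them, and produces a per-session summary of the kind an auditor would want in a periodic report.

```python
# Added example, not from the article or Tizor Systems. The line format, field
# names, users, tables, addresses and policy below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessEvent:
    """One captured access, carrying the minimum record fields the article lists."""
    ts: datetime           # when: the chronological key for reconstruction
    session_id: str        # session information
    user: str              # person identifier
    role: str              # role the user authenticated with
    action: str            # LOGIN, LOGOUT, ELEVATE, SELECT, INSERT, UPDATE, DELETE
    target: Optional[str]  # table or file touched; None for session-level events
    source: str            # from where (client address)


@dataclass(frozen=True)
class Policy:
    """Business-level rule: only allowed_roles may perform these actions on targets."""
    name: str
    targets: Set[str]
    allowed_roles: Set[str]
    actions: Set[str]


@dataclass(frozen=True)
class Finding:
    policy: str
    event: AccessEvent
    reason: str


DML = {"INSERT", "UPDATE", "DELETE"}


def parse_event(line: str) -> AccessEvent:
    """Parse one constructed capture line: ts|session|user|role|action|target|source."""
    ts, sess, user, role, action, target, src = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), sess, user, role,
                       action.upper(), target or None, src)


def evaluate(events: List[AccessEvent], policies: List[Policy]) -> List[Finding]:
    """Replay events in time order; flag privilege elevation and policy violations."""
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "ELEVATE":  # elevation is always surfaced to the auditor
            findings.append(Finding("privilege-elevation", ev,
                                    f"{ev.user} elevated privileges in session {ev.session_id}"))
            continue
        for p in policies:
            if ev.target in p.targets and ev.action in p.actions and ev.role not in p.allowed_roles:
                findings.append(Finding(p.name, ev,
                                        f"role {ev.role} may not {ev.action} {ev.target}"))
    return findings


def session_report(events: List[AccessEvent]) -> Dict[str, dict]:
    """Per-session summary for periodic reporting: who, from where, login/logout,
    objects touched, DML counts and whether privileges were elevated."""
    report: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        s = report.setdefault(ev.session_id, {
            "user": ev.user, "source": ev.source, "login": None, "logout": None,
            "objects": set(), "dml": {}, "elevated": False})
        if ev.action == "LOGIN":
            s["login"] = ev.ts
        elif ev.action == "LOGOUT":
            s["logout"] = ev.ts
        elif ev.action == "ELEVATE":
            s["elevated"] = True
        elif ev.target:
            s["objects"].add(ev.target)
            if ev.action in DML:
                s["dml"][ev.action] = s["dml"].get(ev.action, 0) + 1
    return report


# Constructed sample capture: two sessions against a general-ledger table.
SAMPLE_LOG = """\
2004-11-03T09:00:00|s1|alice|accountant|LOGIN||10.1.2.3
2004-11-03T09:01:10|s1|alice|accountant|SELECT|gl_journal|10.1.2.3
2004-11-03T09:02:30|s1|alice|accountant|UPDATE|gl_journal|10.1.2.3
2004-11-03T09:05:00|s1|alice|accountant|LOGOUT||10.1.2.3
2004-11-03T09:10:00|s2|bob|developer|LOGIN||10.1.5.9
2004-11-03T09:11:00|s2|bob|developer|ELEVATE||10.1.5.9
2004-11-03T09:12:00|s2|bob|developer|DELETE|gl_journal|10.1.5.9
2004-11-03T09:13:00|s2|bob|developer|LOGOUT||10.1.5.9
"""

# Constructed policy: only finance roles may change ledger objects.
POLICIES = [Policy("ledger-change-control", {"gl_journal", "ap_invoices"},
                   {"accountant", "controller"}, DML)]


def run_example(log: str = SAMPLE_LOG, policies: List[Policy] = POLICIES):
    """Monitor -> policy -> detection -> report over the constructed capture."""
    events = [parse_event(l) for l in log.splitlines() if l.strip()]
    return evaluate(events, policies), session_report(events)


if __name__ == "__main__":
    findings, report = run_example()
    for f in findings:
        print(f"[{f.policy}] {f.event.ts.isoformat()} {f.reason}")
    for sid, s in report.items():
        print(f"session {sid}: {s['user']} from {s['source']} {s['login']:%H:%M}-{s['logout']:%H:%M} "
              f"objects={sorted(s['objects'])} dml={s['dml']} elevated={s['elevated']}")
```

Run as a script, it lists two findings (the developer's privilege elevation and the developer's DELETE against the ledger table, which the accountant's UPDATE in the earlier session does not trigger) followed by one summary line per session. The design point is that policy is expressed in business terms (objects, roles, actions) and evaluated outside the data server, so the server itself needs no verbose native logging and the same policy can be reused across databases, file servers and application servers as long as their accesses are normalized into the same event shape.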

Beyond SarbOx Compliance
A DSA system has the ability to serve both as the basis for SarbOx IT compliance and as a key resource for ongoing business intelligence that contributes to enhanced business practices.

In the flurry of activity to meet deadlines and highly specific requirements, the underlying goal of SarbOx is often forgotten or ignored: To assure that companies know enough about their business to be able to report faithfully. In reality, this is a positive.

SarbOx represents an opportunity for companies to create a culture of rigor that can help them hone their talents and resources. It demands a precision in systems and processes that will be increasingly important as global competition accelerates. It serves as a platform for confidently extending business practices into new arenas and new geographies. In short, SarbOx, viewed correctly, can serve as a springboard to competitive advantage.

And this is not just true of SarbOx; it's true when it comes to the growing roster of other privacy and anti-theft regulations, including HIPAA, CA SB 1386, GLBA and the Visa/Mastercard CISP/PCI. These regulations, while differing in origin, are almost identical in their goals, challenges and opportunities. They require companies to be good fiduciaries of a new currency: information. They ask companies to examine themselves and be accountable for their actions.

From a purely technical perspective, a DSA system can be a single logical solution for all of these regulations. In many cases, the data is the same for many regulations, as is the responsible internal organization. So, in and of itself, a well deployed DSA system can be an efficient way to solve many daunting external pressures.

But a DSA system doesn't only provide an elastic environment for the level of compliance necessary to satisfy current and future regulations. It provides the foundation for companies to better understand their businesses and, ultimately, to be more successful businesses.

Summary
IT departments are being heavily impacted by the requirements imposed by the Sarbanes-Oxley Act (SarbOx). Charged with protecting and guaranteeing the integrity of critical corporate financial information, IT managers are finding that current auditing and security technologies are inappropriate, incomplete and unsatisfactory for the task of detailing who does what to which sensitive information, when, and from where.

A new type of auditing capability, Data Server Auditing (DSA), is being deployed to solve this problem. DSA is an enterprise level solution providing transparent, cost-effective and highly precise chronological audit trails, analyses and reports on the complete lifecycle of data housed in such centralized corporate applications as databases, file servers and application servers.

SarbOx mandates that company management attest to the exact quality of the information reported to the SEC and the public. Companies that are successful in developing a high level of visibility and accuracy into their systems are in a position to also apply that knowledge to their overall business and, therefore, gain competitive market advantage over US and foreign companies without similar information.

A well deployed DSA system is a key component in a comprehensive business intelligence environment.
