common data security findings of a compliance audit

©2006 Vanguard Integrity Professionals, Inc.

Post on 03-Dec-2014

TRANSCRIPT

Page 1: Common Data Security Findings of a Compliance Audit

Page 2: Agenda

• About Vanguard
• Onset of Regulatory Compliance Audits
• Business Realities of Regulatory Compliance
• Impact on Information Technology
• Critical Findings
  – Addressing the Key Implications of Sarbanes-Oxley
  – 10 Common IT Assessment Findings
  – Vanguard’s Top 10 Audit Findings
• Summary

Page 3: About Vanguard

Locations: Vanguard Research Institute, Orange, CA, USA; Vanguard Integrity Professionals - Nevada, Las Vegas, NV, USA; Vanguard Integrity Professionals, Ltd., Berkshire, UK.

More than 20 distributors/resellers servicing 50+ countries worldwide.

Founded: 1986
Ownership: Privately held
Business: Information Security Software, Training, Services, & Solutions
Customers: 600 worldwide, 1,400 software licenses
Employees: 75+ worldwide

Page 4: Vanguard’s Market

(Chart.) Customer segments: Large Enterprises (1000+ employees), Medium Businesses (100-999 employees), Small Businesses (1-99 employees), Home Users. Platforms: IBM zSeries servers; iSeries, pSeries, xSeries; HP, SUN, UNIX, LINUX.

Page 5: In the past

• Organizations had “self governance” audit programs.
• Not mandated by external compliance regulations.
• Initially annual audits, but these turned into “periodic” audits.
• Performed by internal and/or external auditors.

Page 6: Lack of effective self governance led to

(Slide shows individuals associated with corporate scandals.) Martha Stewart, Ken Lay, Darleen Druyun, Luke Duffy, Calisto Tanzi, Bernie Ebbers, Liu Jinbao, Roland Dumas.

Page 7: Business Realities of Regulatory Compliance

• For regulatory compliance, demonstrating that internal controls are implemented and enforced properly will mean the difference between passing and failing a compliance audit.
• Failing a compliance audit will result in unplanned and costly remediation expenses.
• Further, sanctions, fines, or legal action can be taken against corporations and officers for failure to meet regulatory compliance requirements.

And regulatory laws and standards: over 150 laws and standards, including PIPEDA, CSOX (Bill 198), SOX, GLBA, PCI, HIPAA, FFIEC, FDICIA, Basel II, FISMA, EU Data Directive, California Senate Bill, FDA 21 CFR Part 11, ISO17799 Standard, VISA CISP.

Page 8: Impact on Information Technology

• More compliance requirements result in extra workload, but with the same number of resources.
• Upper management now has fiduciary responsibility for accurate financial reporting.
• Auditors’ requests generate time-consuming discovery efforts.
• New compliance regulations call for continuous monitoring of IT internal controls.

Page 9: But it has provided a valuable result

Use of Internal Control Frameworks: COBIT, COSO, ISO17799, ITIL.

Providing a Security Framework Process:
• Established Security Policies
• Self Governance Audits
• Regulatory Compliance Audits
• Remediation
• Security Policy Enforcement
  – Intrusion Monitoring
  – Security Best Practices Monitoring
  – Timely Notification
  – Auto-correction

Page 10: 10 Common Critical Audit Findings

• From the IBM Compliance Solutions white paper titled “Addressing the Key Implications of Sarbanes-Oxley”.
• A collaborative work identifying 10 common IT audit findings.
• Based on interviews between IBM and its customers, and between IBM and its Business Partners that perform audits.

“IBM has developed a prescriptive approach to the most common findings identified through the internal audits of IBM customers.”

Page 11: Security Management

Finding: Inadequate controls for user IDs and association of privileges for access to sensitive data.

Remediation Strategy: Implement identity management processes to manage the user identity life cycle and maintenance of access privileges.

Issues and Comments:
• Modeling users.
• Obsolete user IDs.
• Transferred users.

Page 12: Security Management

Finding: Inadequate segregation of duties for granting access to sensitive information, records, and data.

Remediation Strategy: Implement a standard that requires all requests for access to sensitive systems to be approved and documented by a separate individual.

Issues and Comments:
• Fox guarding the hen house.
• Data owners not approving access.

Page 13: Security Management

Finding: Lack of controls over sensitive data access and updates through ODBC or other methods outside of a company’s ERP or accounting applications.

Remediation Strategy: Implement database-level controls to monitor and manage all access, updates, inserts and deletions made to the sensitive data from the accounting applications as well as other desktop tools…

Issues and Comments:
• Enterprise data security.
• Field-level controls versus file-level controls.

Page 14: System Management

Finding: Inadequate IT system change management controls for operating systems and applications.

Remediation Strategy: Implement an automated system change management system.

Issues and Comments:
• Rather unheard of in these times.
• Perhaps it exists but is not always followed.

Page 15: Standards and Practices

Finding: Inadequate data retention controls for access logs and sensitive data.

Remediation Strategy: Implement an automated system to back up and archive the audit logs and sensitive data.

Issues and Comments:
• How often and how much is mandated by law.
• Implemented through internal policies.

Page 16: System Resources Management

Finding: Inadequate documentation of system configurations, policies and standards.

Remediation Strategy: Implement an automated tool to collect and compare all system configurations to the organization’s defined baseline for computer systems in specific security “zones” of control.

Issues and Comments:
• But configurations are so complex and change so frequently.
• Documentation is just no fun.

Page 17: Monitoring

Finding: Inadequate audit logs for data access, update, delete and insert operations.

Remediation Strategy: Implement an enterprise audit logging solution that captures all activity from users accessing and updating sensitive data.

Issues and Comments:
• Lack of logging knowledge.
• It’s too much data!

Page 18: Monitoring

Finding: Inadequate audit logs for privilege changes to user IDs.

Remediation Strategy: Implement a role-based access control system and processes for assigning data access and use privileges.

Issues and Comments:
• Lack of logging knowledge.
• I’m not sure of this remediation strategy.

Page 19: Monitoring

Finding: Inadequate monitoring of sensitive systems for availability and support for timely reporting of sensitive data activity.

Remediation Strategy: Implement an automated monitoring system for uptime and availability of sensitive systems.

Issues and Comments:
• Does monitoring uptime require an automated system?
• Timely reporting is an issue.

Page 20: Security Framework

Finding: Inadequate controls and processes for risk management and security threat monitoring under the COSO and ITIL frameworks.

Remediation Strategy: Implement an automated system for collecting and correlating all security events from systems across the enterprise.

Issues and Comments:
• Sounds more like a goal than a process.
• If feasible, a huge and extremely costly undertaking.
• Home, mother, apple pie.

Page 21: Vanguard’s 10 Common Audit Findings

1. Data sets allowed to be unprotected. (Critical)
2. Excessive use of extraordinary user ID privileges. (High)
3. Inadequate protection for infrastructure data. (Critical)
4. Excessive number of data set rules in WARNING mode. (Critical)
5. User-defined programs allowed to bypass data set authorization checking. (Critical)
6. Sensitive and critical data with broad public access. (Critical)
7. Inappropriate system tasks with “super user” privileges. (Critical)
8. Inadequate security event monitoring and reporting. (Critical)
9. Application production task user IDs with inappropriate access to all data sets. (Critical)
10. Excessive number of inactive user IDs. (Moderate)

Levels of Risk: Critical, High, Moderate.

Page 22: Vanguard’s 10 Common Audit Findings

1. NOPROTECTALL or PROTECTALL(WARNING) mode. (Critical)
2. Excessive use of RACF extraordinary attributes. (High)
3. Inadequate protection for Authorized Program Facility (APF) libraries. (Critical)
4. Excessive number of dataset profiles in WARNING mode. (Critical)
5. User entries in the Program Properties Table (PPT) with the Bypass Password Protection attribute. (Critical)
6. Sensitive and critical dataset profiles with Universal Access (UACC) greater than READ. (Critical)
7. Inappropriate started tasks with the Privileged or Trusted attribute. (Critical)
8. Inadequate security event reporting. (Critical)
9. Production job userid(s) with inappropriate access to all datasets in the z/OS environment. (Critical)
10. Excessive number of inactive userids. (Moderate)

Levels of Risk: Critical, High, Moderate.
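As an added illustration, not part of the presentation or of Vanguard's products, the Python check below applies findings 1, 4, 6 and 10 from the list above to a constructed, simplified export of SETROPTS state, dataset profiles and user last-use dates. The record layout, the sample values and the 90-day inactivity threshold are assumptions for the example; a real review would read them from SETROPTS LIST, dataset profile listings and user records.

```python
from datetime import date
# RACF universal-access levels for data set profiles, lowest to highest.
UACC_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
SEVERITY = {1: "Critical", 4: "Critical", 6: "Critical", 10: "Moderate"}  # per the slide
AS_OF = date(2006, 6, 30)  # constructed review date

# Constructed sample inputs; the tuple layout is invented for this example,
# not real SETROPTS, LISTDSD or LISTUSER output.
SETROPTS = {"PROTECTALL": "WARNING"}  # FAILURES, WARNING, or NO (NOPROTECTALL)
DATASET_PROFILES = [  # (profile name, UACC, WARNING mode, sensitive/critical data)
    ("SYS1.PARMLIB", "READ", False, True),
    ("PROD.PAYROLL.**", "UPDATE", False, True),
    ("PROD.GL.**", "NONE", True, True),
    ("TEST.SANDBOX.**", "ALTER", True, False),
]
USERS = [  # (user ID, date of last use)
    ("PAYRL01", date(2006, 5, 30)),
    ("OLDDEV1", date(2004, 11, 2)),
    ("TEMP99", date(2005, 1, 15)),
]

def uacc_exceeds(uacc, limit="READ"):
    """True when a UACC grants more than the given access level."""
    return UACC_ORDER.index(uacc.upper()) > UACC_ORDER.index(limit.upper())

def check_protectall(setropts):
    """Finding 1: only PROTECTALL(FAILURES) denies access to data sets that have no profile."""
    mode = setropts.get("PROTECTALL", "NO").upper()
    return [] if mode == "FAILURES" else [(1, "SETROPTS", f"PROTECTALL mode is {mode}; unprotected data sets stay accessible")]

def check_dataset_profiles(profiles):
    """Findings 4 and 6 over (name, uacc, warning, sensitive) records."""
    hits = []
    for name, uacc, warning, sensitive in profiles:
        if warning:  # violations are logged, but the access is still granted
            hits.append((4, name, "profile is in WARNING mode"))
        if sensitive and uacc_exceeds(uacc, "READ"):
            hits.append((6, name, f"UACC({uacc}) lets every user change sensitive data"))
    return hits

def check_inactive_users(users, today, max_idle_days=90):
    """Finding 10: user IDs unused longer than the threshold (90 days is an assumed policy)."""
    return [(10, uid, f"last used {(today - last).days} days ago")
            for uid, last in users if (today - last).days > max_idle_days]

def audit(today=AS_OF):
    """Run every check and tag each hit with the slide's risk level."""
    hits = (check_protectall(SETROPTS) + check_dataset_profiles(DATASET_PROFILES)
            + check_inactive_users(USERS, today))
    return [(SEVERITY[n], n, target, why) for n, target, why in hits]
```

Running `audit()` on the sample data returns six hits: the PROTECTALL setting, one UPDATE-level UACC on a sensitive profile, two WARNING-mode profiles, and two inactive user IDs.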

Page 23: Summary – Some Final Thoughts

• To a large degree, regulatory compliance requirements are vague and difficult to quantify.
• For many organizations, compliance audits are, among other things, a security database remediation exercise.
• There is a huge overlap between internal and external compliance audits, creating redundant effort.
• Auditor compliance requirements are not consistent.
• Even the presence of an IT security framework is often not enough to prevent an audit failure.
• Regulatory compliance has rejuvenated the audit industry and has created a whole new industry – REMEDIATION.

Page 24: Thank you for your time and attention

(Closing slide: “thank you” in several languages – Grazie, Merci, Danke, Gracias, Obrigado, and others.)