Sarbanes-Oxley Practice Overview and Methodology Wednesday, October 27th, 2004 Mark Lachniet, Analysts International


Page 1

Sarbanes-Oxley Practice Overview and Methodology
Wednesday, October 27th, 2004
Mark Lachniet, Analysts International

Page 2

Introductions

• Mark Lachniet ([email protected])
• Technical Director, Security Group
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Technical certifications from Novell, Microsoft, Linux Professional Institute, CheckPoint, etc.
• Member of the High Tech Crime Investigation Association (HTCIA)
• Former I.S. Director at a K-12 School district

Page 3

Analysts International Corporate Profile

• Employees: 3000+
• Locations: 35 offices
• Clients: More than 1,000
• Exchange (Symbol): Nasdaq (ANLY)
• Annual Revenue: Over $425 Million
• Headquartered in Minneapolis
• Local offices in Auburn Hills, Lansing, Grand Rapids, Toledo
• A diversified IT services company
• In business for 37 years

Page 4

Analysts’ Security Practice

A holistic approach to security consulting
– Internal and External Vulnerability Assessments
– Web Application Vulnerability Assessment
– Security Needs Assessment
– Managed Firewall Services
– Sarbanes-Oxley 404 Consulting
– Business Continuity Planning & Disaster Recovery
– Intrusion Detection & Protection
– Incident Response, Admin Termination & Forensics
– Network infrastructure and design

Page 5

Sarbanes-Oxley: Bane or Boon?

• If you have been in the trenches, you know how overwhelming and tedious SOX efforts can be
• Technical people are especially vulnerable to this, as it involves *documentation*
• However, the end result of SOX legislation should be a massive improvement in:
– The visibility of I.T. and auditing as a critical part of the organization’s success
– An increased emphasis on risk management and mitigation
– Better documentation, procedures and policies
– Better security of the organization
• If nothing else, SOX is a “big stick” to wield in the name of best practices

Page 6

Not Everyone Agrees…

Page 7

The I.T. Component of SOX

• Section 404 requires internal controls on “material” (financially significant) processes – this includes I.T.

• At a recent ISACA conference on SOX, the prevailing opinion was that there are two general categories – general and application controls

• However, there doesn’t seem to be any consensus in the industry as to what level of assessment is appropriate

• The external auditors won’t seem to commit to an opinion, and there is very little guidance from the PCAOB

• When in doubt, go with COSO, CoBIT, and ISO17799

Page 8

The Need for Sarbanes-Oxley I.T. Help

• Many organizations do not have the internal personnel resources to:
– Understand and assess risks and controls on complex I.T. systems
– Manage large compliance efforts
– Map business processes and identify key controls and IT resources
– Analyze organizational best practices (I.T. “common controls”)
– Design and perform tests of controls
– Document findings and process for external auditors
– Coordinate between external auditors, internal auditors, internal I.T. and management
• I.T. costs may average 20% of all compliance costs!

Page 9

The Need for Sarbanes-Oxley I.T. Help

• In addition to personnel resources, there is a need for:
– A mature and documented methodology
– A mature assessment toolkit (control matrices, data collection documents, issue tracking, test templates, etc.)
– Assistance with installation and configuration of compliance-related software (e.g. Microsoft SOX Accelerator, spreadsheet comparison tools, etc.)
– Assistance with remediation efforts
– Flexible, industry-aware consultants
– Independence from the external auditor

Page 10

Analysts International’s Approach

• The following is how Analysts International approaches assessing I.T. controls for SOX compliance (it is not the only way)
• Hopefully the methodology might be of value to you
• Preliminary feedback from auditors has been positive
• Break the project into discrete stages:
– Requirements Definition
– “Model Office” (a single application)
– Ongoing compliance testing
– Documentation for external auditors

Page 11

A Typical SOX Engagement

• Requirements Definition Phase
– Define Roles & Responsibilities
– ID approx. Number of Systems
– ID approx. Number of Business Processes
– Define Toolkit
– Develop Taxonomy
– ID Timeframes
• “Model Office”
– Test run on one example business process
– Attain “buy-in” from external auditor on methodology
• Ongoing compliance Testing
– General IT controls assessment
– Remainder of application, DB and OS assessments

Page 12

Where An External Consultant Fits

Roles and Responsibilities chart (Analysts International Sarbanes-Oxley 404 Consulting; legend: AIC Responsibility / Customer Responsibility):
– Overall Responsibility: Customer CFO / CEO
– Project Manager: AIC
– General Financial Controls: Customer Finance Director
– I.T. Application Controls: AIC
– I.T. Common Controls: AIC
– Supplemental Project Work: AIC

Page 13

Project Management

• Provide oversight and guidance for the overall compliance effort

• Act as primary customer liaison for scheduling, communication, status updates, meeting facilitation

• Perform training and awareness seminars as needed for customer staff and executives

• Work as “document master” to establish document management standards and hierarchies, track documents and maintain order

• Maintain project task lists and schedules, open issues, status hours used and remaining

• Oversee and track remediation efforts

Page 14

SOX Tools – Issue Tracking

• Must have some way to codify results and track them over time (not all results may be SOX material)

Page 15

Analyzing Financial Controls

Roles and Responsibilities chart (Analysts International Sarbanes-Oxley 404 Consulting; legend: AIC Responsibility / Partial Responsibility / Customer Responsibility). General Financial Controls (Customer Finance Director) break down into:
– Business Process Mapping
– Identify Financial Controls
– Test Financial Controls
– Attestation and Reporting
– Coordinate with External Auditors

Page 16

Analyzing Financial Controls

• Perform business process mapping
– Use existing business continuity documents?
– With customer-specified tool (e.g. ProVision)
– With Visio (if not specified)
• Help establish and populate a controls matrix
• Help identify and test key controls (esp. I.T.)
• Prepare documentation
– About the process used
– About the findings of the compliance effort
• Interface with the external auditor to answer any questions, discuss issues, etc.

Page 17

SOX Tools - Process Maps

Page 18

SOX Tools - Control Matrices

• Base matrix on COSO at a minimum

Page 19

Analyzing I.T. Common Controls

Roles and Responsibilities chart (Analysts International Sarbanes-Oxley 404 Consulting; legend: AIC Responsibility / Partial Responsibility / Customer Responsibility). I.T. Common Controls (AIC) break down into:
– Security Needs Assessment based on ISO17799, CobiT, COSO
– Document General Controls
– Identify Control Weaknesses
– Recommend Remediation Strategies for Control Weaknesses

Page 20

Analyzing I.T. Common Controls

• A comprehensive analysis of Common I.T. controls based on the Analysts International “Security Needs Assessment Service” (SNAS)
• Assessment criteria are based on industry standards – ISC² CBK, CoBIT, COSO, ISO17799/BS7799
• Topics range from administrative (e.g. policies and procedures) to specific and very technical (e.g. firewall configurations)
• Document existing environment
• Identify shortcomings and material weaknesses
• Recommend remediation strategies (with estimated costs and security gains)
• Many organizations are now requiring similar assessments of their partners (e.g. Visa’s CISP program, local automotive companies)

Page 21

I.T. Common Control Scope

• Physical Security
– Facilities and grounds
– Server room and wiring closets
– Secure storage and handling of electronic and printed data
• Network Security
– Network and Wireless security
– Internet border / IDS / Firewall security
– Partner / vendor data security
• Logical Security
– System build and hardening
– Password security
– Directory design and authentication systems
– Malware / anti-virus protection
– System Logging
– Application development practices

Page 22

I.T. Common Control Scope

• Administrative Practices
– Remote access / remote user administrative practices
– Information systems support staff administrative procedures
– End user administrative policies
– Information classification
– Information systems coordination with human resources
– Separation of duties
– Vendor / external organization management
– Incident response procedures
– Change control systems
– System documentation
– Service Level Agreement (SLA) management
– Risk assessment practices and procedures
– Disaster recovery
– Backup practices and storage

Page 23

Common Controls Example

• Start with a survey, then get supporting documentation

Page 24

Analyzing I.T. Applications

Roles and Responsibilities chart (Analysts International Sarbanes-Oxley 404 Consulting; legend: AIC Responsibility / Partial Responsibility / Customer Responsibility). I.T. Application Controls (AIC) break down into:
– Map B.P.’s to servers and Apps
– Analyze App Software Controls
– Test App Software Controls
– Document App Software Controls
– Analyze Server Controls
– Document Server Controls

Page 25

Analyzing I.T. Applications

• Map business processes to technological systems
• Identify underlying technology that must be functional and properly configured in order to have effective application controls:
– Application software package
– Database platform
– Operating system
– Dependent systems (authentication systems, logging systems, etc.)
• Perform data collection to understand the application and identify controls that need testing
• Perform testing of application controls
• Perform security analysis of supporting system

Page 26

Application Controls Example

• Focus on control features within the application, and on the development of the application

Page 27

Analyzing Operating Systems

• The security of the underlying operating system is a critical control
• Without a secure OS, the application’s access control and auditing capabilities can be circumvented
• Requires specific, technical, low-level analysis of OS options, settings, patch level and configuration
• Review server “hardening” procedures
• Review server access control systems
• Analyze best practices for OS platform and perform a gap analysis through interview, substantive testing
• Perform vulnerability assessments (security scans) of network-connected devices

Page 28

Operating System Controls Example

Page 29

Analyzing Databases

• Most SOX-material applications also have a back-end database component
• Common examples are Oracle, Microsoft SQL Server, DB2, etc.
• In many cases, end users can connect directly to the database using ODBC query tools like Crystal Reports or Excel for reporting purposes (!)
• Access control and logging at the database level may be weak (e.g. users granted too many rights)
• The controls on each of these databases need to be evaluated and documented
• In addition, the practices of database administrators (DBAs) should be assessed
• Some implications for “data recoverability” (e.g. rollback capability, backup procedures)

Page 30

Database Control Example

• In this case, we did a hands-on and web application test of Oracle security

Page 31

A defined testing process is essential…

404 App Control Testing Flow (draft), rev: 17 May 2004. The flowchart covers one business process (BP) at a time and shows the following steps and decision points:
– Start: Basic data collection for App(s) and Server(s)
– External audit (e.g. SAS-70)? If yes, analyze audit report (the app may have a SAS-70 or may be straightforward enough to certify without additional Level 2 Control Testing)
– Gap analysis: evaluate controls & assess risks
– Analyze workflow and/or narrative with SME; workflow / narrative accurate? If no, the customer SME fixes the workflow / narrative
– Need to perform Level 2 Control Test(s)?
– Design Level 2 Control test(s); determine additional areas to be tested
– Use automated tools? (implies web app) If yes, perform automated Level 2 Control Test, then determine areas not tested by the automated tool; otherwise conduct manual test(s) per design (this process potentially complicates hands-on test design, e.g. button-pushing)
– Test(s) conclusive? If no, the test is somehow inadequate; enhance or modify the test
– Perform gap analysis
– BP passed all tests? If no, begin remediation process (the control test failure report should be fast-tracked to a motivated “control fixer”)
– IT review app and server issues list; finalize interview docs
– Business Review & Sign-off
– Document BP control testing status
– Identify next BP to evaluate

Control Testing Level Legend: Level 1 Testing / Level 2 Testing (control class indicated on each step).

Physical docs involved:
– BP ProVision Workflow and narrative
– Word App and Server Survey
– Excel Risks & Controls
– Test Plan & Results
– External test results

Documents shown flowing between the steps: external audit report; ProVision workflow and/or narrative; General IT, Server, and App evaluation docs; Risks & Controls spreadsheet (filled out for the current BP, then updated to reflect test status); test script (updated to reflect test results); remediation.

Page 32

A defined testing process is essential…

Page 33

Supplemental Project Work

Roles and Responsibilities chart (Analysts International Sarbanes-Oxley 404 Consulting; legend: AIC Responsibility / Partial Responsibility / Customer Responsibility). Supplemental Project Work (AIC) breaks down into:
– Configure information management system (Microsoft SOX accelerator)
– Technical testing and remediation of security shortcomings
– Develop Corporate Standards: manual, policies, procedures

Page 34

Supplemental Project Work

• Assist with management of customer-specific and/or data management systems
• Develop customer policies and practices
– Corporate Standards Manuals
– Forms and processes (e.g. ID maintenance)
– Job Descriptions, reporting hierarchies
– Technical security policies (VPN, Firewall, Anti-Virus, server hardening, etc.)
– Change management systems
– Application development practices (SDLC)
• Technical remediation of SOX-material control weaknesses

Page 35

In-House Technical Expertise

• All SOX efforts managed through the Analysts International Security group full-time staff
– Staffed by experienced and qualified individuals (CISA, CISSP, MBA, etc.)
– Ensures consistency and quality
– Ensures effective project management
• Supplemental help from other practice groups
– App. Dev., Microsoft, Novell, UNIX, Cisco, AS/400
• Additional resources through sub-contractors and Analysts Staffing practice
– Large projects
– Remote locations
– Specialized subject-matter experts

Page 36

Recurring Issues

• Based on experience so far, the following issues almost always seem to show up:
– Logging and audit systems are almost always weak (improve settings, and use automated tools)
– Policies and procedures are usually inadequate to meet auditors’ standards
– Access control, authentication and password security are weak (poor passwords, poor coordination with H.R., management overhead)
– Change control systems are informal or absent
– Control of spreadsheets, desktop databases
– Outsourced and partnered functions must also be assessed

Page 37

Outsourcing and Partners

• It is the organization’s responsibility to ensure that the products and services used have adequate controls
• For service providers, obtain a SAS-70
• For products, may require testing
• Many organizations have put a special emphasis on the security of partner organizations (rightly so!)
• Case in point – a local automotive manufacturer we work with now requires a formal assessment for all web applications bearing their domain name or logo:
– Documentation of SOX materiality
– Comprehensive site audits
– “Ethical hack” testing of all web servers and apps
– Extensive documentation of application logic

Page 38

Next Steps?

• Hopefully, more guidance from the PCAOB on the minimum that is required for compliance (especially in I.T. so organizations can “hit the mark”)

• More implementation of targeted software solutions to minimize labor overhead and manage risk mitigation efforts

• More and better products to manage general IT controls (log analysis, user provisioning, enterprise network management tools, technical tools to enforce organizational policy, patch management, etc.)

• Standardized (free?) assessment methodologies and toolkits that pass muster

• Tax breaks to recoup compliance costs???

Page 39

Discussion

Mark Lachniet
CISSP, CISA, MCSE, MCNE, CCSE, LPIC-1, SCSP
Technical Director, Security Group
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)
mailto: [email protected]

Jack Brahce
Director, Security Group
Analysts International
(517) 336-1025 (voice)
(517) 336-1100 (fax)
mailto: [email protected]