Symantec ESM Policy Manual for the Sarbanes-Oxley Act (OS400)
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Copyright Notice
Copyright © 2005 Symantec Corporation.
All rights reserved.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA
http://www.symantec.com
Trademarks
Symantec, the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support’s primary role is to respond to specific queries about product feature and
function, installation, and configuration. The Technical Support group also authors
content for our online Knowledge Base. The Technical Support group works
collaboratively with the other functional areas within Symantec to answer your
questions in a timely fashion. For example, the Technical Support group works
with Product Engineering and Symantec Security Response to provide alerting
services and virus definition updates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right
amount of service for any size organization
■ A telephone and web-based support that provides rapid response and
up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week worldwide.
Support is provided in a variety of languages for those customers that are
enrolled in the Platinum Support program
■ Advanced features, including Technical Account Management
For information about Symantec’s Maintenance Programs, you can visit our Web
site at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your country or language under Global Support. The specific features that
are available may vary based on the level of maintenance that was purchased and
the specific product that you are using.
Contacting Technical Support
Customers with a current support agreement may contact the Technical Support
group via phone or online at www.symantec.com/techsupp.
Customers with Platinum support agreements may contact Platinum Technical
Support via the PlatinumWeb site at www-secure.symantec.com/platinum/.
When contacting the Technical Support group, please have the following:
■ Product release level
■ Hardware information
■ Available memory, disk space, NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description
■ Error messages/log files
■ Troubleshooting performed prior to contacting Symantec
■ Recent software configuration changes and/or network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your region or language underGlobal Support, and then select the Licensing
and Registration page.
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select
the appropriate Global Site for your country, then choose Service and Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information on product updates and upgrades
■ Information on upgrade insurance and maintenance contracts
■ Information on Symantec Value License Program
■ Advice on Symantec's technical support options
■ Nontechnical presales questions
■ Missing or defective CD-ROMs or manuals
Please visit our Web site for current information on Support Programs. The specific
features available may vary based on the level of support purchased and the
specific product that you are using.
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement,
please contact the maintenance agreement administration team for your region
as follows:
■ Asia-Pacific and Japan: [email protected]
■ Europe, Middle-East, and Africa: [email protected]
■ North America and Latin America: [email protected]
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your
investment in Symantec products and to develop your knowledge, expertise, and
global insight, which enable you to manage your business risks proactively.
Enterprise services that are available include the following:
■ Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
■ Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
■ Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.
To access more information about Enterprise services, please visit our Web site
at the following URL:
www.symantec.com
Select your country or language from the site index.
Symantec Software License Agreement
SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE COMPONENT ("COMPONENT") TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE COMPONENT (REFERENCED BELOW AS "YOU" OR "YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT SUPPLEMENT ("SUPPLEMENT") AND THE LICENSE AGREEMENT ACCOMPANYING THE SYMANTEC PRODUCT WITH WHICH THIS COMPONENT IS UTILIZED ("LICENSE AGREEMENT"). READ THE TERMS AND CONDITIONS OF THE LICENSE AGREEMENT AND THIS SUPPLEMENT CAREFULLY BEFORE USING THE COMPONENT. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE "ACCEPT" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS SUPPLEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE "I DO NOT ACCEPT," OR "NO" BUTTON, OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE COMPONENT.
In addition to the License Agreement, the following terms and conditions apply to You for use of the Component.
1. License:
The software and documentation that accompanies this Supplement (collectively the "Component") is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Component, you will have certain rights to use the Component after your acceptance of this license. This license governs any releases, revisions, or enhancements to the Component that the Licensor may furnish to you. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a "License Module") that accompanies, precedes, or follows this license, your rights and obligations with respect to the use of this Component are as follows:
You may:
A. use the number of copies of the Component as required for utilization with the applicable Symantec products as have been licensed to you by Symantec under a License Module. Your License Module shall constitute proof of your right to make such copies. If no License Module accompanies, precedes, or follows this license, you may make one copy of the Component you are authorized to use on a single machine.
B. use the Component in combination with any Symantec recognized product that specifies use with the Component;
C. use the Component in accordance with any written agreement between You and Symantec.
2. Limited Warranty:
Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.
3. Disclaimer of Damages:
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.
4. U.S. Government Restricted Rights:
RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items," as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation," as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.
5. Export Regulation:
Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC), under the Export Administration Regulations (EAR) (see www.bxa.doc.gov). Violation of U.S. law is strictly prohibited. Licensee agrees to comply with the requirements of the EAR and all applicable international, national, state, regional and local laws, and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan or to any country subject to applicable trade sanctions. Licensee agrees not to export, or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State's Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export, or re-export, Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons.
6. General:
This Supplement and the Software License Agreement are the entire agreement governing the use and licensing of this Component. In the event of any conflict between the Supplement and the License Agreement, with regard to the Component, the Supplement shall control. All other terms and conditions of the License Agreement remain in full force and effect.
7. Additional Uses and Restrictions:
Notwithstanding any of the terms and conditions contained in this Supplement, the following additional terms apply to the product you have licensed.
A. The SSL certificate accompanying this Component will expire within one (1) year of installation of the Component. You may use a self-signed certificate or a separately acquired certificate from a third party vendor.
B. The use of Netscape LDAP SDK for Java is governed by the Netscape Public License (NPL), the full text of which can be found at www.mozilla.org/MPL/NPL-1.1.html. You are entitled to a copy of the source code of this third party software, which can be found in the Component.
C. The use of SNIA CIMOM is governed by the SNIA Public License (SPL), the full text of which can be found at www.snia.org/English/Resources/Code/OpenSource.html. You are entitled to a copy of the source code of this third party software, which can be found in the Component.
Contents
Chapter 1 Symantec ESM Policy Manual for the Sarbanes-Oxley Act (OS400)
Introducing the policies ... 11
About the Sarbanes-Oxley Act ... 13
SEC Final Rule ... 14
About COSO and CobiT ... 15
Components of Internal Control for COSO ... 16
Control Objectives for CobiT ... 16
Where to get more information ... 17
Installing the policies ... 17
Before you install the regulatory policies ... 17
Installing the regulatory policies ... 18
Chapter 2 Mappings to Policies
Change Notification policy ... 21
Account Integrity ... 22
Device Integrity ... 22
Network Integrity ... 23
Program Find (Queries) ... 23
Resource Review policy ... 23
Account Integrity ... 24
Login Parameters ... 25
Network Integrity ... 26
Password Strength ... 27
Program Find (Queries) ... 27
SysVal - Security ... 27
Controls Compliance policy ... 28
Account Integrity ... 28
Network Integrity ... 29
OS Patches ... 29
Password Strength ... 30
Program Find (Queries) ... 31
Startup Files ... 31
SysVal - Control ... 32
SysVal - Security ... 33
Chapter 1 Symantec ESM Policy Manual for the Sarbanes-Oxley Act (OS400)
This chapter includes the following topics:
■ Introducing the policies
■ About COSO and CobiT
■ Installing the policies
Introducing the policies
Each Symantec ESM policy addresses different aspects of the IT process that relates to compliance with the Sarbanes-Oxley Act. You should run the policies at the specified time intervals, which are based on operational efficiencies.
Change Notification
Run the Change Notification policy daily. This policy identifies changes to system resources such as system files, services, network connections, registry entries, and other parameters that are related to the “effectiveness of internal controls” that are critical to sustaining the integrity of information that is used for financial reporting:
■ Monitors and detects changes to controls that could have a material impact on financial reporting
■ Provides management with sufficient, timely, and accurate reports about changes to meet real-time issuer disclosure requirements
Resource Review
Run the Resource Review policy weekly. This policy provides information about critical system resources that support the “effectiveness of internal controls” that are critical to sustaining the integrity of information that is used for financial reporting:
■ Continuously monitors and records the state of critical system resources that require manual review, which could have an impact on the integrity of the financial reporting process
■ Validates and mitigates risks identified in the manual review
■ Assists your company with periodic assessment and monitoring of administrative and technical controls that are needed for compliance with the Act
Controls Compliance
Run the Controls Compliance policy at least twice per month. This policy checks system-wide configuration settings that are related to the “effectiveness of internal controls” that are critical to sustaining the integrity of information that is used for financial reporting:
■ Determines if the actual environment is in compliance with the desired state of control
■ Monitors the state of control for compliance with the desired state of control
■ Records the results of the monitoring
■ Provides management with sufficient, timely, and accurate reports on which to base the quarterly and annual certifications
About the Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting
Reform and Investor Protection Act, was introduced as House Resolution 3763,
passed by the 107th Congress, and signed into law by President George W. Bush
on July 30th, 2002.
The Sarbanes-Oxley Act is unlike other recently introduced regulations and
standards that contain explicit security requirements relating to confidentiality,
integrity and availability. The purpose of the law is to ensure accountability and
integrity of the financial reporting process for public companies.
Title IV, section 404 and Title III, section 302 of the Act require annual and
quarterly management reporting and certification of the adequacy of controls.
In addition, material changes must be reported in accordance with Title IV, section 409, “Real Time Issuer Disclosures.”
Compliance with the Sarbanes-Oxley Act involves the following fundamental activities:
■ Achieving and maintaining compliance as an ongoing process
■ Reporting on the current state of compliance; for example, for an audit or
examination
Symantec ESM policies for the Sarbanes-Oxley Act assess compliance with many
of the components of internal control in COSO and control objectives in CobiT
that may be reviewed by your public auditor during your annual attestation of
compliance required by the Sarbanes-Oxley Act.
There are two regulatory bodies responsible for overseeing compliance with the Act:
■ Securities and Exchange Commission (SEC): The SEC is the regulatory body responsible for enforcing the Act.
■ Public Company Accounting Oversight Board (PCAOB): Title I section 101 of the Act established the Public Company Accounting Oversight Board (PCAOB) "to oversee the audit of public companies that are subject to the securities laws.” The only assigned duty of the Board with direct relevance to public company compliance with Sarbanes-Oxley is to "establish or adopt, or both, by rule, auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers, in accordance with section 103.”
SEC Final Rule
The SEC Final Rule is published as:
Management's Reports on Internal Control Over Financial Reporting and
Certification of Disclosure in Exchange Act Periodic Reports (17 CFR PARTS 210,
228, 229, 240, 249, 270 and 274).
As directed by section 404 of the Act, the SEC has adopted a rule (the Final Rule)
requiring companies that are subject to the reporting requirements of the
Securities Exchange Act of 1934, other than registered investment companies, to
include in their annual reports a report from management on the company's
internal control over financial reporting. The internal control report must include
the following:
■ A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company
■ Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year
■ A statement identifying the framework that is used by management to evaluate the effectiveness of the company's internal control over financial reporting
■ A statement that the registered public accounting firm that audited the company's financial statements (included in the annual report) has issued an attestation report on management's assessment of the company's internal control over financial reporting
■ An evaluation of any change in the company's internal control over financial reporting:
■ that occurred during a fiscal quarter
■ that has materially affected the company's internal control over financial reporting
■ that is reasonably likely to materially affect the company's internal control over financial reporting
■ The following statement:
“The company's certifying officer(s) have disclosed, based on our most recent
evaluation of internal control over financial reporting, to the company's
auditors and the audit committee of the company's board of directors (or
persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or
operation of internal control over financial reporting which are reasonably
likely to adversely affect the company's ability to record, process, summarize
and report financial information; and
(b) Any fraud, whether or not material, that involves management or other
employees who have a significant role in the company's internal control over
financial reporting.”
Under the SEC Final Rule, a company is required to file the registered public
accounting firm's attestation report as part of the annual report. The SEC has
adopted amendments to their rules and forms under the Securities Exchange Act
of 1934 and the Investment Company Act of 1940 to revise the section 302
certification requirements and to require issuers to provide the certifications that
are required by section 302 and Title IX section 906 of the Sarbanes-Oxley Act of
2002 as exhibits to certain periodic reports.
The SEC has stated:
“We recognize that our definition of the term ‘internal control over financial
reporting’ reflected in the final rules encompasses the subset of internal controls
addressed in the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) (Internal Control Framework report) that pertains to financial
reporting objectives.”
See “SEC Final Rule” on page 14.
About COSO and CobiT
The SEC requires organizations to select and implement an internal control framework. COSO has become the most commonly adopted framework.
SEC registrants and others found that additional details regarding IT control considerations were needed beyond those provided in COSO. The Public Company Accounting Oversight Board (PCAOB) indicates the importance of IT controls but does not provide further detail. As a result, the Control Objectives for Information and related Technology (CobiT), which is published by the IT Governance Institute, was used as the basis for expanding the IT control details that were used to produce and document these Symantec ESM policies.
Components of Internal Control for COSO
The Institute of Internal Auditors (IIA) identifies the following five relevant components of internal control within the COSO framework:
■ Control environment (CE): The foundation for effective internal control, establishes the “tone at the top,” and represents the apex of the corporate governance structure.
■ Risk assessment (RA): The identification and analysis by management of relevant risks, to achieve predetermined objectives that form the basis for determining control activities.
■ Control activities (CA): Activities that make up the policies, procedures and practices that are adopted to ensure that business objectives are achieved and risk mitigation strategies are followed.
■ Information and communication (IC): Information that is needed at all levels of the organization to run the business and achieve control objectives.
■ Monitoring (M): The oversight of internal control by management through continuous and point-in-time assessment processes.
Control Objectives for CobiT
The Information Technology Governance Institute (ITGI) defines the following four domains within CobiT:
■ Planning and Organization (PO): Covers strategy and tactics. PO identifies the way IT can best achieve the business objectives. Twelve control objectives from five processes are addressed by these policies.
■ Acquisition and Implementation (AI): Describes identification, development or acquisition, implementation, and integration of IT solutions into the business process. Three control objectives from one process are addressed by these policies.
■ Delivery and Support (DS): Covers the actual delivery of required services. Services can range from traditional operations with security and continuity aspects to training. Thirteen control objectives from four processes are addressed by these policies.
■ Monitoring (M): Addresses management's oversight of the organization's control process. Monitoring covers independent assurance that is provided by either an internal or external audit or through alternative resources. Four control objectives from two processes are addressed by these policies.
Where to get more information
The Securities and Exchange Commission (SEC) is the regulatory body that is responsible for enforcing the Act. For more information, go to the following web sites:
■ Sarbanes-Oxley Act (full text): http://www.law.uc.edu/CCL/SOact/soact.pdf
■ SEC Final Rule: http://www.sec.gov
■ PCAOB Auditing Standard #2: http://www.pcaob.com
■ COSO framework: http://www.erm.coso.org/Coso/coserm.nsf/vwWebResources/PDF_Manuscript/$file/COSO_Manuscript.pdf
■ CobiT control objectives: http://www.isaca.org/cobit.htm
Installing the policies
To use these policies, a Symantec Enterprise Security Manager OS/400 Agent must be registered to a Symantec ESM 6.0 or 6.5 manager.
Before you install the regulatory policies
You must decide which Symantec ESM managers require the policy. Policies run on managers and do not need to be installed on agents. The policies can be installed on the following operating systems:
■ IBM® AIX® 5.x
■ Hewlett-Packard® HP-UX® 10/11
■ Sun™ Solaris™ 2.7 or higher
■ Microsoft® Windows Server™ 2003
■ Microsoft® Windows 2000 Professional/Server/Advanced Server with service
pack 1.0 and higher
Installing the regulatory policies
The standard installationmethod is to use the LiveUpdate feature in the Symantec
ESM console. An alternative method is to use files from a Symantec ESM CD or
the Internet to install the policies manually.
To install the policies by using LiveUpdate
1 Connect the Symantec ESM Enterprise Console to managers that you want
to update.
2 Click the LiveUpdate icon to start the LiveUpdate wizard.
3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and
then click Next.
4 In the Welcome to LiveUpdate dialog box, click Next.
5 Do one of the following:
■ To install all checked products and components, click Next.
■ To exclude a product from the update, uncheck it, and then click Next.
■ To exclude a product component, expand the product node, uncheck the
component that you want to exclude, and then click Next.
6 Click Next.
7 Click Finish.
8 Ensure that all managers that you want to update are checked.
9 Click Next.
10 Click OK.
To obtain files for a manual installation
1 Connect the Symantec ESM Enterprise Console to managers that you want
to update.
2 Go to the Security Response Web site at:
http://securityresponse.symantec.com
3 Download the executable files for Microsoft Windows:
■ OS400_SOA_Change_Notification_20051115.exe
■ OS400_SOA_Controls_Compliance_20051115.exe
■ OS400_SOA_Resource_Review_20051115.exe
To avoid conflicts with updates that are performed by standard LiveUpdate
installations, copy or extract the files into the LiveUpdate folder (usually Program
Files/Symantec/LiveUpdate).
To install the policies manually
1 On a computer that is running Windows NT/2000/XP/Server 2003 that has
network access to the UNIX manager, run the executable that you downloaded
from the Symantec Security Response Web site.
2 Click Next to close the Welcome dialog box.
3 In the License Agreement dialog box, if you agree to the terms of the
agreement, click Yes.
4 Click Yes to continue installation of the best practice policy.
5 Type the requested manager information.
6 Click Next.
If the manager's modules have not been upgraded to Security Update 18 or
later, the install program returns an errormessage and aborts the installation.
Upgrade the manager to SU 18 or later, and then rerun the install program.
7 Click Finish.
Mappings to Policies
This chapter includes the following topics:
■ Change Notification policy
■ Resource Review policy
■ Controls Compliance policy
Change Notification policy
The modules that are included in this policy are described below with information
about the checks that are enabled in each module. The following details are
provided for individual security checks:
■ References to the COSO components of internal control
■ References to the CobiT control objectives
■ Brief rationale for enabling the check
■ Associated templates (if applicable)
■ Associated name lists (if applicable)
■ Keyword lists (if applicable)
■ Word lists (if applicable)
This policy is read-only. To meet your company's security policy needs, you must
change the default values by copying and renaming the policy files. For instructions
and more information about specific checks and messages, see the current
Symantec ESM Security Update User's Guide.
Note: Default values for specific security checks are based on industry best
practices. Control objectives do not identify specific values.
Account Integrity
The Account Integrity module reports profile and privilege information. It also
creates andmaintains user and group snapshot records to detect account changes
between policy runs.
Check | COSO | CobiT | Rationale
Changed user profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
Changed group profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
New user profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
New group profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.
Device Integrity
The Device Integrity module identifies changes in device ownership and ID on an
AS/400 network.
Check | COSO | CobiT | Rationale
Changed devices | CE, IC, CA | PO4.9, AI3.6 | Changes should be reviewed to ensure they are authorized.
Deleted devices | CE, IC, CA | PO4.9, AI3.6 | Changes should be reviewed to ensure they are authorized.
Device types to include | N/A | N/A | This policy is set to examine workstation devices by default.
New devices | CE, IC, CA | PO4.9, AI3.6 | Changes should be reviewed to ensure they are authorized.
Network Integrity
The Network Integrity module examines security settings on an AS/400 system.
The Network Integrity module reports the vulnerabilities of domains, including
global security groups and folder and printer shares.
Check | COSO | CobiT | Rationale
System distribution directory | N/A | N/A | This check must be enabled for proper operation of ESM.
New entries | CA, M | DS5.17 | Changes should be reviewed to ensure they are authorized.
Deleted entries | CA, M | DS5.17 | Changes should be reviewed to ensure they are authorized.
Program Find (Queries)
The Program Find module reviews specified libraries on your system and looks
for potential security problems based on the selected options.
Check | COSO | CobiT | Rationale
New adopt owner | RA, M | PO9.3, M2.4 | Changes to adopt owner programs should be examined to ensure they are authorized.
Resource Review policy
The modules that are included in this policy are described below, with information
about the checks that are enabled in each module. The following details are
provided for individual security checks:
■ References to the COSO components of internal control
■ References to the CobiT control objectives
■ Brief rationale for enabling the check
■ Associated templates (if applicable)
■ Associated name lists (if applicable)
■ Keyword lists (if applicable)
■ Word lists (if applicable)
This policy is read-only. To meet your company's security policy needs, you must
change the default values by copying and renaming the policy files. For instructions
and more information about specific checks and messages, see the current
Symantec ESM Security Update User's Guide.
Note: Default values for specific security checks are based on industry best
practices. Control objectives do not identify specific values.
Account Integrity
The Account Integrity module reports profile and privilege information. It also
creates andmaintains user and group snapshot records to detect account changes
between policy runs.
Check | COSO | CobiT | Rationale
Deleted user profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
Deleted group profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
Attention program not default | CA, IC, M | DS5.2 | A misconfigured attention program could be a vulnerability or an indication of compromise.
Attention program adopts authority | CA, IC, RA, M | PO9.3, DS5.6 | A misconfigured attention program could be a vulnerability or an indication of compromise.
Profiles with specific special authorities | CE, CA, IC, M | PO4.9, PO4.10, DS5.5 | System level privileges should be reviewed frequently to ensure they are authorized.
Profile with user class | CE, CA, IC, M | PO4.9, PO4.10, DS5.5 | System level privileges should be reviewed frequently to ensure they are authorized.
Profile without limited capabilities | CE, CA, IC, M | PO4.9, PO4.10, DS5.5 | Limited capabilities are required to help prevent unauthorized changes to profiles.
Privileged users and groups | CE, CA, IC, M | DS11.30 | System level privileges should be reviewed frequently to ensure they are authorized.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.
Sign on details | CE, CA, IC, M | PO6.8, DS5.7, M2.4 | This check reports on a variety of important profile configuration errors and risks.
Profiles to check | N/A | N/A | By default, ESM examines all profiles.
User profiles by group | CE, CA, IC, M | PO4.9, DS5.7 | The security officer role is highly privileged and should be reviewed to ensure all users with this role are authorized.
Login Parameters
The Login Parameters module examines profile sign-on parameters.
Check | COSO | CobiT | Rationale
Display signon information | CA, IC, M | DS5.6 | Users must be able to see their sign-on information in order to monitor their own account for misuse.
Expired password | CE, CA, IC, M | PO7.8, DS5.17 | Expired passwords are usually an indicator of unused accounts that should be deleted.
Groups with password | CA, IC, M | DS5.15 | Group profiles should not have sign-on passwords.
Inactive profiles | CE, CA, IC, M | PO7.8, DS5.4, DS5.17 | Unused accounts should be deleted.
No password | RA, CA, M | PO9.7, DS5.2, DS5.17 | Profiles without passwords are probably configuration errors.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.
Profiles to check | N/A | N/A | By default, ESM examines all profiles.
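The profile checks in the Account Integrity and Login Parameters tables above can be reproduced outside ESM. The following is an added example, not Symantec ESM code and not part of this manual, that runs those checks over a constructed set of user profile attributes. The attribute keywords USRCLS, SPCAUT, LMTCPB, PASSWORD and PWDEXP are IBM's user profile keywords; the 90-day inactivity window, the list of special authorities treated as sensitive, the privileged user classes and the reference date are assumptions made for the example, because the manual does not state ESM's defaults for them.

```python
"""Profile review for the Resource Review policy's Account Integrity and Login
Parameters checks (special authorities, user class, limited capabilities,
groups with password, inactive profiles, expired password, no password).

Added example, not Symantec ESM code. Input is a constructed, simplified set of
OS/400 user profile attributes. USRCLS, SPCAUT, LMTCPB, PASSWORD and PWDEXP are
IBM user profile keywords; the inactivity window, the sensitive special
authority list, the privileged classes and the reference date are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

TODAY = date(2005, 12, 1)   # fixed reference date (assumption; keeps the run deterministic)
INACTIVE_DAYS = 90          # assumption; the manual does not state ESM's default
SENSITIVE_SPCAUT = {"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE",
                    "*JOBCTL", "*SPLCTL", "*SAVSYS", "*IOSYSCFG"}  # assumption
PRIVILEGED_CLASSES = {"*SECOFR", "*SECADM"}                        # assumption


@dataclass(frozen=True)
class Profile:
    name: str
    usrcls: str                  # USRCLS: *USER, *PGMR, *SYSOPR, *SECADM, *SECOFR
    spcaut: Tuple[str, ...]      # SPCAUT: special authorities granted to the profile
    lmtcpb: str                  # LMTCPB: *YES, *PARTIAL or *NO
    password: str                # "*NONE" or "*SET"; never the password itself
    pwdexp: str                  # PWDEXP: *YES when the password is expired
    is_group: bool               # profile is named as GRPPRF by other profiles
    last_signon: Optional[date]  # previous sign-on date, None if never signed on


# Constructed sample data; not taken from any real system.
SAMPLE_PROFILES = [
    Profile("QSECOFR", "*SECOFR", ("*ALLOBJ", "*SECADM", "*AUDIT"), "*NO",
            "*SET", "*NO", False, date(2005, 11, 30)),
    Profile("ACCTGRP", "*USER", (), "*YES", "*SET", "*NO", True, None),
    Profile("JSMITH", "*USER", (), "*YES", "*SET", "*NO", False, date(2005, 6, 1)),
    Profile("TEMP01", "*USER", (), "*YES", "*SET", "*YES", False, date(2005, 11, 1)),
    Profile("SVCACCT", "*PGMR", ("*JOBCTL",), "*NO", "*NONE", "*NO", False, None),
]


def review(profiles: List[Profile], today: date = TODAY) -> List[Tuple[str, str]]:
    """Return (profile name, check name) findings, using the manual's check names."""
    findings = []
    for p in profiles:
        if SENSITIVE_SPCAUT & set(p.spcaut):
            findings.append((p.name, "Profiles with specific special authorities"))
        if p.usrcls in PRIVILEGED_CLASSES:
            findings.append((p.name, "Profile with user class"))
        if p.lmtcpb != "*YES":
            # *PARTIAL still allows commands from the command line, so only *YES passes
            findings.append((p.name, "Profile without limited capabilities"))
        if p.is_group and p.password != "*NONE":
            findings.append((p.name, "Groups with password"))
        if p.password == "*NONE":
            findings.append((p.name, "No password"))
        if p.pwdexp == "*YES":
            findings.append((p.name, "Expired password"))
        # Only profiles that can sign on are judged for inactivity; a group
        # profile or a PASSWORD(*NONE) profile never signs on and is not "inactive".
        if p.password != "*NONE" and not p.is_group:
            if p.last_signon is None or (today - p.last_signon).days > INACTIVE_DAYS:
                findings.append((p.name, "Inactive profiles"))
    return findings


def findings_for(name: str, profiles: List[Profile] = SAMPLE_PROFILES) -> List[str]:
    """Sorted check names reported for one profile."""
    return sorted(check for who, check in review(profiles) if who == name)


if __name__ == "__main__":
    for who, check in review(SAMPLE_PROFILES):
        print(f"{who:<10} {check}")
```

Run the file to list the findings. The service profile with PASSWORD(*NONE) is reported under No password exactly as the policy would report it; that is the case a reviewer most often has to record as a documented exception rather than a configuration error.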
Network Integrity
The Network Integrity module examines security settings on an AS/400 system.
The Network Integrity module reports the vulnerabilities of domains, including
global security groups and folder and printer shares.
Check | COSO | CobiT | Rationale
System distribution directory | N/A | N/A | This check must be enabled for proper operation of ESM.
Remote sign on | RA, CA, IC | PO9.7, DS13.8 | Remote access should be controlled with an explicit logon process.
Password Strength
The Password Strength module reports passwords that do not conform to this
policy.
Check | COSO | CobiT | Rationale
Password = username | CA, RA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match the user name are easy to guess and could compromise the integrity of information that is used for financial reporting.
Profiles without password | CA, RA, M | PO9.7, DS5.2, DS5.17 | Profiles without passwords are probably configuration errors.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.
Program Find (Queries)
The Program Find module reviews specified libraries on your system and looks
for potential security problems based on the selected options.
Check | COSO | CobiT | Rationale
Libraries | N/A | N/A | By default, ESM examines the QGPL library.
Program adopts owner | RA, M | PO9.3, M2.4 | These programs should be carefully examined to ensure they are not a vehicle for unauthorized access.
SysVal - Security
The SysVal - Security module reports a problem if the agent is not using specified
system security system values.
Check | COSO | CobiT | Rationale
Max sign on attempts | CE, CA, IC, M | PO6.8, DS5.7 | Excessive login failures could indicate attempts to gain unauthorized access.
Controls Compliance policy
The Sarbanes-Oxley Controls Compliance policy monitors the configuration of
an operating system or database for compliance with the recommended state of
control.
The modules that are included in this policy are described below with the checks
that are enabled in the module. The following details are provided for individual
security checks:
■ References to the COSO components of internal control
■ References to the CobiT control objectives
■ Brief rationale for enabling the check
■ Associated templates (if applicable)
■ Associated name lists (if applicable)
■ Keyword lists (if applicable)
This policy is read-only. To meet your company's security policy needs, you must
change the default values by copying and renaming the policy files. For instructions
and more information about specific checks and messages, see the current
Symantec ESM Security Update User's Guide.
Note: Default values for specific security checks are based on industry best
practices. Control objectives do not identify specific values.
Account Integrity
The Account Integrity module reports profile and privilege information. It also
creates andmaintains user and group snapshot records to detect account changes
between policy runs.
Check | COSO | CobiT | Rationale
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.
Network Integrity
The Network Integrity module examines security settings on an AS/400 system.
The Network Integrity module reports the vulnerabilities of domains, including
global security groups and folder and printer shares.
Check | COSO | CobiT | Rationale
Client request access | CA, IC, M | DS5.2 | Agent requests can be used to overwrite data without explicit authorization.
DDM request access | CA, IC, M | DS5.2 | Agent requests can be used to overwrite data without explicit authorization.
System distribution directory | N/A | N/A | This check must be enabled for proper operation of ESM.
OS Patches
This module reports the status of OS patches (PTFs) that affect system security.
Check | COSO | CobiT | Rationale
Template file list | CA, RA, M | PO9.3, DS5.19, M2.4 | The template file contains information on OS/400 patches.
OS Patches (Patch) template file
Symantec uses LiveUpdate every two weeks to update the template files loaded
on your system.
Note: Do not edit, move, or change your patch template files.
The Patch module uses the following template files:
Template name | File name | OS
OS Patches | patch.po4 | OS/400
Password Strength
The Password Strength module reports passwords that do not conform to this
policy.
Check | COSO | CobiT | Rationale
Days until expiration | CA, RA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. This policy ships with a default setting of 60 days.
Password reuse count | CA, RA, M | PO9.7, DS5.2, DS5.17 | Limiting reuse of previously used passwords reduces the risk of discovery. This policy ships with a default setting of 4 prior passwords.
Restrict repeated characters | CA, RA, M | PO9.7, DS5.2, DS5.17 | Easily guessed passwords do not meet the CobiT/COSO requirement for adequate authentication and access controls. Repeated characters make passwords easy to guess. This policy ships with a default setting of 2 characters.
Numeric character required | CA, RA, M | PO9.7, DS5.2, DS5.17 | Forcing users to select passwords that conform to the minimum character class requirements helps to ensure passwords cannot be easily guessed. This policy ships with a default setting of 1.
Check password length restrictions | CA, RA, M | PO9.7, DS5.2, DS5.17 | Easily guessed passwords do not meet the CobiT/COSO requirement for adequate authentication and access controls. Short passwords are easily guessed. This policy ships with a default setting of 8 characters.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.
Profiles to check | CA, RA, M | PO9.7, DS5.2, DS5.17 | By default, ESM examines all profiles.
Program Find (Queries)
The Program Find module reviews specified libraries on your system and looks
for potential security problems based on the selected options.
Check | COSO | CobiT | Rationale
Adopt owner profile | RA, M | PO9.3, M2.4 | These programs should be carefully examined to ensure they are not a vehicle for unauthorized access.
Sensitive commands | RA, M | PO9.3, M2.4 | These commands are risky and should be examined to ensure they are needed and authorized.
Startup Files
The Startup Files module examines jobs (services) that automatically start when
the computer is turned on.
Check | COSO | CobiT | Rationale
Check if Anonymous FTP is allowed | CA, IC, M | DS5.2, DS13.8 | Anonymous FTP is a frequently exploited vulnerability. The mechanism does not properly authenticate users.
Users can change library content | CA, RA, M | PO9.3, DS5.17, DS5.19 | This check reports a possible system compromise.
Services | CA, IC, M | AI3.7, DS5.17 | The template file contains a list of mandatory and forbidden services.
Services template files
Mandatory, prohibited, and optional services for OS/400 are defined in Services
templates.
Symantec uses LiveUpdate every two weeks to overwrite the default template
files that are loaded on your system.
The Startup Files module uses the following default template files.
Template name | File name | OS
Services | basic.so4 | OS/400
SysVal - Control
The SysVal - Control module reports a problem if the agent is not using specified
system values.
Check | COSO | CobiT | Rationale
Autoconfigure devices | CA, IC, M | AI5.12, DS5.2 | Setting autoconfiguration of remote devices to OFF is prudent.
Autoconfigure remote controllers | CA, IC, M | AI5.12, DS5.2 | Setting autoconfiguration of remote controllers to OFF is prudent.
Autoconfigure virtual devices | CA, IC, M | AI5.12, DS5.2 | Virtual devices should be configured deliberately, not automatically.
Force conversion on restore | CA, IC, M | DS5.19 | Forced conversion is not recommended by Symantec and IBM.
Maximum history log size | CA, M | DS5.17 | Symantec recommends 5000 for this setting. Your business context may demand a different setting.
Remote power on and IPL | CA, IC | DS13.8 | Remote IPL should not be permitted.
Remote service attribute | CA, IC | DS13.8 | Remote analysis should not be permitted.
System part of library list | CA, IC, M | DS5.7, DS5.19, DS9.5 | Unauthorized libraries can be an indication of system compromise.
User part of library list | CA, IC, M | DS5.7, DS5.19, DS9.5 | Unauthorized libraries can be an indication of system compromise.
SysVal - Security
The SysVal - Security module reports a problem if the agent is not using specified
system security system values.
Check | COSO | CobiT | Rationale
Allow object restore | CA | AI3.6 | While *NONE is the safest setting, some environments may need to use *ALWPGMADP.
Auditing Control | CA, M | DS5.7, DS5.10 | This check ensures that auditing is properly enabled.
Security auditing level | CA, M | DS5.7, DS5.10 | This check determines which events are to be audited.
Auditing end action | CA, M | DS5.7, DS5.10 | If audit logging fails for any reason the SYSOP should be notified rather than shutting down the system.
Audit journal cache size | CE, CA, IC, M | PO4.10, AI3.7, DS5.10 | Audit journal entries must not be lost on abnormal termination.
Create default public authority | CA, M | DS5.7, DS5.10 | Public users should not be able to change newly created objects.
Create object auditing | CA, M | DS5.7, DS5.10 | Changes to objects should be audited by default.
Privileged user access | RA, CA | PO9.3, PO9.7, AI3.3 | Permissions, especially high privilege permissions, must be assigned explicitly.
Failed sign-on action | CE, CA, IC, M | PO6.8, DS5.7 | Excessive login failures could indicate attempts to gain unauthorized access.
System security level | CA, M | DS5.2 | This setting establishes requirements for authentication.