WHITE PAPER: ENTERPRISE SECURITY MANAGEMENT Basel II Reports Security and Audit Directors Live For


Contents

Executive Summary
REPORT #1: Configuration Compliance Report Summary
REPORT #2: Configuration Compliance Report for One System
REPORT #3: Security Assessments for System Permissions Given to Users (Entitlement Report)
REPORT #4: Policy Acceptance Report
REPORT #5: User Configuration Setting and Database Access


Executive Summary

While complying with regulations is one of the top issues facing businesses today, many IT security executives are confused about what specifically they must do to achieve compliance. From an IT security perspective, the key to Basel II compliance is in the documentation, monitoring and management of a compliance control structure for your specific enterprise environment.

The first Basel Accord, published in 1988, introduced a conceptually simple risk-based approach to security controls. The new Accord, known as Basel II, is intended to foster a strong emphasis on risk management aimed at rewarding the adoption and use of best-practice risk management as a means of compliance. Basel II evolved from the framework of the 1988 Basel Accord but is more than an update. Basel II exhibits an underlying philosophical shift toward more specific controls that reflect trends in the banking industry and the regulatory landscape brought on by accounting scandals.

The Basel II Framework is based on three "Pillars": Minimum Capital Requirements, Supervisory Review Process and Market Discipline. To meet Basel II compliance, banks are adopting the World Bank Technology Risk Checklist as their framework of choice.

Symantec software helps organizations with many of these thirteen layers, including risk management, policy management, access controls, vulnerability testing and systems administration. Symantec's powerful viewing and reporting capabilities enable you to audit and maintain Basel II compliance to standards in a fraction of the time required by manual methods. Symantec can help streamline, automate and sustain compliance at reduced cost with easy-to-produce and understandable console views and reports that include:

1. Configuration Compliance Report Summary
2. Configuration Compliance Report for One System
3. Security Assessments for System Permissions Given to Users (Entitlement Report)
4. Policy Acceptance Report
5. User Configuration Setting and Database Access

The World Bank Technology Risk Checklist comprises the following thirteen layers:

• Risk Management
• Policy Management
• Cyber-Intelligence
• Access Controls/Authentication
• Firewalls
• Active Content Filtering
• Intrusion Detection System (IDS)
• Virus Scanners
• Encryption
• Vulnerability Testing
• Systems Administration
• Incident Response Plan (IRP)
• Wireless Security

REPORT #1

Configuration Compliance Report Summary

Are your systems properly configured according to your architecture? How often are configurations reviewed?

These questions come directly from The World Bank Technology Risk Checklist. While they may seem very basic, in reality they can be very difficult to answer when you consider the number of different operating systems within your environment. Add to this the complexity of a different configuration for each specific role that each system plays—an external Web server is configured differently from an internal file and print server—and you begin to understand why companies are seeking ways to simplify and streamline compliance management. Symantec Compliance Center helps by automating key report views that not only save time but also improve system configuration accuracy and consistency.

This Configuration Compliance Report quickly shows overall compliance to a technical configuration—in this case, based on the Center for Internet Security Benchmarks.

1] At-A-Glance summary chart: Without having to wade through detailed data, you can quickly see an overall summary of your configuration compliance in easy-to-understand pie chart format.

2] List of non-compliant systems: It's fast and easy to view non-compliant servers by viewing a list of the non-compliant systems at the bottom of the report, ranked from worst to best. This list can also be filtered to show only those systems that pass your configuration standards.

3] Summary Information: Quickly see what standard was tested, what were the target systems and what was the overall compliance percentage.

This report can be scheduled to be run daily, weekly or monthly and can alert you via email when completed. You have the option of receiving all results via email notification, or if you prefer, you can be notified only if there are configuration exceptions.


REPORT #2

Configuration Compliance Report for One System

Knowing the overall compliance summary percentage is an important first step in demonstrating compliance. However, you also need to be able to drill down to the specific offending system and quickly identify what is out of compliance. This configuration compliance report for one system in Symantec Compliance Center provides the necessary detail.

1] Easy-to-read summary chart: Without having to go through a lot of extraneous data, you can quickly view an overall compliance summary of the offending system.

2] List of checks and their results: At the bottom of the report, you can see a list of checks performed and whether the system passed or failed each check. Symantec also provides key information for failed checks, including "evidence" for why the check failed. For example, if the check that failed was validating that a guest account had been renamed, the report will indicate what setting was found on the failed system.

3] Exemption management: There may be a valid business reason for a particular configuration that does not conform to a standard. For example, the system may support a legacy risk calculator and won't be upgraded for three months. This system, therefore, could have an exception for this setting that expires in three months. You can configure your report to "exempt" these violations from being displayed in the report so that you don't waste time researching "known" violations or temporarily approved settings.


REPORT #3

Security Assessments for System Permissions Given to Users (Entitlement Report)

Is access restricted to the minimum amount of access necessary for any particular job?

To address this question from the World Bank Technology Risk Checklist, a process to periodically review and confirm access rights is required. Symantec provides extensive granularity in implementing IT controls to answer Access Control questions similar to the question highlighted above. Symantec Access Control reports, for example, take into account not just explicit rights of users and groups but also account effective privileges through group memberships and cascading rights. Symantec's ability to perform such analysis accurately and with minimal intrusiveness is a major benefit in accuracy and time savings when it comes to demonstrating compliance.

1] Symantec's bv-Control® for Windows® allows you to gather direct and inherited permission data for users and groups with access to the Accounts directories. This not only helps you pinpoint problems, but allows you to find out how the access control problem occurred in the first place - enabling you to prevent these problems from occurring in the future.

2] Access security control should be based on the individual's demonstrated need to view, add, change or delete data. This report documents the level of access to Accounts data for each user or group, clearly identifying end-user exposure at the operating system level. See report #5 to identify end-user exposure at the application level.

3] This report also shows users and groups in the accounting department that have access to the accounts directory with full control of the information. Management should review this list periodically to ensure that users and permission levels are appropriate.


Entitlement – By Directory – Basic Permissions (server ACCOUNTINGSRV1)

Directory    Account Name              Effective Permissions  Group Members
C:\Accounts  AD-DOMAIN\Administrators  [Full Control]         AD-DOMAIN\Administrator, AD-DOMAIN\Domain Admins, AD-DOMAIN\Enterprise Admins, AD-DOMAIN\HSAdmin361971, AD-DOMAIN\HSAdmin482685
             AD-DOMAIN\Accounting      [Full Control]         AD-DOMAIN\MStewart, AD-DOMAIN\CSmith, AD-DOMAIN\HGray, AD-DOMAIN\KCountess, AD-DOMAIN\LHuffman
             Everyone                  Read Execute Delete    [N/A]
C:\Loans     AD-DOMAIN\Administrators  [Full Control]         AD-DOMAIN\Administrator, AD-DOMAIN\Domain Admins, AD-DOMAIN\Enterprise Admins, AD-DOMAIN\HSAdmin361971, AD-DOMAIN\HSAdmin482685
             AD-DOMAIN\Accounting      Read Execute Delete    AD-DOMAIN\MStewart, AD-DOMAIN\CSmith, AD-DOMAIN\HGray, AD-DOMAIN\KCountess, AD-DOMAIN\LHuffman
             AD-DOMAIN\Controller      Read Execute Delete    AD-DOMAIN\MStewart, AD-DOMAIN\CSmith
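The effective-permission analysis described under Report #3 (explicit rights plus rights cascading through nested group membership, with Everyone applying to all accounts) can be reproduced on the sample rows above. This is an added illustration, not Symantec or bv-Control code; the nesting of the two HSAdmin accounts under Domain Admins, the treatment of Everyone, and the basic-permission set implied by Full Control are assumptions.

```python
# Effective-permission review modelled on the entitlement report above.
# Added example, not Symantec or bv-Control code. ACLs and memberships are
# constructed from the page's sample rows; nesting and BASIC are assumptions.
from collections import defaultdict
BASIC = {"Read", "Execute", "Delete"}   # assumed: what Full Control implies
D = "AD-DOMAIN\\"
# Constructed sample: directory -> {trustee: permissions granted directly}
ACLS = {
    r"C:\Accounts": {D + "Administrators": {"Full Control"},
                     D + "Accounting": {"Full Control"},
                     "Everyone": {"Read", "Execute", "Delete"}},
    r"C:\Loans": {D + "Administrators": {"Full Control"},
                  D + "Accounting": {"Read", "Execute", "Delete"},
                  D + "Controller": {"Read", "Execute", "Delete"}},
}
# Constructed sample: group -> direct members. Domain Admins is assumed to
# hold the two HSAdmin accounts, so their rights cascade via Administrators.
GROUPS = {
    D + "Administrators": {D + "Administrator", D + "Domain Admins", D + "Enterprise Admins"},
    D + "Domain Admins": {D + "HSAdmin361971", D + "HSAdmin482685"},
    D + "Enterprise Admins": set(),
    D + "Accounting": {D + "MStewart", D + "CSmith", D + "HGray", D + "KCountess", D + "LHuffman"},
    D + "Controller": {D + "MStewart", D + "CSmith"},
}
def members(trustee, groups, everyone, seen=None):
    """Every user reachable from a trustee, following nested groups."""
    if trustee == "Everyone":
        return set(everyone)
    if trustee not in groups:
        return {trustee}                 # a plain user account
    seen = set() if seen is None else seen
    if trustee in seen:                  # guard against circular nesting
        return set()
    seen.add(trustee)
    return set().union(*(members(m, groups, everyone, seen) for m in groups[trustee]))
def effective_permissions(acls, groups):
    """(directory, user) -> union of permissions reached through any trustee."""
    users = {m for ms in groups.values() for m in ms if m not in groups}
    eff = defaultdict(set)
    for path, aces in acls.items():
        for trustee, perms in aces.items():
            granted = perms | BASIC if "Full Control" in perms else perms
            for user in members(trustee, groups, users):
                eff[(path, user)] |= granted
    return dict(eff)
def review_list(eff, groups, admin_groups=(D + "Administrators",)):
    """Non-admin users holding Full Control or Delete: the periodic review set."""
    admins = set().union(*(members(g, groups, set()) for g in admin_groups))
    return sorted((p, u, sorted(s)) for (p, u), s in eff.items()
                  if u not in admins and s & {"Full Control", "Delete"})
```

Running `review_list(effective_permissions(ACLS, GROUPS), GROUPS)` surfaces the five accounting users with Full Control on C:\Accounts and Delete on C:\Loans, and the Everyone entry shows up as Delete for every account on C:\Accounts, which is the kind of exposure the report is meant to put in front of management.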


REPORT #4

Policy Acceptance Report

Policy management is a key component of the World Bank Technology Risk Checklist. An effective policy management program must measure and track user awareness and acceptance of policies. Symantec Policy Operations Center® provides built-in acceptance tracking for policies that help to simplify and streamline management. When a new policy or updated policy is sent out to the user community, for example, you can quickly view who has read, accepted, denied or ignored the policy.

1] Summary Graphs of User Acceptance: With Symantec you can quickly see the user acceptance status for all your policies. Clear, color-coded graphs indicate which users have read, accepted, denied or ignored a particular policy.

2] Detailed User Acceptance Report: In addition to high-level summary graphs, Symantec enables you to drill down to the specifics of a particular policy. Detailed lists of the users by category can be created, including comments from end users when they responded. Conveniently reviewing user comments helps you to identify policy problems or issues quickly. In this example, the user named Chan Yoon has not yet acknowledged acceptance of two policies.


REPORT #5

User Configuration Setting and Database Access

Access Control/Authentication is the first line of defense for effective IT security controls. With significant amounts of critical information residing in large relational databases, maintaining good security practices on these systems is critical to IT security and audit directors. Using bv-Control® for Oracle®, you can validate the configuration of Oracle databases against internal security standards to identify common misconfigurations such as users with default passwords. You can also assess separation of duties in the database and report on the level and extent of access to sensitive corporate data.

1] Excessive rights to database applications can provide a back door into an ERP application, even though access controls are already established by the application. This report shows a list of users with access to the outstanding loans database and the level of privilege for each user.

2] Management should review access levels on a regular basis to ensure the integrity of data and confirm that permissions are appropriate.

3] Good security requires strong passwords. In this example report you can see that several users are still using default passwords to access critical data. This opens the door to unauthorized users, creating a significant risk that an unauthorized person might gain access and take action on confidential information.


Privileges on the Accounts Payable Database Table

Server Name        Database Name  Object Name  Privilege Grantee  Privilege Name
Accounting_Server  BVCO9U         Vendor       AP_ADMINISTRATOR   SELECT
Accounting_Server  BVCO9U         Vendor       MANAGER            DELETE
Accounting_Server  BVCO9U         Vendor       MANAGER            INSERT
Accounting_Server  BVCO9U         Vendor       MANAGER            SELECT
Accounting_Server  BVCO9U         Vendor       MANAGER            UPDATE


For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745-6054.

Symantec Corporation

World Headquarters

20330 Stevens Creek Boulevard

Cupertino, CA 95014 USA

+1 (408) 517-8000

1 (800) 721-3934

www.symantec.com

Copyright © 2006 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 01/06

About Symantec

Symantec is the world leader in information security providing a broad range of software, appliances and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec’s Norton™ brand of products is the worldwide leader in consumer security and problem-solving solutions providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, California, Symantec has operations in 40 countries. More information is available at www.symantec.com.