Page 1

How IT is affected by Sarbanes-Oxley Act – or is it?

Carol Woodbury
[email protected]

SkyView Partners (World Class Security Experts)
www.skyviewpartners.com

© Copyright 2004 SkyView Partners LLC. All rights reserved.

Page 2

WEBCAST SCHEDULE

Today’s event will run one-hour long. Here are the expected times for each segment of the webcast:

:00 – :05: Moderator introduces the speaker and discusses the details of the Webcast.

:05- :35: Speaker delivers a PowerPoint presentation on the webcast topic.

:35- :60: Moderator and speaker engage in a Q&A on the topic.

You can submit questions to the speaker at any time during the event. Just click on the “Ask a Question” button in the lower left corner of your screen.

Page 3

TECHNICAL FAQs

Here are answers to the most common technical problems users encounter during a webcast:

Q: Why can’t I hear the audio part of the webcast?

A: Try increasing the volume on your computer.

Q: I just entered the webcast and do not see the slide that the speaker is referring to. What should I do?

A: The slides are constantly being pushed to your screen. You should refresh (hit F5) to view the latest slide.

If your question is still not answered, please click the “Ask a Question” button in the lower left corner of your screen and submit your problem. A technical support person will respond immediately.

You can also visit the Broadcast Help page for more information or to test your browser compatibility. Click here: http://help.yahoo.com/help/bcst/


Page 5

Disclaimer

This presentation is for educational purposes only and is not intended as an endorsement of any vendor or vendor product mentioned during this webcast.

Page 6

Agenda

Description of Sarbanes-Oxley Act

What we’re seeing

What this means

Tips

Page 7

Sarbanes-Oxley Act

Legislation passed in 2002 to prevent another Enron/Arthur Andersen fiasco.

Section 302 – Corporate accountability

Section 404 – Internal controls over financial reporting
  Requires supporting documentation

Page 8

Security statements in SOX

Page 9

Accounting firms

SOX auditing firms
  Must meet certain criteria and be registered as a SOX audit firm
  Cannot be the same firm that remediates issues discovered
  Requiring sound data security practices before signing the audit

Page 10

COBIT – process for managing risk

Provides a process to assess and manage risk and balance that risk against benefits to the business.

Centered around IT processes

Four domains
  Each domain is divided into IT processes (34)
  Each IT process is divided into control objectives (318)

Page 11

ISO17799

Implementation Guidelines for IT Security

Sections include
  Security policy
  Organization security
  Asset classification and control
  Personnel security
  Physical and environmental security
  Communications and operations management
  Access control
  System development and maintenance
  Business continuity management
  Compliance with legal requirements

Page 12

What does this mean?

Need to
  Assess your risks
  Come up with a plan to mitigate the risks
  Implement a sound security scheme

Page 13

Audit checklist

System values set to best practices

Users
  Get rid of default passwords
  Get rid of old profiles or accounts
  Examine users that have been given privileges (special authorities); remove them if not part of the user’s job function:
    *ALLOBJ
    *AUDIT
    *SECADM
    *IOSYSCFG

Object authorities
  *PUBLIC(*ALL)
  Authority of libraries and directories containing sensitive applications
  Authority of files containing confidential or private data

TCP/IP configurations

Page 14

What systems need to be examined?

All production systems
  Production
  Development, when connected to the network and able to access production

Page 15

Missing documentation

Security policy
  Standards
  Processes

Disaster recovery plan

Steps toward remediation
  Initial reports
  Periodic reports
  Plans and sign-offs of major changes

Page 16

Policy

Corporate Security Policy

Policy – A guiding principle, typically established by senior management, that is adopted by an organization or project to influence and determine decisions

Standards – Mandatory requirements employed and enforced to prescribe a disciplined, uniform approach to achieving an objective; that is, mandatory conventions and practices are in fact standards.

Procedures – A series of defined activities carried out to accomplish a task or operation

Best practices – Superior performance within a function, independent of industry, leadership, management, or operational method or approach, that leads to exceptional performance

Page 17

Policy vs. Standard vs. Procedure

Policy
  Each user will have a unique account
  Privileges will be granted based on job classification
  Access to private data will be based on business justification

Standard
  The user’s manager is responsible for requesting an OS/400 user profile for each employee
  Default access
    No special authorities
    Access to the Basic menu
  Additional access
    Approved by the employee’s manager
    Approved by the application owner
  The user’s manager and HR are responsible for notifying IT that the user has left the company

Procedure
  Create the user profile by taking Option 1 from the Administration Menu
  Naming convention is the first 7 characters of the last name plus the first letter of the first name
  For end users and programmers the special authorities granted are *NONE
  For operators the special authorities granted are *SAVSYS and *JOBCTL
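The audit checklist on page 13 and the procedure above describe the same control from two sides: the procedure says which special authorities each role may hold and how profiles are named, and the checklist says to find profiles that break those rules. The script below is an added example, not SkyView's code or an IBM tool; it screens constructed user profile records against both, treating "default password" as a password equal to the profile name, and the 90-day staleness threshold is an assumption.

```python
from datetime import date

# Special authorities the procedure slide grants per job role.
ALLOWED_BY_ROLE = {
    "end user": set(),
    "programmer": set(),
    "operator": {"*SAVSYS", "*JOBCTL"},
}
# The four authorities the audit checklist tells you to look for.
HIGH_RISK = {"*ALLOBJ", "*AUDIT", "*SECADM", "*IOSYSCFG"}

def expected_name(last, first):
    """Naming convention from the procedure: first 7 characters of the last name plus first initial."""
    return (last[:7] + first[:1]).upper()

def audit_profile(p, today, stale_days=90):
    """Return the checklist findings for one profile record; stale_days is an assumed threshold."""
    findings = []
    if p["password_is_default"]:            # password equal to the profile name
        findings.append("default password")
    if (today - p["last_signon"]).days > stale_days:
        findings.append("no sign-on in over %d days" % stale_days)
    want = expected_name(p["last"], p["first"])
    if p["name"] != want:
        findings.append("name breaks convention (expected %s)" % want)
    # Anything beyond what the role's standard allows is to be removed.
    for auth in sorted(set(p["special_auth"]) - ALLOWED_BY_ROLE[p["role"]]):
        risk = "high-risk " if auth in HIGH_RISK else ""
        findings.append("%sspecial authority %s not allowed for %s" % (risk, auth, p["role"]))
    return findings

def run_audit(profiles, today):
    """Map each profile name to its findings; an empty list means the profile passes."""
    return {p["name"]: audit_profile(p, today) for p in profiles}

# Constructed sample records (not real users); a real run would be fed from DSPUSRPRF output.
TODAY = date(2004, 6, 1)
PROFILES = [
    {"name": "WOODBURC", "last": "Woodbury", "first": "Carol", "role": "programmer",
     "special_auth": [], "password_is_default": False, "last_signon": date(2004, 5, 28)},
    {"name": "SMITHJ", "last": "Smith", "first": "John", "role": "operator",
     "special_auth": ["*SAVSYS", "*JOBCTL", "*ALLOBJ"], "password_is_default": True,
     "last_signon": date(2004, 5, 30)},
    {"name": "OLDUSER", "last": "Old", "first": "User", "role": "end user",
     "special_auth": ["*AUDIT"], "password_is_default": False, "last_signon": date(2003, 6, 1)},
]

if __name__ == "__main__":
    for name, findings in run_audit(PROFILES, TODAY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```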

Page 18

Security awareness training

Security tip (once a month e-mail)

Posters

Social engineering training

“Appropriate Use Statement” on all computer systems

Periodic review of security policy, especially after updates

Random re-training and acknowledgement of re-reading the policy

Page 19

For more information

Contact SkyView Partners

www.skyviewpartners.com

1-425-457-4975

Page 20

Questions?

Submit your questions now by clicking on the “Ask A Question” button in the left corner of your presentation screen.

Carol will answer your questions shortly after the broadcast.