Common Data Security Findings Of A Compliance Audit
  • We have three main agenda items.
  • Information security is what we do – and it is all that we do. Reinforce that we are truly a WORLDWIDE ORGANIZATION.
  • Vanguard’s customer/prospect base includes the largest and most respected organizations in the world. Generally speaking, when a company or organization reaches 500/750 employees, that entity will require the computing power of a mainframe. Although we do have some customers at the lower end of the scale in terms of numbers of employees, the vast majority of our client base has a minimum of 1,000 employees. One of our larger clients has over 300k users. Also important to note is that we show this slide as an inverted pyramid to demonstrate that the entire critical infrastructure rests upon the computing power and, more important, the security of the larger enterprises. Example: every time an ATM is used, an airline reservation is made, a stock is traded online, and for most other computing events a home user might do, chances are the transaction is being processed on a mainframe computer.
  • Martha Stewart – convicted of insider trading. Ken Lay – Enron – convicted of fraud and conspiracy; died while awaiting sentencing; verdicts vacated 10/17 because he cannot appeal. Calisto Tanzi – embezzled 800 million euros from Parmalat and is now in a Milan prison. Bernie Ebbers – WorldCom CEO convicted of securities fraud and conspiracy. His attorney said there is no chance Bernie “cooked the books”. He was sentenced to 25 years and started his sentence on September 26, 2006. Darleen Druyun – caused an illegal conflict of interest between Boeing and the U.S. Government and was convicted of fraud. She served 9 months in prison in 2004. Luke Duffy – NAB currency options trading desk head, was convicted in 2005 and sentenced to 16 months for making unauthorized currency transactions. Liu Jinbao – committed economic crimes including unauthorized distribution for personal reasons in Hong Kong, China, and was given a suspended death sentence. Roland Dumas – implicated in France but fully exonerated.
  • We have three main agenda items. First, we must identify why we need a security “Best Practices” implementation and also clarify why Vanguard’s set of “Best Practices” can be counted on to be effective in implementing a z/OS RACF security framework. Then we will review the Top 10 ranked RACF audit findings in inverse order, meaning we will discuss first the 10th most frequently discovered audit finding we encounter in RACF environments. As part of that discussion we will state the audit finding and, using an approach similar to that found in Vanguard Analyzer and Vanguard INCompliance SmartAssist, we will identify the Risk, give an Explanation of the finding, and specify the high level User Action appropriate to resolve the audit finding. At the end of the webinar we will close by showing Vanguard’s Top Ten Audit Findings on a single slide.

Presentation Transcript

  • Common Data Security Findings of a Compliance Audit
    • About Vanguard
    • Onset of Regulatory Compliance Audits
    • Business Realities of Regulatory Compliance
    • Impact on Information Technology
    • Critical Findings
      • Addressing the Key Implications of Sarbanes-Oxley
      • 10 Common IT Assessment Findings
      • Vanguard’s Top 10 Audit Findings
    • Summary
  • About Vanguard
    • Vanguard Research Institute, Orange, CA, USA
    • Vanguard Integrity Professionals - Nevada, Las Vegas, NV, USA
    • Vanguard Integrity Professionals, Ltd., Berkshire, UK
    • More than 20 distributors/resellers servicing 50+ countries worldwide
    • Founded: 1986
    • Ownership: Privately held
    • Business: Information Security Software, Training, Services, & Solutions
    • Customers: 600 worldwide, 1,400 software licenses
    • Employees: 75+ worldwide
  • Vanguard’s Market (shown as an inverted pyramid)
    • Large Enterprises: 1000+ Employees
    • Medium Businesses: 100-999 Employees
    • Small Businesses: 1-99 Employees
    • Home Users
    • Platforms: IBM zSeries Servers; HP, SUN, UNIX, LINUX; iSeries, pSeries, xSeries
  • In the past
    • Organizations had “self governance” audit programs.
    • Not mandated by external compliance regulations.
    • Initially annual audits but turned into “periodic” audits.
    • Performed by internal and/or external auditors.
  • Lack of effective self governance (examples: Martha Stewart, Ken Lay, Darleen Druyun, Luke Duffy, Calisto Tanzi, Bernie Ebbers, Liu Jinbao, Roland Dumas) led to regulatory laws and standards
    • Over 150 laws and standards: PIPEDA, CSOX (Bill 198), SOX, GLBA, PCI, HIPAA, FFIEC, FDICIA, Basel II, FISMA, EU Data Directive, California Senate Bill, FDA 21 CFR Part 11, ISO17799 Standard, VISA CISP
    • For regulatory compliance, demonstrating that internal controls are implemented and enforced properly will mean the difference between passing and failing a compliance audit.
    • Failing a compliance audit will result in unplanned and costly remediation expenses.
    • Further, sanctions, fines, or legal action can be taken against corporations and officers for failure to meet regulatory compliance requirements.
  • Impact on Information Technology
    • More compliance requirements, resulting in extra workload but with the same number of resources.
    • Upper Management now has fiduciary responsibility for accurate financial reporting.
    • Auditors’ requests generate time consuming discovery efforts.
    • New compliance regulations call for continuous IT internal controls monitoring.
  • But it has provided a valuable result: Use of Internal Control Frameworks (COBIT, COSO, ISO17799, ITIL), providing a Security Framework Process
    • Established Security Policies
    • Self Governance Audits
    • Regulatory Compliance Audits
    • Remediation
    • Security Policy Enforcement
      • Intrusion Monitoring
      • Security Best Practices Monitoring
      • Timely Notification
      • Auto-correction
  • 10 Common Critical Audit Findings
    • From the IBM Compliance Solutions White Paper titled “Addressing the Key Implications of Sarbanes-Oxley”.
    • A collaborative work identifying 10 Common IT Audit Findings.
    • Based on interviews between IBM and its customers and interviews between IBM and its Business Partners that perform audits.
    “IBM has developed a prescriptive approach to the most common findings identified through the internal audits of IBM customers.”
  • Security Management
    • Finding: Inadequate controls for user IDs and association of privileges for access to sensitive data.
    • Remediation Strategy: Implement identity management processes to manage user identity life cycle and maintenance of access privileges.
    • Issues and Comments:
      • Modeling Users.
      • Obsolete User IDs.
      • Transferred Users.
  • Security Management
    • Finding: Inadequate segregation of duties for granting access to sensitive information, records, and data.
    • Remediation Strategy: Implement a standard that requires all requests for access to sensitive systems to be approved and documented by a separate individual.
    • Issues and Comments:
      • Fox guarding the hen house.
      • Data owners not approving access.
  • Security Management
    • Finding: Lack of controls over sensitive data access and updates through ODBC or other methods outside of a company’s ERP or accounting applications.
    • Remediation Strategy: Implement database level controls to monitor and manage all access, updates, inserts and deletions made to the sensitive data from the accounting applications as well as other desktop tools…
    • Issues and Comments:
      • Enterprise data security.
      • Field level controls versus file level controls.
  • System Management
    • Finding: Inadequate IT system change management controls for operating systems and applications.
    • Remediation Strategy: Implement an automated system change management system.
    • Issues and Comments:
      • Rather unheard of in these times.
      • Perhaps it exists but is not always followed.
  • Standards and Practices
    • Finding: Inadequate data retention controls for access logs and sensitive data.
    • Remediation Strategy: Implement an automated system to back up and archive the audit logs and sensitive data.
    • Issues and Comments:
      • How often and how much is mandated by law.
      • Implemented through internal policies.
  • System Resources Management
    • Finding: Inadequate documentation of system configurations, policies and standards.
    • Remediation Strategy: Implement an automated tool to collect and compare all system configurations to the organization’s defined baseline for computer systems in specific security “zones” of control.
    • Issues and Comments:
      • But configurations are so complex and change so frequently.
      • Documentation is just no fun.
  • Monitoring
    • Finding: Inadequate audit logs for data access, update, delete and insert operations.
    • Remediation Strategy: Implement an enterprise audit logging solution that captures all activity from users accessing and updating sensitive data.
    • Issues and Comments:
      • Lack of logging knowledge.
      • It’s too much data!
  • Monitoring
    • Finding: Inadequate audit logs for privilege changes to user IDs.
    • Remediation Strategy: Implement a role-based access control system and processes for assigning data access and use privilege.
    • Issues and Comments:
      • Lack of logging knowledge.
      • I’m not sure of this remediation strategy.
  • Monitoring
    • Finding: Inadequate monitoring of sensitive systems for availability and support for timely reporting of sensitive data activity.
    • Remediation Strategy: Implement an automated monitoring system for uptime and availability for sensitive systems.
    • Issues and Comments:
      • Does monitoring uptime require an automated system?
      • Timely reporting is an issue.
  • Security Framework
    • Finding: Inadequate controls and processes for risk management and security threat monitoring under the COSO and ITIL frameworks.
    • Remediation Strategy: Implement an automated system for collecting and correlating all security events from systems across the enterprise.
    • Issues and Comments:
      • Sounds more like a goal than a process.
      • If feasible, a huge and extremely costly undertaking.
      • Home, mother, apple pie.
  • Vanguard’s 10 Common Audit Findings
    • Data Sets allowed to be unprotected. (Critical)
    • Excessive use of extraordinary user ID privileges. (High)
    • Inadequate protection for Infrastructure Data. (Critical)
    • Excessive number of Data Set Rules in WARNING Mode. (Critical)
    • User defined programs allowed to bypass Data Set authorization checking. (Critical)
    • Sensitive and Critical Data with broad public access. (Critical)
    • Inappropriate System Tasks with “super user” privileges. (Critical)
    • Inadequate Security Event Monitoring and Reporting. (Critical)
    • Application Production Task User IDs with inappropriate access to all Data Sets. (Critical)
    • Excessive number of Inactive User IDs. (Moderate)
    Levels of Risk: Critical, High, Moderate
  • Vanguard’s 10 Common Audit Findings
    • Excessive use of RACF extraordinary attributes. (High)
    • Inadequate protection for Authorized Program Facility (APF) Libraries. (Critical)
    • Excessive number of Dataset Profiles in WARNING Mode. (Critical)
    • User entries in the Program Properties Table (PPT) with the Bypass Password Protection attribute. (Critical)
    • Sensitive and Critical Dataset Profiles with Universal Access (UACC) greater than READ. (Critical)
    • Inappropriate Started Tasks with the Privileged or Trusted attribute. (Critical)
    • Inadequate Security Event Reporting. (Critical)
    • Production Job Userid(s) with inappropriate access to all datasets in the z/OS environment. (Critical)
    • Excessive number of Inactive Userids. (Moderate)
    Levels of Risk: Critical, High, Moderate
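As an added example (not code from the Vanguard presentation or its products), the Python below checks a constructed, simplified set of RACF records against five of the findings listed above: dataset profiles in WARNING mode, sensitive profiles with UACC above READ, started tasks carrying the PRIVILEGED or TRUSTED attribute, userids holding SPECIAL/OPERATIONS/AUDITOR, and inactive userids. The record layout, the "sensitive" flag on a profile and the 90-day inactivity threshold are assumptions; a real check would read a RACF database unload rather than the inline sample.

```python
from datetime import date

# RACF dataset access levels, least to most privileged (standard RACF semantics).
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
# Real RACF user attributes the presentation groups as "extraordinary".
EXTRAORDINARY = {"SPECIAL", "OPERATIONS", "AUDITOR"}

def uacc_exceeds_read(uacc):
    """True when a profile's universal access (UACC) grants more than READ."""
    return ACCESS_ORDER.index(uacc.upper()) > ACCESS_ORDER.index("READ")

def audit(profiles, started_tasks, users, today, inactive_days=90):
    """Return (risk, finding, subject) tuples. The inactivity threshold and the
    'sensitive' flag are policy inputs assumed for this example."""
    findings = []
    for p in profiles:
        if p["warning"]:
            findings.append(("Critical", "Dataset profile in WARNING mode", p["name"]))
        if p["sensitive"] and uacc_exceeds_read(p["uacc"]):
            findings.append(("Critical", "Sensitive profile with UACC > READ", p["name"]))
    for t in started_tasks:
        # Every PRIVILEGED/TRUSTED task is listed; judging appropriateness is a manual step.
        if t["privileged"] or t["trusted"]:
            findings.append(("Critical", "Started task PRIVILEGED/TRUSTED", t["name"]))
    for u in users:
        if EXTRAORDINARY & u["attributes"]:
            findings.append(("High", "Holds extraordinary attribute", u["userid"]))
        if (today - u["last_access"]).days > inactive_days:
            findings.append(("Moderate", "Inactive userid", u["userid"]))
    return findings

# Constructed sample records (not a real RACF database).
SAMPLE_PROFILES = [
    {"name": "SYS1.PARMLIB", "sensitive": True, "uacc": "UPDATE", "warning": False},
    {"name": "PAYROLL.MASTER", "sensitive": True, "uacc": "READ", "warning": True},
    {"name": "TEST.DATA", "sensitive": False, "uacc": "ALTER", "warning": False},
]
SAMPLE_STARTED_TASKS = [
    {"name": "APPSTC", "privileged": False, "trusted": True},
    {"name": "BATCHSTC", "privileged": False, "trusted": False},
]
SAMPLE_USERS = [
    {"userid": "ADMIN1", "attributes": {"SPECIAL"}, "last_access": date(2006, 9, 1)},
    {"userid": "OLDUSER", "attributes": set(), "last_access": date(2006, 1, 15)},
]

def run_sample():
    """Run the checks against the constructed records as of a fixed date."""
    return audit(SAMPLE_PROFILES, SAMPLE_STARTED_TASKS, SAMPLE_USERS, date(2006, 10, 1))
```

Each tuple carries the risk level the presentation assigns to that finding, so the output can be sorted or filtered the same way the Top 10 slide ranks them.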
  • Summary – Some Final Thoughts
    • To a large degree, regulatory compliance requirements are vague and difficult to quantify.
    • Compliance audits are, for many organizations, among other things a security database remediation exercise.
    • There is a huge overlap creating redundant efforts between internal and external compliance audits.
    • Auditor compliance requirements are not consistent.
    • Even the presence of an IT Security Framework is many times not enough to prevent an audit failure.
    • Regulatory compliance has rejuvenated the audit industry and has created a whole new industry – REMEDIATION
  • Thank you for your time and attention (Grazie – Italian; Merci – French; Danke – German; Gracias – Spanish; Obrigado – Brazilian Portuguese; also in Japanese, Arabic, Tamil, Russian, Simplified Chinese, Traditional Chinese, Hindi, Thai, Korean)