Howerton.doc
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Howerton.doc

on

  • 398 views

 

Statistics

Views

Total Views
398
Views on SlideShare
398
Embed Views
0

Actions

Likes
0
Downloads
1
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Howerton.doc Document Transcript

  • 1. Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools Reviewed by: Andy Howerton
  • 2. The book Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools, written by Christian B. Lahti is a guide for IT professionals to the ins and outs of IT auditing. The book goes through the practices and procedures that can be undertaken by IT staff to smooth out the audit process and make it easy to interface with the auditors. The book begins by telling what is does and does not do. They begin by telling the reader that they will later explain some of the business aspects of the SOX compliance. The authors will also later explain IT strategies using open sources tools to make the process easier. They then tell the reader what this book does not do for you. They do not show you “how to pass your SOX Audit” (5). There is not a template to be placed on compliance with a SOX Audit as all businesses are different in many ways. The authors also provide a disclaimer that they are not responsible for anything you do with their suggestions as they are suggestions and they bare no responsibility for your actions in your audit. The book then leads into COBIT, which stands for Control Objectives for Information and Related Technology. It describes ITIL, Six Sigma, but states that COBIT is the most widely accepted standard for Sarbanes-Oxley compliance (35). The book goes over general controls of COBIT and the risks involved with each control in this portion of the book. In this section the book also briefly describes each of the four COBIT domains. They are Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring. As I could tell from the table of contents these seem to be the major components of the COBIT standard of compliance because they each have their own chapter in this book. The book then dives into The Cost of Compliance in its third chapter. Here they discuss the adverse affects of non-compliance. One possibility is that a company may have lawsuits brought against it and suffer negative publicity. If an officer in a company unintentionally files an inaccurate certification they can receive a fine up to one million
  • 3. dollars and a ten year prison sentence. If an officer intentionally files an inaccurate certification they are subject to fines up to five million dollars and a jail sentence up to twenty years. One thing the book notes is that with the compliance to Sarbanes-Oxley a company can actually iron out some of its smaller problems and deficiencies. Here they also discuss COBIT Control Objectives and how they fit into four main categories. The four main categories are Security, Change Management, Monitoring, and Logical Access. In the category of Security they discuss tools to manage the security of the company. Shorewall, Astaro Security Linux, and Snort are available to aid a company in their SOX compliance efforts. Shorewall is “An iptables-based firewall for Linux systems” (65). “Key features of Shorewall include:  Customizable using configuration files  Supports status monitoring with an audible alarm when an “interesting” packet is detected  Includes a fallback script that backs out the installation of the most recent version of Shorewall, and an uninstall script for completely uninstalling the firewall  Can be used on a dedicated firewall systems, a multifunction gateway/router/server, or on a stand- alone GNU/Linux system  Static NAT is supported  Proxy ARP is supported  Provides DMZ functionality  Support for IPsec, GRE, and IPIP tunnels  Support for traffic control/shaping” (64-65) Astaro Security Linux is “An all-encompassing network security gateway composed of a firewall, intrusion protection, virus protection, SPAM protection, URL filtering, and a VPN gateway” (65). “Key features include:  Stateful packet inspection
  • 4.  Deep packet filtering  Application-level intrusion detection  Content filtering  Virus detection for e-mail traffic (SMTP and POP3)  Web traffic (HTTP), whitelists and blacklists  IPsec and PPTP VPN tunneling  SPAM blocking, logging and reporting” (65) Smoothwall “is another open source firewall” (65). “Key features include:  Automated modem/advanced ISDN autoprobing  Ethernet ADSL/cable, USB ADSL  Supports multiple Ethernet cards  Web manageable  Has SSH and DHCP capabilities  Full firewall logging and auditing functionality” (65) Snort is “An intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks” (66). The book then continues with a section on Monitoring tools to help with Sarbanes- Oxley compliance. They include Nagios, Big Brother, Tripwire, Sentinel, and Linux-HA Heartbeat. They also discuss three backup tools including AMANDA, Bacula, and the Hydra Backup System. Nagios is a host service monitor designed to detect network and services performance issues, based on user-defined thresholds. Big Brother is similar to Nagios and is designed to monitor system and network-delivered services for availability. Tripwire is a system integrity checker that compares properties of designated files and directories against information stored in a previously generated database. Sentinel is a fast file scanner similar
  • 5. to Tripwire or Viper with built-in authentication using the RIPEMD 160-bit MAC hashing function. Linux-HA Heartbeat provides a heartbeat and IP address takeover functions for a high-availability Linux cluster. The backup tool AMANDA stands for Advanced Maryland Automatic Network Disk Archiver and is a backup system that allows a LAN administrator to set up a single master backup server to back up multiple hosts to a single large capacity tape drive. Bacula is a network-based backup program that is a set of computer programs that allow a system administrator to manage backup, recovery, and verification of computer data across a network of computers of different kinds. Hydra Backup System is a backup system that contains a backup server, a command-line client, and a graphical client. (66 - 68) The book then leads into why use open source tools. This portion of the book is very commendable in its attribution to open source tools. It talks about how the quality of open source tools are better because they can be worked on by the public and have the benefit of constant peer reviews by other developers. Basically, there is not much need to be said or explained because the intended readers, Dr. Lyle and possibly Dr. Pilgrim, know about all the benefits of open source technologies. As briefly mentioned earlier in the book Planning and Organization has its own chapter and is a big part of the COBIT Domain. It starts by reminding the reader that COBIT is a set of strategies to follow for SOX auditing and for that reason COBIT and SOX are two very different things. There are thirty-six sub-points to this section that are somewhat beyond the scope of this paper but basically go into greater depth as to what Planning and Organization means. To sum it up they are a plan to keep the IT department up and running, using up to date technology based on their budget, manage your human resources well, assess your risks, and manage projects and quality.
  • 6. The next chapter is on the Acquisition and Implementation section of the COBIT domains. They further explain what Acquisition and Implementation is in twenty-nine sub- points that can be summed up as the need for automated solutions, acquiring and maintaining application software and technology infrastructure, develop and maintain procedures, install and accredit systems, and change management. Delivery and Support is the next domain that has its own chapter with fifty small sections that describe Delivery and Support. These are summed up as needing to define and manage service level agreements, managing third-party services, managing performance and capacity, ensuring continuous service, ensuring systems security, identifying and allocating costs, educating and training users, assisting and advising customers, managing the configuration, managing problems and incidents, managing data, managing facilities, and managing operations. The last domain is Monitoring and the book goes through examples of monitoring processes using the aforementioned monitoring program Nagios. It also explains what Monitoring means through Plan, Do, Check, Act (PCDA). Plan means to design or reverse business-process components to improve results. Do is to implement the plan and measure its performance. Check means to assess the measurements and report the results to the decision makers. Finally, Act is to decide on the changes that are needed to improve the process. This book did a good job of telling the reader what is a good cookie cutter example of how to prepare a company for a SOX audit. All is needed after reading this book is to fine tune the tools presented in its text into your business atmosphere. On a bit of a side note, it is rather funny but as I was reading this book all I could think about was my CSC 310 class. All of the actions needed to be taken for the Sarbanes- Oxley auditing process are Database Administrator tasks. This means that if you go into a
  • 7. job for any kind of database work or network administration work you will have to directly implement the practices for the auditing process.
  • 8. Works Cited: Lahti, Christian. Sarbanes-Oxley : IT compliance using COBIT and open source tools. Rockland, MA : Syngress Pub. Inc., c2005.