Sarbanes-Oxley IT Compliance Using
COBIT and Open Source Tools
The book Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools,
written by Christian B. Lahti, is a guide for IT professionals to the ins and outs of IT auditing.
The book goes through the practices and procedures that can be undertaken by IT staff to
smooth out the audit process and make it easy to interface with the auditors.
The book begins by telling the reader what it does and does not do. The authors begin by telling the
reader that they will later explain some of the business aspects of SOX compliance. The
authors will also later explain IT strategies that use open source tools to make the process
easier. They then tell the reader what this book does not do for you. They do not show you
“how to pass your SOX Audit” (5). There is no template for complying with
a SOX audit, as all businesses differ in many ways. The authors also provide a
disclaimer that they are not responsible for anything you do with their suggestions: they are
only suggestions, and the authors bear no responsibility for your actions in your audit.
The book then leads into COBIT, which stands for Control Objectives for
Information and Related Technology. It also describes ITIL and Six Sigma, but states that COBIT is
the most widely accepted standard for Sarbanes-Oxley compliance (35). In this portion of the
book it goes over the general controls of COBIT and the risks involved with each control.
In this section the book also briefly describes each of the four COBIT domains. They
are Planning and Organization, Acquisition and Implementation, Delivery and Support, and
Monitoring. As I could tell from the table of contents, these seem to be the major components
of the COBIT standard of compliance, because they each have their own chapter in this book.
The book then dives into The Cost of Compliance in its third chapter. Here the authors
discuss the adverse effects of non-compliance. One possibility is that a company may have
lawsuits brought against it and suffer negative publicity. If an officer in a company
unintentionally files an inaccurate certification, they can receive a fine of up to one million
dollars and a ten-year prison sentence. If an officer intentionally files an inaccurate
certification, they are subject to fines of up to five million dollars and a jail sentence of up to
twenty years. One thing the book notes is that, through compliance with Sarbanes-Oxley, a
company can actually iron out some of its smaller problems and deficiencies. Here the authors also
discuss COBIT Control Objectives and how they fit into four main categories. The four main
categories are Security, Change Management, Monitoring, and Logical Access.
In the category of Security they discuss tools to manage the security of the company.
Shorewall, Astaro Security Linux, and Snort are available to aid a company in their SOX
compliance efforts. Shorewall is “An iptables-based firewall for Linux systems” (65).
“Key features of Shorewall include:
Customizable using configuration files
Supports status monitoring with an audible alarm when an “interesting” packet is detected
Includes a fallback script that backs out the installation of the most recent version of Shorewall, and an uninstall script for completely uninstalling the firewall
Can be used on a dedicated firewall system, a multifunction gateway/router/server, or on a stand-alone GNU/Linux system
Static NAT is supported
Proxy ARP is supported
Provides DMZ functionality
Support for IPsec, GRE, and IPIP tunnels
Support for traffic control/shaping”
Astaro Security Linux is “An all-encompassing network security gateway composed
of a firewall, intrusion protection, virus protection, SPAM protection, URL filtering, and a
VPN gateway” (65).
“Key features include:
Stateful packet inspection
Deep packet filtering
Application-level intrusion detection
Virus detection for e-mail traffic (SMTP and POP3)
Web traffic (HTTP), whitelists and blacklists
IPsec and PPTP VPN tunneling
SPAM blocking, logging and reporting”
Smoothwall “is another open source firewall” (65).
“Key features include:
Automated modem/advanced ISDN autoprobing
Ethernet ADSL/cable, USB ADSL
Supports multiple Ethernet cards
Has SSH and DHCP capabilities
Full firewall logging and auditing functionality”
Snort is “An intrusion detection system capable of performing real-time traffic
analysis and packet logging on IP networks” (66).
The book then continues with a section on Monitoring tools to help with Sarbanes-
Oxley compliance. They include Nagios, Big Brother, Tripwire, Sentinel, and Linux-HA
Heartbeat. The authors also discuss three backup tools: AMANDA, Bacula, and the Hydra
Backup System. Nagios is a host and service monitor designed to detect network and service
performance issues based on user-defined thresholds. Big Brother is similar to Nagios and is
designed to monitor system and network-delivered services for availability. Tripwire is a
system integrity checker that compares properties of designated files and directories against
information stored in a previously generated database. Sentinel is a fast file scanner similar
to Tripwire or Viper with built-in authentication using the RIPEMD 160-bit MAC hashing
function. Linux-HA Heartbeat provides heartbeat and IP address takeover functions for a
high-availability Linux cluster. The backup tool AMANDA stands for Advanced Maryland
Automatic Network Disk Archiver and is a backup system that allows a LAN administrator
to set up a single master backup server to back up multiple hosts to a single large-capacity
tape drive. Bacula is a network-based backup program, a set of computer programs
that allow a system administrator to manage backup, recovery, and verification of computer
data across a network of computers of different kinds. Hydra Backup System is a backup
system that contains a backup server, a command-line client, and a graphical client (66-68).
The book then leads into why one should use open source tools. This portion of the book is very
commendable in its attribution to open source tools. It talks about how the quality of open
source tools is better because they can be worked on by the public and have the benefit of
constant peer review by other developers. Basically, there is not much that needs to be said or
explained, because the intended readers, Dr. Lyle and possibly Dr. Pilgrim, know all about the
benefits of open source technologies.
As briefly mentioned earlier, Planning and Organization has its own
chapter in the book and is a big part of the COBIT domains. It starts by reminding the reader that COBIT
is a set of strategies to follow for SOX auditing, and for that reason COBIT and SOX are two
very different things. There are thirty-six sub-points in this section that are somewhat beyond
the scope of this paper but basically go into greater depth as to what Planning and
Organization means. To sum them up, they are a plan to keep the IT department up and running,
use up-to-date technology within its budget, manage human resources well, assess
risks, and manage projects and quality.
The next chapter is on the Acquisition and Implementation section of the COBIT
domains. The authors further explain what Acquisition and Implementation is in twenty-nine sub-
points that can be summed up as identifying the need for automated solutions, acquiring and maintaining
application software and technology infrastructure, developing and maintaining procedures, installing
and accrediting systems, and managing change.
Delivery and Support is the next domain that has its own chapter, with fifty small
sections that describe Delivery and Support. These are summed up as needing to define and
manage service level agreements, manage third-party services, manage performance and
capacity, ensure continuous service, ensure systems security, identify and allocate
costs, educate and train users, assist and advise customers, manage the
configuration, manage problems and incidents, manage data, manage facilities, and
The last domain is Monitoring, and the book goes through examples of monitoring
processes using the aforementioned monitoring program Nagios. It also explains what
Monitoring means through Plan, Do, Check, Act (PDCA). Plan means to design or revise
business-process components to improve results. Do is to implement the plan and measure its
performance. Check means to assess the measurements and report the results to the decision
makers. Finally, Act is to decide on the changes that are needed to improve the process.
This book did a good job of giving the reader a good cookie-cutter example of
how to prepare a company for a SOX audit. All that is needed after reading this book is to fine-
tune the tools presented in its text to your business environment.
On a bit of a side note, it is rather funny, but as I was reading this book all I could
think about was my CSC 310 class. All of the actions that need to be taken for the Sarbanes-
Oxley auditing process are Database Administrator tasks. This means that if you go into a
job for any kind of database work or network administration work, you will have to directly
implement the practices for the auditing process.
Lahti, Christian B. Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools.
Rockland, MA: Syngress Publishing, Inc., 2005.