Sarbanes-Oxley Compliance Using The Hitachi ID Identity Management Suite

This Hitachi ID Information Technology, Inc. whitepaper explores the Sarbanes-Oxley Act and how it impacts any company whose shares are publicly traded on a United States stock exchange.

Read about what the Act entails and how it influences information security in these organizations. Learn about Hitachi ID's comprehensive solutions to meet SOX regulations.

The information provided is garnered from years of experience providing identity management solutions to hundreds of corporations.

Document Transcript

Using The Hitachi ID Management Suite to Comply with The Sarbanes-Oxley Act of 2002

© 2014 Hitachi ID Systems, Inc. All rights reserved.
This Hitachi ID Systems, Inc. whitepaper explores the Sarbanes-Oxley Act and how it impacts US-listed publicly traded corporations. Read about what SOX requires in terms of information security. Learn about Hitachi ID Systems' comprehensive identity management solutions and how they help companies meet SOX requirements.

Contents

1 Introduction
2 The Sarbanes-Oxley Act of 2002
3 Relevant Sections
  3.1 Section 201
  3.2 Section 302
  3.3 Section 404
  3.4 Section 409
4 Impact of Sarbanes-Oxley on Information Security
5 Impact of Sarbanes-Oxley on Identity Management
6 Hitachi ID Solutions Meeting Sarbanes-Oxley Requirements
  6.1 The Hitachi ID Identity Management Suite
  6.2 Meeting Sarbanes-Oxley Requirements
7 Summary
1 Introduction

This document includes a brief overview of the Sarbanes-Oxley Act of 2002 (SOX), and describes how it impacts information security in publicly traded, US-listed corporations. The Hitachi ID Identity Management Suite is then introduced, and its use to comply with SOX requirements is described.

Please note that this document does not constitute legal advice. This document represents the best understanding of Hitachi ID of the relevance of this legislation to information security in general and to identity management in particular.

2 The Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 is an Act of the United States Congress, "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."

The Sarbanes-Oxley Act of 2002 was enacted in response to public accounting scandals at Enron, WorldCom, Tyco and elsewhere. It introduces new measures, and amends existing measures, to ensure that financial statements made by publicly traded corporations are accurate, reliable and timely.

The Sarbanes-Oxley Act of 2002 includes the following broad provisions:

• Introduction of a board to oversee registered audit firms.
• Requirements for independence of auditors from other services provided to publicly traded companies.
• Introduction of rules of corporate responsibility, and in particular responsibility for senior officers of public corporations.
• Improved financial disclosures.
• Prohibition of conflicts of interest affecting financial analysts.
• New resources and authority for the Securities and Exchange Commission.
• Rules and penalties regarding fraud.
• Rules and penalties regarding corporate taxes.
• Initiation of studies to further improve the corporate governance environment in the United States.

The Sarbanes-Oxley Act of 2002 was signed into law on July 30, 2002. Large corporations had to comply as of June 15, 2004. Smaller companies had to comply fully by April 15, 2005.
3 Relevant Sections

While the Sarbanes-Oxley Act of 2002 does not make specific mention of information security, it does make reference to sound internal controls, which in turn depend on information security. Some of the relevant highlights from the Act follow.

3.1 Section 201

Among other things, Section 201 prohibits financial auditors from also providing these services:

• Financial information systems design and implementation.
• Management functions or human resources.

Information Security Impact: Since both financial systems and HR may be closely integrated with information security infrastructure, this effectively prevents auditors from becoming closely involved in the design and implementation of information security projects.

3.2 Section 302

Section 302 stipulates that the principal executive officer (CEO) or officers and the principal financial officer (CFO) or officers, or persons performing similar functions, certify in each annual or quarterly report that:

• They are responsible for internal controls.
• They have designed internal controls to ensure that all material financial information is available to the appropriate persons to support preparation of these annual or quarterly reports.
• They have evaluated the effectiveness of the above internal controls in the last 90 days.
• They include in the annual or quarterly report information about their assessment of the effectiveness of internal controls.

The CEO and CFO (or equivalent) must also disclose to their auditors any significant deficiencies in their internal controls, and any fraud that has been discovered and that involves staff with a key role related to internal controls.

Finally, the CEO and CFO must disclose if there were any changes in internal controls, and any corrective action taken to address previous problems with internal controls.
Information Security Impact: This section requires very strong internal controls, and management assurance that the controls are designed and implemented effectively. Internal controls in financial reporting systems require sound security, since these systems cannot be trusted without ensuring:

• Protection of data
• Authentication of users
• Authorization of user actions
• A capability to audit user actions and transactions, in order to create accountability

3.3 Section 404

Section 404 requires that management include in their annual report:

• A statement of responsibility for internal controls.
• An assessment of the current state of internal controls.

This section also requires that registered public accounting firms attest to and report on the assessment of internal controls.

Information Security Impact: This section strengthens the requirement for strong internal controls initially laid out in Section 302.

3.4 Section 409

Section 409 introduces a requirement for public companies to provide "real time" (i.e., very timely) reporting on material changes in the condition and operations of the company.

Information Security Impact: This section implies that internal controls must be so efficient and reliable as to support real-time publication of important business data from ERP and operational systems.
4 Impact of Sarbanes-Oxley on Information Security

Internal controls in a financial system depend on the following information security capabilities:

• Users are reliably authenticated before they can access the system. It should be difficult or impossible for anyone other than a legitimate user to impersonate that user.
• Only authorized users have access to the system. This implies control over the introduction of new users into the system, and an efficient, reliable process to terminate access once it is no longer appropriate.
• Once signed in, users can only perform actions for which they have authority. This implies a strong connection between business processes, which determine what privileges are appropriate to each user, and access controls inside the system.
• Users are assigned rights in a manner that allows one user to monitor the actions of another. This is where traditional financial controls, such as separation of duties, fit into the security structure.
• User actions are recorded in an indelible record. It should be possible to trace user actions after the fact, for audit and accountability reasons.
• Data is protected. This implies encryption of transmitted and stored data, access controls at the data storage layer (filesystem or database), and sound backups.

It is important to note that financial information systems depend on other information systems infrastructure: directories, network operating systems, perimeter defenses, virus protection and more. When considering information security requirements for a financial system, it is essential to protect all of this supporting infrastructure as well.
5 Impact of Sarbanes-Oxley on Identity Management

In the previous section, internal controls were translated into requirements for information security. Next, the information security requirements can be mapped to identity management processes.

• It should be difficult or impossible for anyone other than a legitimate user to impersonate that user. User authentication should be reliable and secure:
  – Passwords must be hard to guess: complex, frequently changing, never reused and never shared.
  – Where other forms of authentication are used:
    – Q&A profiles, frequently used by corporate help desks to authenticate users who forgot or accidentally disabled their passwords, must contain many personal, private question/answer pairs, some standard and some user-defined, to ensure accurate authentication.
    – Hardware tokens must be accompanied by a reasonably long, hard-to-guess and secret password or PIN.
    – Biometric samples must be collected and stored in a secure, reliable fashion (e.g., it is not appropriate to e-mail users a PIN asking them to provide a biometric sample, because then that sample would be no more reliable than the e-mail system and PIN).
• Control over the introduction of new users into the system. Business processes must be connected to user provisioning processes:
  – Automated provisioning may be triggered by users being added to an authoritative system, such as an HR database.
  – A security workflow may be used, allowing business users to request systems access, but ensuring that all requests are properly validated and authorized by suitable managers before they are fulfilled.
• An efficient, reliable process to terminate access once it is no longer appropriate. Business processes must be connected to user deprovisioning processes:
  – Automated deprovisioning may be triggered by users being removed from an authoritative system, such as an HR database.
  – Access reviews should be performed periodically, to ensure that unneeded access rights have, indeed, been removed, and to remove them if not.
  – A security workflow may be used, allowing managers to request access termination for employees or contractors who left the organization.
  – Consolidated administration may be used, to support urgent access termination, when automation or an approvals workflow would take too long.
  – A consolidated directory must be available in any case, to track what login accounts each user has.
• A strong connection between business processes, which determine what privileges are appropriate to each user, and access controls inside the system. This means that business processes must drive granular user access controls, using:
  – A security workflow allowing business users to request and approve appropriate changes to the rights assigned to users.
  – Policy enforcement to ensure that access rights are created and maintained in compliance with policies and standards.
  – Periodic access reviews, to ensure that unneeded access rights have, indeed, been removed, and to remove them if not.
  – An enterprise-wide reporting system to enable business users and auditors to review user access rights that span multiple systems.

Note that not all of the information security requirements in the previous section relate directly to identity management.
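The provisioning, deprovisioning and consolidated-directory processes listed above can be made concrete with a small reconciliation routine. The following Python is an added example written for this page, not Hitachi ID's software or any of its APIs; the HR and account record layouts, the two managed systems ("ad" and "erp"), the 90-day dormancy threshold and the deactivate-then-delete split are all assumptions. It compares a constructed HR feed against logins discovered on the managed systems and emits create, deactivate and delete actions for the clear-cut cases, while routing orphan, dormant and disabled accounts to human review instead of acting on them automatically.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Record layouts are assumptions for this example, not Hitachi ID's schema.

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    status: str                 # "active" or "terminated"

@dataclass(frozen=True)
class Account:
    system: str                 # managed system the login was discovered on
    login: str
    owner_id: Optional[str]     # employee_id the login reconciled to; None = unmatched
    enabled: bool
    last_login: Optional[date]

DORMANT_AFTER = timedelta(days=90)   # assumed review threshold

Action = Tuple[str, str, str]        # (action, system, login or employee_id)

def reconcile(hr_feed: List[HrRecord], accounts: List[Account],
              required_systems: List[str], today: date) -> List[Action]:
    """Compare the authoritative HR feed with discovered accounts.
    create / deactivate / delete can be applied by automation;
    review_* items are routed to a human approver instead."""
    hr: Dict[str, HrRecord] = {r.employee_id: r for r in hr_feed}
    owned: Dict[str, Set[str]] = {}   # employee_id -> systems where a login exists
    actions: List[Action] = []

    for a in accounts:
        if a.owner_id is None or a.owner_id not in hr:
            # No identity in the system of record: an orphan. Never auto-delete;
            # it may be a service account or a bad reconciliation match.
            actions.append(("review_orphan", a.system, a.login))
            continue
        if hr[a.owner_id].status == "terminated":
            # Deactivate first; a login that is already disabled is deleted on a later run.
            actions.append(("deactivate" if a.enabled else "delete", a.system, a.login))
            continue
        owned.setdefault(a.owner_id, set()).add(a.system)
        if not a.enabled:
            # Active owner, disabled login: surface it rather than creating a duplicate.
            actions.append(("review_disabled", a.system, a.login))
        elif a.last_login is None or today - a.last_login > DORMANT_AFTER:
            actions.append(("review_dormant", a.system, a.login))

    # Active people who lack a login on a system every employee must have.
    for rec in hr_feed:
        if rec.status != "active":
            continue
        for system in required_systems:
            if system not in owned.get(rec.employee_id, set()):
                actions.append(("create", system, rec.employee_id))
    return sorted(actions)

TODAY = date(2014, 6, 1)

# Constructed sample data, chosen to exercise every branch above.
HR_FEED = [
    HrRecord("E100", "Alice", "active"),
    HrRecord("E200", "Bob", "terminated"),
    HrRecord("E300", "Carol", "active"),
]
ACCOUNTS = [
    Account("erp", "alice", "E100", True, TODAY - timedelta(days=5)),
    Account("ad", "alice", "E100", True, TODAY - timedelta(days=1)),
    Account("erp", "bob", "E200", True, TODAY - timedelta(days=30)),    # left, still enabled
    Account("ad", "bob", "E200", False, None),                          # already disabled
    Account("erp", "svc_old", None, True, TODAY - timedelta(days=200)), # unmatched login
    Account("erp", "dwilson", "E999", True, TODAY - timedelta(days=2)), # owner not in HR
    Account("ad", "carol", "E300", True, TODAY - timedelta(days=120)),  # unused for 120 days
]

def sample_reconciliation() -> List[Action]:
    return reconcile(HR_FEED, ACCOUNTS, ["ad", "erp"], TODAY)

if __name__ == "__main__":
    for action, system, subject in sample_reconciliation():
        print(f"{action:16} {system:4} {subject}")
```

The split between actions that automation applies and items that go to review is the important design choice: a terminated employee's enabled login is unambiguous, but an unmatched login or one that has gone unused may be a service account or a mis-reconciled identity, and deleting it automatically would trade a control weakness for an outage.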
6 Hitachi ID Solutions Meeting Sarbanes-Oxley Requirements

6.1 The Hitachi ID Identity Management Suite

The Hitachi ID Identity Management Suite is a complete, enterprise class solution that includes:

• Hitachi ID Password Manager: self-service management of passwords, PINs and encryption keys.

  Password Manager is an integrated solution for managing user credentials across multiple systems and applications. Organizations depend on Password Manager to simplify the management of those credentials for users, to reduce IT support cost and to improve the security of login processes. Password Manager includes password synchronization, self-service password reset, enterprise single sign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics and emergency recovery of full disk encryption keys.

  Password Manager reduces the cost of password management using:
  – Password synchronization, which reduces the incidence of password problems for users.
  – Self-service password reset, which empowers users to resolve their own problems rather than calling the help desk.
  – Streamlined help desk password reset, to expedite resolution of password problem calls.

  Password Manager strengthens security by providing:
  – A powerful password policy engine.
  – Effective user authentication, especially prior to password resets.
  – Password synchronization, to help eliminate written-down passwords.
  – Delegated password reset privileges for help desk staff.
  – Accountability for all password changes.
  – Encryption of all transmitted passwords.

  To find out more about Password Manager, visit http://Hitachi-ID.com/Password-Manager.

• Hitachi ID Identity Manager: user provisioning, RBAC, SoD and access certification.

  Identity Manager is an integrated solution for managing identities and security entitlements across multiple systems and applications. Organizations depend on Identity Manager to ensure that users get security entitlements quickly, are always assigned entitlements appropriate to their needs and in compliance with policy, and are deactivated reliably and completely when they leave the organization.

  Identity Manager implements the following business processes to drive changes to users and entitlements on systems and applications:
  – Automation: grant or revoke access based on data feeds.
  – Synchronization: keep identity attributes consistent across applications.
  – Self-service: empower users to update their own profiles.
  – Delegated administration: allow business stake-holders to request changes directly.
  – Certification: invite managers and application owners to review and correct entitlements.
  – Workflow: invite business stake-holders to approve or reject requested changes.

  Identity Manager strengthens security by:
  – Quickly and reliably removing access to all systems and applications when users leave an organization.
  – Finding and helping to clean up orphan and dormant accounts.
  – Assigning standardized access rights, using roles and rules, to new and transitioned users.
  – Enforcing policy regarding segregation of duties and identifying users who are already in violation.
  – Ensuring that changes to user entitlements are always authorized before they are completed.
  – Asking business stake-holders to periodically review user entitlements and either certify or remove them, as appropriate.
  – Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.
  – Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.

  Identity Manager reduces the cost of managing users and security entitlements:
  – Auto-provisioning and auto-deactivation leverage data feeds from HR systems to eliminate routine, manual user setup and tear-down.
  – Self-service eliminates IT involvement in simple updates to user names, phone numbers and addresses.
  – Delegated administration moves the responsibility for requesting and approving common changes, such as for new application or folder access, to business users.
  – Identity synchronization means that corrections to user information can be made just once, on an authoritative system, and are then automatically copied to other applications.
  – Built-in reports make it easier to answer audit questions, such as "who had access to this system on this date?" or "who authorized this user to have this entitlement?"

• Hitachi ID Access Certifier: periodic review and cleanup of security entitlements.

  Access Certifier is a solution for distributed review and cleanup of users and entitlements. It works by asking managers, application owners and data owners to review lists of users and entitlements. These stake-holders must choose to either certify or revoke every user and entitlement. Access Certifier is included with Identity Manager at no extra cost.
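The two audit questions quoted above ("who had access to this system on this date?" and "who authorized this user to have this entitlement?") and the segregation-of-duties check are all answerable from a change history of grants and revokes. The following Python is an added example written for this page, not Identity Manager's own data model or reporting; the change-record layout, the sample accounts-payable entitlements, the single SoD rule and the self-approval check are assumptions. It replays a constructed history to reconstruct point-in-time entitlements, flags users holding conflicting entitlements, and reports who requested and approved a given grant.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Change:
    when: date
    user: str
    system: str
    entitlement: str
    action: str          # "grant" or "revoke"
    requested_by: str
    approved_by: str

# Constructed change history (sample data for this example, not real audit records).
HISTORY = [
    Change(date(2014, 1, 6), "alice", "erp", "ap_create_vendor", "grant", "alice", "mgr_bob"),
    Change(date(2014, 1, 6), "carol", "erp", "ap_approve_payment", "grant", "carol", "mgr_bob"),
    Change(date(2014, 2, 3), "alice", "erp", "ap_approve_payment", "grant", "alice", "mgr_dave"),
    Change(date(2014, 3, 10), "alice", "erp", "ap_create_vendor", "revoke", "mgr_bob", "mgr_bob"),
    Change(date(2014, 3, 12), "erin", "erp", "gl_post_journal", "grant", "erin", "erin"),
]

# Assumed segregation-of-duties rule: nobody may both create vendors and approve payments.
SOD_RULES = [("ap_create_vendor", "ap_approve_payment")]

def entitlements_at(history: List[Change], system: str, as_of: date) -> Dict[str, Set[str]]:
    """Replay grants and revokes up to and including as_of to answer
    'who had access to this system on this date?'."""
    state: Dict[str, Set[str]] = {}
    for c in sorted(history, key=lambda c: c.when):
        if c.system != system or c.when > as_of:
            continue
        held = state.setdefault(c.user, set())
        if c.action == "grant":
            held.add(c.entitlement)
        elif c.action == "revoke":
            held.discard(c.entitlement)
    return {user: held for user, held in state.items() if held}

def sod_violations(entitlements: Dict[str, Set[str]],
                   rules: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Users who hold both halves of any conflicting-entitlement pair."""
    return sorted((user, a, b) for user, held in entitlements.items()
                  for a, b in rules if a in held and b in held)

def who_authorized(history: List[Change], user: str, system: str,
                   entitlement: str) -> Optional[Tuple[str, str, date]]:
    """Answer 'who authorized this user to have this entitlement?' from the latest grant."""
    grants = [c for c in history if c.user == user and c.system == system
              and c.entitlement == entitlement and c.action == "grant"]
    if not grants:
        return None
    latest = max(grants, key=lambda c: c.when)
    return (latest.requested_by, latest.approved_by, latest.when)

def self_approved(history: List[Change]) -> List[Tuple[str, str, date]]:
    """Grants whose requester also approved them (assumed policy check)."""
    return [(c.user, c.entitlement, c.when) for c in history
            if c.action == "grant" and c.requested_by == c.approved_by]

if __name__ == "__main__":
    snapshot = entitlements_at(HISTORY, "erp", date(2014, 2, 15))
    print("erp access on 2014-02-15:", {u: sorted(e) for u, e in snapshot.items()})
    print("SoD violations:", sod_violations(snapshot, SOD_RULES))
    print("alice/ap_approve_payment authorized by:",
          who_authorized(HISTORY, "alice", "erp", "ap_approve_payment"))
    print("self-approved grants:", self_approved(HISTORY))
```

Replaying the history rather than querying current state is what makes the point-in-time question answerable: the February snapshot shows alice briefly holding both conflicting entitlements, a violation that is invisible once the March revoke is applied, and the grant record keeps the requester and approver separate so that a self-approved change stands out.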
6.2 Meeting Sarbanes-Oxley Requirements

As described in Section 4 on Page 4 and Section 5 on Page 5, the Sarbanes-Oxley Act of 2002 implies internal controls over financial and related systems, and these controls include effective management of user identity information and user access to systems. The following list captures the identity management capabilities required to implement effective internal controls:

Requirement: Password management
Supporting Hitachi ID products: Password Manager
Details: Password policy enforcement, global password expiration, open-ended password history, password synchronization to discourage written passwords.

Requirement: Automated deprovisioning
Supporting Hitachi ID products: Identity Manager
Details: A data feed from a system of record, such as HR, or from managed systems, to identify inactive IDs, is periodically read by Identity Manager. Identity Manager responds by first deactivating and later deleting access.

Requirement: Access reviews and certification
Supporting Hitachi ID products: Access Certifier
Details: Managers, application owners and group owners can be required to periodically review a list of users, login accounts and security group membership within their scope of authority. They identify anomalies, which are routed through the Identity Manager workflow engine for authorization prior to revocation.

Requirement: Q-A profile administration
Supporting Hitachi ID products: Password Manager
Details: Registration of complex, secure Q-A authentication profiles. Use of this data in both self-service and assisted password reset processes.

Requirement: Hardware token management
Supporting Hitachi ID products: Password Manager
Details: Secure, authenticated administration of tokens, including PIN management, clock synchronization, etc. Use of two-factor authentication (hardware token + PIN) as an authentication method when providing password resets.

Requirement: Biometric registration
Supporting Hitachi ID products: Password Manager
Details: Automated, authenticated, unattended processes to manage the registration of biometric samples. Use of biometrics as an authentication method when providing password resets.

Requirement: Automated provisioning
Supporting Hitachi ID products: Identity Manager
Details: Automated polling of user profile data from authoritative systems such as HR or corporate directories is connected to filtering and transformation rules, and triggers automatic setup of appropriate privileges for new or changed users.
Requirement: Security requests workflow
Supporting Hitachi ID products: Identity Manager
Details: Business users can request the privileges they require for themselves, peers or subordinates. Requests are validated by automation and authorized by appropriate stake-holders before being automatically applied to target systems.

Requirement: Consolidated user administration
Supporting Hitachi ID products: Identity Manager
Details: Web-based management of users across every system in the enterprise, supporting central security administrators to promptly create, modify or terminate access rights when time is short.

Requirement: A consolidated directory
Supporting Hitachi ID products: Password Manager, Identity Manager
Details: An auto-discovery process to collect login ID, group membership and attribute data from managed systems, nightly. A reconciliation process to connect login IDs across systems to individual users, to support global management of passwords, access rights and reporting.

Requirement: An enterprise-wide reporting system
Supporting Hitachi ID products: Identity Manager
Details: User access rights and access change history are collected into an open database. Pre-built reports support common reporting requirements, while an open, documented schema and ODBC access allow organizations to implement their own enterprise-wide access reports.

Requirement: Policy enforcement
Supporting Hitachi ID products: Identity Manager, Password Manager
Details: Enforcement of password quality, authentication, access rights, authorization and other policies across the entire enterprise.
7 Summary

As described in this document, the Sarbanes-Oxley Act of 2002 introduces formal requirements for publicly traded companies to implement strong internal controls, and for corporate officers to design, review and sign off on those controls. Internal controls imply information security, which in turn requires sound identity management practices.

The Hitachi ID identity management suite includes robust, secure, scalable and deployable technology to implement these identity management processes. It secures processes including:

• User authentication.
• Definition of user authorizations.
• Periodic access certification, leading to executive assurance of current controls.

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/sox/mtech-sox-6.tex Date: Nov 7, 2006