• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Vss wht paper sustainable sox c ompliance made easy
 

Vss wht paper sustainable sox c ompliance made easy

on

  • 517 views

Sustainable SOX Compliance with Tango/04's VISUAL Message Center

Sustainable SOX Compliance with Tango/04's VISUAL Message Center

Statistics

Views

Total Views
517
Views on SlideShare
517
Embed Views
0

Actions

Likes
0
Downloads
4
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Vss wht paper sustainable sox c ompliance made easy Vss wht paper sustainable sox c ompliance made easy Document Transcript

    • Sustainable SOX Compliance Made EasyWith Tango/04 Multiplatform, Real-time Solutions
    • Contents Contents Contents ................................................................................................................................................ 2 Executive Summary ............................................................................................................................. 4 Introduction........................................................................................................................................... 5 Overview of the Sarbanes-Oxley Act .................................................................................................. 6 Impact on IT ...................................................................................................................................... 7 Affected Companies.......................................................................................................................... 7 Compliance Efforts to Date.................................................................................................................. 9 New Guidance from the SEC and PCAOB ........................................................................................ 10 Benchmarking of Automated Controls ............................................................................................ 11 COBIT .................................................................................................................................................. 12 Achieving Sustainable Compliance .................................................................................................. 14 Working with Business Users ......................................................................................................... 14 Integrating Internal Controls............................................................................................................ 14 Automated Tools............................................................................................................................. 15 Continuous Monitoring and Real-time Alerts................................................................................................. 15 Strive for Continuous Improvement................................................................................................. 15 Tango/04 Solutions for SOX Compliance ......................................................................................... 17 Full Operating System Level Coverage .......................................................................................... 19 Databases, Web 2.0 Enablers and other Middleware ..................................................................... 19 Record-level and Field-level Database Auditing ............................................................................. 20 Third Party Security Products, Network Appliances and Device Integration ................................... 20 Business Application Monitoring ..................................................................................................... 20 VISUAL Security Suite Output ........................................................................................................ 21 Business and Enterprise Views..................................................................................................................... 21 Real-time Alerts ............................................................................................................................................. 23 Automated Actions ........................................................................................................................................ 23 Compliance Reports...................................................................................................................................... 24 Ease of Use .................................................................................................................................... 27 Tango/04 Solutions and the COBIT Objectives .............................................................................. 27 Valid for Cross Compliance ............................................................................................................ 27 Extendability ................................................................................................................................... 28 Maximize Your Return on Investment ........................................................................................................... 28 Tying It All Together........................................................................................................................... 29 Multiplatform Cross Compliance ..................................................................................................... 29 Field Proven in Different Industries ................................................................................................. 29 Unique Extensibility......................................................................................................................... 29 Appendix A – Tango/04 Security Solutions...................................................................................... 31 VISUAL Security Suite: List of Controls .......................................................................................... 31© 2007 Tango/04 Computing Group Page 2
    • Contents Tango/04 Solutions Offer Extensive Coverage for the System i ..................................................... 32 Technology Alliances outside of IBM ............................................................................................................ 32 Professional Services ..................................................................................................................... 32 Appendix B - COBIT 4.1 Control Objectives..................................................................................... 33 Process PO6: Communicate Management Aims and Directions .................................................................. 34 Mapping of Tango04 Solutions to COBIT Objectives...................................................................... 34 About Tango/04 Computing Group................................................................................................... 44 Legal notice......................................................................................................................................... 45© 2007 Tango/04 Computing Group Page 3
    • Executive Summary Executive Summary The SOX Act has been around for five years now and many of you have probably spent numerous hours trying to define and implement a rigorous security plan. Because you need to expose your internal control strategy to an outside auditor on an annual basis, the most successful strategies will be based on the notion of sustainable compliance. The best way to achieve sustainability is to: • work with the business side of the house to identify the most critical processes • integrate internal controls into daily procedures • transition manual controls into automated procedures using technology • strive for continuous improvement in your compliance measures. In this document we examine the most recent guidance from the SEC and the new auditing standard (AS 5) released by the PCAOB in an effort to help companies reduce the cost of compliance. We also take a look at the COBIT internal control framework and how it is used by many auditors as a reference point for measuring compliance. Both AS 5 and the latest version of COBIT, Release 4.1, support the notion of using automated tools to facilitate compliance efforts. This white paper also includes an overview of VISUAL Security Suite, the Tango/04 solution for achieving compliance with SOX as well as any other security regulation or industry standard. We’ll show you how the product can successfully be used in your efforts to meet regulatory obligations and protect your corporate data assets while reducing overall compliance costs. For several years now, the Tango/04 security solution has been used by many companies world-wide to facilitate sustainable compliance "VISUAL Security Suite has allowed us with various regulations including SOX. Our technology is field proven to rapidly implement SOX controls, while VISUAL Message Center helps and has been adopted by 7 of the 18 largest banks in the world. keep our IT infrastructure healthy. I love the product." In fact, Henry Schein Inc. – a Fortune 500 distributor of healthcare Don Keating, IT Manager products with global operations based in Melville, NY – is just one of Henry Schein, Inc. our customers to effectively achieve SOX compliance year after year using Tango/04 software. Other well known companies using Tango/04 products include BankBoston, CocaCola, Pfizer, Shell, Office Depot and Nike. Please visit our website at www.tango04.com to view testimonials from satisfied customers and to learn more about our Security and integrated Business Service Management solutions.© 2007 Tango/04 Computing Group Page 4
    • Introduction Introduction We all know that Sarbanes-Oxley (SOX) is not a new regulation – it’s been around since 2002. Since that time you’ve probably read numerous white papers offering advice on compliance strategies. On top of that, you may even have first hand experience in defining and implementing a security plan at your company. What makes this white paper different is the information it contains on sustainable compliance. After all, SOX is not a one shot deal; compliance must be demonstrated every year. So why not make it easy and integrate compliance measures into your business in a way that’s easy and also provides cost benefits? It’s really not too good to be true. Following some basic material on SOX for those of you that are new to the regulation, or want a refresher, we’ll review compliance efforts to date, recent SOX guidance and the COBIT internal control framework. Next, we explain the methodology of sustainable compliance and examine how the Tango/04 automated solution set can help you easily comply with SOX year after year.© 2007 Tango/04 Computing Group Page 5
    • Overview of the Sarbanes-Oxley Act Overview of the Sarbanes-Oxley Act The Sarbanes-Oxley Act of 2002 was introduced to strengthen corporate governance and improve financial reporting by public companies operating in the United States (US). The motivation for the law was the extensive use of improper accounting practices by officers of public companies during the stock market boom of the late 1990s. Earnings and profits were falsely inflated by companies such as Enron and WorldCom, resulting in a decline of public trust in corporate accounting and financial reporting practices. On a micro-level, these financial distortions meant that many CEOs and CFOs earned large bonuses and stock options that did not properly reflect the value they had generated for their shareholders. When the crash arrived, many shareholders, everyday people, found the value of their investments was a fraction of what it had been only months before. On a macro-level, financial reporting is key to the efficient operation of the global economy. Capital is allocated where it delivers the highest return, and the main source of information used by investors to calculate their expected return is the data contained within company financial reports. If those reports are untruthful or misleading, capital will be misallocated, investors will be deceived and the economy will be negatively impacted. As a consequence of these financial misrepresentations, SOX established new accountability standards for corporate boards and auditors. It established guidelines for auditing procedures, the composition of company boards and the governance of everything related to financial reporting. It is in the areas of data protection and financial reporting that SOX impacts the IT department. $ Accounting Practices ERP CRM Financial Reports 10K 10Q Figure 1 – SOX is about financial reporting. It requires auditing controls to be implemented© 2007 Tango/04 Computing Group Page 6
    • Overview of the Sarbanes-Oxley Act Impact on IT Although the SOX Act consists of 11 major Titles and numerous sections, four of them directly impact IT: Sections 302, 404, 409 and 1102. Sections 302 and 404 are particularly compelling for top level management as described below. • Section 302 requires that CEOs/CFO’s assure the accuracy of financial reports and guarantee the data used to compile these reports is correct and has not been manipulated in any way. Because those financial reports are produced using a company’s IT systems, the security and integrity of those systems is a fundamental requirement. • Section 404 is divided into 2 parts and has the greatest impact on the IT department. In fact, the majority of money company’s spend on compliance is linked to meeting Section 404 objectives. − Part (a) requires that each annual report include an "internal control report" indicating that management is responsible for an adequate internal control structure and an assessment of its effectiveness. Any shortcomings or material weaknesses in these controls must be reported. − Part (b) requires that an external auditor attest to, and report on, managements assertions regarding its assessment of the effectiveness of the companys internal controls. • Section 409 requires companies to disclose, on a rapid and current basis (48 hours), information concerning material changes in its financial condition or operations. • Section 1102 imparts penalties for anyone who tampers with a record, document, or other object with the intent to impair the objects integrity or availability for use in an official proceeding. Affected Companies In simple terms, SOX applies to all publicly traded companies in the US, each of their divisions and wholly owned subsidiaries. It also applies to publicly traded, foreign companies doing business in the US. Affected companies are essentially broken up into 2 major categories: accelerated and non-accelerated filers. Accelerated filers, those companies with a capital valuation of more than $75M, were expected to comply with Section 404 of SOX for fiscal years ending on or after November 15, 2004. As a result, these larger corporations are currently in their third year of compliance. Non-accelerated filers, those companies with a capital valuation of less than $75M have been given a reprieve in terms of compliance deadlines. Although the US Securities and Exchange Commission (SEC) feels that SOX is good for investors overall, they have been making attempts to minimize the financial burden that Section 404 imposes, particularly on smaller companies. As a result, the deadline for 404 compliance for non-accelerated filers has been extended several times and the latest ruling states that management must provide the certification required by Section 404 for fiscal years ending after December 15, 2007. However, auditor attestation is not required until fiscal years ending after December 15, 2008.© 2007 Tango/04 Computing Group Page 7
    • Overview of the Sarbanes-Oxley Act Despite this extension, we caution small companies not to delay their compliance efforts. Compliance is good for your business and, if approached properly, it can help you to achieve operational efficiencies and cost reductions. We also recommend that smaller companies take advantage of the opportunity to learn from the experiences of their larger counterparts. So, let’s take a look at compliance efforts to date to see how larger companies have been coping with regulatory mandates over the past several years.© 2007 Tango/04 Computing Group Page 8
    • Compliance Efforts to Date Compliance Efforts to Date It’s important to recognize that although SOX mandates internal control over financial reporting, it does not provide guidance in terms of how to comply. The devil is always in the details and specifics about compliance measures have been left up to individual companies and their auditors. Consequently, in the first year of compliance, many companies identified far too many key control objectives supported primarily by manual processes. Consideration was not given to the extent of risk associated with a process for which an internal control measure was defined, resulting in a substantial effort that concentrated on a number of insignificant business procedures. As companies rushed to meet their deadline, enterprise wide controls were lacking, documentation was developed in silos and duplicate controls were defined. The expense of compliance was high as internal staff and outside consultants worked on defining and documenting controls. At that point in time, passing the Year One audit at all costs outweighed any thoughts of sustainability. In Year Two of compliance, companies focused on correcting the IT deficiencies that were identified in their first SOX audit. Although manual processes were still a large part of compliance efforts, companies were beginning to realize that this approach was costly, not repeatable and simply not sustainable. In Year Three and beyond, with several years of SOX audits under their belts, companies are beginning to recognize the importance of consolidating efforts from an enterprise level and replacing manual processes with automated tools. Clearly understanding that SOX is here to stay, companies are also looking for opportunities to better integrate compliance measures into their daily processes, as opposed to bolting them on to existing procedures. Their goal is to make compliance sustainable, efficient and cost effective for the long run. In the meantime, the SEC has been working in earnest to develop guidelines and better auditing standards for companies to follow. The details of their efforts are described in the next section.© 2007 Tango/04 Computing Group Page 9
    • New Guidance from the SEC and PCAOB New Guidance from the SEC and PCAOB Over the past several years there has been a backlash of complaints from companies trying to comply with SOX. Their main issue is that the SEC has not provided direction in terms of how to comply with SOX, leading to excessive costs as organizations tried to test every possible control without regard to risk. 1 In response, the SEC has been working closely with the Public Company Accounting Oversight Board (PCAOB) to provide direction in order to help companies reduce excessive testing of controls and resultant costs. In June 2007, the SEC published interpretive guidance regarding SOX compliance and in the prior 2 month the PCAOB released a new Auditing Standard (AS 5) based on a top-down approach. While guidance from the SEC is somewhat general, the new PCAOB auditing standard is very specific and based on four primary principles: 1. Focus the Audit on the Most Important Matters Implement a top down, risk based approach where energy is devoted proportionately to areas with the most-to-least impact on financial reporting. 2. Eliminate Unnecessary Procedures Make use of audit knowledge from previous years, particularly noting deficiencies identified in the prior year, in addition to making use of recent, internal audit work. The auditor may also use a benchmarking strategy for automated application controls to reduce testing in subsequent years. 3. Scale the Audit for Smaller Companies External auditors are encouraged to scale the audit based on the size and complexity of the company, rather than taking a one-size-fits-all approach. 4. Simplify the Requirements The level of detail and specificity has been reduced to encourage auditors to apply professional judgment under the facts and circumstances. 1 The SOX Act created the PCAOB - an organization whose purpose is to oversee the auditors of public companies in order to protect the interests of investors. The PCAOB operates under the SEC. 2 AS 5 supersedes AS 2 and is the auditing standard on attestation engagements referred to by Section 404(b) of the SOX Act.© 2007 Tango/04 Computing Group Page 10
    • New Guidance from the SEC and PCAOB Benchmarking of Automated Controls In the new auditing standard, AS 5, it is recognized that automated controls are generally not subject to breakdowns due to human failure and as such, are associated with less risk. As a consequence, AS 5 allows an auditor to use a benchmarking strategy if: • General controls over program changes, access to programs and computer operations are effective and continue to be tested and • The auditor verifies that the automated application control has not changed since the auditor established a baseline (i.e. last tested the application control). In this case, the auditor may conclude that the automated application control continues to be effective without repeating the prior year’s specific tests of the operation of the control. As a result, the previous year’s tests define the benchmark. Based on a number of risk factors, it is up to the auditor to determine whether or not to use a benchmarking strategy, but suffice it to say that the use of automated tools may in fact reduce the amount of time an external auditor needs to spend assessing your security measures which, in turn, reduces cost to your organization. In essence, the new guidance and auditing standard from the SEC and PCAOB is good news. It shows that both entities are making a serious attempt to ease the compliance burden and associated costs for affected companies, while still protecting the public at large.© 2007 Tango/04 Computing Group Page 11
    • COBIT COBIT Although SOX dictates the need for internal control over financial reporting and both the SEC and PCAOB have recently provided much needed guidance, a reference point against which internal controls are compared is necessary. This is where COBIT (Control Objectives for Information and related Technology) comes in. COBIT is an IT management and governance framework, developed by the IT Governance Institute (an outgrowth of the Information Systems Audit and Control Association or ISACA). COBIT supports IT governance by providing a structure that ensures that “IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly and IT risks are managed appropriately.” COBIT supports the linkage between business and IT goals. It also provides a common language that can be shared and understood by both sides of an organization. The core content of COBIT is comprised of 34 IT processes. Each process is divided into four sections consisting of a high level control objective, relevant detailed control objectives, management guidelines including goals and metrics and a maturity model interpreted specifically for the process. From a regulatory standpoint, COBIT is the de facto standard used by many audit firms to ascertain SOX compliance. Because business goals and IT security challenges are ever changing, COBIT is continually updated to maintain its relevancy and practicality. In fact, the latest release of COBIT, 4.1, was made available in May 2007 and can be downloaded from the ISACA website (www.isaca.org). With compliance in mind, how does an organization begin to use COBIT in order to prepare for their next audit? We recommend the following approach: • Measure current IT controls against the COBIT objectives and identify places where you either have no controls or where there is a gap between the control and the requirements of the objective. • Upgrade controls identified as deficient to at least COBIT maturity model level 3. The COBIT model for management and control over IT processes is derived from a model originally created by the Software Engineering Institute (SEI)3 to measure the maturity of software development. The COBIT interpretation of the model focuses on IT management processes, rendering a generic definition for six levels of maturity as shown in Figure 2. 3 For details regarding Capability Maturity Models go to http://www.sei.cmu.edu/cmm/© 2007 Tango/04 Computing Group Page 12
    • COBIT Managed Optimized Repeatable Defined And Initial or but Process Measurable Ad-Hoc Intuitive Non- Existent Level 0 Level 1 Level 2 Level 3 Level 4 Level 5 Figure 2 – COBIT Maturity Model The higher the level, the better the control over the IT process, as indicated by the following COBIT definitions: • Level 0 – Non-existent: there is a complete lack of recognizable processes and no recognition that an issue needs to be addressed. • Level 1 – Initial: the organization recognizes that issues exist and need to be addressed but processes are ad-hoc, applied on a case-by-case basis and the overall approach to management is disorganized. • Level 2 – Repeatable but Intuitive: similar procedures are followed by different people for the same task but there is no training or communication of standard procedures. Errors are likely because there is a high degree of reliance on the knowledge of individuals. • Level 3 - Defined Process: procedures have been standardized, documented and communicated through training. The procedures themselves are not sophisticated, but are the formalization of existing practices. • Level 4 – Managed and Measurable: compliance processes are monitored and management takes action when procedures are not working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited way. • Level 5 – Optimized: procedures have been refined to a level of good practice based on the results of continuous improvement. IT is used in an integrated way to automate workflow, providing tools to improve quality and effectiveness, making the organization quick to adapt. The maturity levels previously defined are intended as guidelines in order to benchmark current processes and subsequently set goals for improvement. The levels are not meant to be used as exact thresholds where one cannot move to the next level without meeting all of the requirements of the previous level. However, processes with aspects largely at levels 3 and above naturally result in a higher degree of predictability and tighter controls, significantly facilitating your next audit. It’s important to note the inclusion of automated tools and the concept of continuous improvement at the highest levels. These are ideas we’ll examine next as they support the notion of sustainable compliance.© 2007 Tango/04 Computing Group Page 13
    • Achieving Sustainable Compliance Achieving Sustainable Compliance Because SOX is here to stay, companies should view compliance as an opportunity rather than a burden. From an opportunistic standpoint, compliance measures can be defined in such a way as to improve operational efficiencies and reduce costs at your organization. A few simple concepts will start you on your way to achieving sustainable compliance: • Work with business users to identify critical processes • Integrate internal controls into daily routines • Transition manual controls into automated procedures using software tools • Strive for continuous improvement in your compliance measures Let’s explore each one of these concepts. Working with Business Users Although compliance details generally land in the lap of IT, the IT staff must communicate with the business side of the house early on in order to identify the most critical business processes and eliminate duplication of effort. Working closely with the business departments from the very beginning helps ensure that compliance efforts are risk based, focusing on corporate assets that are most important to your company. By protecting the most crucial assets first, you won’t waste time controlling and testing aspects of the business that are unlikely to lead to financial misstatements or compromise critical data integrity. This approach is also consistent with the new AS 5 auditing standard. Beyond that, close interaction with your business community will help to ensure that compliance measures don’t inadvertently hamstring day to day productivity. This type of cross-departmental cooperation facilitates corporate support - a vital component of a successful and ongoing compliance strategy. Integrating Internal Controls A key element of your SOX implementation plan is to integrate the control measures you’ve defined into your daily business activities. Integration ensures that your compliance efforts remain consistent and are not likely to be bypassed or forgotten. Compliance activities that are tightly woven into daily processes clearly support the notion of sustainability because they are easy to maintain and perform. For example, when a new user requires access to your system or an existing user needs more authority, have their supervisor fill out a standard request form that undergoes the appropriate approvals and ultimately lands in the hands of IT to execute. No matter what department the user is from or how high he/she is in the organization, the process should be the same for everyone. To supplement this process, you could schedule a report to run that lists all new and changed user profiles on a daily basis. The report can be reviewed for any unauthorized change and then filed away or archived as a continuing record for your next SOX audit.© 2007 Tango/04 Computing Group Page 14
    • Achieving Sustainable Compliance Automated Tools As a result of trying to meet SOX compliance requirements under tight time constraints, many companies have relied heavily on manual processes. Employees were tasked with creating spreadsheets, defining checklists and documenting procedures. However, the use of manual processes as the primary method of implementing internal controls introduces a host of problems over the long run, not the least of which is sustainability. Purely from a cost perspective, internal labor and/or hired consultants can comprise a large portion of total compliance expense. Add to that the fact that human beings are error prone, particularly when subject to fatigue, stress and distraction, and you aren’t really getting consistent value for your money. Although technology solutions, in the form of automated software tools, do require an up-front investment, they more than pay for themselves over time in reduced labor costs. They also provide consistent, accurate and reliable monitoring and reporting – something your SOX auditor will appreciate! Use of tools also enables you to draw upon your staff in a more productive way by reallocating their time to higher value, business activities. As discussed in previous sections, the use of automated tools is supported by the new AS 5 auditing standard and is also consistent with levels 4 and 5 of the COBIT maturity model. Implementing controls that follow the higher levels of the model will surely keep your executive management and external auditors satisfied. Continuous Monitoring and Real-time Alerts A major advantage of automated software tools is their ability to run 24/7, constantly keeping watch over your implemented security plan and data assets. Continuous monitoring is a vital component of a strategy intended to facilitate process integration and sustainability. We recommend that you only consider automated tools that have the capacity to send alerts to you in real- time when a security event occurs. Real-time notification is a necessity in terms of compliance with Section 409 which requires companies to disclose information about material changes within a 48 hour period. Beyond Section 409, real-time warnings are invaluable to your business because they allow you to minimize risk exposure and attend to security incidents as they occur. Continuous auditing is a major trend and since real-time alerting is technologically available today, there’s no reason not to know about a potentially serious security issue before it’s too late. Strive for Continuous Improvement Once you’ve implemented your SOX security plan, you’ll be monitoring your internal control processes to assess their effectiveness. As you monitor and run reports, new risk factors are likely to appear that you hadn’t yet considered. As these new risks are identified, you’ll need to update your control procedures to prevent any new occurrences of those issues. The refinement of your compliance paradigm is a natural and iterative process resulting in continuous improvement of your control strategy and better protection of your corporate information assets.© 2007 Tango/04 Computing Group Page 15
    • Achieving Sustainable Compliance For each internal control process, you should also strive to move up the COBIT maturity model to higher levels. More mature procedures contribute to better quality and more efficient business processes. They also enhance the likelihood of passing your next audit. In the following section, we’ll examine a particular automated toolset that is currently in use by many companies worldwide in support of their SOX compliance plan.© 2007 Tango/04 Computing Group Page 16
    • Tango/04 Solutions for SOX Compliance Tango/04 Solutions for SOX Compliance The Tango/04 Computing Group3 is a leading developer of Security and Infrastructure Monitoring, Reporting and Business Service Management solutions. Its VISUAL Security Suite is a multiplatform security solution that can easily become a part of your automated processes for achieving sustainable SOX compliance. As shown in Figure 3 below, VISUAL Security Suite receives audit information from various sources within your enterprise. Figure 3 – Overview of VISUAL Security Suite Its monitoring engine offers agents for your different platforms, network components, applications, logs and databases. In many cases, the monitors can run remotely (agentless), reducing deployment time and avoiding interference with other applications. 3 For detailed information about Tango/04, its solutions and customer case studies, please go to www.tango04.com© 2007 Tango/04 Computing Group Page 17
    • Tango/04 Solutions for SOX Compliance In addition, each monitor retrieves only the information you are interested in, allowing you to filter out all irrelevant data. This powerful filtering feature minimizes the monitoring process and keeps overhead down resulting in little to no performance impact on your system.© 2007 Tango/04 Computing Group Page 18
    • Tango/04 Solutions for SOX Compliance Full Operating System Level Coverage The VISUAL Security Suite agents for the System i, Windows, Unix, Linux and AIX can keep track of: • Changes and access to all files and objects, including financial databases, configuration files, sensitive information, etc. Specifically, the tracking of: − Deletes, copies, edits, renames, restores, and read-only access to specific data − Unauthorized access attempts • Authority failures, such as: − Persistent failed sign on attempts − Object access denials • System configuration changes, such as: − Creation and modification of user profiles − System value changes • Command use, so you can: − Watch suspicious users − Monitor use of sensitive commands. We have a library of standard controls you can leverage based on our experience with many different types of industries and security projects. However, new, custom checks can easily be added. For instance, system access times may be well defined at your company, and it is simple to define the time during the day when a login attempt (even if it is allowed by the operating system) should be considered suspicious. Other controls can be less direct, but equally important. For example, unusually increased storage occupation or bandwidth consumption can be a symptom of a suspicious activity (such as a virus sending out spam from a compromised workstation). Because VISUAL Security Suite allows you to monitor several performance indicators in addition to traditional security events, you can define a comprehensive list of controls. Please refer to Appendix A for a list of common controls per platform. Databases, Web 2.0 Enablers and other Middleware VISUAL Security Suite can extract information and continuously audit several databases and middleware such as Web Application Servers, including the IBM WebSphere Application Server. Platform-specific controls can be set. Log files can be scrapped, formatted, and correlated in real time from several sources. Different adapters (WMI, JMX, SNMP, syslogs, text files, message queues, etc.) are also available to maximize the integration capabilities.© 2007 Tango/04 Computing Group Page 19
    • Tango/04 Solutions for SOX Compliance Record-level and Field-level Database Auditing The Data Monitor module captures all Changes, Inserts, Deletions and Reads to files you specify so you know Who, What, When and How. It provides you with record-level audit data for each transaction including: • Before and after image of record changed, clearly indicating the changed fields • User that made the change (including the real user in application transactions) • Timestamp • Context data and platform specific information (such as the name of the application for SQL Server and library/program for DB2 on the System i). With this level of visibility, you’re able to keep all users (including database administrators and privileged users) under control by tracking every action to your sensitive files. As the control is done at the database level, it doesn’t matter where the change came from or which tool had been used to make the change. In addition, the before and after images of record changes allow you to revert a change back to its original value when necessary. Third Party Security Products, Network Appliances and Device Integration VISUAL Security Suite can monitor, correlate, inspect and immediately alert you of any log file, regardless of where it resides and the application that has produced it. In addition, it is easy to centralize the control of all disperse information, effectively monitoring the activity of network devices such as routers, switches, firewalls, and so on. Third party applications such as Intrusion Detection/Prevention Systems, antivirus products, vulnerability scanners, Virtual Private Networking (VPN), and the like, can also be easily integrated. Business Application Monitoring One area where most security products fail is the ability to extract relevant security information from different business applications. Home grown applications are particularly difficult for most products. However, as your level of maturity increases, there is a strong need to go from basic audit controls on operating systems and equipment to business-level controls. VISUAL Security Suite can help you to automate the control of your existing applications. (Note that several examples of relevant COBIT business-level controls can be found in the document “IT Control Objectives for Sarbanes Oxley: the Role of IT in the Design and Implementation of Internal Control Over Financial Reporting”, 2nd Edition, produced by the IT Governance Institute). VISUAL Security Suite has a universal log reader (Applications Agent) which can read virtually any log at blazing speed. By using advanced BNF (Backus Normal Form) grammar definitions that can be created and modified easily, integration of practically any application events can be done in real time. In other cases, instead of text files, application security logs and events are stored in data tables, which can easily be integrated with the VISUAL Security Suite Data Adapter.© 2007 Tango/04 Computing Group Page 20
    • Tango/04 Solutions for SOX Compliance When more complex business-level controls are required (such as changes to dormant accounts in banks, excessively discounted sales, or other domain specific checks) Data Monitor can be a perfect tool to inspect every single one of millions of transactions in real time. Integrity checks can be placed to make sure no unauthorized changes are done from outside the applications, bypassing the applications integrity controls. Examples of business applications that can be monitored with VISUAL Security Suite include SAP R/3, Siebel, JD Edwards, SWIFT, legacy (RPG/COBOL), and practically any custom application running in any environment, from mainframes to standalone desktop workstations. Modern Java applications can also be monitored by using JMX (Java Management Extension) technology. The information presented in this section is merely a subset of the kind of audit data you can collect with VISUAL Security Suite. Please refer to Appendix A for a more complete listing by platform. VISUAL Security Suite Output Once the audit information you specify has been collected, it can be accessed and presented to you in a variety of ways: • Business and Enterprise views • Real-time alerts • Automated actions • Reports Let’s examine each one of these output mechanisms. Business and Enterprise Views One of the key features of VISUAL Security Suite is that it allows you to centrally manage your security paradigm by consolidating events across all platforms in a single view. This is accomplished using the VISUAL Security Suite SmartConsole, shown below in Figure 4.© 2007 Tango/04 Computing Group Page 21
    • Tango/04 Solutions for SOX Compliance Figure 4 – The SmartConsole Within the SmartConsole, the left most pane contains your business view as a series of hierarchical folders that are color coded to quickly draw your attention to important events. Although a default security configuration is shipped with VISUAL Security Suite, you are free to customize this view to best fit your corporate needs. Note that the folders under the iSeries and Windows Security branches are green, indicating no imminent issues. However, there is a problem with the Infrastructure node as indicated by the red folder. Expanding any of the folders and then double clicking on the problem node will reveal underlying messages pertaining to the issue. These related messages contain detailed information about the problem and many soft-coded variables that can be passed to messages sent via email or to your cell phone. The uppermost right pane in Figure 4 summarizes your business services and the pane below it identifies the most probable root cause of the failure. Although this figure shows both security and infrastructure configurations, you can install the security portion alone and either grow into infrastructure monitoring at a later date or continue to use whatever infrastructure monitoring you may already have in place. In addition to business views, security information can also be presented in an enterprise view or dashboard accessible through the web. Enterprise views can be especially useful for CISO’s who need a high level glimpse of current security status but not the underlying details provided by the SmartConsole. Figure 5 below presents a sample enterprise view of a SOX compliance scenario.© 2007 Tango/04 Computing Group Page 22
    • Tango/04 Solutions for SOX Compliance Figure 5 – Sample Enterprise View of a SOX Security Plan Similar to the business view shown in Figure 4, the color of the icons provides visual information regarding status. For instance, a potential problem is indicated under iSeries Server > Object Access because the icon is yellow. Double-clicking on any icon allows you to drill down for specific information about the problem. Real-time Alerts Besides visual notification, with VISUAL Security Suite you can also define alarms and actions to send alerts regarding urgent situations in real-time. These alerts can take various forms such as email, SMS messaging, sound or video. Having real-time access to your security information is absolutely critical to comply with SOX Section 409. Remember that 409 requires companies to disclose information about material changes to its financial condition within 48 hours of the occurrence. Regulations aside, instant awareness of security exceptions enables you to respond to the suspect event as it happens, significantly reducing risk and giving you total control - even if the incident occurs after hours or over the weekend. Automated Actions In addition to real-time alerts, VISUAL Security Suite can be configured to automatically respond to events that you define. For example, if a user changes a critical system setting, VISUAL Security Suite can send you a real-time alert and also initiate predefined actions such as reverting the system setting back to its original value, ending the user’s job and disabling his/her user profile to prevent further malicious actions.© 2007 Tango/04 Computing Group Page 23
    • Tango/04 Solutions for SOX Compliance Compliance Reports VISUAL Security Suite includes a robust reporting system so you can perform forensic analyses, review events against security policies and comply with regulations such as SOX. We ship over 200 built-in reports to provide you with all the information you’ll need to satisfy your auditors. Figure 6 below shows a segment of the reporting system in addition to the data selection parameters for one of the reports. Figure 6 – Segment of the Reporting System and Sample Data Selection Screen It’s worth noting that our built-in reports can be customized so you can create your own subreport version. Furthermore, reports can be generated in different formats such as .pdf, .xls, .doc, .html and can also be scheduled and automatically emailed to the appropriate stakeholders. A sample report depicting User Inactivity on the Windows platform is shown below in Figure 7.This report shows users defined on a particular domain, the number of days they have been inactive and whether or not their profile is enabled. By running this report you can identify users who have not signed on for a period of time and either disable or eliminate the profile before it can be used maliciously to commit a security infraction. A similar report is also available for the System i.© 2007 Tango/04 Computing Group Page 24
    • Tango/04 Solutions for SOX Compliance Figure 7 – Windows User Inactivity Report Figure 8 below, presents a segment of a Data Monitor report showing detailed information about a data record change. As indicated, Data Monitor can capture and report the date and time of a file access, the type of access (read, update, insert, deletion, etc), the actual user and even the before and after images of the accessed data record. This is exactly the kind of information you need to help provide evidence for compliance with SOX Section 1102.© 2007 Tango/04 Computing Group Page 25
    • Tango/04 Solutions for SOX Compliance Figure 8 – Data Monitor Report Segment As shown in Figure 8, you can even instruct Data Monitor to hide sensitive field values in the generated reports, such as Social Security or credit card numbers. This feature is essential in order to ensure and protect the privacy of consumer information. The Data Monitor module also has many other advanced features including the ability to: • Select the files you want to monitor and even particular fields within those files; • Select particular users or user groups to monitor; • Store your audit data on a different LPAR or platform which might be more secure or where storage space is less expensive; • “Enrich” the audit data so, for instance, an account number can appear as a customer name on your reports, making them easier to read; • Include information on your reports that is not stored in the journal such as user group or class.© 2007 Tango/04 Computing Group Page 26
    • Tango/04 Solutions for SOX Compliance Ease of Use VISUAL Security Suite is fast to deploy and easy to use so Complete Coverage for the System i you can immediately begin to monitor and protect your As a Premier IBM Business Partner, corporate assets as soon as you install the product. We Tango/04 provides the most complete offer Professional Services to help you configure business functionality on the market for auditing views, real-time alerts and automated actions to meet your System i security environments. With more than 15 years experience on this platform, specific compliance needs. We also train your designated Tango/04 works directly with IBM staff so they can add additional controls as you need them laboratories in Rochester, Minnesota to take due to changes in regulations or in your corporate advantage of new i5 technology developments. environment. We continuously invest in improvements and support for the latest versions of i5/OS in Because the SmartConsole component allows you to order to offer you the best solution on the centralize the management of your security controls market. across platforms, within a single view, your security staff (Refer to Appendix A for more information will be highly productive as they maintain the integrity of regarding our technology alliance with IBM) your compliance plan. Tango/04 Solutions and the COBIT Objectives As mentioned earlier in this paper, COBIT is an internal control framework often used by external auditors to measure compliance. Although the use of automated tools is highly supported by COBIT, there’s not a single tool that can help you comply with all of the COBIT objectives. In fact, some objectives aren’t even suited to the use of a technology solution and are best addressed with written policies and/or employee training. In the end, it’s your job to put together a mix of manual and automated processes in order to satisfy each objective. As you evaluate the use of automated software solutions, be sure to consider tools that will not only help you to comply with SOX but also improve your business processes, productivity and overall competitive advantage. By meeting 19 of the detailed COBIT objectives, the Tango/04 solution set can not only offer assistance with your SOX compliance needs, but also provide value to your business by helping you protect your corporate assets. Please refer to Appendix B for descriptions of each objective and how the Tango/04 solutions address each one. Valid for Cross Compliance We understand that many companies today are subject to multiple regulations such as SOX and HIPAA or PCI or GLBA. Despite the fact that the details of complying with these laws differ, they all share common objectives. That is, the intent of these regulations is to protect shareholders, patients and consumers from financial misstatements and the disclosure of private information. The Tango/04 security solution aptly supports this intent by providing you with the capabilities of real-time alerts, automated actions, visual status displays by PC or web, monitoring of data changes at the field level and overall abundant reporting. When used together, these aspects of our solution are very powerful and can be easily implemented at your company to help you successfully comply with multiple regulations.© 2007 Tango/04 Computing Group Page 27
    • Tango/04 Solutions for SOX Compliance Extendability One of the best parts about the Tango/04 solution suite is that you can implement it in a step-by-step fashion. Start with your most critical platform and begin to define the security controls you need to monitor and report on. Because our solution is so easy to use, you’ll find that once you’ve defined a business view and associated it with alarms and actions, it’s a snap to define other security views. Although VISUAL Security Suite can be used exclusively as a security compliance solution, it shares a number of modules and agents with VISUAL Message Center, Tango/04’s solution for IT infrastructure monitoring and Business Service Management (BSM). This concept allows you to expand the scope of the solution in a progressive fashion over time as shown in Figure 9. Security BSM/SLM Applications Management Infrastructure Security BSM Operations Figure 9 – Extend the Tango/04 Security Solution to Infrastructure and BSM It also allows you to create dashboards in order to visualize the impact of security problems on your different business applications. Integrating IT with business operations will not only facilitate corporate support for your compliance activities, but will also help your company function more efficiently as a whole. As various departments work together, increases in productivity are achieved, resulting in overall cost reductions. Maximize Your Return on Investment Because Security, Infrastructure and BSM all share the same concepts in terms of installation, configuration and training time, your initial investment can be reused to monitor the status of services, SLAs, user experience and application availability. Security administrators, auditors and operation managers can all have different views of the SmartConsole to focus in on what they need to know. In essence, you have one console with many possibilities at your finger tips.© 2007 Tango/04 Computing Group Page 28
    • Tying It All Together Tying It All Together If you’ve read this far, it’s likely that you’re required to comply with SOX and are looking for ideas on how best to do so. Clearly, you need to develop a compliance paradigm that’s sustainable and does not overburden your staff or your corporate bank account. While you’re at it, you might as well define a strategy that will benefit your company beyond compliance requirements. Namely, you want to develop a security plan that not only satisfies your auditing requirements but one that also provides the added benefits of increased productivity and overall cost reduction. If you implement a risk-based approach per the new AS 5 auditing standard, the task of achieving compliance will be well within your reach. To achieve sustainable compliance, we suggest that you include automated software tools as an integral part of your security paradigm. The use of automated technology is supported by both AS 5 and COBIT. Multiplatform Cross Compliance The Tango/04 security solution can assist you in attaining sustainable compliance across multiple regulations. With our built-in real-time alerting capability, you’ll not only meet mandated SOX requirements but you will also have instant awareness of the efficacy of your security plan. This enables you to address problems as they occur, before they propagate and when they are easiest to fix. With our multi-platform capabilities, we can consolidate security information across your enterprise in a single view, greatly simplifying the task of assessing compliance. Our rich reporting feature will also help you to satisfy the needs of your external auditor as you demonstrate compliance year after year. Field Proven in Different Industries The Tango/04 security solution is fast to deploy, easy to use and field proven. We have over one thousand customers across the globe and our technology has been adopted by 7 of the 18 largest banks in the world. In fact, Henry Schein Inc. – a Fortune 500 distributor of healthcare products with global operations based in Melville, NY – is just one of our customers to effectively achieve SOX compliance year after year using VISUAL Security Suite. Our customer base also includes a number of well known enterprises such as BankBoston, CocaCola, Dole Fresh Fruit, Pfizer, Shell, Office Depot and Nike. Unique Extensibility Beyond security auditing, our software also offers infrastructure monitoring, application monitoring and business service management, so you can continue to align IT with the business side of the house using a single software solution. The beauty of our solution is that you can implement additional controls and functions in a stepwise manner and at your own pace.© 2007 Tango/04 Computing Group Page 29
    • Tying It All Together Consider the Tango/04 family of solutions to help you achieve your compliance goals, protect your corporate assets and facilitate business management. As you continue to grow into the Tango/04 solutions you will increase productivity levels and save money over time.© 2007 Tango/04 Computing Group Page 30
    • Appendix A – Tango/04 Security Solutions Appendix A – Tango/04 Security Solutions VISUAL Security Suite: List of Controls As previously discussed and illustrated (see Figure 3 – Overview of VISUAL Security Suiteon page17), VISUAL Security Suite can collect auditing information from multiple platforms and make it available for you to filter and analyze within a single console. Below is a summary of the types of events we can monitor by platform: System i: DB2 UDB: Windows: • System access • Use of special editing tools • Changes in auditing • Profile and user activity or (e.g. DFU, STRSQL) configuration, privileges, inactivity • Exit point control directory services, domain • Adopted security • SQL statement level policies… • Sensitive commands auditing • Complete event log • Object access • File access at record level monitoring (real-time) • System values • Auto control of logs with • Spool files any format • Any type of log such as • Control of Active directory, QSYSOPR, QHST or IIS, firewall service, system audit log Exchange, Citrix, remote • Use of service systems access… • Message queues • Changes to system folders • Invalid logins • Inactive users SQL Server: Oracle: Linux, UNIX, AIX: • Instance status • SQL statements run by • Complete verification of • Changes to roles and sysda syslogs (real-time) users • User SQL statements • Changes made to system • Transaction log • Role and user monitoring configuration • Connections and access • Critical processes • Control of super users • SQL statements • Special permissions • Invalid logins • Locks • Relevant users • Changes to folders/objects • Table auditing (field level) • Table auditing (field level) • Changes in privileges and • Objects • Super user activity user accounts • Errors • Authentication • Change in security policies • Windows processes • Log monitoring • Sensitive command management • Suspicious processes© 2007 Tango/04 Computing Group Page 31
    • Appendix A – Tango/04 Security Solutions Beyond platform specific abilities, a full array of other third party products, including middleware, network equipment, appliances, firewalls, IDS, antivirus systems, etc. can also be integrated easily. Business applications logs can be monitored in real time, and custom business-specific controls are easy to create and maintain. Overall, Tango/04 offers the most comprehensive security solution on the market. Tango/04 Solutions Offer Extensive Coverage for the System i Although our security solutions are multi-platform capable, it’s important to stress our strength on the i5 platform for those of you that manage System i centric shops. Tango/04 is a Premier IBM Business Partner and key member of IBM’s Autonomic Computing initiative. In addition to receiving industry recognition on numerous occasions, our solutions have been validated by IBM and designated as IBM ServerProven. Other associations we have with IBM include: • IBM PartnerWorld for Developers (Advanced Member) • IBM ISV Advantage Agreement • IBM OS Early Code Release member • IBM ServerProven Solution Provider Technology Alliances outside of IBM In addition to our strong ties to IBM, the success of our solution also relies on the working relationships we have with other platform providers. These include: • Microsoft Developer Network (MSDN) • Microsoft Early Code Release member • Red Hat Linux Partner Professional Services We provide top notch professional services to help you install "Tango/04 pre-sale activities, post-sale and configure our products across your critical platforms to implementation and support services meet your specific security needs. We’ll work together with exceeded our expectations. The Tango/04 employees are intelligent, your staff to add the precise controls you need in order to helpful, funny, patient and honest. The achieve compliance year after year. We’re not happy with any training they provided was outstanding." implementation unless you are completely satisfied. In fact, David Dresdow, Team Leader since 2004 we’re proud to say that all of our projects for JDEdwards System Administration security, data protection and operations monitoring have been Stora Enso implemented on time and with full customer satisfaction. The loyalty and high rate of customer satisfaction is one of the best guarantees we can offer you.© 2007 Tango/04 Computing Group Page 32
    • Appendix B - COBIT 4.1 Control Objectives Appendix B - COBIT 4.1 Control Objectives COBIT is the de facto IT governance framework used by many auditing firms to assess SOX compliance. The latest release4, published in May 2007, is comprised of 34 IT processes that fall under the following domains: • Plan and Organize • Acquire and Implement • Deliver and Support • Monitor and Evaluate The domains and associated processes are consistent with the responsibilities of “plan, build, run and monitor”, providing an end-to-end view of IT. Each of the 34 IT processes is linked to a high level control objective which is further broken down into numerous detailed control objectives. The table below indicates that there are a total of 210 detailed control objectives under COBIT 4.1 Number of detailed Domain Number of Processes Control Objectives Plan & Organize (PO) 10 74 Acquire & Implement (AI) 7 40 Deliver & Support (DS) 13 71 Monitor & Evaluate (ME) 4 25 Total: 34 210 Each new release of COBIT has resulted in a decreased number of detailed control objectives as the IT Governance Institute (ITGI) has tried to consolidate objectives and consequently simplify the implementation of the framework. As a company striving to comply with SOX, you must review each of the 210 control objectives and devise a plan to meet them. Many of the objectives can be met with the support of automated software tools, while others simply require a documented policy or procedure. As an example, consider one of the processes under the PO domain: 4 COBIT 4.1, IT Governance Institute, ISBN 1-933284-72-2, 2007© 2007 Tango/04 Computing Group Page 33
    • Appendix B - COBIT 4.1 Control Objectives Process PO6: Communicate Management Aims and Directions Detailed objective PO6.5: Communicate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise. This is not an objective that is likely to be met through the use of technology. Meeting this objective would more likely involve presentations and the dissemination of a written security plan which includes business risks at stake and planned measures to mitigate those risks. Other detailed control objectives can clearly be met with the use of technology. The remainder of this Appendix will present detailed control objectives that are supported by the use of Tango/04 software solutions. Mapping of Tango04 Solutions to COBIT Objectives Domain: Acquire & Implement Process: Acquire & Maintain Application Software Detailed Control Objectives: AI2.3 Application Control and Auditability Implement business controls, where appropriate, into automated application controls such that processing is accurate, complete, timely, authorized and auditable. Tango/04 Solution: VISUAL Security Suite can both leverage existing auditability and enhance and extend application auditability by adding new business controls easily. For instance, checks for completeness and timeliness of processing that are usually forgotten at application design time are frequently deployed using Tango/04 technology in our compliance projects. Extensive business integrity controls can be added at the database level, preventing data tampering from outside the applications. VISUAL Security Suite can alert on not only the existence of a certain event log entry, but also in its absence (for instance, if someone disables the incident logging capability of an application). Disperse audit logs can be properly formatted and centralized on the Tango/04 console, leveraging its visibility and usefulness, and adding powerful real-time notification mechanisms. The use of web-based, real-time business and enterprise views aligns security auditing to business practices and compliance standards. Application response times can be measured and application failures or service disruptions are easily detected, so specific COBIT measurement objectives (such as the number of production problems per application causing visible downtime) can be produced. Reports provide historical information for auditing and forensic purposes.© 2007 Tango/04 Computing Group Page 34
    • Appendix B - COBIT 4.1 Control Objectives AI2.4 Application Security and Availability Address application security and availability requirements in response to identified risks and in line with the organization’s data classification, information architecture, information security architecture and risk tolerance. Tango/04 Solution: Application usage and availability can easily be monitored and reported on in real-time or from a historical audit standpoint. Synthetic (simulated) transactions can be created and executed periodically to test production applications’ behavior on an ongoing basis, or application logs can be used to monitor end user response times. Color coded, web-based dashboards can be readily configured for a dynamic view of an application failure or slow down. Real-time alerts of application failures can also be in the form of an email or sent to a pager or cell phone. Strategic planning reports can be produced to analyze the best improvement alternatives to optimize application availability. New controls can be added at the database level using different levels of auditability to match the sensitiveness of the protected data. Process: Acquire & Maintain Technology Infrastructure Detailed Control Objective: AI3.2 Infrastructure Resource Protection and Availability Implement internal control, security and availability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated. Tango/04 Solution: The use of powerful tools (such as data editors, system service tools and other specific applications) that can compromise integrity and availability can be monitored and logged. Login and logon can be monitored for most applications, middleware, and operating systems. File-system level checks can be created to monitor access and usage to ensure that access policies are respected. In addition, application availability and data integrity can also be monitored on a continuous basis. Suspicious events can produce instantaneous alerts and audit reports can be run to reveal usage patterns.© 2007 Tango/04 Computing Group Page 35
    • Appendix B - COBIT 4.1 Control Objectives Domain: Deliver & Support Process: Define and Manage Service Levels Detailed Control Objective: DS1.5 Monitoring and Reporting of Service Level Agreements and Contracts Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analyzed and acted upon to identify negative and positive trends for individual services as well as for services overall. Tango/04 Solution: Tango/04 is extremely capable in this area, since VISUAL Security Suite and VISUAL Message Center share the same technological foundation. As a consequence, it’s easy to extend VISUAL Security Suite to monitor availability and end-to-end response time for applications, reusing most of its components, agents, and product knowledge. Synthetic (simulated) transactions can be created and executed periodically to test production application behavior on an ongoing basis, or application logs can be used to monitor end user response times. Real-time alerts can be produced if expected Service Level Agreements (SLAs) are not met. Underlying IT infrastructure can be easily mapped to the supported business services, and vice versa, rapidly modeling applications and service control points. Extensive IT infrastructure monitoring can be deployed through modular, extensible Tango/04 agents. Real-time, visual correlation of technical components with the business applications they support helps to identify the root cause of poor performance in order to expedite problem resolution and ensure the alignment of IT operational staff with the business strategy. SLA achievement can be evaluated against reports that include numeric data as well as graphs to clearly depict application availability and response times. ITIL-compliant indicators (such as MTBSI) can also be generated. Top reasons of non-compliance with underpinning contracts can be easily identified to facilitate the continuous improvement of service levels.© 2007 Tango/04 Computing Group Page 36
    • Appendix B - COBIT 4.1 Control Objectives Process: Manage Performance and Capacity Detailed Control Objective: DS3.5 Monitoring and Reporting Continuously monitor the performance and capacity of IT resources. Data gathered should serve two purposes: • To maintain and tune current performance within IT and address such issues as resilience, contingency, current and projected workloads, storage plans, and resource acquisition. • To report delivered service availability to the business, as required by the SLAs. Tango/04 Solution: Performance goals can be continuously monitoring by adding Tango/04 extension monitoring modules. Extensive support for popular IT infrastructure components, devices, platforms, and middleware, and open standards can be used to embrace and leverage existing monitoring tools. Any undesired deviation from normal performance goals is immediately detected and appropriate stakeholders are notified. Storage occupation and activity can be monitored at the device, file system, folder or file level. End user response time can be monitored to guarantee adequate performance at the application level, not only at the component level. Extensive reporting includes the ability to create historical graphs with trend and forecasting analyses to facilitate basic system capacity planning, analysis of peak load, utilization rates, SLA compliance, transaction failures, worst components (to identify components that must be replaced or fixed immediately), etc. In addition, for the System i there are several modules to model and forecast capacity, and automatically tune the system. Process: Ensure Continuous Service Detailed Control Objective: DS4.1 IT Continuity Framework Develop a framework for IT continuity to support enterprise wide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT contingency plans. The framework should address the organizational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes that create the rules and structures to document, test and execute the disaster recovery and IT contingency plans. The plan should also address items such as the identification of critical resources, noting key dependencies, the monitoring and reporting of the availability of critical resources, alternative processing, and the principles of backup and recovery.© 2007 Tango/04 Computing Group Page 37
    • Appendix B - COBIT 4.1 Control Objectives Tango/04 Solution: Although this objective requires the use of other technologies (such as clustering, backup devices, etc.), monitoring can help enormously to automate several testing tasks of the continuity framework, since Tango/04 technology helps you identify problem areas (measuring the availability of critical business processes, generating rankings of failing components, etc.) and monitors the compliance of the continuity strategy. For instance, Tango/04 security projects usually include the monitoring of backup and recovery products (such as IBM BRMS or Tivoli Storage Manager), file system checks, real time indication of the health of the continuity processes (such as replication software), etc. Process: Ensure Systems Security Detailed Control Objectives: DS5.3 Identity Management Ensure that all users (internal, external and temporary) and their activity on IT systems (business, application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights. Tango/04 Solution: Procedures to keep authentication and access mechanisms in check include ongoing monitoring of user profile creation, deletion, changes to user profiles, and management of passwords. User activity such as log-ins and access to applications are also audited. Access right rules can be enforced using simple (IP address filtering) or complex custom rules (such as automatically holding user processes for a profile corresponding to an employee currently on vacation, until the incident is investigated). Correlation technology can be used to check authentication mechanisms. Real-time alerts can be executed when a suspicious event occurs and built-in reports can be run in order to provide user activity information to the appropriate management personnel. DS5.4 User Account Management Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged user) and internal and external users, for normal or emergency cases. Rights and obligations relative to access to enterprise© 2007 Tango/04 Computing Group Page 38
    • Appendix B - COBIT 4.1 Control Objectives systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges. Tango/04 Solution: Continuous user profile monitoring and regularly scheduled reporting allows easy tracking of user accounts and access rights for your users. Real-time alerts can be executed when a questionable event occurs such as the granting of special authority to an existing user profile. Privileged user activity can also be tracked and reported. Inactive (obsolete) accounts can be detected easily and automatically disabled if desired. In addition, the Data Monitor module can audit the actions of privileged users as they access your critical data files. Our ability to track changes to files at the record level, including “before” and “after” images of the change, helps you to monitor and control powerful users on your system. DS5.5 Security Testing, Surveillance and Monitoring Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed. Tango/04 Solution: The real-time notification feature provides instant alerts and automatic actions to quickly respond to security violations. Audit reports provide full information on potential violations, and specific issues, for example, use of sysdba / sysadmin / security officer user profiles, or access to sensitive objects. Integration of third-party security products (such as antivirus or vulnerability scanners) is possible through the use of any of the numerous industry standard protocols and technologies supported by Tango/04. Extensive business application controls can be added to extend existing application security controls. Complex security policy rules can be implemented and automatically checked on using the Tango/04 console in real time. DS5.9 Malicious Software Prevention, Detection and Correction Put preventive, detective and corrective measures in place, (especially up-to-date security patches and virus control) across the organization, to protect information systems and technology from malware (e.g. viruses, worms, spyware, spam). Tango/04 Solution: VISUAL Security Suite can detect deviations from corporate security policy in many areas including changes to system settings, user profiles, objects and data files. We also monitor logs and alerts coming from antivirus software, firewalls, IDS, applications, web servers and network devices. Events are sent to a centralized console where they are consolidated into a single view for further analysis. Beyond that we provide you with the ability to generate real-time alerts when a suspicious event occurs so you can take immediate action to the problem at hand.© 2007 Tango/04 Computing Group Page 39
    • Appendix B - COBIT 4.1 Control Objectives Our technology additionally includes the ability to perform actions (such as disabling a user at once from several platforms and domains, modifying a system setting, or ending a process) when an alert is generated so incidents can be handled automatically. Process: Manage Service Desk and Incidents Detailed Control Objective: DS8.3 Security Requirements for Data Management Establish service desk procedures, so incidents that cannot be resolved immediately are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided. Ensure that incident ownership and life cycle monitoring remain with the service desk for user-based incidents, regardless which IT group is working on resolution activities. Tango/04 Solution: Security incidents can be automatically escalated using notification rules and multiple delivery mechanisms (pager, SMS, email). Guidance text (or even multimedia files) can be shown to the operators at incident time, offering context-sensitive information about the procedures to be followed from the knowledge base. The open architecture of the Tango/04 console makes it easy to forward incident data to third party service desks products, such as Remedy. Bi-directional integration is also possible. As the modeling of the business services and its underlying IT components is very easy on the Tango/04 console, real-time, accurate, dynamic information about the real business impact of each incident is easy to attach to the original event, thus aligning IT priorities with business priorities easily. Enrichment of event data, correlation, and business impact information can be added to the forwarded event to reduce resolution times. Process: Manage Problems Detailed Control Objective: DS10.1 Identification and Classification of Problems Implement processes to report and classify problems that have been identified as part of incident management. The steps involved in problem classification are similar to the steps in classifying incidents; they are to determine category, impact, urgency and priority. Categorize problems as appropriate into related groups or domains (e.g., hardware, software, support software). These groups may match the organisational responsibilities of the user and customer base, and should be the basis for allocating problems to support staff. Tango/04 Solution: Security incidents can be automatically classified or categorized based on the original event data, correlated data, or any additional data that is able to be calculated or retrieved, even from remote systems. As the modeling of the business services and its underlying© 2007 Tango/04 Computing Group Page 40
    • Appendix B - COBIT 4.1 Control Objectives IT components is very easy on the Tango/04 console, real-time, accurate, dynamic information about the real business impact of each incident is easily attached to the original event, thus aligning IT priorities with business priorities easily. Conversely, when analyzing a business service failure, it is very easy to relate it to its most probable root causes, enormously reducing the time to resolution. Color coding is possible to immediately attract attention according to the impact of the problem. The open architecture of the Tango/04 console makes it simple to forward incident data to third party service desks products, such as Remedy. Process: Manage Data Detailed Control Objective: DS11.6 Security Requirements for Data Management Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization’s security policy and regulatory requirements. Tango/04 Solution: Access and modifications to critical data files on several platforms can be monitored and reported on. Changes to data records are available on leading databases at the field level and reports show “before” and “after” images. Real-time alerts can also be triggered when data files are inappropriately read or modified. Data restoration and backup is continuously monitored. Storage health can be proactively monitored. Data management processes can be monitored and automatically restarted in case of failure. Process: Manage Operations Detailed Control Objectives: DS13.1 Operations Procedures and Instructions Define, implement and maintain procedures for IT operations, ensuring that the operations staff members are familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities) to support agreed-upon service levels and ensure continuous operations. Tango/04 Solution: The VISUAL Message Center SmartConsole presents a consolidated view of all system activities and messages. During a shift change, real-time views and event navigation panels make it extremely easy to understand what happened in the previous shift. Views can be customized so operators only see what is relevant to them. The optional modules of the Tango/04 solution can effectively monitor infrastructure and processing, providing automated resolution in© 2007 Tango/04 Computing Group Page 41
    • Appendix B - COBIT 4.1 Control Objectives several cases, and, for these incidents that require manual attention, can show relevant contextual information about the standard steps to follow to resolve the incident. Application-level views and business service modeling makes it very easy to understand downtime root causes, shortening resolution times. Process performance and service level reports can be produced automatically. DS13.2 Job Scheduling Organize the scheduling of jobs, processes and tasks into the most efficient sequence, maximizing throughput and utilization to meet business requirements. Tango/04 Solution: Although the Tango/04 solution is not a job scheduling product, it can be used to streamline operations and ensure that scheduled activities are effectively executed. Tango/04 technology can automatically manage subsystems, jobs, tasks, processes and programs on multiple platforms. Both the scheduling mechanisms and the scheduled processes health can be continuously monitored and automated actions can be executed to solve common problems. Actions can be taken both in the presence of an event (such as “backup failed”) and in the absence of an event (“backup terminated normally”) at a given time. Resource abusive tasks can easily be detected and frozen so they do not interfere with scheduled operations. Real time alerts are escalated to system operators so they can further investigate potential problems. DS13.3 IT Infrastructure Monitoring Define and implement procedures to monitor the IT infrastructure and related events. Ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations. Tango/04 Solution: Our technology provides continuous monitoring of the IT infrastructure, including Windows, OS/400-i5/OS, Linux, AIX, Unix platforms and related network devices, security products, middleware, databases and applications. Detailed data pertaining to all infrastructure events is kept in a separate database enabling reports to be run long after system logs or security journals have been deleted. The reports can present the monitoring information in chronological order to enable review of the sequence of events in the context of supporting operations. Automated resolution is possible in several cases, and, for those incidents that require manual attention, relevant contextual information about the standard steps to follow to resolve the incident can be shown to the operators. Application-level views and business service modeling makes it very easy to understand downtime root causes, shortening resolution times. Process performance and service level reports can be produced automatically.© 2007 Tango/04 Computing Group Page 42
    • Appendix B - COBIT 4.1 Control Objectives Domain: Monitor and Evaluate Process: Monitor and Evaluate Internal Control Detailed Control Objectives: ME2.1 Monitoring of Internal Control Framework Continuously monitor, benchmark and improve the IT control environment and control framework to meet organizational objectives. Tango/04 Solution: Constant monitoring of security events, instant alerts and regular reporting are likely to expose risks that had not yet been considered. As these risks and deviations from security policies are uncovered, new controls can be defined to yield continuous improvement of the IT control environment. ME2.3 Control Exceptions Identify control exceptions, and analyze and identify their underlying root causes. Escalate control exceptions and report to stakeholders appropriately. Institute necessary, corrective action. Tango/04 Solution: When security control exceptions occur, the appropriate stakeholders can be immediately notified using our real-time alerting capabilities. Real-time notification of the issue can be accomplished by email or by sending an SMS message to a cell phone. Automatic actions can also be defined when a security control exception occurs to implement corrective or defensive measures, such as stopping a service that is under attack, executing a program or disabling a suspicious user profile. Our solution also provides detailed information about each infraction to help you identify the root cause of the issue. ME2.7 Remedial Actions Identify, initiate, track and implement remedial actions arising from control assessments and reporting. Tango/04 Solution: Continuous monitoring, frequent reporting and real-time alerts can help to identify weaknesses in your internal controls. Once remedial action has been taken, our solution can be used to track those new controls and quickly identify deviations from your security policy.© 2007 Tango/04 Computing Group Page 43
    • About Tango/04 Computing GroupAbout Tango/04 Computing Group Tango/04 Computing Group is one of the leading developers of systems management and automation software. Tango/04 software helps companies maintain the operating health of all their business processes, improve service levels, increase productivity, and reduce costs through intelligent management of their IT infrastructure. Founded in 1991 in Barcelona, Spain, Tango/04 is an IBM Business Partner and a key member of IBM’s Autonomic Computing initiative. Tango/04 has more than a thousand customers who are served by over 35 authorized Business Partners around the world. Alliances Partnerships IBM Business Partner IBM Autonomic Computing Business Partner IBM PartnerWorld for Developers Advanced Membership IBM ISV Advantage Agreement IBM Early code release IBM Direct Technical Liaison Microsoft Developer Network Microsoft Early Code Release Awards © 2007 Tango/04 Computing Group Page 44
    • Legal noticeLegal notice The information in this document was created using certain specific equipment and environments, and it is limited in application to those specific hardware and software products and version and releases levels. Any references in this document regarding Tango/04 Computing Group products, software or services do not mean that Tango/04 Computing Group intends to make these available in all countries in which Tango/04 Computing Group operates. Any reference to a Tango/04 Computing Group product, software, or service may be used. Any functionally equivalent product that does not infringe any of Tango/04 Computing Group’s intellectual property rights may be used instead of the Tango/04 Computing Group product, software or service Tango/04 Computing Group may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. The information contained in this document has not been submitted to any formal Tango/04 Computing Group test and is distributed AS IS. The use of this information or the implementation of any of these techniques is a customer responsibility, and depends on the customer’s ability to evaluate and integrate them into the customer’s operational environment. Despite the fact that Tango/04 Computing Group could have reviewed each item for accurateness in a specific situation, there is no guarantee that the same or similar results will be obtained somewhere else. Customers attempting to adapt these techniques to their own environments do so at their own risk. Tango/04 Computing Group shall not be liable for any damages arising out of your use of the techniques depicted on this document, even if they have been advised of the possibility of such damages. This document could contain technical inaccuracies or typographical errors. Any pointers in this publication to external web sites are provided for your convenience only and do not, in any manner, serve as an endorsement of these web sites. The following terms are trademarks of the International Business Machines Corporation in the United States and/or other countries: AS/400, AS/400e, iSeries, i5, DB2, e (logo)®Server IBM ®, Operating System/400, OS/400, i5/OS. Microsoft, SQL Server, Windows, Windows NT, Windows XP and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. UNIX is a registered trademark in the United States and other countries licensed exclusively through The Open Group. Oracle is a registered trade mark of Oracle Corporation. Other company, product, and service names may be trademarks or service marks of other companies. © 2007 Tango/04 Computing Group Page 45