Deployment Guide Series: IBM Tivoli Compliance Insight Manager (SG24-7531)

Front cover

Deployment Guide Series: IBM Tivoli Compliance Insight Manager

Planning for an enterprise compliance management deployment
Installation and configuration of major components
Best practices and troubleshooting

Axel Buecker, Ann-Louise Blair, Franc Cervan, Dr. Werner Filip, Scott Henley, Carsten Lorenz, Frank Muehlenbrock, Rudy Tan

ibm.com/redbooks

International Technical Support Organization
Deployment Guide Series: IBM Tivoli Compliance Insight Manager
February 2008
SG24-7531-00

Note: Before using this information and the product it supports, read the information in "Notices" on page vii.

First Edition (February 2008)

This edition applies to Version 8.0 of IBM Tivoli Compliance Insight Manager (product number 5724-567).

© Copyright International Business Machines Corporation 2008. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Notices  vii
Trademarks  viii
Preface  ix
The team that wrote this book  ix
Become a published author  xii
Comments welcome  xii

Part 1. Architecture and design  1

Chapter 1. Business context  3
1.1 Introduction to compliance management  4
1.2 Business drivers for compliance management  5
1.3 Criteria of a compliance management solution  8
1.4 Recent challenges for compliance management  10
1.5 Conclusion  11

Chapter 2. Architecture and component structure  13
2.1 Product overview  14
2.2 Product architecture  14
2.2.1 Tivoli Compliance Insight Manager cluster  16
2.2.2 Tivoli Compliance Insight Manager Enterprise Server  16
2.2.3 Tivoli Compliance Insight Manager Standard Server  18
2.2.4 Actuators  18
2.2.5 Management Console  19
2.2.6 iView Web portal  20
2.2.7 Databases  21
2.2.8 Component architecture  22
2.3 Product processes  23
2.3.1 Collection  25
2.3.2 Mapping and loading  33
2.3.3 Data aggregation and consolidation  44
2.3.4 Reporting and presentation  44
2.4 The W7LogSDK  46
2.4.1 How the W7LogSDK works  46
2.4.2 Event attributes  47
2.4.3 W7LogSDK CSV format  53
2.4.4 W7LogSDK XML format  54
2.4.5 Validators  57
2.5 Conclusion  57

Chapter 3. Planning for customer engagement  59
3.1 Services engagement preparation  60
3.1.1 Implementation skills  60
3.1.2 Available resources  60
3.2 Solution scope and components  61
3.2.1 Basic solution definition  61
3.2.2 Cross-sell and up-sell opportunities  62
3.3 Service engagement overview  63
3.3.1 Executive assessment  64
3.3.2 Demonstration system setup  65
3.3.3 Analyze solution tasks  66
3.3.4 Creating a contract  66
3.4 Defining solution tasks  69
3.4.1 Deployment tasks  70
3.5 Conclusion  75

Part 2. Customer environment  77

Chapter 4. Gym and Health Incorporation  79
4.1 Company profile  80
4.1.1 GaH business initiatives  80
4.1.2 Geographic distribution of GaH  81
4.1.3 Management of GaH members  81
4.2 Current IT infrastructure  82
4.2.1 Current infrastructure of GaH  82
4.2.2 The GaH information security compliance initiative  85
4.3 Information security compliance management  86
4.3.1 Emerging issues  86
4.4 Project layout and implementation phases  87
4.5 Conclusion  87

Chapter 5. Deployment design  89
5.1 Business requirements  90
5.2 Functional requirements  91
5.3 Design approach  93
5.4 Implementation approach  95
5.4.1 Determination of needed reports  95
5.4.2 Monitored target assets  97
5.4.3 Collected data  98
5.4.4 Prioritization of target systems and applications  98
5.5 Conclusion  98

Chapter 6. Installing Tivoli Compliance Insight Manager  99
6.1 Planning the installation  100
6.2 Installing Tivoli Compliance Insight Manager Standard Server  100
6.2.1 Installing the database engine  100
6.2.2 Installing Tivoli Compliance Insight Manager components  104
6.2.3 Enabling PDF export functionality after the installation  119
6.3 Conclusion  120

Chapter 7. Event source configuration  121
7.1 Auditing  122
7.2 Enabling and configuring auditing  124
7.2.1 Auditing settings for the Windows Security log  124
7.2.2 Active Directory audit policy settings  125
7.2.3 File server settings: object access auditing  129
7.3 Configuring the new Windows event sources  133
7.3.1 Create the GEM database  134
7.3.2 Create system group and add Windows machines  134
7.3.3 Add event sources  141
7.4 Installing Actuator on a target machine  147
7.5 Configuring our Audit policy (W7 groups and rules)  156
7.5.1 Adding User Information Sources (UIS)  157
7.5.2 Configuring a new policy with W7 rules  165
7.5.3 Load the database  182
7.6 Conclusion  190

Chapter 8. Report generation  191
8.1 Reporting portal  192
8.2 iView: the reporting application  193
8.2.1 The enterprise overview  195
8.2.2 The trend graphic  196
8.2.3 Database overview  197
8.2.4 Policy exceptions  198
8.2.5 Special attentions  201
8.3 Standard reports  204
8.3.1 Configuration Tools Report  205
8.3.2 Daily verification reports  206
8.4 Conclusion  209

Appendix A. Statement of Work  211
Environment analysis service  212
Executive summary  212
Assessment for the Statement of Work  212
Project scope  214
Key assumptions  215
IBM responsibilities  215
Customer responsibilities  217
Deliverables  218
Completion criteria  219
Estimated schedule  219
Charges  219
Additional terms and conditions  219

Glossary  221

Related publications  233
IBM Redbooks publications  233
Other publications  233
Online resources  234
How to get IBM Redbooks publications  235
Help from IBM  235

Index  237
Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: AIX®, DB2®, IBM®, iSeries®, PartnerWorld®, RACF®, Redbooks®, Redbooks (logo)®, Tivoli®

The following terms are trademarks of other companies:

Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation and/or its affiliates.

Snapshot, and the Network Appliance logo are trademarks or registered trademarks of Network Appliance, Inc. in the U.S. and other countries.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

Java, Solaris, Sun, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Active Directory, Excel, Internet Explorer, Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Pentium, Pentium 4, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.
Preface

In order to comply with government and industry regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley, and COBIT, enterprises have to constantly detect, validate, and report unauthorized change and out-of-compliance actions on their IT infrastructure. The Tivoli® Compliance Insight Manager solution allows organizations to improve the security of their information systems by capturing comprehensive log data, correlating this data through sophisticated log interpretation and normalization, and communicating results through a dashboard and a full set of audit and compliance reports.

We discuss the business context of security audit and compliance software for organizations, and we show a typical deployment within a business scenario.

This IBM® Redbooks® publication is a valuable resource for security officers, administrators, and architects who wish to understand and deploy a centralized security audit and compliance solution.

The team that wrote this book

This book was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center.

Axel Buecker is a Certified Consulting Software IT Specialist at the International Technical Support Organization, Austin Center. He writes extensively and teaches IBM classes worldwide on areas of Software Security Architecture and Network Computing Technologies. He holds a degree in computer science from the University of Bremen, Germany. He has 21 years of experience in a variety of areas related to Workstation and Systems Management, Network Computing, and e-business Solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture.

Ann-Louise Blair is a Software Engineer in the IBM Australia Development Laboratory. She has four years of experience working in the IT industry and holds a Bachelor of Software Engineering (Hons 1) degree from the University of Queensland. Having worked in both testing and development roles in the Gold Coast Integration Factory team, Ann-Louise has gained expertise working with many Tivoli software products. Her main focus for the past two years has been developing data integration solutions using IBM Tivoli Directory Integrator.
Franc Cervan is an Advisory IT Security Specialist from IBM Slovenia. He holds a degree in electrical engineering and is also ITIL® certified. He has over 10 years of experience in security and systems management solutions. Since 2003 he has been part of the IBM Software Group as a Tivoli Technical Sales Specialist for the SEA region. His areas of expertise are Tivoli Security and Automation products.

Dr. Werner Filip is a professor at the Department of Computer Science and Engineering at the University of Applied Sciences Frankfurt am Main, Germany, and a Consultant in IT Security. His primary research interests are Systems and Network Management and Applied Security. Prior to joining the University of Applied Sciences Frankfurt, he worked for 25 years for IBM in various positions, and spent his last 10 years with IBM as a Consultant in Systems and Network Management at the former IBM European Networking Center, Germany. He received a diploma in Mathematics and a Doctorate in Computer Science from the Technical University Darmstadt, Germany.

Scott Henley is an IBM Pre-sales Senior IT Specialist. He performs pre-sales support for the IBM Tivoli Security portfolio throughout Asia Pacific. He is an expert in many IBM Tivoli Security products and in recent years has specialized in the Security Information and Event Management space. His current role at IBM is as an above-country expert for the Asia Pacific region, which means that he travels throughout the Asia and Pacific region speaking with and assisting IBM customers so that they get the best value from their investment in IBM security technologies. He is also often called upon to speak at various industry conferences on topics such as Compliance, Risk Management, and Governance. He holds a Bachelor's Degree and a Master's Degree with Distinction in Information Technology, is a CISSP, and holds numerous other industry and product certifications that he has collected throughout his almost 20 years in the IT industry.

Carsten Lorenz is a certified Senior Managing Consultant at IBM Germany. He manages security solutioning in large and complex IT infrastructure outsourcing engagements for customers throughout Europe, the Middle East, and Africa. He has more than eight years of experience in the security and compliance field, specializing in the areas of Security Management, IT Risk Assessment, Governance, and Operational Risk Management. Carsten has performed consulting engagements with IBM customers in various industries, ranging from Fortune 500 companies to SMBs. Carsten is a CISSP and a CISA, and he holds a Bachelor's Degree in European Studies from the University of Wolverhampton, UK, and a diploma in Business Science from the University of Trier, Germany.
Frank Muehlenbrock is an IBM Information Security Manager. After having supported pre-sales and services activities in Germany for Tivoli Security Compliance Manager, he has specialized in recent years in implementing, managing, and maintaining security policies, standards, and guidelines. In his current role, he manages Information Security for a large global outsourcing customer of IBM that has a presence in EMEA and North America. Frank studied Information Management at the Fachhochschule Reutlingen, Germany. He is an accredited Security Architect and also holds a Certified Information Security Manager (CISM) certification. He also holds several other industry certifications, which he achieved during his 20 years of experience in the information technology industry.

Rudy Tan is a Senior IT Specialist and works as a technical course developer in the IBM Tivoli Lab in Delft, Netherlands. He has 15 years of experience in the IT industry with a focus on security. In the past 10 years, Rudy has worked at Consul as a Tivoli Compliance Insight Manager developer, consultant, and trainer.

Figure 1 From left, Werner, Axel, Ann-Louise, Franc, Scott, Rudy, Carsten, and Frank

Besides working on this IBM Redbooks publication, this great team also developed the Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager, SG24-7530.
Thanks to the following people for their contributions to this project:

Wade Wallace
International Technical Support Organization, Austin Center

Nick Briers, Koos Lodewijkx, Dimple Ahluwalia, Jose Amado, Bart Bruijnesteijn, Philip Jackson, Sujit Mohanty, Erica Wazewski
IBM

Become a published author

Join us for a two- to six-week residency program! Help write a book dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You will have the opportunity to team with IBM technical professionals, Business Partners, and Clients.

Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you will develop a network of contacts in IBM development labs, and increase your productivity and marketability.

Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us! We want our books to be as helpful as possible. Send us your comments about this book or other IBM Redbooks publications in one of the following ways:

Use the online Contact us review book form found at: ibm.com/redbooks

Send your comments in an e-mail to: redbooks@us.ibm.com

Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HYTD Mail Station P099, 2455 South Road, Poughkeepsie, NY 12601-5400
Part 1. Architecture and design

In this part, we discuss the overall business context for security compliance management of IT systems and explain the general business requirements for a security compliance management solution. In addition, we provide an understanding of the high-level product architecture of Tivoli Compliance Insight Manager. Finally, we describe the skills, resources, and everything else you need to consider and provide in order to make a Tivoli Compliance Insight Manager services project successful.
Chapter 1. Business context

In this chapter, we discuss the overall business context for security compliance management of IT systems. After a short definition of the necessary terms, we describe the factors that influence why and how compliance management should be conducted in a given business context. Further, we explain the general business requirements for a security compliance management solution.
1.1 Introduction to compliance management

Compliance management is the process of ensuring that an organization operates in accordance with expectations. The expectations are formalized as requirements in policies and can include requirements derived from external laws and regulations (like country-specific data privacy laws, such as Sarbanes-Oxley [1], or Basel II [2]) and from the individual mission statement of an organization (like ethical behavior or business conduct guidelines).

Information security defines the level of protection for the information assets of an organization and summarizes all activities around the security controls applied in order to achieve a desired level of confidentiality, integrity, and availability of information assets. In a best practice approach, the desired level is derived by determining the balance between the risks resulting from compromised information security and the benefit aligned with the information asset. It is a good business practice to minimize the security risk to information in proportion to the importance of such information to the business.

Security controls are usually defined in a security policy framework. A security policy framework is organized hierarchically, starting with a top-level organizational security policy, which is directly derived from the business context, defines the requirements rather broadly, and leaves room for interpretation. The next level consists of refining policies per business unit or department to implement the top-level policy. Depending on the size of an organization, there might be several layers of security policies with increasing precision from top to bottom. At one point, the policies start to define technology requirements at a high level and are often referred to as security standards. Again, there can be multiple levels of standards. Besides these standards about security requirements in technical terms, you can find security procedures and security practices describing process details and work instructions to implement the security requirements.

The benefit of a policy framework is the reduction of interpretation to a minimum, the translation of broad business directions into corresponding work instructions for processes and technical settings for systems, and the provision of extensive editable records about the management direction for information security.

[1] The Sarbanes-Oxley Act was established in 2002, as a result of corporate scandals (for example, Enron and Worldcom) about incorrect financial reporting, and aims to protect stakeholders from huge losses and to prevent future shocks to confidence in the financial system in the USA. Since July 2006, the law applies to all companies listed on the US stock exchanges, including international or foreign companies. To learn more, go to http://www.soxlaw.com/.

[2] Basel II is an accord issued by the Basel Committee on Banking Supervision that summarizes recommendations about banking laws and regulations with the intent to harmonize banking regulation worldwide. This second accord introduces matters concerning Operational Risk, which again includes risks in the area of technology, processes, and people. To learn more, go to http://www.bis.org/publ/bcbsca.htm.
Bringing both definitions together, security compliance is understood as the process that ensures that the operations of an organization meet the requirements defined in the security policies, which in turn consolidate legal and regulatory obligations and management direction. Compliance management requires the ability to identify compliance criteria and to assess, analyze, consolidate, and report on the previous, the current, and the expected compliance status of security controls.

Security controls exist on an organizational, process, and technical level:

- An organizational level security control can be a concept like separation of duties, for example, ensuring that the person changing something is not the same person controlling the business need and the proper execution of the change. This type of security control may require an organizational setup where those two employees report to different managers.
- A process level security control can be a concept like the four eyes principle, where a specific authorization requires two signatures (or passwords) to be presented before a transaction can be completed. As a result, this process step would always require two employees to be available for execution.
- A simple technical security control can be a required length for a password or specific permissions that are defined for accessing an operating system resource or business data. Operating systems and applications provide configuration settings that allow the administrator to specify minimum password lengths so that the system itself can enforce this control.
- A more complex technical security control can be the requirement to run an antivirus service (with up-to-date virus definition files, of course!) on a computer system, or a correctly configured port filter.

Technical security controls are the easiest to monitor, as computer systems save audit trails and configuration files, which can be checked for the fulfillment of requirements.
Security controls on the organizational and the process level (especially when process steps are not performed with the help of technology) are harder to check and to control, as they are less persistent, audit trails are not created automatically, and audit trails can be manipulated more easily.

1.2 Business drivers for compliance management

While the traditional factors of production are defined as natural resources, capital goods, and labor, today’s economy relies on information as a fourth factor of production. Due to the large amount, frequent update, and fast aging of information, most businesses today rely heavily on their information technology to make better use of information. Information has become so critical that damage to this information can force a company out of business, for example, by
reduced availability caused by downtime of the systems processing this information. The protection of information and of the technology used to process it has become essential, and compliance management of companies focuses to a significant extent on the compliance of the underlying information technology.

Compliance management today is driven by multiple initiatives:

- Compliance with commercial laws and industry regulation: Compliance management can be externally driven to keep up with the changing global regulatory and business environment. This requires ongoing audit capabilities. Regulations which translate into security control requirements are, for example, data privacy laws (applicable to any organization dealing with personally identifiable information), Basel II (for organizations providing financial services), HIPAA [3] (for organizations involved in activities with a potential impact on public health and hygiene), and PCI [4] (for organizations processing credit card information).
- Compliance with defined performance and efficiency targets: Compliance management can be internally driven by the intent of organizations to stay in business and be profitable. Driven by the fact that compliance requirements must be fulfilled in order to meet legal and regulatory obligations, companies want to maximize the benefits of compliance management by also using the process to identify not only risks, but also opportunities to increase efficiency, which ultimately can lead to competitive advantage.

Note: Customers are responsible for ensuring their own compliance with various laws and regulations such as those mentioned above. It is the customers’ sole responsibility to obtain the advice of competent legal counsel regarding the identification and interpretation of any relevant laws that may affect the customer’s business and any actions the customer may need to take to comply with such laws.
IBM does not provide legal, accounting, or auditing advice, or represent that its products or services ensure that the customer is in compliance with any law.

[3] For more information about HIPAA, go to http://www.hhs.gov/ocr/hipaa/.
[4] For more information about PCI, go to https://www.pcisecuritystandards.org/.

The trend to use compliance management beyond its initial purpose is reflected in some of the regulations. For example, in Basel II, the excellence of risk management for IT systems, which is part of the operational risk complex, has an impact on the competitive advantage of banks. The level of excellence determines how much money a bank can use to provide credit to its customers and how much it has to keep in reserve to cover risks, which in turn affects the interest rates a bank can offer its customers. So today, even the external
regulation itself develops further from a basic approach of compliance versus non-compliance towards approaches in the area of control versus non-compliance, where compliance is the highest level of control possible.

Note: Being compliant versus being in control

If you have ever been audited (or audited someone), you probably know that there is a difference between being:

- In compliance: All your systems and processes are operated and delivered according to the security policies and standards (and you have evidence for compliance).
- In control: You know what is in compliance and what is not, you know why, and you have a plan of action (and you have evidence for control).

Now, what is more important? Being in control is, because you could be in compliance by accident. Further, if you are compliant but not in control, chances are high that you will not stay compliant for very long. If you are in control, you will end up being compliant eventually, or at least you will have it on record why you are not compliant. And if you are not compliant and not in control, gaining control should be your primary goal. This is the reason why regulations shift more and more from compliance to control objectives.

Most organizations do not stop after they have met the basic principles set out in their policies, as they want to understand how efficiently this level of compliance was achieved or even exceeded. Customers also want to identify indicators about how stable and consistent the current compliance achievement is and whether the state of compliance can be maintained.
1.3 Criteria of a compliance management solution

While having security compliance management in place is generally a good security practice, there are several factors that influence if and how compliance management is implemented in a specific environment. Let us take a look at the main dimensions of compliance management:

- Selection of security controls: This is the intention to check technical security controls and security controls in processes and on the organizational level.
- Spot check versus duration check: This is the intention to check the security configuration of systems, of network devices, and of applications at any given point in time (or at multiple points in time), or the intention to monitor, over a period of time, the behavior that might cause a non-compliant configuration (and maybe even to prevent this result, if the behavior is analyzed early enough to counteract it).
- Number of security controls: This defines which and how many security controls are checked. Do you only check security settings in configuration files, or do you check log entries as well? Do you check only operating system level controls, or are application level controls checked as well? Which operating systems, middleware, and business applications need to be supported?
- Frequency of checks: This defines how often a compliance check is performed. This not only defines how often the configuration settings are collected from the environment, but also the frequency with which system administrators are called upon to fix or investigate identified deviations.
- Follow-up time frame: This defines how fast reported deviations must be fixed.
- Scope of compliance checking: This defines which business processes and their supporting IT systems are required to be checked for compliance and what level of control is required for these IT systems. As security is always concerned about the weakest link, related infrastructure systems need to be included as well.
- Level and depth of reporting: This concerns organizations having to fulfill obligatory external reporting requirements as well as individual reporting to fulfill needs inside the organization, for example, towards the board of directors, internal accounting, the security operations management, or even towards specific
compliance-related projects. The reporting can differ in detail and range from reporting technical details to highly aggregated business level reporting. Also, the reporting can be discrete, for example, on a predefined time frame, or continuous (despite the checks still being performed non-continuously). The latter is often referred to as a dashboard.
- Level of automation: This concerns whether a compliance management solution relies on automated checks, which require higher investments in technology, or on manual checks, which require more human effort and skills, or on a combination of both. Also, the level of automation can be limited by technological limitations, for example, compliance tools not supporting every system that should be checked for compliance, or the system itself not providing enough functionality to report on its compliance.

The key dimensions listed above can be derived by considering the following secondary factors:

- Business environment of the organization: Is corporate espionage or other business crime an issue? Does the company use outsourcing services? How dependent is the business on its IT systems?
- Regulatory and legal obligations: In which industry is the business operating? In which countries is the business operating? Which laws and regulatory requirements exist in each country for this industry that influence information security? What level of scrutiny is exercised by the regulators?

Note: It is useful to keep in mind that a security compliance management system can provide a lot of evidence about the level of executive control.

- Organizational complexity: The size and setup of the organization influence the speed of the reaction to deviations from the desired security level. Furthermore, they have a significant impact on the requirements for an IT security compliance management solution, such as the administration approach.
- Technological complexity: Obviously, the existing IT environment defines the scope of the operating systems, middleware, and business applications that need to be supported by any IT security compliance management solution. Also, the level of standardization, centralization, and consolidation has a significant influence on the IT security compliance management solution.
- Security policy framework maturity: Mature businesses have shaped the existing security policies and standards, as well as work practices and procedures, from the policy level. This defines the general security control requirements and the standard level, which provides platform-specific security settings that meet the security control requirements on a given platform, as well as descriptions of how to implement the standards and how to deal with situations where the standard cannot be applied due to specific technical requirements of a given system.

1.4 Recent challenges for compliance management

Even if the goal for security compliance is clear, defined by precise policies and standards, the task of compliance management for a larger number of systems has the following major challenges, in addition to the requirements resulting from the factors discussed above:

- Maintenance of compliance over time: Even in a stable environment, systems are constantly changed because patches must be applied, updates must be installed, or additional packages require a change in the configuration of the underlying operating environment. Also, the ever increasing requirements of regulations require companies to keep up with these changes in order to retain compliance.
- Complexity of the environment: Few businesses can claim that their environment is homogeneous and centralized. Heterogeneous, geographically distributed systems in large numbers are the norm, with not only systems from multiple vendors, but also several different versions of operating systems running at the same time. Complexity is growing, and today’s more complex applications and moves toward service-oriented architectures (SOA) take operations management to new levels of complexity.
- Complexity of the compliance criteria: Checking the security controls of managed systems ensures that a system does not degrade in its security controls posture due to changes made on the system after it has been installed.
For example, changes made while resolving a problem, while installing or upgrading a new application or middleware, or due to an attacker changing the configuration to hide his tracks or to compromise the system.
- Performance efficiency and cost pressure: Organizations always try to do more with less. As compliance is a matter of quality, there is a requirement for compliance to be delivered at lower cost. As labor costs are considered one of the major operating expenses for organizations, the aim is to automate compliance management as much as possible.

Organizations want to evolve from traditional compliance checking, which focuses on collecting the compliance status information at a given point in time, towards controlling the non-compliant events at any point in time:

- Organizations want to be able to react to indicators that suggest a future status of non-compliance.
- Organizations want to identify what causes a status of non-compliance in order to avoid it in the future.

In order to achieve both goals, organizations extend the scope of compliance checking from the technical configurations of the operating environment towards the behavior of the actors in this environment, including, or even especially, the users and administrators. It is not the IT systems that choose to become noncompliant over time; it is the actions of people that can cause noncompliance accidentally or on purpose. Shifting the focus from the resulting status to evoking proactive behavior puts the focus closer to the root cause.

1.5 Conclusion

As a result of the influencing factors discussed above, a security compliance management solution must provide a flexible yet comprehensive framework that can be configured and customized to the specific organization in question and that takes a holistic approach to collecting and controlling the information security compliance of an organization. Such business requirements for compliance management set the boundaries for the functional and non-functional requirements of a technical compliance management solution.
The increased pressure on organizations to demonstrate better control and compliance, and the ever-increasing complexity of the business and the technical environment, demand integrated and automated solutions for compliance management in order to prevent the organization from spending more time on managing compliance than on its primary objectives.
The rest of this book discusses the implementation of such an automated solution based on IBM Tivoli Compliance Insight Manager.
Chapter 2. Architecture and component structure

In this chapter, we introduce the high-level components and new concepts for the design of a compliance management solution using Tivoli Compliance Insight Manager. We provide you with an understanding of the high-level product architecture of Tivoli Compliance Insight Manager. We describe the role of each of the components within the Tivoli Compliance Insight Manager environment and the internal processes that occur to achieve centralized logging and compliance auditing. The final section of the chapter describes the W7LogSDK toolkit, which can be used for extra flexibility in customizing your Tivoli Compliance Insight Manager deployment.

© Copyright IBM Corp. 2008. All rights reserved.
2.1 Product overview

Tivoli Compliance Insight Manager helps organizations meet audit and logging requirements. It provides reliable, verifiable log data collection and centralizes security log data from heterogeneous sources. Log data is analyzed and compared with the security policy, and if suspicious activities are detected, Tivoli Compliance Insight Manager can automatically trigger the appropriate actions and alerts. Tivoli Compliance Insight Manager has the ability to archive normalized log data for forensic review and to provide consolidated viewing and reporting through a central dashboard. It also provides specific forensic capabilities for searching and retrieving the original log data.

Tivoli Compliance Insight Manager uses the Generic Event Model (GEM) and the W7 language to consolidate, normalize, and analyze vast amounts of user and system activity. These models are discussed in further detail in “The W7 model” on page 35.

Tivoli Compliance Insight Manager is able to deliver alerts and reports on who touched what information and how those actions may violate external regulations or internal security policies. By revealing who touched what within the organization and comparing that activity to an established internal policy or external regulation defining appropriate use, security specialists can successfully implement the first layer of defense for information protection, thereby accelerating compliance efforts.

2.2 Product architecture

The Tivoli Compliance Insight Manager environment includes a number of key components:

- Enterprise Server
- Standard Server
- Actuators
- Management Console
- Web Portal (iView)

Figure 2-1 on page 15 illustrates the high-level Tivoli Compliance Insight Manager product architecture.
[Figure 2-1 Tivoli Compliance Insight Manager architecture (diagram). Server-side functions shown: collection of audit trails and of user information, normalization of audit trails, archiving of audit trails and security policies, preparation of reports, alerts and e-mail notification, overall compliance checking, consolidation of statistics from multiple databases, forensic search indexing, and administration of log archives. Management Console functions shown: Tivoli Compliance Insight Manager network configuration, configuration of data for report preparation, alert and e-mail notification configuration, log management configuration, security policy violation definition, policy management using Policy Generator, Tivoli Compliance Insight Manager user management, and scoping. Web Portal: report viewing (compliance, event detail, forensic search).]

This section describes each of these components in the Tivoli Compliance Insight Manager environment.
Note on naming: This IBM Redbooks publication covers Tivoli Compliance Insight Manager V8.0. But when you look at the product manuals for this release, you will not be able to locate the terms Standard Server and Enterprise Server. What is happening in this situation? In the coming releases of Tivoli Compliance Insight Manager, IBM Tivoli is renaming the terms that are currently used in the product with the ones that are being used in this book—and a new release is not far out. This is why we decided to already use the new terms in our architecture discussion. These terms can be mapped as follows:

- Enterprise Server: Primary Server (in the manual)
- Standard Server: Expansion Server (in the manual)

2.2.1 Tivoli Compliance Insight Manager cluster

An operational Tivoli Compliance Insight Manager cluster configuration is comprised of one Enterprise Server and one or more Standard Servers. The sections that follow outline the major functional capabilities of each of these servers.

2.2.2 Tivoli Compliance Insight Manager Enterprise Server

The Tivoli Compliance Insight Manager Enterprise Server is a Windows®-based server that provides centralized log management and forensic functions, allowing these features to operate across multiple Tivoli Compliance Insight Manager Standard Servers. As a general guide, we recommend monitoring up to three Standard Servers per Enterprise Server.

Centralized log management

As shown in Figure 2-2 on page 17, the Enterprise Server offers consolidated log management facilities over all connected Tivoli Compliance Insight Manager Standard Servers. From one Enterprise Server, you can get a consolidated view of log collections and log continuity. This simplifies the management of a Tivoli Compliance Insight Manager cluster, reducing your operational impact as well as providing a single view for auditors to examine the complete log history.
Finally, the centralized management feature provides a point of access to query and download the original log data collected by Standard Servers.
Figure 2-2 A Tivoli Compliance Insight Manager cluster environment

Centralized forensics

The Enterprise Server also provides forensic search capabilities. The Enterprise Server allows you to search the archived logs for evidence without using the GEM and W7 tools. Sometimes you may want to look for the raw traces without going through the report preparation process.

Note: The GEM and W7 tools are used by Tivoli Compliance Insight Manager for mapping and loading the data. They are described in detail in 2.3.2, “Mapping and loading” on page 33.
2.2.3 Tivoli Compliance Insight Manager Standard Server

Tivoli Compliance Insight Manager uses a centralized Windows-based server, called the Standard Server, as the heart of its security audit and compliance system. The Standard Server performs the following main functions:

- Collects security logs from the audited event sources.
- Archives the logs.
- Normalizes the event data and loads it into the reporting databases.
- Sends e-mail alerts when a high severity event is detected.
- Creates reports.

The security status of the audited systems can be viewed through the Web-based reporting application called iView. iView is described in 2.2.6, “iView Web portal” on page 20.

Another main component of the Tivoli Compliance Insight Manager system is the Management Console, which is used to manage and configure the system. Each Standard Server has its own configuration database, managed by the Management Console. The Management Console is described further in 2.2.5, “Management Console” on page 19.

To exchange information between its components, Tivoli Compliance Insight Manager uses a virtual private network consisting of agents that maintain encrypted communication channels. This network runs on the TCP/IP layer of the existing organizational network.

2.2.4 Actuators

Depending on the platform, Actuator software is installed on audited systems as a service or daemon. Each Actuator consists of an Agent and numerous Actuator scripts. The Agent is responsible for maintaining a secure link with the Agents running on the Tivoli Compliance Insight Manager Server and other audited systems. The Actuator scripts are invoked by the Agent (at the request of the Tivoli Compliance Insight Manager Server) to collect the log for a particular event source. There is a different script for every supported event type. The Actuator is depicted in Figure 2-3 on page 19.
[Figure 2-3 Actuator software: a diagram of an Actuator, consisting of an Agent and the Actuator Scripts]

The Actuator software can be installed locally on the target system or remotely. We describe the log collection process in “Data collection using Actuators” on page 26.

2.2.5 Management Console

The Management Console is responsible for the configuration and management of the Enterprise Server and the Standard Server(s). The Management Console can operate locally or in a distributed manner, as shown in Figure 2-4 on page 20. All that is required for remote operation, apart from the Management Console itself, is a local Point of Presence with which it can communicate.

Note: A system that has a Tivoli Compliance Insight Manager Actuator installed is referred to as a Point of Presence. “Data collection using Actuators” on page 26 describes this concept in more detail.
Figure 2-4 Management Console component overview

You can use the Management Console to perform numerous tasks related to the configuration and management of the Tivoli Compliance Insight Manager servers:

- Activate the Agents and have them collect audit trails from different platforms.
- Define the security policy and attention rules.
- Define users and their access rights.
- Start the preparation of the reports.

All the actions on the Management Console are performed by the Tivoli Compliance Insight Manager server. You can think of the Management Console as the user interface for the Tivoli Compliance Insight Manager server. After the reports have been prepared by the server, a Tivoli Compliance Insight Manager user may generate the specific reports using the iView component.

2.2.6 iView Web portal

The events found in the logs are normalized and stored in databases. The data in the databases is available for further investigation through the Web-based tool called iView. iView is a reporting application that Tivoli Compliance Insight Manager administrators can use to generate specific reports on compliance level and policy violations. It uses an HTTP server that authorizes users to view reports through their Web browser.
2.2.7 Databases

Tivoli Compliance Insight Manager supports and maintains a set of embedded databases. These databases store the audit data from security logs and other sources of event information, for example, Syslog. In the flow from collection to archive, audit data is indexed and normalized to facilitate analysis, forensics, information retrieval, and reporting. An embedded database is also used to store configuration information about the Tivoli Compliance Insight Manager environment itself.

Storing security audit data

Tivoli Compliance Insight Manager uses a file system based log repository as a collection depot for the original security logs, and the embedded databases to store normalized audit data, aggregated data, and consolidated data.

Depot

Collected logs are stored in the log Depot, which is a compressed, online, file system based log repository.

Reporting database

Data that has been mapped into the W7 format is stored in an instance of an embedded database. These reporting databases are also known as GEM databases. They are periodically emptied and then filled with more recent data. Typically, this refresh cycle runs on a daily schedule, meaning that the data from the previous period is present and available for analysis and reporting. Data from a Depot can also be mapped and manually loaded into the reporting database for processing.

Aggregation database

The aggregation process takes a large number of individual events and consolidates them into a more manageable set of information. In addition, the aggregation process creates statistical data that can be used to provide management level trending data, charts, and reports. It takes multiple events that have a relationship and consolidates them into a single event. The aggregation process involves two key operations:

- A statistical database of events, exceptions, failures, and attentions is created. The events are used to generate management charts, reports, and trending information.
For example, users can report on policy exception trends over a selected time period.
- It copies across the exceptions and attentions from the scheduled loads for each database that is configured. This provides the user with significant forensic capability. With these events in the same database as the statistical events, it is possible to perform drill-down operations into the data for forensics, trending, and analysis.

Aggregation is performed as part of the normal scheduled load processing. After a successful scheduled load, aggregation is performed for each reporting database. Aggregation vastly reduces the amount of event information that needs to be online, and allows users to have an organization-wide view of security events through iView (the Tivoli Compliance Insight Manager dashboard). Additionally, these aggregated statistics are used to provide long-term trending information and are typically held for several years (dictated by local or statutory requirements). This is highly valuable data and provides a historical database of an organization’s performance against defined security policies and regulations.

Consolidation database

The consolidation database consolidates all the aggregation databases in a Tivoli Compliance Insight Manager cluster. This provides an overall view of all servers in the cluster for trending and statistical purposes.

Tivoli Compliance Insight Manager configuration data

The configuration data for the Tivoli Compliance Insight Manager environment itself is also stored in embedded databases known as Configuration Databases.

Configuration Database

The Configuration Database for each Standard Server is managed through the Management Console. Each Configuration Database includes information such as the Actuator configuration, collect schedules, location of audit log data, available GEM databases, the list of audited machines, and so on.

2.2.8 Component architecture

All of the components of Tivoli Compliance Insight Manager that have been outlined so far work together to create a compliance management solution.
Each of the different components interacts with the others, and a number of processes are performed by each of them. Figure 2-5 on page 23 encapsulates the key components and processes in the Tivoli Compliance Insight Manager environment. Each of the components and the role that it plays in the Tivoli Compliance Insight Manager environment is discussed in further detail throughout the remainder of the chapter.
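The two aggregation operations described in 2.2.7 (a statistical table of events, exceptions, failures and attentions, plus retention of the exceptions and attentions for drill-down), together with the cluster-wide consolidation of several servers' statistics, as an added Python example that is not product code. The W7-style event fields, the outcome labels and the one-hour grouping key for related events are assumptions made for the example.

```python
"""Aggregation and consolidation of normalized events (added example, not product code).

Assumptions (not from the book): a normalized event carries W7-style fields
(who, what, onwhat, where) plus a timestamp and an outcome label assigned by
policy evaluation: "event", "exception", "failure" or "attention". Related
events are those sharing who/what/onwhat/where/outcome within one hour.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    when: datetime
    who: str       # acting user
    what: str      # action taken
    onwhat: str    # object acted upon
    where: str     # audited system the log came from
    outcome: str   # "event", "exception", "failure" or "attention"


@dataclass
class Aggregation:
    # (day, where, outcome) -> number of events: feeds charts and trend reports
    stats: Counter = field(default_factory=Counter)
    # related events collapsed to one record carrying a count
    summarized: Dict[Tuple[str, ...], int] = field(default_factory=dict)
    # exceptions and attentions kept verbatim so reports can drill down to them
    retained: List[Event] = field(default_factory=list)


def aggregate(events: Iterable[Event]) -> Aggregation:
    """Run both aggregation operations over the events of one reporting database."""
    agg = Aggregation()
    for e in events:
        day = e.when.strftime("%Y-%m-%d")
        agg.stats[(day, e.where, e.outcome)] += 1
        key = (e.when.strftime("%Y-%m-%d %H"), e.who, e.what, e.onwhat, e.where, e.outcome)
        agg.summarized[key] = agg.summarized.get(key, 0) + 1
        if e.outcome in ("exception", "attention"):
            agg.retained.append(e)
    return agg


def exception_trend(agg: Aggregation, start_day: str, end_day: str) -> Dict[str, int]:
    """Daily count of policy exceptions over a selected period (all systems combined)."""
    trend: Dict[str, int] = {}
    for (day, _where, outcome), n in agg.stats.items():
        if outcome == "exception" and start_day <= day <= end_day:
            trend[day] = trend.get(day, 0) + n
    return dict(sorted(trend.items()))


def consolidate(aggs: Iterable[Aggregation]) -> Counter:
    """Cluster-wide view: the statistics of several servers summed into one table."""
    total: Counter = Counter()
    for a in aggs:
        total.update(a.stats)
    return total


def _at(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2008, 2, day, hour, minute)


# Constructed sample: the normalized events of two Standard Servers.
SERVER_A_EVENTS = [
    Event(_at(1, 8), "alice", "logon", "console", "srv01", "event"),
    Event(_at(1, 8, 5), "bob", "logon", "console", "srv01", "failure"),
    Event(_at(1, 8, 6), "bob", "logon", "console", "srv01", "failure"),
    Event(_at(1, 8, 7), "bob", "logon", "console", "srv01", "failure"),
    Event(_at(1, 9), "carol", "read", "/payroll/salaries.xls", "srv01", "exception"),
    Event(_at(2, 10), "carol", "read", "/payroll/salaries.xls", "srv01", "exception"),
    Event(_at(2, 11), "admin", "modify", "audit-policy", "srv01", "attention"),
]
SERVER_B_EVENTS = [
    Event(_at(1, 12), "dave", "select", "CUSTOMERS", "db01", "event"),
    Event(_at(2, 12, 30), "dave", "drop", "ORDERS", "db01", "exception"),
]


if __name__ == "__main__":
    a, b = aggregate(SERVER_A_EVENTS), aggregate(SERVER_B_EVENTS)
    print("exception trend:", exception_trend(a, "2008-02-01", "2008-02-02"))
    print("cluster statistics:", consolidate([a, b]))
```

The three failed logons by bob collapse into one summarized record with a count of 3, while the two exceptions and the attention are kept as full events for drill-down.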
Figure 2-5 Tivoli Compliance Insight Manager architecture

2.3 Product processes

The Tivoli Compliance Insight Manager product runs several automated processes. Together, these processes provide a complete solution, from collecting and analyzing logs to reporting and auditing activities for compliance.

Event data is retrieved from the audited systems through a process called collect. It is then stored on the Standard Server in the Depot. For analysis, the data is taken from the Depot and normalized into a data model called the General Event Model (GEM). This process is called mapping. Subsequently, the mapped data is loaded into a reporting database called a GEM database.
Data and statistics spanning a longer period are maintained by a process called aggregation. The aggregation process builds a special database, called the aggregation database, from which trends and summaries can be extracted.

In order to check and investigate the information security status, the Tivoli Compliance Insight Manager system offers a large number of reports. These are produced on request by a Web-based application called iView. It can be used to view GEM databases as well as the aggregation database.

Figure 2-6 shows the key processes performed by a Tivoli Compliance Insight Manager server. A Tivoli Compliance Insight Manager Enterprise Server also performs two extra processes, namely indexing and consolidation.

Figure 2-6 Tivoli Compliance Insight Manager key processes flowchart

These key processes are described in further detail in this section.
2.3.1 Collection

Collection is the process of centralizing event data by retrieving it from the audited machines and applications and archiving it in the Depot, the central storage repository for log data on the Tivoli Compliance Insight Manager Server. The reliable, verifiable collection of original log data is a key part of the process required for compliance.

Through Tivoli Compliance Insight Manager, you can automate the collection process from your audited machines. Security audit data is collected in its native form, transferred securely from the target, and stored in the server's Depot in the form of a chunk. The term chunk refers to a set of compressed logs and is the unit of collection in Tivoli Compliance Insight Manager.

The Depot supports the consolidation function of Tivoli Compliance Insight Manager, and data remains there until it is explicitly backed up and removed. This way, log data is preserved for forensic analysis and investigations.

Tivoli Compliance Insight Manager provides a set of tools to verify that the collection process is operating and to detect whether collection failures have occurred. Tivoli Compliance Insight Manager alerts selected administrators if a collection failure occurs, so that immediate action can be taken to prevent possible loss of log data. Tivoli Compliance Insight Manager provides specific reporting for administrators and auditors to verify that collections are occurring on schedule without problems. It also allows you to verify that there is a continuous collection of logs available.

Tivoli Compliance Insight Manager can send alerts if the event data indicates there is cause for concern and further investigation is needed. Finally, it is possible to download selected logs from the Depot to a user's local machine for further analysis outside of Tivoli Compliance Insight Manager.

Methods of data collection

The most common mechanism for retrieving security log data is through a process called batch collect. A security log is created on the audited machine by the application, system, or device being audited. In general, such logs contain records of many events, which all get processed as a batch. The Tivoli Compliance Insight Manager Server initiates the collection of security logs from the audited machines. This action is either triggered by a set schedule, or manually through the Management Console. After receiving the security logs, the Tivoli Compliance Insight Manager Server archives them in the Depot.
Event data is collected using a variety of methods to establish the consolidated archive stored in the Depot. Events can be collected in numerous ways, including:

- Logs
- Syslog
- SNMP
- NetBIOS
- ODBC
- External APIs
- SSH

There are two methods of data collection:

1. Locally installed software (Actuator) on the target machine.
2. Agentless collection. This can be achieved by either:
   a. A remote Actuator installation that allows you to collect the application security log that is located on a different host machine.
   b. The Tivoli Compliance Insight Manager server acting as a Point of Presence to collect the data.

Data collection using Actuators

A typical Tivoli Compliance Insight Manager network consists of the Tivoli Compliance Insight Manager Server and a number of host machines to be audited. These host machines may be running one or more applications, each of which can be audited by the Tivoli Compliance Insight Manager Server. These host machines are often referred to as the audited systems.

The Tivoli Compliance Insight Manager Actuator is comprised of Agent software and numerous Actuator scripts. Refer to Figure 2-3 on page 19 for a graphical representation of this architecture. The Actuator is used to facilitate the data collection process. The server where the Actuator is installed is referred to as a Point of Presence (POP). It can collect and forward security logs for the operating system, applications, databases, or devices on which it is installed.

Every application that generates security audit log data is referred to as an event source. Each event source that is monitored has an associated Actuator. For example, the security log on a Sun™ Solaris™ server is collected by the Actuator for the Solaris event source. The same server running Oracle® could use the same Actuator to collect and monitor the Oracle security log. There is a different Actuator script for every supported type of event, so the Actuator can process logs for several different event sources. In this example scenario, the Actuator is collecting the logs from two event sources, namely "Solaris" and "Oracle for Solaris".

The Agent listens continuously on a reserved port for collect requests issued by the Tivoli Compliance Insight Manager server. When a request is received, the Agent invokes the appropriate script to gather the logs. After the Actuator has collected the security audit log for a particular event source, the Agent compresses and transfers the logs to the centralized Depot. The Agent maintains an encrypted channel for all communication between the target machine and the Tivoli Compliance Insight Manager server. That is, it provides a secure and guaranteed transmission service.

Note:
1. The audited system often acts as the target system for event sources.
2. With regard to audit configurations, the audited system and the target system can be described as the audited system, a system on which the audited instance of the event source is hosted.
3. The Tivoli Compliance Insight Manager server can act as a Point of Presence in some configurations. If this is the case, no Actuator needs to be installed, because it is already included in the server installation. Otherwise, an Actuator corresponding to the operating system running on the Point of Presence needs to be installed.

For the examples throughout the remainder of this chapter, in the event that the audited systems also act as the target systems for the Tivoli Compliance Insight Manager server to access the audit trail, the term audited system will be used.
Agent collection mechanism

Figure 2-7 illustrates the steps involved in collecting data from an audited system.

Figure 2-7 Agent data collection method

Note that:

1. The collection schedule is automatically triggered based on configured settings. Alternatively, a manual collect command is given to the Tivoli Compliance Insight Manager server through the Management Console.
2. The Tivoli Compliance Insight Manager server issues an audit trail collect command to the Actuator. This command activates the Actuator on the audited machine.
3. The appropriate Actuator script reads the security log and collects only those new records since the last collection.
4. The Actuator formats the collected records into chunk format and compresses the chunks. A chunk can contain many different log types from the audited machine.
5. The Agent reads the chunk log data.
6. The Agent securely sends the chunk data in encrypted form to the Agent on the Tivoli Compliance Insight Manager server.
7. The Agent on the server receives the chunk. The server application stores the chunk in the Depot and archives the chunks by registering them in the logmanager application and configuration database.
8. After successfully sending the chunks to the Tivoli Compliance Insight Manager server, the Actuator deletes its local copy of the chunk. In addition, on some platforms, you can also have the Actuator delete the original audit trail.

Agentless collection

Tivoli Compliance Insight Manager supports agentless collection on Windows, Novell, and UNIX® platforms. When using agentless remote collection, the picture is slightly different from agent-based collection, but the steps remain the same. This Point of Presence establishes the secure connection to the Tivoli Compliance Insight Manager server, sending all agentless collected data securely to the Depot.

Note: In the case of Windows, the agentless data collection requires one Point of Presence per domain.

Agentless collection reduces the operational impact compared to an agent-based approach. The SSH approach with UNIX provides a secure connection; the NetBIOS approach used with Windows remote collection does not provide a secure connection, due to limitations inherent to the Windows environment.
Windows agentless collection

The most common implementation of remote collection is on the Microsoft® Windows domain. To audit several machines in a domain, only one of them needs to be a Point of Presence and have an Actuator installed. Figure 2-8 shows the typical configuration used to perform an agentless collection when the audited systems are Windows machines. Be aware, however, that the agentless collection method is not supported on all event sources.

Figure 2-8 Agentless data collection over NetBIOS

Note that:

1. The collection schedule is automatically triggered based on site-specific settings. Alternatively, a manual collect command is given to the Tivoli Compliance Insight Manager server through the Management Console.
2. The Tivoli Compliance Insight Manager server issues a collect log command to the Actuator. This command activates the Actuator on the target machine.
3. The Actuator reads the security log from the remote server(s) using a NetBIOS connection, collecting only those new events since the last collection cycle.
4. The log data is processed and sent to the Depot on the Tivoli Compliance Insight Manager server.

UNIX agentless collection

Tivoli Compliance Insight Manager also supports agentless collection for UNIX servers. It uses SSH to perform the collection, so it is secure. The basic configuration for a UNIX agentless collection is shown in Figure 2-9 on page 31.

Figure 2-9 Agentless data collection over SSH

Tivoli Compliance Insight Manager uses a PuTTY client to establish the SSH connection, which needs to be appropriately configured. The UNIX server also needs to be running an SSH daemon, set up with the appropriate privileges, as per the Tivoli Compliance Insight Manager documentation.

Ubiquitous log collection

Tivoli Compliance Insight Manager can collect logs from any source. In some cases, no mapping or normalization will be available for a specific source, but indexers can be built for forensic analysis of these logs.

Tivoli offers a toolkit that shows how to configure an event source to collect arbitrary log data. This method allows the collection of log data that meets the following criteria:

- File based
- Record oriented
- Text

You can refer to the IBM Tivoli Compliance Insight Manager User Reference Guide Version 8.0, SC23-6545 for further information about how to customize ubiquitous collect event sources for forensic search and analysis.

Similar to the ubiquitous log collection, the W7LogSDK gives you the ability to collect custom log files. Furthermore, the W7LogSDK allows you to map and load the data. This toolkit is described in 2.4, "The W7LogSDK" on page 46.
IBM Services are available to assist with collecting logs from event sources that are not automatically supported by Tivoli Compliance Insight Manager.

Syslog and SNMP collect

Tivoli Compliance Insight Manager can process and analyze security events that are collected through the syslog and SNMP network logging mechanisms. The support for syslog and SNMP messages is provided either by a built-in syslog/SNMP receiver or directly from a syslog-NG server. The Tivoli Compliance Insight Manager Actuator has a built-in listening component that can be activated on any Windows Point of Presence and can receive SNMP and syslog messages. The collection of syslog messages captured by a syslog-NG server is done through a Windows POP that collects the syslog files through SSH.

Indexing and forensics

As previously mentioned, in a Tivoli Compliance Insight Manager cluster environment, you have the forensic capability for in-depth investigation into your raw log data. When a chunk is placed in the Depot, it is indexed using the specific indexer that has been configured for that event source. Indexers do not normalize the data; they only split it into fields. The fields, or terms, are indexed using a proprietary technique so the data can be easily searched using the forensic investigation user interface. You can build your own indexers using the Generic Scanning Language (GSL) Toolkit to include collected arbitrary log data in forensic investigations, or in cases where the default indexer does not provide the analysis required.

Through the user interface, you are able to search by:

- Date
- Event source
- Field within that event source

A simple query language is available that supports Boolean operators (AND, OR) and allows the grouping of terms through parentheses. The forensic tools operate over all of the Standard Servers associated with the Enterprise Server. They access the Depots through normal Windows file share protocols.
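To make the forensic path above concrete, here is an added Python example (not the product's indexer or query engine): records from a constructed chunk are split into fields without any normalization, indexed by (field, term), and searched with a small query language of field:term atoms combined with AND, OR and parentheses, optionally limited to a date range. The record layout, the field names and the query syntax are assumptions made for this illustration.

```python
"""Term index and Boolean search over raw, non-normalized log records (added
example, not the product's indexer). The record layout, field names and the
"field:term" query syntax with AND, OR and parentheses are assumptions."""
import re
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample chunk: syslog-style records, one per line.
SAMPLE_CHUNK = """\
2008-02-04 09:15:02 ws01 sshd: Accepted password for jsmith from 10.0.0.5
2008-02-04 21:30:11 ws01 sshd: Failed password for root from 10.0.0.9
2008-02-05 02:05:40 srv1 sudo: jsmith : COMMAND=/bin/su
2008-02-06 08:00:00 srv1 sshd: Accepted publickey for svc_backup from 10.0.0.7
"""
LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\S+) (?P<host>\S+) "
                     r"(?P<program>[^:]+): (?P<message>.*)$")
TERM_RE = re.compile(r"[\w./-]+")
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|[\w.]+:[\w./-]+", re.IGNORECASE)

Record = Dict[str, str]
Index = Dict[Tuple[str, str], Set[int]]

def index_chunk(text: str) -> List[Record]:
    """Split each record into fields; nothing is normalized, only split."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # a line the indexer cannot parse is skipped, never rewritten
            records.append(m.groupdict())
    return records

def build_index(records: List[Record]) -> Index:
    """Inverted index mapping (field, lower-cased term) to record ids."""
    index: Index = {}
    for rid, rec in enumerate(records):
        for fld, value in rec.items():
            for term in TERM_RE.findall(value.lower()):
                index.setdefault((fld, term), set()).add(rid)
    return index

class Query:
    """Recursive-descent parser; AND binds tighter than OR (an assumption
    made here, as the product's exact precedence is not described)."""
    def __init__(self, text: str, index: Index):
        self.tokens = TOKEN_RE.findall(text)
        self.pos, self.index = 0, index

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Set[int]:
        result = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return result

    def or_expr(self) -> Set[int]:
        left = self.and_expr()
        while (self.peek() or "").upper() == "OR":
            self.take()
            left = left | self.and_expr()
        return left

    def and_expr(self) -> Set[int]:
        left = self.atom()
        while (self.peek() or "").upper() == "AND":
            self.take()
            left = left & self.atom()
        return left

    def atom(self) -> Set[int]:
        tok = self.take()
        if tok == "(":
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok is None or tok == ")" or tok.upper() in ("AND", "OR"):
            raise ValueError(f"expected field:term, got {tok!r}")
        fld, term = tok.split(":", 1)
        return set(self.index.get((fld.lower(), term.lower()), ()))

def search(records: List[Record], index: Index, query: str,
           since: Optional[str] = None, until: Optional[str] = None) -> List[Record]:
    """Run a query, then keep only hits whose date lies in the inclusive
    ISO-date range (for example since="2008-02-05")."""
    lo = date.fromisoformat(since) if since else date.min
    hi = date.fromisoformat(until) if until else date.max
    hits = []
    for rid in sorted(Query(query, index).parse()):
        if lo <= date.fromisoformat(records[rid]["date"]) <= hi:
            hits.append(records[rid])
    return hits
```

Because the date is indexed as just another field, a query such as date:2008-02-04 AND message:password works without the range arguments as well.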
Forensic analysis needs to happen once a problem is suspected or detected. It can be carried out through the normal reporting databases very effectively. However, there are circumstances where this is not adequate, such as when specific log data that is not part of the W7 model needs to be searched and correlated, or where the criteria of the search are not practical for W7 analysis. For such situations, Tivoli Compliance Insight Manager provides a forensic investigation tool to search original unprocessed/non-normalized data in the Depot. This allows searches to be carried out over many years' worth of data across a number of Standard Servers in a Tivoli Compliance Insight Manager cluster.

2.3.2 Mapping and loading

Once log data has been centralized in the Depot, it can be processed and analyzed. This process is shown in Figure 2-10.

Figure 2-10 Mapping and loading steps
Mapping

To make the audit trail data accessible, it is translated (or normalized) into an easy-to-understand data model called the Generic Event Model (GEM). The Tivoli Compliance Insight Manager mapping process for each and every platform is coded using the Generic Scanning Language (GSL) and the Generic Mapping Language (GML) in files that reside on the Tivoli Compliance Insight Manager server. The chunks are sorted based on their timestamps and are processed sequentially by the appropriate mappers. These mappers determine the field translation values. That is, the mapper interprets the original log data and translates the chunk data into the GEM database model. For more information about GSL/GML, refer to the IBM Tivoli Compliance Insight Manager User Reference Guide Version 8.0, SC23-6545.

Determine attributes

Security log data consists of records. Each record usually describes one event that happened on the audited system. Central to GEM is the classification of these events according to their W7 attributes. This is the process of normalizing the data. W7 is an English-language format that describes: Who did What, When, Where, From Where, Where To, and on What. The use of W7-formatted information enables security specialists and non-technical personnel, including auditors, to interpret audit information without the need for detailed knowledge of each source. Most operating systems, infrastructure applications, and almost every security device produce log data that is not readily understandable; therefore, mapping to the W7 format translates that data into powerful audit information.

Group and apply rules

To prepare data for reporting, the Tivoli Compliance Insight Manager administrator defines one or more W7 grouping functions and policies that each resemble a set of filters. These filters determine how the attributes associated with each GEM event are classified. This grouping process takes the fields from the GEM tables and labels them according to the W7 model defined by the administrator. The process of adding meta information from the currently active policy to the GEM records, using the W7 classification scheme for the assets, is often referred to as grouping (or filtering). Comparing each GEM event with the defined policies allows the severity of each event to be evaluated. The policies applied to the event data throughout this process determine the contents of the policy exception and attention reports. When high-severity events such as policy violations are detected, an automatic e-mail alert can be sent to predefined recipients.
Loading

During the loading phase, the server uploads the GEM records together with the meta information into a relational GEM database. Usually, GEM databases are periodically emptied and filled with recent data, often on a daily basis. This means the data of the last day is present in the database in W7 format, ready for analysis. If necessary, other data from the Depot can be mapped and loaded through manual commands for analysis.

Note: Because mapping precedes and serves loading, the combination of the two is also called load (in short form).

In the remainder of this section, we describe the key concepts related to mapping and loading in more detail.

The W7 model

A security log consists of event records. Each record usually describes a single event that occurred on the audited system. Tivoli Compliance Insight Manager normalizes the collected event data into an English-based language called W7 so that it can easily be interpreted. All Tivoli Compliance Insight Manager security events have seven basic attributes:

Who: Which user or application initiated the event?
What: What kind of action does the event represent?
When: When did the event occur?
Where: On which machine did the event happen?
OnWhat: What object (file, database, or printer) was involved?
WhereFrom: From which machine did the event originate?
WhereTo: Which machine is the target or destination of the event?
Figure 2-11 shows the W7 model.

Figure 2-11 W7 model

Benefit of using W7

The disparate platforms and systems generating the logs will often use different terminology for the same action. For example, one operating system may use the term logging on, while another operating system uses login. Similarly, one system may request a user ID while another system asks for a user name. Unless you are an expert in all of the different systems used by your organization, it is very difficult to search through the logged data manually to find all instances of a given action or user. Mapping the raw event data into a standard set of seven distinctive attributes enables a consistent method for monitoring, analyzing, and reporting, irrespective of the original format of the event.

When translating log records into W7 format, the seven Ws of the event are determined from the structure and content of the original log record. Log record formats are very different for every distinct event source; therefore, the normalization of data into W7 requires specialized knowledge of each event source to be mapped. The logic required to do this mapping is built into the mapper code that resides on each audited machine or device.

W7 is a grammar that enables you to check if a certain GEM event is in compliance with the security policy. Through the use of this grammar, you can differentiate between events that are compliant, that are considered exceptions, and that require special attention.

Groups

In order to apply logic and draw conclusions from the normalized data, the events have to be classified. Knowing that an event happened on Monday at 8.30 AM is one thing, but in order to draw conclusions, it is more interesting to know whether it happened during or outside a specific time period, for example, office hours. Similarly, a user ID has certain access rights, detailing what a user is allowed to initiate. These user access rights are usually dependent on the user's role, for example, based on whether he or she is an administrator, regular user, or guest. Therefore, all W7 attributes are classified into W7 groups. There are five types of groups:

1. Who groups for classification of users and processes
2. What groups for classification of event types
3. When groups for classification of time periods
4. Where groups for classification of machines and devices
5. onWhat groups for classification of objects

The Where, Where from, and Where to attributes are all classified using the same Where groups.

The correct classification for a particular object is site specific and is automatically synchronized across the servers being audited. For example, in which Who group does each user belong and to which Where group should each system be assigned? The Tivoli Compliance Insight Manager administrator defines the W7 elements and the grouping function that tells on which W7 element each GEM event attribute is projected. All GEM event table values that are not covered by the specified grouping functions will be classified into one of the default groups: Other Periods, Other Sources, Other Events, Other Platforms, or Other Objects.

The Tivoli Compliance Insight Manager administrator can review and update this information in the Grouping editor on the Tivoli Compliance Insight Manager Management Console.
Figure 2-12 shows how the GEM event data is linked to the W7 model.

Figure 2-12 The relationship between the GEM event and the W7 model

Each W7 value of a GEM event is classified by the grouping process under a W7 group label. If you look at the W7 model as a five-dimensional space, you can see that the GEM event in the example is linked to the W7 point determined by the W7 rule (EVENING, USERS, LOGON LOGOFF, LOCALMACHINE, and SYSTEM).

Security policy rules are also represented by a combination of W7 group labels. Only the GEM events that collide with a W7 point that represents a policy rule are in compliance with the security policy.

Attention rules are also represented by a combination of W7 group labels. GEM events are classified as attention events if they collide with a W7 point that represents an attention rule. That is, the W7 model can be used to determine if some GEM database records need special attention or whether the records comply with the set of policy rules. The result of the grouping for a particular record can be viewed in the Event detail report in iView, as shown in Figure 2-13 on page 39.

Figure 2-13 Event Detail view

The column called Field shows the GEM field values of a GEM event. The column Group shows, for each GEM field value, which W7 groups are linked to the value to the left of it. For example, the GEM field value Administrator (MSTESTCEADMINISTRATOR) is linked to at least two W7 groups: Administrators and IT.

Policy management

Whether or not an event deserves special treatment is determined by comparing the W7 groups it is classified into against a set of rules defined by the Tivoli Compliance Insight Manager administrator. As previously mentioned, there are two kinds of rules:

Policy rules: These describe acceptable use, for example, allowed behavior.
Attention rules: These identify events deserving special attention.
Policy rules are used to monitor the way that information and processes are being used within an organization. That is, they specify which actions can be performed by which people on which systems at what times. Actions that do not match a policy rule generate policy exceptions. Policy rules have an associated priority that can be set to enable differentiation, so that policy violations and other exceptions can be processed according to their severity or importance. This allows security administrators and auditors to focus on addressing those events that have the most significant impact on the business.

By refining policy rules, you can ensure that existing policies are effective and can even establish new policies that reflect the actual behavior of users, as opposed to theoretical activities contained in policy manuals and non-automated tracking systems. Automatically applying the policy rules makes it easy to quickly determine whether or not each monitored action complies with policy.

Attention rules are used to highlight instances of events that are critical to the organization. One typical application for these rules is to monitor change management activities, even if the events are allowed by your policy rules. Actions that match an attention rule generate attention events. For example, by looking for a specific instance of a data attribute in any of the W7 dimensions for certain events, you can set an alert to notify someone of a change to a server's configuration.

Figure 2-14 illustrates the process of comparing a logged event to the specified policy and attention rules to determine whether actions and alerts are necessary.

Figure 2-14 Applying policy and attention rules
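As an added example (not code from the Redbook or from the product), the following Python sketch models the grouping and rule evaluation described in the sections above: each W7 attribute value is projected onto a group label, values no grouping function covers fall into the default groups, and the resulting W7 point is compared against policy rules (compliance and exceptions) and attention rules (attention events and alerts). The group labels, rule names, the "*" wildcard and the use of the highest-priority matching policy rule are assumptions made for illustration.

```python
"""Miniature W7 grouping, policy and attention evaluation (added example).
Not the product's code: group labels, rule names, the "*" wildcard and the
choice of the highest-priority matching policy rule are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Default groups named in the chapter for values no grouping function covers
# (which default belongs to which dimension is assumed here).
DEFAULT_GROUPS = {"who": "Other Sources", "what": "Other Events",
                  "when": "Other Periods", "where": "Other Platforms",
                  "onwhat": "Other Objects"}

# Grouping functions: ordered (predicate, group label) pairs per dimension;
# the first predicate that holds wins. Constructed for this example.
GROUPING: Dict[str, List[Tuple[Callable, str]]] = {
    "who": [(lambda u: u.lower() in {"administrator", "root"}, "ADMINS"),
            (lambda u: True, "USERS")],
    "what": [(lambda a: a in {"logon", "login", "logoff"}, "LOGON LOGOFF"),
             (lambda a: a.startswith("config"), "CONFIG CHANGE")],
    "when": [(lambda t: t.weekday() < 5 and 8 <= t.hour < 18, "OFFICE HOURS"),
             (lambda t: t.weekday() < 5, "EVENING"),
             (lambda t: True, "WEEKEND")],
    "where": [(lambda h: h.endswith(".dc.example"), "DOMAIN CONTROLLERS"),
              (lambda h: True, "LOCALMACHINE")],
    "onwhat": [(lambda o: o.lower().startswith("system"), "SYSTEM")],
}

@dataclass(frozen=True)
class GemEvent:  # one normalized event carrying its seven W7 attributes
    who: str
    what: str
    when: datetime
    where: str
    onwhat: str
    wherefrom: str
    whereto: str

def classify(value, dimension: str) -> str:
    """Project one attribute value onto a W7 group label."""
    for predicate, label in GROUPING[dimension]:
        if predicate(value):
            return label
    return DEFAULT_GROUPS[dimension]

def group_event(ev: GemEvent) -> Dict[str, str]:
    """W7 point of an event; Where, WhereFrom and WhereTo share the Where groups."""
    return {"who": classify(ev.who, "who"), "what": classify(ev.what, "what"),
            "when": classify(ev.when, "when"), "where": classify(ev.where, "where"),
            "onwhat": classify(ev.onwhat, "onwhat"),
            "wherefrom": classify(ev.wherefrom, "where"),
            "whereto": classify(ev.whereto, "where")}

@dataclass(frozen=True)
class Rule:
    name: str
    point: Dict[str, str]  # group label per dimension; omitted or "*" = any
    priority: int = 0

def matches(rule: Rule, point: Dict[str, str]) -> bool:
    """An event collides with a rule when every constrained dimension agrees."""
    return all(rule.point.get(d, "*") in ("*", point[d]) for d in point)

# Constructed policy rules (acceptable behaviour) and attention rules.
POLICY_RULES = [
    Rule("users-logon-office", {"who": "USERS", "what": "LOGON LOGOFF",
                                "when": "OFFICE HOURS"}, priority=1),
    Rule("admins-anytime", {"who": "ADMINS"}, priority=2),
]
ATTENTION_RULES = [Rule("config-change", {"what": "CONFIG CHANGE"})]

@dataclass(frozen=True)
class Verdict:
    point: Dict[str, str]
    compliant: bool             # collides with a policy rule's W7 point
    policy_rule: Optional[str]  # highest-priority matching policy rule
    attention: List[str]        # attention rules the event collides with

    @property
    def alert(self) -> bool:
        """Alerts go out for attention events and for policy exceptions."""
        return bool(self.attention) or not self.compliant

def evaluate(ev: GemEvent) -> Verdict:
    point = group_event(ev)
    hits = [r for r in POLICY_RULES if matches(r, point)]
    best = max(hits, key=lambda r: r.priority) if hits else None
    attention = [r.name for r in ATTENTION_RULES if matches(r, point)]
    return Verdict(point, best is not None, best.name if best else None, attention)

# Constructed events: a daytime logon, the same logon in the evening (the
# chapter's EVENING/USERS/LOGON LOGOFF/LOCALMACHINE/SYSTEM point) and an
# administrator's configuration change on a domain controller.
SAMPLE_EVENTS = [
    GemEvent("jsmith", "logon", datetime(2008, 2, 4, 9, 15), "ws01", "System", "ws01", "ws01"),
    GemEvent("jsmith", "logon", datetime(2008, 2, 4, 21, 30), "ws01", "System", "ws01", "ws01"),
    GemEvent("Administrator", "config_change", datetime(2008, 2, 4, 10, 0),
             "srv1.dc.example", "System/registry", "ws01", "srv1.dc.example"),
]
```

Running evaluate over SAMPLE_EVENTS gives a compliant daytime logon, a policy exception for the evening logon (it collides with no policy point), and a compliant but attention-flagged configuration change that raises an alert.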
Alerting and notification

Alerts are messages that Tivoli Compliance Insight Manager sends when a serious or potentially harmful security event has occurred. Alerts allow for a fast response to the event by a systems manager or system administrator. The aim of alerts is to raise attention for events that require a follow-up, that is, special attention events or events above a defined severity level, such as security policy exceptions. These properties are evaluated in the policy evaluation step of the Map/Load process. The Map/Load process (mapper) sends alerts, as mentioned in "Group and apply rules" on page 34.

Tivoli Compliance Insight Manager can send alerts through the following protocols:

SMTP: Alerts are sent as e-mails.
SNMP: Alerts are sent as SNMP traps.
Custom alerts: Alerts are sent through a mechanism invoked with a user-provided program or script.

For more information about alerts, refer to "Managing Alerts" in IBM Tivoli Compliance Insight Manager User Guide Version 8.0, SC23-6544.

Which IT security policies to map into policy rules

Corporate IT security policies generally cover a whole range of controls, including:

- Awareness programs
- Security clearance
- Authorization matrixes
- Logon policies

Only those IT security policy rules that interact with the security functions on a platform may be considered to become Tivoli Compliance Insight Manager security policy rules. The following requirements must be met in order to use Tivoli Compliance Insight Manager to report on a particular policy:

1. The security functions on the target must contain audit functions to monitor the actions relating to the rule.
2. Tivoli Compliance Insight Manager must support the platform and collect the information that the target provides.
Figure 2-15 describes some high-level steps in the process of evaluating the corporate IT security policy and creating rules to be used in the Tivoli Compliance Insight Manager security policy.

Figure 2-15 Creating policies in Tivoli Compliance Insight Manager

The steps shown in the figure, starting from the corporate IT security policy:

1. Translate the rule into W7, recognizing Subjects, Objects and Verbs.
2. Determine if the audit trail on the target can be configured to provide entities that match the Subject, Object or Verb.
3. Drop the rule if no match is found. Back up the rule with procedures if a partial match is found.
4. Classify it as either a W7 policy rule or an attention rule.
5. Add an appropriate policy rule to the TCIM security policy.
6. Commit the TCIM security policy rule.

Policy generation and enforcement

Policies are used as the baseline to filter all events (which are kept for forensic investigations and regulatory compliance purposes), facilitating the exposure of exceptions to the rules. Policies can be changed and adapted easily at any time. Tivoli Compliance Insight Manager provides an easy-to-use integrated policy generation tool, the Policy Generator, which allows the user to create policy rules simply by looking at current event data and making a decision as to what constitutes acceptable use of, or access to, information resources. Normal, acceptable behavior becomes the rule.

Policy generation is an evolving process. If legitimate user actions are triggering policy exceptions and alerts in Tivoli Compliance Insight Manager, then the security administrator needs to adjust the policy to ensure it reflects the "real world" environment and permissible actions. Rules within policies can be adjusted at any time. If the policy is formulated to reflect the rules of a regulation, such as Sarbanes-Oxley or GLBA, or has been established as part of a security framework such as ISO17799 or COBIT, Tivoli Compliance Insight Manager provides the ideal reporting tool to meet your regulatory compliance obligations.

The Policy Generator is an automated tool for creating policies from loaded event data in a database and, based upon the in-built knowledge of various platforms, builds the most applicable policy from that data. This policy can then be loaded and modified, if desired, using the Policy Editor in the Management Console.

2.3.3 Data aggregation and consolidation

An aggregation process maintains data and statistics spanning a longer period. The aggregation process builds an "aggregation database" from which trends and summaries can be extracted. When a scheduled load is performed, part of the GEM database contents is copied into the aggregation database. In particular, the following contents are copied:

- The number of GEM events represented by the W7 categories
- All GEM events that need attention or do not comply with a policy rule set

For enterprise-wide trending in a Tivoli Compliance Insight Manager cluster environment, aggregation databases from multiple Standard Servers are brought together into a single consolidation database.

2.3.4 Reporting and presentation

Tivoli Compliance Insight Manager's Web-based reporting tool, iView, provides a large number of standard and custom reports. These are produced on request by iView, which pulls information from mapped data, including information stored in the aggregation database. These reports can highlight attempts to breach security as well as (attempted) access to critical resources.
Both standard and custom reports let you examine exceptions and events that require special attention, and since the data presented in these reports is in the W7 format, no specialized knowledge is required to interpret the output. Reports are clear, concise, and integrate all security data for your review.

Tivoli Compliance Insight Manager provides a dashboard with graphical and statistical overviews of logged activities, with drill-down capabilities to identify and examine related events. Additionally, Tivoli Compliance Insight Manager's clear illustration of policy exceptions enables you to continuously monitor and tailor your security policies to your changing business needs.

Compliance management modules

From the boardroom to information technology departments, rules and regulations are placing ever-increasing demands on organizations of all sizes. In the middle are IT security managers and auditors, who face the overwhelming task of understanding the regulations and implementing a wide array of compliance measures.

Tivoli Compliance Insight Manager has plug-in compliance management modules available that provide optionally installable sets of capabilities to allow a customer to monitor and maintain compliance with a selected standard. These modules include sample policies and compliance report templates to assist customers in meeting their regulatory requirements.

Regulations underscore the need to understand who is touching the most crucial corporate data, and whether this behavior complies with security policy. You can use Tivoli Compliance Insight Manager to monitor all security events and audit them against your security policy.

Compliance management modules for the following regulations or best practice sets exist:

- Sarbanes-Oxley
- HIPAA
- ISO17799

These management modules are described in more detail in the IBM Tivoli Compliance Insight Manager User Guide Version 8.0, SC23-6544.

Report distribution

Tivoli Compliance Insight Manager Version 8.0 provides the functionality for the automated distribution of reports, in full or as excerpts, to a predefined group of Tivoli Compliance Insight Manager users. This report distribution functionality is available through the Web interface of iView. More information about the report distribution functionality can be found in "Distributing Reports" in the IBM Tivoli Compliance Insight Manager User Guide Version 8.0, SC23-6544.
User roles

You can assign every Tivoli Compliance Insight Manager user specific access and viewing rights from the Management Console. This level of granularity in setting user access lets you customize views and management rights for specific users, and limit access to administrative functionality. The ability to define the mailing lists for alerts regarding high severity events also allows the Tivoli Compliance Insight Manager administrator to control access to the security event data. Any Tivoli Compliance Insight Manager user activity, from administrative actions to report viewing, is automatically self-audited and included in the organization-wide security reporting.

2.4 The W7LogSDK

Tivoli Compliance Insight Manager has Actuators available that cover a large number of event sources, including operating systems and applications. In addition to the Actuators, there is a W7LogSDK available to allow you to use Tivoli Compliance Insight Manager to monitor event sources that are not supported out of the box. You can use the W7LogSDK to create log files that present event data in a W7 format that can be interpreted by the Tivoli Compliance Insight Manager server. The W7LogSDK allows you to create these log files either in CSV or XML format, as described in the sections that follow.

2.4.1 How the W7LogSDK works

W7Log event sources integrate directly into the normal processing of all other event sources defined in Tivoli Compliance Insight Manager. The target application or transformation tool writes the audit log in the W7Log event format to a specified directory. On a schedule (or manually), the log data is collected and securely stored in the Tivoli Compliance Insight Manager log Depot. On a schedule (or manually), this data can then be normalized and loaded into a Tivoli Compliance Insight Manager reporting database.

Note: The capability to collect W7Log event data is fully integrated into the Tivoli Compliance Insight Manager 8.0 Windows Actuator. As a result, W7Log event data must be collected through a Windows platform.
The application developer needs to provide the following:

- A file with event data in one of the W7Log formats, which can be XML or CSV. The file must be fully compliant with the format definitions described in this chapter.
- The file(s) must be placed in a directory that is specified as an event source property through the Management Console.
- Each file in the specified directory must be COMPLETE (that is, containing only complete log records) when the W7Log Actuator reads it. A suitable way to ensure this is to construct the log file somewhere else and then move it to the designated directory for collection.
- The contents of different log files shall not overlap in generation time of the log records.
- The files must be processed in the correct time sequence; the recommended way to ensure this is through the naming of the log files.

Note: The W7Log Actuator reads ALL the log files from the designated directory on the Actuator system and combines them into a chunk file to be stored in the Depot. It then REMOVES all the log files from the directory.

2.4.2 Event attributes

Regardless of whether you elect to use the W7LogSDK CSV or XML format, every event that occurs on the audited system needs to be described by 16 values. These values cover all the W7 dimensions, as well as one event detail field, which can be used to store arbitrary text. More specifically, the following 16 items of information need to be present in each event:

- For the When dimension: when
- For the Who dimension: whorealname and whologonname
- For the What dimension: whatverb, whatnoun, and whatsuccess
- For the Where, WhereFrom, and WhereTo dimensions: wheretype, wherename, wherefromtype, wherefromname, wheretotype, and wheretoname
- For the OnWhat dimension: onwhattype, onwhatpath, and onwhatname
- Plus a single event detail: info

Table 2-1 on page 48 through Table 2-8 on page 52 show the detailed syntax for each of these expected values, as well as giving some examples.
Table 2-1 When W7 dimension

   Defined as: Time at which the event occurred
   Fields:     when
   Syntax:     The field is specified as YYYY-MM-ddTHH:mm:ss±hh:mm, where:
               YYYY: The year in the Gregorian calendar
               MM:   The month number (1-12)
               dd:   The day number (1-31)
               T:    Literal separator between date and time
               HH:   The hour (0-23)
               mm:   The minute (0-59)
               ss:   The second (0-59)
               HH:mm:ss is the local time since local midnight. The second hour and minute specification (±hh:mm) indicates the difference between the local time and Coordinated Universal Time (UTC).
   Example:    when: 2005-11-27T10:33:45+05:00

Table 2-2 Who W7 dimension

   Defined as: Platform dependent logon ID and logon name of the user who initiated the event. The name of the system process or application can be specified here instead of the name of the actual user.
   Fields:     whorealname
               whologonname
   Syntax:     Arbitrary string values with a maximum length of 64 characters.
   Example:    whorealname: John Doe
               whologonname: jdoe
Table 2-3 What W7 dimension

   Defined as: Type of the event, specified as a triplet of values. The “verb” is an action type (for example, logon, create, and so on); the “noun” is a refinement of the action type (for example, user or file, correspondingly); and “success” is Success if the action was successfully executed or Failure otherwise.
   Fields:     whatverb
               whatnoun
               whatsuccess
   Syntax:     whatverb and whatnoun are arbitrary string values with a maximum of 20 characters. whatsuccess is an arbitrary string value with a maximum of eight characters.
   Example:    whatverb: Create    whatnoun: File      whatsuccess: Success
               whatverb: Remove    whatnoun: Group     whatsuccess: Failure
               whatverb: Clear     whatnoun: Auditlog  whatsuccess: Success
   Remarks:    The following values are used for the whatsuccess field:
               Success: The operation succeeded.
               Failure: The operation or attack failed.
               Warning: The attack succeeded, or an undesirable situation is detected.
               Info: None of the above values are applicable.
               Each of these what attributes (whatverb, whatnoun, and whatsuccess) should be written with an upper case first letter and lower case for the remaining letters.
Table 2-4 Where W7 dimension

   Defined as: Platform (type and name) where the event was registered (for example, “SUN Solaris”, “GATEWAY”, and so on).
   Fields:     wheretype
               wherename
   Syntax:     wheretype is an arbitrary string value with a maximum of 20 characters. wherename is an arbitrary string value with a maximum of 128 characters.
   Example:    wheretype: CISCO IDS
               wherename: ids-01.domain.com

Table 2-5 Where From W7 dimension

   Defined as: Platform (type and name) of the event’s origin platform (for example, “Internet”, “192.168.103.104”, and so on).
   Fields:     wherefromtype
               wherefromname
   Syntax:     wherefromtype is an arbitrary string value with a maximum of 20 characters. wherefromname is an arbitrary string value with a maximum of 128 characters.
   Example:    wherefromtype: Internet
               wherefromname: host.domain.com
   Remarks:    For traffic events, which identify something (for example, a packet) traveling from a source system to a destination system, the Where From identifies the source system. For action events, that is, events of types that are commonly associated with a single user account, the Where From dimension identifies the workstation from where the user who initiated the action logged on. If the Who implies that the action was not associated with a particular user account (for example, if it is equal to System), then the Where From is equal to the Where.
Table 2-6 Where To W7 dimension

   Defined as: Platform (type and name) of the event’s target platform (for example, “Microsoft Windows”, “WORKSTATION”, and so on).
   Fields:     wheretotype
               wheretoname
   Syntax:     wheretotype is an arbitrary string value with a maximum of 20 characters. wheretoname is an arbitrary string value with a maximum of 128 characters.
   Example:    wheretotype: WebApp
               wheretoname: webserver_01
   Remarks:    For traffic events, which identify something (for example, a packet) traveling from a source system to a destination system, the Where To identifies the destination system. For action events, that is, events of types that are commonly associated with a single user account, the Where To dimension identifies the namespace where the On What resides (such as a Domain). If there is no particular On What, then the Where To is equal to the Where.

Table 2-7 On What W7 dimension

   Defined as: Triplet indicating what object (for example, file, database, printer, and so on) was the object of the event.
   Fields:     onwhattype
               onwhatpath
               onwhatname
   Syntax:     onwhattype is an arbitrary string value with a maximum of 20 characters. onwhatpath is an arbitrary string value with a maximum of 150 characters. onwhatname is an arbitrary string value with a maximum of 110 characters.
   Examples:   onwhattype: FILE      onwhatpath: C:\Documents and Settings  onwhatname: ntuser.ini
               onwhattype: FILE      onwhatpath: -/etc                      onwhatname: passwd
               onwhattype: PRINTER   onwhatpath: printer01.domain.com       onwhatname: HP LaserJet First Floor
               onwhattype: DATABASE  onwhatpath: ORADBINSTANCE              onwhatname: OracleSchema1
   Remarks:    The identity of the object is split into an object path and an object name. If no object path is present (for example, the name is a relative name), then a single period is used for it. The root directory or object of a file or object hierarchy is referred to as a single dash (-). For example, the /etc directory on a UNIX system is displayed as -/etc, and the / (root) directory itself as -/-. The value for onwhattype should be capitalized. The values for onwhatpath and onwhatname should be in the same case as extracted from the audited system.

Table 2-8 The info field

   Defined as: Any additional information that must be captured in the event
   Fields:     info
   Syntax:     info is an arbitrary string value with a maximum of 3900 characters.
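As an added example (not code from the book or from IBM), the following Python check applies the rules of Tables 2-1 through 2-8 to one event before it is handed to the W7Log Actuator; the field names and limits are those of the tables, while the function names and the sample event are assumptions made here.

```python
"""Producer-side check of one W7LogSDK event against Tables 2-1 to 2-8
(added example, not IBM code; function names are ours)."""
import re

# The 16 W7Log attributes, in the order the CSV header of 2.4.3 lists them.
FIELDS = ("when", "whorealname", "whologonname", "whatverb", "whatnoun",
          "whatsuccess", "wheretype", "wherename", "wherefromtype",
          "wherefromname", "wheretotype", "wheretoname", "onwhattype",
          "onwhatpath", "onwhatname", "info")

# Maximum string lengths from Tables 2-2 to 2-8 ('when' has a fixed layout).
MAX_LEN = {"whorealname": 64, "whologonname": 64, "whatverb": 20,
           "whatnoun": 20, "whatsuccess": 8, "wheretype": 20,
           "wherename": 128, "wherefromtype": 20, "wherefromname": 128,
           "wheretotype": 20, "wheretoname": 128, "onwhattype": 20,
           "onwhatpath": 150, "onwhatname": 110, "info": 3900}

# Table 2-1: YYYY-MM-ddTHH:mm:ss followed by the local offset from UTC.
WHEN_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})[+-](\d{2}):(\d{2})$")

# Table 2-3 remarks list these whatsuccess values; "-" marks an absent value.
SUCCESS_VALUES = {"Success", "Failure", "Warning", "Info", "-"}


def check_when(value):
    """Problems with a Table 2-1 timestamp; an empty list means it is valid."""
    m = WHEN_RE.match(value)
    if not m:
        return ["when: expected YYYY-MM-ddTHH:mm:ss+hh:mm, got %r" % value]
    month, day, hour, minute, second, ohh, omm = (int(g) for g in m.groups()[1:])
    problems = []
    if not 1 <= month <= 12:
        problems.append("when: month out of range")
    if not 1 <= day <= 31:
        problems.append("when: day out of range")
    if hour > 23 or minute > 59 or second > 59:
        problems.append("when: time of day out of range")
    if ohh > 23 or omm > 59:  # assumption: same ranges for the UTC offset
        problems.append("when: UTC offset out of range")
    return problems


def is_capitalized(value):
    """Upper-case first letter, lower-case rest, as Table 2-3 asks for."""
    return value == value[:1].upper() + value[1:].lower()


def validate_event(event):
    """Validate a dict of the 16 attributes; return the list of problems."""
    problems = []
    missing = [f for f in FIELDS if f not in event]
    extra = [k for k in event if k not in FIELDS]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if extra:
        problems.append("unknown fields: " + ", ".join(extra))
    if problems:
        return problems
    problems += check_when(event["when"])
    # Sizes are not checked by the mapper, so the producer must check them.
    for name, limit in MAX_LEN.items():
        if len(event[name]) > limit:
            problems.append("%s: %d characters exceeds maximum of %d"
                            % (name, len(event[name]), limit))
    if event["whatsuccess"] not in SUCCESS_VALUES:
        problems.append("whatsuccess: %r is not one of %s"
                        % (event["whatsuccess"], sorted(SUCCESS_VALUES)))
    for name in ("whatverb", "whatnoun", "whatsuccess"):
        if not is_capitalized(event[name]):
            problems.append("%s: write it like 'Create' (first letter upper case)"
                            % name)
    # Table 2-7 remarks: onwhattype is capitalized (examples: FILE, PRINTER).
    if event["onwhattype"] != event["onwhattype"].upper():
        problems.append("onwhattype: should be upper case")
    return problems


# A constructed event modelled on the examples in Tables 2-1 to 2-7.
SAMPLE_EVENT = dict(zip(FIELDS, [
    "2005-11-27T10:33:45+05:00", "John Doe", "jdoe",
    "Create", "File", "Success",
    "Microsoft Windows", "PDC", "-", "WORKSTATION", "Microsoft Windows", "PDC",
    "FILE", "C:\\Documents and Settings", "ntuser.ini", "-"]))

if __name__ == "__main__":
    print(validate_event(SAMPLE_EVENT) or "record is valid")
```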
Note:
1. Record fields can be empty or have only spaces; however, we recommend using a single dash (“-”) for absent values.
2. The size of the record fields is not checked by the Tivoli Compliance Insight Manager mapper. It is the responsibility of the producer of the W7Log file to ensure that fields do not exceed the maximum string length.

2.4.3 W7LogSDK CSV format

The W7Log CSV (comma separated values) format is similar to the popular CSV file format used by applications such as Microsoft Excel® as a portable representation of a structured database. Each line is one entry or record, and the fields in a record are separated by commas. If the value of a field includes a comma or a new line, the whole field must be surrounded with double quotes. When the field is in quotes, any quote literals must be escaped by two quotes (""). Text that comes after quotes that have been closed, but before the next comma, is ignored. Empty fields are returned as strings of length zero: "". The following line has three empty fields and three non-empty fields in it. There is an empty field on each end, and one in the middle. One token is returned as a space:

   ,second,, ,fifth,

Blank lines are always ignored. No other lines are ignored, even if they start with a "#" sign. This format differs from the standard in several respects:

- Leading and trailing white space is significant.
- A backslash is not a special character and is not used to escape anything.
- Quotes inside quoted strings are escaped with a double quote rather than a backslash.
- The W7LogSDK CSV format does not define any comment character.

The W7LogSDK CSV file contents are defined as follows:

1. Log records must be written in UTF-8 encoding.
2. The header line must list the field names, separated by commas, in the fixed order, exactly as follows:

   when,whorealname,whologonname,whatverb,whatnoun,whatsuccess,wheretype,wherename,wherefromtype,wherefromname,wheretotype,wheretoname,onwhattype,onwhatpath,onwhatname,info

3. The remaining lines must list the field values for every log record, one record per line. There must be exactly 16 values in each log record, describing one event that happened on the audited system. Refer to the event attributes listed in 2.4.2, “Event attributes” on page 47.

Example 2-1 illustrates valid contents for a W7LogSDK CSV file. It specifies some imaginary events.

Example 2-1 test.csv

   when,whorealname,whologonname,whatverb,whatnoun,whatsuccess,wheretype,wherename,wherefromtype,wherefromname,wheretotype,wheretoname,onwhattype,onwhatpath,onwhatname,info
   2003-07-18T14:22:00+00:00, John Smith, jsmith, Logon, System, Success, Microsoft Windows, PDC,-,WORKSTATION, Microsoft Windows,PDC,SYSTEM, -,PDC, successful logon
   2003-07-18T14:22:01+00:00, -, explorer.exe, Create, File, Success, Microsoft Windows, PDC, -, -, -, -, FILE, C:\Documents and Settings\jsmith,ntuser.ini,

2.4.4 W7LogSDK XML format

The W7LogSDK XML format is defined by the following XML schema:

events.xsd

   <?xml version="1.0" encoding="UTF-8" ?>
   <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <!-- definition of simple type elements -->
     <xs:element name="when" type="xs:dateTime"/>
     <xs:element name="info" type="xs:string"/>
     <!-- definition of attributes -->
     <xs:attribute name="type" type="xs:string" />
     <xs:attribute name="name" type="xs:string" />
     <xs:attribute name="path" type="xs:string" />
     <xs:attributeGroup name="whereAttributes">
       <xs:attribute ref="type"/>
       <xs:attribute ref="name"/>
     </xs:attributeGroup>
     <!-- definition of complex type elements -->
     <xs:element name="who">
       <xs:complexType>
         <xs:attribute name="logonname" type="xs:string" />
         <xs:attribute name="realname" type="xs:string" />
       </xs:complexType>
     </xs:element>
     <xs:element name="what">
       <xs:complexType>
         <xs:attribute name="verb" type="xs:string" />
         <xs:attribute name="noun" type="xs:string" />
         <xs:attribute name="success" type="xs:string" />
       </xs:complexType>
     </xs:element>
     <xs:element name="onwhat">
       <xs:complexType>
         <xs:attribute ref="type"/>
         <xs:attribute ref="path"/>
         <xs:attribute ref="name"/>
       </xs:complexType>
     </xs:element>
     <xs:element name="where">
       <xs:complexType>
         <xs:attributeGroup ref="whereAttributes"/>
       </xs:complexType>
     </xs:element>
     <xs:element name="wherefrom">
       <xs:complexType>
         <xs:attributeGroup ref="whereAttributes"/>
       </xs:complexType>
     </xs:element>
     <xs:element name="whereto">
       <xs:complexType>
         <xs:attributeGroup ref="whereAttributes"/>
       </xs:complexType>
     </xs:element>
     <xs:element name="event">
       <xs:complexType>
         <xs:all>
           <xs:element ref="when"/>
           <xs:element ref="who"/>
           <xs:element ref="where"/>
           <xs:element ref="what"/>
           <xs:element ref="onwhat"/>
           <xs:element ref="wherefrom"/>
           <xs:element ref="whereto"/>
           <xs:element ref="info"/>
         </xs:all>
       </xs:complexType>
     </xs:element>
     <xs:element name="sample">
       <xs:complexType>
         <xs:choice minOccurs="0" maxOccurs="unbounded">
           <xs:element ref="event" />
           <xs:element ref="sample" />
         </xs:choice>
       </xs:complexType>
     </xs:element>
   </xs:schema>

The XML log file must contain XML log records defined by the above schema, each of which describes one event that happened on the audited system. Refer to the event attributes listed in 2.4.2, “Event attributes” on page 47. The record fields cannot contain XML special characters, so the corresponding XML entities must be used instead:

   &lt;    The less than sign (<)
   &gt;    The greater than sign (>)
   &amp;   The ampersand (&)
   &apos;  The single quote (')
   &quot;  The double quote (")

Example 2-2 shows a valid XML file that has been formatted using the W7LogSDK XML schema.

Example 2-2 test.xml

   <sample>
     <event>
       <when>2003-07-18T14:22:01-02:00</when>
       <what verb="Logon" noun="System" success="Success"/>
       <onwhat type="SYSTEM" path="-" name="PDC"/>
       <who logonname="John Smith" realname="jsmith"/>
       <where type="Microsoft Windows" name="PDC"/>
       <whereto type="Microsoft Windows" name="PDC"/>
       <wherefrom type="-" name="WORKSTATION"/>
       <info>testing record</info>
     </event>
     <event>
       <when>2003-07-18T14:22:01-02:00</when>
       <what verb="Create" noun="File" success="Success"/>
       <onwhat type="FILE" path="C:\Documents and Settings\jsmith" name="ntuser.ini"/>
       <who logonname="-" realname="explorer.exe"/>
       <where type="Microsoft Windows" name="PDC"/>
       <whereto type="-" name="-"/>
       <wherefrom type="-" name="-"/>
       <info></info>
     </event>
   </sample>

2.4.5 Validators

W7LogSDK Format Verification tools are available that allow software developers to test the validity of the generated logs.

Note: The validators do not check the size of each record field; the person responsible for producing each log must ensure that the size requirements for each field are satisfied.

These validators are available on the installation CDs. Refer to the IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0, GI11-8176 for further details on installing and using these validators.

2.5 Conclusion

Tivoli Compliance Insight Manager gathers audit information from across the organization and compares activity to the acceptable use policies defined both by your organization and by your regulators. The core of Tivoli Compliance Insight Manager is based on a secure, reliable, and robust log collection engine that supports effective, complete log collection and fast, efficient query and retrieval. By focusing on security from the inside, it uses the W7 methodology (Who, did What, on What, When, Where, Where from, and Where to) to consolidate, normalize, analyze, and report on vast amounts of user behavior and system activity. As a result, organizations can quickly and easily reveal who touched what within the organization (with alerts and proactive reports) and compare that activity to an established internal policy or external regulations.

Numerous organizations rely on the policy-based approach of Tivoli Compliance Insight Manager to simplify monitoring the activities of privileged users, such as administrators and outsourcers, improving security auditing, compliance monitoring, and enforcement for heterogeneous environments, ranging from super servers to the desktop.
Chapter 3. Planning for customer engagement

Planning for a customer engagement in the context of this book means that deploying Tivoli Compliance Insight Manager will be set up as a services project. This chapter describes the skills, resources, and everything else you need to consider and provide in order to make a Tivoli Compliance Insight Manager services project successful.
3.1 Services engagement preparation

The purpose of this chapter is to discuss the resources needed to deliver a solution successfully. Before we do that, we give you an example of the information that has to be gathered to make the implementation project a success. Having all this information helps you understand the business and technical objectives, expectations (completion criteria), and project scope (platforms, time frame, implementation, and so on).

3.1.1 Implementation skills

Developing and deploying a Tivoli Compliance Insight Manager solution successfully requires at least the following skills:

- General skills
  – Operating system skills on Windows
  – Operating system skills on target platforms
  – Client/server communication concepts
  – Methods for distributing applications to a large number of systems
- Tivoli Compliance Insight Manager skills
  – An understanding of the Tivoli Compliance Insight Manager component architecture
  – The ability to troubleshoot Tivoli Compliance Insight Manager issues

Depending on the target environment, you might need additional skills on applications that are installed in the environment.

3.1.2 Available resources

The prerequisite skills that we list in the previous section are those needed to customize or develop the solution. For each of these skills, there are a variety of resources available to help acquire the necessary skill level. The educational resources available are:

- Online Help
  Tivoli Compliance Insight Manager provides online help and product manuals at the following Web site:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliComplianceInsightManager.html
- Classroom Training
  IBM PartnerWorld® provides current information about available classes and their dates, locations, and registration. Additionally, check the PartnerWorld Education Web site, which serves as a single point of contact for all Business Partner education and training:
  https://www-304.ibm.com/jct09002c/partnerworld/mem/support/trs_training.html
  A PartnerWorld user ID is required to access this site.
- IBM Education Services
  IBM offers a variety of classes at all knowledge levels to help you achieve any of the offering's prerequisite skills. For more information about Tivoli based education classes, visit the following Web site:
  http://www.ibm.com
- IBM Redbooks publications
  You can access practical and architectural information regarding IBM hardware and software platforms from IBM Redbooks publications. You can download PDFs of IBM Redbooks publications from the following Web site:
  http://www.redbooks.ibm.com

3.2 Solution scope and components

You need to define the scope of the solution, which can be one of two types:

- Basic offering
- A combination of cross-sell and up-sell opportunities

3.2.1 Basic solution definition

The basic solution is the one that we are discussing in this deployment guide. It does not encompass a full Security Information and Event Management (SIEM) solution; it only covers the Security Event Management (SEM) part. A Security Information and Event Management (SIEM) architecture can be broken down into two major elements: Security Information Management (SIM) and Security Event Management (SEM).
The SIM component provides reporting and analysis of data primarily from host systems and applications, and secondarily from security devices, to support regulatory compliance initiatives, internal threat management, and security policy compliance management. It can be used to support the activities of the IT security, internal audit, and compliance organizations.

The SEM component improves security incident response capabilities. It processes near-real-time data from security devices, network devices, and systems to provide real-time event management for security operations. It helps IT security operations personnel be more effective in responding to external and internal threats.

A SIEM solution needs to provide log data capturing capabilities. Aggregated information needs to be securely stored. Archived data needs to reside in a database format that allows for accurate and expedient reporting and viewing capabilities. For a more detailed explanation of SIEM, refer to Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager, SG24-7530.

There are two types of installs that can be considered for a basic solution definition: turnkey and partial install.

- Turnkey install: This includes help with identifying and documenting reporting requirements. During this installation method, the majority (if not all) of the licensed event sources are installed. Also, the product is configured and baseline policies are built. Specified reports are created, and documenting the information for future reference is part of this installation type. Last, but not least, hands-on training as well as technical project management are provided.
- Partial install: This offers a similar service as the turnkey install, but only includes the installation of a couple of event sources of each type that are licensed by the customer.

3.2.2 Cross-sell and up-sell opportunities

Tivoli Compliance Insight Manager can be seen as only one part of a SIEM solution. To fully implement a SIEM architecture, the SIM part of this architecture needs to be incorporated into the solution as well. By combining Tivoli Compliance Insight Manager, which provides SEM functionality, with Tivoli Security Operations Manager, which provides SIM functionality, the customer is in the position to monitor its environment according to the SIEM principles.
3.3 Service engagement overview

Relying on skills and previous experience is always sound. Most of the time, there are issues in services projects that require some educated guesswork. This section provides information to minimize the guesswork involved in planning and implementing a solution by providing a framework and time estimates for the major tasks. A typical services engagement consists of:

- Building an executive assessment
- Setting up a demonstration system or proof of concept (POC)
- Analyzing solution tasks
- Creating a contract (commonly also known as a Statement of Work)

Every organization has different requirements and a different working environment, or might even migrate to a different infrastructure. For this reason, the time needed to accomplish the actual set of tasks may vary from client to client. If all of the items in the list above are done with the highest attention and an attitude for high quality results, it will help you to understand the implementation details much better. Sizing the solution to the client organization is a result of that as well. Last, but not least, it ensures a profitable engagement for you.

It is important to work with the project team of the organization you are engaging with to understand their expectations. Once you have gathered this information, document the tasks, deliverables, and associated costs in a Statement of Work. The Statement of Work acts as your contractual agreement with the organization for the duration of the project. Therefore, a detailed and well-defined Statement of Work is absolutely mandatory and results in advantages to both you and the client organization.

A good overall understanding of the solution scope is a crucial prerequisite to successfully selling, developing, and implementing it. As a solution provider, you have to understand what is involved in developing such a solution before you can discuss it with the project team of the client organization and size it for a cost estimate.
3.3.1 Executive assessment

An executive assessment is a billable service that you can offer to your prospective client organization. The process this assessment uses helps you to evaluate the business needs of an organization that is planning to deploy a security compliance solution. It was created to support IBM Business Partners in closing a higher ratio of opportunities. The benefits of using the executive assessment in your sales process include:

- Earning additional service fees
- More effectively qualifying prospective client organizations
- Shortening the sales cycle
- Streamlining the development process
- Closing a much higher ratio of potential engagements

This toolset helps you to ask the right people the right questions so that you get the information that you need to propose the appropriate solution. The assessment then helps you create a compelling business case. This business case will better persuade your prospective client to buy the required hardware, software, and services from you in the shortest possible time.

Remember, this is a business case assessment, not a technical assessment. Your audience should be business owners, line-of-business executives, marketing and sales managers, and finally, the IT manager. Administrators or technical staff cannot help decide the business requirement and are not required during this assessment. The business owner or line-of-business executive is likely to be the decision maker.

For their initial investment, your clients get:

- A business assessment prepared by a professional (you)
- A competitive analysis
- A prototype solution for their review
- A strategic and tactical proposal for justifying and implementing their solution for e-business

Over the duration of the executive assessment, you determine who will be involved in the project, what they want to accomplish, when they plan to deploy, whether the solution plays a mission-critical role in their business, and how the project will be funded. Armed with this information, a competitive analysis, and a prototype solution, you will be able to justify their investment, build perceived value, present your recommendations in a way that is almost irresistible, and successfully close the contract.
Having the ability to recommend the correct course of action to your client has tremendous value. In a market where it is difficult for organizations to find qualified business intelligence consultants, the executive assessment and resulting presentation give you a chance to prove conclusively that you have the right technology and the right people to do the job.

3.3.2 Demonstration system setup

A demonstration system is typically set up in advance to show the organization the attributes of the solution. The demonstration system should be set up with a limited number of systems that are separate from the systems that will be used in production. You can set up Tivoli Compliance Insight Manager on a notebook computer that meets the minimum hardware requirements using a VMware image. In this VMware image, you should demonstrate to the customer all of the capabilities of Tivoli Compliance Insight Manager. The demonstration system allows your customers to evaluate whether the solution suits their particular needs.

The starting point is assumed to be a VMware image with the operating system installed. The tasks for demonstrating the solution are shown here:

- Install a primary server of Tivoli Compliance Insight Manager. This installs the management console and the Web applications.
- Install a Standard Server of Tivoli Compliance Insight Manager and register it on the Enterprise Server.
- Use the “Add Machine” and “Add Event Source” wizards from the management console to add the systems to be audited and their event sources to Tivoli Compliance Insight Manager. You should install at least one additional server for this purpose. The operating system for this purpose is optional, but should be one that is supported by Tivoli Compliance Insight Manager.
- Configure auditing for the event sources you want to demonstrate. For details, refer to the IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0, GI11-8176.
- Register all users in the Management Console. For details, refer to the IBM Tivoli Compliance Insight Manager User Guide Version 8.0, SC23-6544.
  • Create a security policy. For details, refer to the IBM Tivoli Compliance Insight Manager User Guide Version 8.0, SC23-6544. Demonstrate to the customer.3.3.3 Analyze solution tasks After the customer agrees to use the solution in their environment, you then decide what effort you must perform to implement it. These estimates are then collected and implemented into a contract or Statement of Work. This is discussed in 3.4, “Defining solution tasks” on page 69. The tasks that we list are our suggested tasks, and we list them in the order that we think you should run them. You might complete the tasks in a different order or might omit or add tasks depending on the environment in which you implement the solution. The overall success of the tasks and the required time can be influenced by the amount of skill and experience that you or your team have on the solution. The solutions tasks include: Working knowledge of the operating system Good understanding of client and server communication concepts Working knowledge of Tivoli Compliance Insight Manager For the detailed task breakdown, see 3.4, “Defining solution tasks” on page 69.3.3.4 Creating a contract A Statement of Work (SOW) is a binding contractual agreement between you and the client organization. It defines the service engagement that you have to perform and the result that the customer can expect from the engagement. The contract should leave nothing in doubt. This section will help you put the SOW together. An example of a possible Statement of Work can be found in Appendix A, “Statement of Work” on page 211. What is the business objective of the customer for installing Tivoli Compliance Insight Manager? This will drive the installation and determine what direction the customer wants to take in evaluating, testing, or implementing the software.66 Deployment Guide Series: IBM Tivoli Compliance Insight Manager
- Does the customer need to comply with industry regulations or standards? Assess and pinpoint which of the following regulations and standards are of interest to the customer:
  – Sarbanes-Oxley: The Sarbanes-Oxley Act of 2002 is a United States federal law that was passed on July 30, 2002 in response to the well-known accounting scandals of Enron, WorldCom, and others. Every organization listed on the New York Stock Exchange (NYSE) has to comply with this act.
  – HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by the United States Congress in 1996. There are two titles of the HIPAA Act. Title I protects health insurance coverage for employees and their families when they change or lose their jobs. Title II requires the establishment of standards for electronic health care transactions. HIPAA also addresses the security and privacy of health data.
  – GLBA: The Gramm-Leach-Bliley Act allows commercial and investment banks to consolidate.
  – ISO 27002: This standard describes the context of confidentiality (ensuring that information is accessible only to those who are authorized), integrity (safeguarding the accuracy and completeness of information), and availability (ensuring that authorized users have access to information).
  – Basel II: Basel II provides an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face.
  – Other: If there are other regulations or standards the organization has to comply with, they should be listed in this section of the data gathering process for the implementation project.
- What are the reporting requirements? Try to understand the reporting requirements of the various groups in the organization that will be using Tivoli Compliance Insight Manager. If the customer is unable to provide their reporting requirements, but has a business or security requirement for monitoring privileged users, then recommending the top 10 PUMA reports would be a good start to showing the customer Tivoli Compliance Insight Manager’s capabilities. Reporting requirements can have a big impact on the type of consulting services. During the discovery phase, it is always better to get the customer’s security policy and reporting requirements as well as the current audit settings for the different platforms that will be monitored with Tivoli Compliance Insight Manager.
- What are the target platforms? Some organizations are more interested in monitoring UNIX servers while others concentrate on Windows servers. Use the implementation spreadsheet, which requires the customer to provide information about event sources, platforms, versions, log sizes, and so on. An example of how this spreadsheet could look can be seen in “Implementation spreadsheet” on page 75.
- What kind of installation does the customer expect? The standard approach should be to combine a partial installation with on-the-job training to make the customer self-sufficient as soon as possible. This is probably also what most customers want, but it can only be achieved with the help of the customer. You and the customer will install a couple of agents per platform together, and you will then explain the installation procedure for each platform.
- How will progress be tracked for this implementation project? Agree on a format and the frequency of regular status reports with the customer.
- How will the customer’s change control procedures impact the project time line? Coordinate the dates for the installation. Also make sure that the right resources will be available on that day on both sides. Be sure to use the customer’s change management process.
- Who will be on the implementation team? This includes key players like system administrators for the target platforms, the security team, and many others at the customer site, and also the assigned Tivoli Compliance Insight Manager experts.
- Is there a technology certification process that must be adhered to? Before the installation of applications, tools, and so on, some customers might require a committee to evaluate the software in a test or acceptance environment first, or to present the architecture in detail to various departments with a vested interest.
- What are the procedures and standards for security auditing and event management of the target servers and applications? This information is needed to define the initial solution requirements, constraints, and critical success factors.

We provide a sample Statement of Work in Appendix A, “Statement of Work” on page 211.

3.4 Defining solution tasks

The key to a profitable services engagement is to identify the tasks that you have to perform correctly and to allocate the necessary time to perform them. This section guides you on the tasks that you might need to perform for a security compliance solution implementation using Tivoli Compliance Insight Manager. Your estimates for timing will depend largely on the following factors:

- Number of Tivoli Compliance Insight Manager event sources that need to be deployed. An event source for Tivoli Compliance Insight Manager can be a database, an application, an operating system, a network device, and so on, which records its events in logs to which Tivoli Compliance Insight Manager has access in order to collect a selection of security-relevant logs for event monitoring and reporting. Therefore, you need to determine the size estimates separately for each adapter.
- Number of Tivoli Compliance Insight Manager group policy rules that need to be defined. Policy rules define allowed behavior. Most events that happen in organizations are normal events, created by normal working activities. Group policy rules represent this behavior. Any action that these rules do not cover is automatically a policy exception. A policy rule for every platform needs to be defined.
The next section provides a description of the necessary tasks required for a Tivoli Compliance Insight Manager deployment. Make sure that the following prerequisites are in place. In the course of this book, we assume:

- You have a dedicated client organization engineer who is available for the duration of the project.
- You have identified the pilot environment and defined the test criteria for the solution. In addition, the client organization has signed off on the pilot environment and test criteria.
- Documentation for the solution will be done offsite.

3.4.1 Deployment tasks

This section lists the required tasks for a Tivoli Compliance Insight Manager deployment. You can use these tasks when creating a Statement of Work.

Technical details

What would a technical project be without some details? This section shows you what you need to consider when implementing Tivoli Compliance Insight Manager:

- Assess whether auditing is enabled. If so, ask how much data is being collected per platform. If not, standard audit settings should be implemented. After this step, details on the data volume should be gathered to identify hardware sizing.
- Is the auditing subsystem on the target servers fine-tuned? This will help to avoid generating an excessive amount of log data.
- Are there any special considerations for auditing on the target machines? Think about Group Policy Objects (GPOs), third-party products, change control for modifying audit settings, separate partitions for audit logs, requirements to delete audit logs on the target platform, and requirements for agentless log collection. These are just a few examples. Brainstorm with the customer representatives to evaluate as much as possible.
- Find out how much data needs to be online in the log repository. This is important in determining the hardware requirements. The following is a guideline to determine minimum requirements:
  – The server needs to be partitioned in a RAID 5 configuration (preferred, but not required).
  – Determine the appropriate hard disk space, depending on the amount of daily log data that needs to be collected for the monitored platforms and applications, as shown in Table 3-1.

Table 3-1 Memory requirements based on the amount of logged data

  Log data per day       Processor                      Memory
  Up to 3 GB per day     Intel® Pentium® 4 (2.0 GHz)    4 GB
  Up to 16 GB per day    2x Xeon (2.8 GHz)              6 GB

  The amount of data that is to be kept in the log repository determines the required hard disk space.

  Tip: The repository size can be calculated using the following formula (this is an approximate size):

    1.5 * (total GB of daily logs / 10 compression factor) * number of days to keep in repository + 25 GB for program files, temp files, and databases

  A minimum of 200 GB should be considered if the above formula gives a lower result. For further details on how to size the disk space, refer to the IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0, GI11-8176.

- On what operating system will Tivoli Compliance Insight Manager run? Tivoli Compliance Insight Manager runs on the following operating systems:
  – Windows 2000 Server
  – Windows 2000 Advanced Server
  – Windows 2003 Standard Edition
  – Windows 2003 Enterprise Edition
  The Tivoli Compliance Insight Manager server should be a newly installed system. This system should be dedicated to Tivoli Compliance Insight Manager and should not host or run any other applications. The Tivoli Compliance Insight Manager system should have a static IP address.
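The following Python helper is an added example, not part of the Redbook or the product: it applies the repository sizing formula above with its 200 GB floor and picks the hardware tier from Table 3-1, summing per-event-source daily volumes as they would be entered in the implementation spreadsheet. The event-source names and log volumes in it are constructed sample values.

```python
"""Repository sizing helper for a Tivoli Compliance Insight Manager server.

Implements the approximate formula from the deployment guide:
    1.5 * (total GB of daily logs / compression factor) * retention days
    + 25 GB for program files, temp files and databases,
with a 200 GB floor, and looks up the hardware tier from Table 3-1.
The event-source volumes at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Table 3-1: (upper bound of log data per day in GB, processor, memory in GB)
HARDWARE_TIERS: Tuple[Tuple[float, str, int], ...] = (
    (3.0, "Intel Pentium 4 (2.0 GHz)", 4),
    (16.0, "2x Xeon (2.8 GHz)", 6),
)

OVERHEAD_GB = 25.0            # program files, temp files, databases
MINIMUM_REPOSITORY_GB = 200.0  # floor recommended by the guide
DEFAULT_COMPRESSION = 10.0     # compression factor used in the formula


def repository_size_gb(daily_log_gb: float, retention_days: int,
                       compression: float = DEFAULT_COMPRESSION) -> float:
    """Approximate repository disk space in GB, never below the 200 GB floor."""
    if daily_log_gb < 0 or retention_days < 0 or compression <= 0:
        raise ValueError("volumes and retention must be >= 0, compression > 0")
    raw = 1.5 * (daily_log_gb / compression) * retention_days + OVERHEAD_GB
    return max(raw, MINIMUM_REPOSITORY_GB)


def hardware_tier(daily_log_gb: float) -> Optional[Tuple[str, int]]:
    """Return (processor, memory GB) from Table 3-1, or None above 16 GB/day.

    None means the table does not cover this volume and the Installation
    Guide's sizing details must be consulted instead of extrapolating.
    """
    for upper_bound, processor, memory_gb in HARDWARE_TIERS:
        if daily_log_gb <= upper_bound:
            return processor, memory_gb
    return None


@dataclass
class SizingPlan:
    daily_log_gb: float
    repository_gb: float
    tier: Optional[Tuple[str, int]]


def plan_server(event_source_daily_gb: Dict[str, float], retention_days: int,
                compression: float = DEFAULT_COMPRESSION) -> SizingPlan:
    """Sum per-event-source daily volumes (one estimate per adapter, as the
    guide requires) and derive the repository size and hardware tier."""
    total = sum(event_source_daily_gb.values())
    return SizingPlan(
        daily_log_gb=total,
        repository_gb=repository_size_gb(total, retention_days, compression),
        tier=hardware_tier(total),
    )


if __name__ == "__main__":
    # Constructed sample volumes, as they might appear in the
    # implementation spreadsheet's "Daily log size" column.
    sample = {
        "dc01 (Windows Security log)": 1.2,
        "db01 (DB2 audit)": 0.6,
        "sol01 (Solaris audit)": 0.4,
    }
    plan = plan_server(sample, retention_days=90)
    print(f"daily volume: {plan.daily_log_gb:.1f} GB")
    print(f"repository:   {plan.repository_gb:.1f} GB")
    print(f"hardware:     {plan.tier}")
```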
- Is communication between the Tivoli Compliance Insight Manager server and target machines filtered by firewalls? Analyze the customer’s network architecture diagrams and topology to identify solution constraints or limitations. For example, will port 5050 be available in both directions for the server and agent to communicate? Is host name resolution (DNS) working across the target environment?
- What type of data gathering should be used per platform? This can only be decided per platform. There are two types of data gathering methods:
  – Agent/Agentless. For more information about agent/agentless data gathering, refer to “Platform specifics” on page 73.
  – Real time. Will Security Event Manager (SEM) be part of the implementation project? Will the customer be using Tivoli Compliance Insight Manager for real-time security event monitoring?
- Which antivirus program is the customer running on the Tivoli Compliance Insight Manager server and target platforms?
- Which remote control programs does the customer normally use to access their Windows servers? The Oracle database engine cannot be installed through certain remote control programs such as Terminal Services/Remote Desktop.
- Which Oracle environment does the customer wish to use? Does the customer want to use the embedded Oracle engine, or do they wish to use their own Oracle environment? What version of Oracle (including OS) are they running? The embedded Oracle engine can be considered a black box. No maintenance or DBA actions need to be taken for this database engine. The preferred method is therefore to run the embedded Oracle engine (most customers use it this way).
- Is it possible to FTP files from the Tivoli Compliance Insight Manager server to the target systems?

Reporting

By getting this information from the customer, it is easier to understand what the reports should look like. Knowing in advance whether the customer needs to generate reports by platform, by business unit, by location, or by another type of group will help the service provider and the project team with the product configuration.
For systematic analysis, event data is taken from the Depot and normalized into an easily understood data model called the Generic Event Model (GEM). This process is called mapping. Subsequently, the mapped data is stored in a GEM database. GEM databases are periodically emptied and filled with recent data, often daily. Data from the previous day is present in the database, ready for analysis. If necessary, other data from the Depot can be mapped and loaded through manual commands.

Be sure to explain to the customer that they can monitor and report on their event sources using a combination of different reporting databases. For example, they can include their Solaris machines in a UNIX GEM database (AIX®, Solaris, Linux®, and so on) and then include the Solaris event source in another GEM database for their business unit (Solaris, Win, RACF®, and so on).

Platform specifics

This section describes some of the supported platforms of Tivoli Compliance Insight Manager. Of course, we cannot discuss all the specifics of all supported platforms. This section only focuses on some special considerations needed for a successful implementation on Windows, HP-UX, Solaris, and iSeries® systems. For a complete set of supported platforms, refer to the IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0, GI11-8176.

Windows

For Wintel platforms, you need to consider whether the organization’s environment uses Active Directory® or NT domains. Also, evaluate whether the Tivoli Compliance Insight Manager server service and the agent services run under one central domain account.

For agent and agentless collections, it is important to know whether the customer plans to create the domain users and groups manually. If so, you must ensure that the required user permissions are set. A summary of the user permissions required for agent and agentless collection follows:

- Agent collect:
  – On the target machine, it will create a local group called CeAUsers.
  – The global domain group g_CeAUsers will be part of the local CeAUsers group.
  – The global domain group g_CeAUsers will be part of the local administrators group.
  On the target machine, the local group CeAUsers will acquire the following rights:
  – Act as part of the OS.
  – Log on as a service.
  – Load and unload device drivers.
  – Manage auditing and security log.
- Agentless collect: This type of collection mechanism requires a valid domain user account with the permission “Manage auditing and security log” on the domain directory or local machine.

For a Wintel installation, it is important to know whether the Windows agents will be installed manually or remotely. For remote installations, NetBIOS has to be enabled. NetBIOS is also important for pushing out audit settings.

On which kind of server systems will the Tivoli Compliance Insight Manager agents be installed? Domain controllers, file servers, print servers, or simple member servers all have different tasks to perform and applications installed. This will influence the amount of data gathered.

HP-UX

Before a successful Tivoli Compliance Insight Manager installation can be carried out, the organization needs to ensure that the HP-UX systems are trusted systems; otherwise, the native operating system auditing cannot be enabled.

Solaris

If the organization is using tcsh or csh, then the start-client script will have problems executing.

Tip: To work around this problem, call the start-client script as follows:

  $ sh start-client

If the organization does not already rotate and purge old logs from the target systems to avoid filling up disk space, we recommend using a cron job to do so. Some organizations can have very large volumes of data that can fill up the disks on the target systems.

iSeries

- The iSeries systems should have an English language module.
- The iSeries should have a CD-ROM drive for the installation.
- The default priority for Tivoli Compliance Insight Manager subsystems is 20. If the priority should be different from this, change it.
- QALWOBJRST is a system value on iSeries systems. It controls whether security-sensitive objects can be restored. Before installing a Tivoli Compliance Insight Manager agent on an iSeries system, determine whether it is set to *NONE. If this value is set, it is not possible to install a Tivoli Compliance Insight Manager agent.

Implementation spreadsheet

An implementation spreadsheet can be a Microsoft Excel sheet that you create and fill out during the pre-implementation phase. It can help the project team to get information about all systems in scope. It should have the following columns:

- In or out of scope of the project
- Name of the application
- Owner of the application
- Platform the application is running on
- Server name
- Event source name
- Daily log size
- Business unit
- Server location
- Function of server
- Domain
- IP address of server
- Number of network cards attached
- Which Tivoli Compliance Insight Manager server it is assigned to
- Tivoli Compliance Insight Manager group

With the information gathered into this list, it is much easier to plan the implementation of the Tivoli Compliance Insight Manager server and its agents on the target systems.

3.5 Conclusion

In this chapter, we gave you an overview of what it takes to prepare for a services engagement. We also showed what it takes to define a solution scope and its components, and how to define the solution tasks. With this knowledge, we will now continue with Chapter 4, “Gym and Health Incorporation” on page 79, where we guide you through our (fictional) scenario of a fitness center company called Gym and Health Incorporation (GaH). Then we go to Chapter 5, “Deployment design” on page 89, which contains information about the deployment design. Next we show you how to install Tivoli Compliance Insight Manager in Chapter 6, “Installing Tivoli Compliance Insight Manager” on page 99. The last two chapters, Chapter 7, “Event source configuration” on page 121 and Chapter 8, “Report generation” on page 191, explain how to configure event sources and do some basic reporting.
Part 2. Customer environment

In this part of the book, we discuss how to deploy Tivoli Compliance Insight Manager in a particular customer environment.
Chapter 4. Gym and Health Incorporation

To demonstrate the concepts of this book, this chapter introduces a scenario about a fictional premium health club called Gym and Health Incorporation (GaH). This chapter discusses the overall structure of GaH, including a business profile, the current IT architecture and infrastructure, and the medium-term business vision and objectives.

Note: All names and references for companies and business institutions used in this chapter are fictional. Any match with a real company or institution is coincidental.
4.1 Company profile

The Gym and Health Incorporation (GaH) is one of the leading fitness companies within the United States, with a premium level of fitness offerings. It has been in business for more than 10 years and operates more than 200 fitness centers in 40 U.S. states with more than 300,000 members. GaH offers a variety of training and service standards to its members and professional supervision during training.

One reason for GaH being one of the leading U.S. fitness companies is the availability of the fitness and health data of its members whenever a member enters any of GaH’s fitness centers. Logging on to member data is done with a chip card in conjunction with fingerprint authentication. Authentication can be granted on every piece of training equipment. New training results are stored automatically after each training session and are replicated to each of the data centers during the night.

GaH also offers a program called gymnastics on demand (gymod). This program has reduced monthly fees and charges the member on an “as used” basis when the member slides the chip card at the fitness station through the same card reader that is used to log on to the training information. An application asks the member to confirm that the charge is to be deducted from the prepaid amount of money that can be loaded onto the chip card at any GaH fitness center.

4.1.1 GaH business initiatives

GaH understands that globalization is a worldwide process that a company needs to follow (be part of) in order to be or become a market leader. The mid-term business objective is to be among the top three listed fitness companies in America. GaH has therefore commissioned a survey on expanding its business by either building new fitness centers or acquiring existing fitness centers in Canada and in the major travel destinations in South America and the Caribbean islands, which would help to accomplish this objective. There is a strong desire for high quality fitness centers, not only in city centers or suburban areas, but surprisingly also in “all inclusive” vacation clubs.
4.1.2 Geographic distribution of GaH

GaH was founded in Ft. Myers, Florida in 1995. GaH’s headquarters is still based there. The central IT data center is located downtown. GaH operates the following three regional data centers:

- New York City, New York for all the northern and northeastern states
- Kansas City, Kansas for all midwestern states
- Salem, Oregon for all western states, including Alaska and Hawaii

These regional data centers service the IT needs of the region, such as user administration and help desk support.

4.1.3 Management of GaH members

Members are managed centrally from the Ft. Myers site. For the scenario described in this book, the following important procedures apply to membership management:

- If new members do not enroll for a membership through the Internet, they have to apply for membership locally in one of the fitness centers.
- When new members enter a fitness center for the first time, they have to register their fingerprint. The new member can then start using the training equipment in this fitness center immediately. The information is replicated overnight to all other fitness centers. This ensures that the use of training equipment in any other GaH fitness center is guaranteed within 24 hours.
- With the two-factor authentication in place (chip card + fingerprint), it is not possible to share the membership card, even among family members. This was one of the major concerns of GaH in the early days of being in the business.
- Personal and training data is stored at the location where the member uses the training equipment and is replicated to a centralized database at the Ft. Myers site overnight. GaH guarantees its members that all data is available at all fitness centers no more than 24 hours from when it was entered or registered.

Since credit card, personal information, and health data is processed on the servers, GaH is concerned about the security of this data. That is why GaH wants (and needs) to adhere to the regulations and security standards outlined in 4.2.2, “The GaH information security compliance initiative” on page 85.
Note: In this book, we omit any detailed description of IBM Tivoli Access Manager and IBM Tivoli Identity Manager solutions, because the focus is on information security compliance using Tivoli Compliance Insight Manager only. Also, for this scenario, we assume that these solutions are already in place. For further details, you might want to consult the following IBM Redbooks publications:

- Enterprise Security Architecture Using IBM Tivoli Security Solutions, SG24-6014
- Enterprise Business Portals with IBM Tivoli Access Manager, SG24-6556
- Enterprise Business Portals II with IBM Tivoli Access Manager, SG24-6885
- Identity Management Design Guide with IBM Tivoli Identity Manager, SG24-6996
- Deployment Guide Series: IBM Tivoli Identity Manager Express 4.6, SG24-7233

4.2 Current IT infrastructure

In this section of the book, we describe the current IT environment of GaH, which covers:

- An overview of the GaH network
  – GaH’s production environment
  – GaH’s management environment
  – GaH’s intranet
- GaH’s security compliance initiative
  – HIPAA requirements of GaH
  – Data privacy requirements of GaH
  – PCI requirements of GaH

4.2.1 Current infrastructure of GaH

The Gym and Health Incorporation has an IT environment which basically consists of only Wintel components. They have defined three different zones, which are:

- Intranet
- Production zone
- Management zone (new with this project)

The GaH intranet

GaH’s intranet has MS Windows XP workstations deployed to all fitness centers and manages them with Active Directory. Also, utility servers used for file and print services on the intranet run on MS Windows 2003.

GaH’s production zone

In the production zone, the DB2® databases on which member profiles, training data, and so on are stored and managed are also deployed on MS Windows 2003 servers. The Web application for remote member enrollment and Web presentation is outsourced to an external service provider and is not part of this book.

Gym and Health Incorporation uses three fully resilient data centers in Ft. Myers (Florida), Kansas City (Kansas), and Salem (Oregon) for their operations.

GaH’s management zone

With the deployment of Tivoli Compliance Insight Manager, GaH introduces a third and new zone to its infrastructure: the management zone. In this zone, Tivoli Compliance Insight Manager will be installed and from here the administrators will monitor GaH’s IT infrastructure.
Figure 4-1 shows the current IT infrastructure of GaH.

Figure 4-1 IT infrastructure of GaH
4.2.2 The GaH information security compliance initiative

As outlined earlier in this chapter, GaH’s mid-term expansion plans cover building or acquiring fitness centers in the rest of America in order to become a market leader on the continent. Since they hold personal data (address or age information), health and training data (current state of training fitness and heart information), and financial data (amount of money loaded onto the chip card) of their members in their databases, they are, by law, compelled to be compliant with some regulatory requirements, such as:

- Health Insurance Portability and Accountability Act (HIPAA): Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Also, the security and privacy of health data is addressed here. The standards are meant to improve the efficiency and effectiveness of the U.S. health care system by encouraging the widespread use of electronic data interchange. In our example, HIPAA refers to training and health data stored in GaH’s databases.
- Data Privacy Act(s): Each country in which GaH operates (and will operate) has its own data privacy act. Data privacy means giving an individual the right to decide what personal data can be disclosed to the public. In the GaH scenario, this applies to personal data such as address data, age, profession, and so on.
- Payment Card Industry Data Security Standard (PCI): The PCI standard is a comprehensive body of regulation in the area of monetary transactions. It refers to transactions with credit cards and is supported by all major credit card organizations. Companies and service providers that store, transfer, or transact with credit card payments have to adhere to these rules. Since GaH members are allowed to load their chip cards by using credit cards in the fitness centers, GaH has to adhere to these regulations.

GaH knows that they have to be compliant with these rules and regulations. They have implemented a variety of security measures to ensure information security compliance. With the expansion plans in place, they need to be in much better control of information security compliance. For that reason, they decide to implement Tivoli Compliance Insight Manager, which gives them control over who in the IT infrastructure does what, when, where, and so on.
  • Gym and Health Incorporation uses these messages to attract more new members. Their marketing message to prospective members is: “We care for your health and your personal data”. This puts pressure on themselves, but also will ensure a rapid deployment of Tivoli Compliance Insight Manager.4.3 Information security compliance management GaH currently only looks at one particular aspect of information security compliance: adherence to security policies. The executive board has defined the business requirements from which the Information Security Manager has developed GaH’s security policies and standards. There is a strong commitment to the compliance activities from the executive board. Note: Compliance to security policies can be monitored and reported by the IBM Tivoli Security Compliance Manager. Again, this book assumes that a technical solution using this tool is already in place for GaH. For further details, you might want to consult Deployment Guide Series: IBM Tivoli Security Compliance Manager, SG24-6450.4.3.1 Emerging issues Despite having an environment that uses Tivoli Identity Manager and Tivoli Access Manager tools that concurrently checks for policy compliance with Tivoli Security Compliance Manager, GaH has identified some personnel issues: Administrators log on to systems outside of their normal working hours. Administrators share passwords in teams for various systems. Database administrators perform system administrative tasks. Membership representatives have inappropriate access rights on databases. GaH also wants to discover who does what. With this information, an internal project will be set up to level up the quality of internal security standards. GaH want to get as much control over information security compliance as possible by being compliant with all of the above mentioned rules and regulations. This is a mandatory requirement if the business expands outside the U.S. 
Also, with Tivoli Compliance Insight Manager, they will be able to demonstrate, in a better and efficient way, to internal and external auditors the compliance to rules, regulations, and security policies.86 Deployment Guide Series: IBM Tivoli Compliance Insight Manager
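The four personnel issues listed above are exactly the kind of question that the "who does what, when, where" view of the audit data is meant to answer. The following Python sketch is an added illustration, not code from this Redbook or from Tivoli Compliance Insight Manager: it takes constructed audit events that have already been normalized into a who/what/when/where shape and runs one check per issue. The role attribute on each event, the working-hours window, the action and host names, and the shared-password heuristic (one account logging on from two different source hosts within a few minutes) are all assumptions made for this example.

```python
"""
Added example (not from the Redbook or the product): policy checks for the
four personnel issues GaH identified, run over constructed audit events that
have been normalized into a who / what / when / where shape.  Role names,
action names, host names and the working-hours window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Event:
    who: str          # account that performed the action
    role: str         # role of that account (assumed to come from an HR or IAM feed)
    what: str         # normalized action name
    when: datetime    # time of the action
    where: str        # system on which the action took place
    where_from: str   # host the action originated from
    on_what: str      # object that was acted upon


# Assumed policy parameters; GaH's real values would come from its security standards.
WORKING_HOURS = (time(7, 0), time(19, 0))
SYSADMIN_ACTIONS = {"service_restart", "user_create", "group_modify", "audit_policy_change"}
DB_ACCESS_ACTIONS = {"table_read", "table_update", "table_export"}
ROLES_ALLOWED_ON_DB = {"dba", "application_service"}
DB_HOST = "db2-member"            # hypothetical name of the DB2 server
SHARED_ACCOUNT_WINDOW = timedelta(minutes=10)


def off_hours_admin_logons(events):
    """Issue 1: administrators logging on outside normal working hours."""
    start, end = WORKING_HOURS
    return [e for e in events
            if e.role == "administrator" and e.what == "logon"
            and not (start <= e.when.time() < end)]


def shared_account_logons(events):
    """Issue 2 (heuristic): the same account logs on from two different source
    hosts within SHARED_ACCOUNT_WINDOW, one visible symptom of a password
    that is shared within a team."""
    logons = sorted((e for e in events if e.what == "logon"), key=lambda e: e.when)
    findings = []
    for i, first in enumerate(logons):
        for later in logons[i + 1:]:
            if later.when - first.when > SHARED_ACCOUNT_WINDOW:
                break  # list is sorted by time, nothing further can be in the window
            if first.who == later.who and first.where_from != later.where_from:
                findings.append((first.who, first.where_from, later.where_from))
    return findings


def dba_sysadmin_actions(events):
    """Issue 3: database administrators performing system administrative tasks."""
    return [e for e in events if e.role == "dba" and e.what in SYSADMIN_ACTIONS]


def unauthorized_db_access(events):
    """Issue 4: roles that should not touch the database accessing it directly."""
    return [e for e in events
            if e.where == DB_HOST and e.what in DB_ACCESS_ACTIONS
            and e.role not in ROLES_ALLOWED_ON_DB]


def run_checks(events):
    """Finding count per check, the kind of summary an auditor-facing report starts from."""
    return {
        "off_hours_admin_logon": len(off_hours_admin_logons(events)),
        "shared_account_logon": len(shared_account_logons(events)),
        "dba_sysadmin_action": len(dba_sysadmin_actions(events)),
        "unauthorized_db_access": len(unauthorized_db_access(events)),
    }


def sample_events():
    """Constructed sample events for one day; not real GaH data."""
    def at(hour, minute):
        return datetime(2008, 2, 11, hour, minute)
    return [
        Event("adm_jsmith", "administrator", "logon", at(8, 15), "ad-dc01", "ws-ops-12", "ad-dc01"),
        Event("adm_jsmith", "administrator", "logon", at(23, 40), "ad-dc01", "ws-home-3", "ad-dc01"),
        Event("adm_bwong", "administrator", "logon", at(9, 2), "file-srv01", "ws-ops-07", "file-srv01"),
        Event("adm_bwong", "administrator", "logon", at(9, 6), DB_HOST, "ws-ops-21", DB_HOST),
        Event("dba_kpatel", "dba", "service_restart", at(10, 30), DB_HOST, "ws-dba-02", "db2 service"),
        Event("dba_kpatel", "dba", "table_read", at(10, 35), DB_HOST, "ws-dba-02", "MEMBERS.CARD"),
        Event("rep_lgarcia", "membership_rep", "logon", at(8, 55), "crm-app", "ws-front-04", "crm-app"),
        Event("rep_lgarcia", "membership_rep", "table_export", at(14, 10), DB_HOST, "ws-front-04", "MEMBERS.HEALTH"),
    ]


if __name__ == "__main__":
    for check, count in run_checks(sample_events()).items():
        print(f"{check}: {count} finding(s)")
```

Each check is deliberately a plain filter over normalized events: the value of a compliance tool here lies less in the rule logic than in the normalization that makes the role, the action and the source host comparable across Active Directory, DB2 and file server logs. The shared-password heuristic will also fire for an administrator who legitimately moves between two workstations, so in practice it is a report to review rather than an alert.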
4.4 Project layout and implementation phases

Based on the corporate business vision, GaH decided to implement the new security compliance solution in three phases:

1. Deployment of Tivoli Compliance Insight Manager
2. Configuring event sources
3. Setting up basic reporting

4.5 Conclusion

This chapter gave you an overview of how Gym and Health Incorporation is currently set up. Future plans have been discussed, and you know what steps need to be taken to ensure GaH's future security compliance. Chapter 5, "Deployment design" on page 89 describes the design of the deployment, which should be the first step in each deployment project.
Chapter 5. Deployment design

In this chapter, we describe the design approach that Gym and Health Incorporation will take in order to design a compliance management solution that meets all their regulatory requirements. This discussion is divided into the following sections:

- Business requirements
- Functional requirements
- Design approach
- Implementation approach

As described in 4.2.2, "The GaH information security compliance initiative" on page 85, GaH has to be compliant with HIPAA, PCI, and the Data Privacy Acts of various countries. By using Tivoli Compliance Insight Manager as the basis for their compliance management solution, GaH will be able to meet these regulatory requirements.

5.1 Business requirements

GaH would like to implement a compliance management solution that they can customize for their environment. Furthermore, GaH wants the solution to assist them in meeting their PCI and HIPAA compliance. Keeping PCI and HIPAA compliance in mind, the CIO and the Information Security team have identified the three primary business requirements for their solution:

1. Implement processes to help achieve PCI and HIPAA compliance. Although GaH is currently considered a "Level four Merchant" for PCI (less than 20,000 transactions per year), their outlook goes far beyond this number. Compliance with PCI for Level four is recommended but not mandatory. Nevertheless, looking ahead, the CIO of GaH decided to make this a key project. In particular, they want to monitor and report on user access to sensitive company assets; the sensitive assets that need to be protected include the company's financial data, as well as confidential customer data that is stored on their servers.
2. Monitor and audit the actions taken by privileged users for internal purposes. The GaH security representatives recognize the need to monitor privileged users and their activities on key corporate systems and data to ensure that confidentiality, integrity, and availability of systems are properly maintained. This monitoring and auditing can help prevent costly damage or outages due to inadvertent mistakes or malicious actions of powerful users.
3. A centralized logging mechanism is needed. In order to meet regulatory requirements, the IT security team would like to automate rapid, reliable log file collection and management across their distributed IT environment, which includes a variety of applications, operating systems, and databases:
   a. This logging mechanism needs to be configurable so that it can change as the corporate requirements and reporting needs evolve.
   b. Historical log data should be accessible in order to get a global view of compliance.

Supporting business requirements were also identified:

- The CIO wants to be able to quickly gain an overview of the corporate security compliance posture.
- The security IT staff needs the ability to quickly and easily generate reports that cover the internal security processes, including the actions of privileged users.
- Reports should be able to compare user activities and security events to regulatory and acceptable use frameworks.
5.2 Functional requirements

We extract functional requirements by mapping business requirements to their underlying reasons. We expand the reasons in increasing detail until we find problems that can be solved using the capabilities of Tivoli Compliance Insight Manager. Our functional requirements will tie the low-level reasons for each business requirement to a capability of the compliance management solution that can be used to fulfill that business requirement. Let us examine every business requirement and search for the reasons and the functional requirements.

Business requirement 1: In order to meet PCI regulations, GaH needs to monitor user access to all sensitive company assets.

This monitoring is important for two key reasons. First, there is the threat of employees misusing the data and breaching privacy. Employees may fraudulently access or disclose confidential information. The second primary issue is data integrity. It is essential that the company ensures that their data records are accurate and complete. Therefore, GaH must be able to detect if someone tampers with critical data.

GaH has corporate IT security policies outlined to help prevent the misuse of sensitive assets. To guarantee that these IT security policies are being adhered to, GaH wants to audit the logs of critical systems and applications. The core business of GaH is fitness training. Therefore, the number of IT staff must be kept to the lowest level that is absolutely necessary. GaH wants to implement a compliance management solution that enables total monitoring of all system events, with automatic identification and reporting of potential security breaches. Extracting relevant information from the raw logs manually can be difficult because the format of logs is often quite incomprehensible. This can be overcome by implementing a compliance management solution that is capable of processing the log data and transforming it into a standardized format that is easier to read. GaH wants the ability to easily generate meaningful reports to display the compliance information.

The key functional requirements for monitoring user access to sensitive company assets are listed as follows:

a. The corporate IT security policies can be mapped into policies within the compliance management solution.
b. Use of company assets is continuously monitored, with automatic detection and reporting of potential security breaches.
c. The compliance management solution should transform the data extracted from the logs into a readable, easy to comprehend format for the user.
d. The Tivoli Compliance Insight Manager administrator should be able to easily generate reports regarding user access to corporate assets.

Business requirement 2: Monitoring and auditing the actions of privileged users is important.

A special focus on monitoring privileged users is necessary since they have more authority than regular users to perform actions on corporate systems. The IT security staff needs to know that privileged users are managing data and systems as expected. Powerful users could mistakenly or deliberately damage systems or information assets, which can be extremely costly. GaH must be able to verify that the privileged users are behaving as expected and not violating the company's internal IT security policies. The following list describes the functional requirements for monitoring and auditing the actions of privileged users:

e. The administrators of the compliance management solution can define the group of privileged users to be monitored.
f. The administrators of the compliance management solution can specify which corporate data systems and assets contain critical data.
g. Policies can be configured to describe the access rights for privileged users and the actions they are allowed to perform.
h. Reports can be generated automatically regarding privileged users and their actions over a period of time.

Business requirement 3: A centralized logging mechanism should be at the heart of the compliance management solution.

GaH has at least one point in each fitness center across the enterprise generating log events. Regulators and auditors require these log files to be captured and retained. Additionally, GaH wants to be able to investigate any events that may represent internal or external threats. Time and cost constraints mean that this log file management must be fast and affordable. In order to fulfill this requirement, the logging mechanism should have the ability to automatically collect logs on a predefined schedule. The mechanism should also have a backup and archival process in place to ensure that no logs are lost. Auditors will require the history of logs to be available to prove that the log data is continually captured and to allow old events to be investigated. The historical log data can be used to obtain an overall view of compliance. Given these parameters, the following functional requirements for the compliance solution apply to the logging mechanism:

i. Automatic log collection can be scheduled.
j. The logging mechanism should have a backup and archival process.
k. Logs should be retained so that the continuity of the logs can be proven.

Business requirement 4: The compliance management solution needs to have extensive reporting capabilities.

After the log data has been collected and stored, it needs to be analyzed to get an overview of GaH's compliance. For example, the logged events need to be compared with GaH's IT security policies to find any violations and other potential threats. GaH wants to automatically generate reports to display meaningful compliance information that has been extracted from the logged data. These reports will assist the company in demonstrating their PCI and HIPAA compliance. Since GaH is just starting to plan for PCI and HIPAA compliance, sample report templates for the different PCI and HIPAA requirements would be a very useful starting point. GaH needs to determine exactly which reports they want to generate for their unique IT environment and exactly how they would like them to be presented. The compliance management solution needs to allow new customized reports to be created so that GaH can create reports that are useful for their IT security staff. These customized reports will allow them to actively enforce their security policies and meet their regulatory requirements. The following functional requirements are applicable to reporting:

l. Sample reporting templates will be available to assist with meeting PCI and HIPAA requirements.
m. The compliance management solution will have the ability to customize reports.

5.3 Design approach

Here we consider how compliance design objectives can be realized using Tivoli Compliance Insight Manager. Our goal is to produce a plan containing a phased set of implementation steps where the end result satisfies the functional requirements and therefore also satisfies the original business requirements. While business and functional requirements are the main parts of the security design objectives, we also have to consider other non-functional requirements and constraints. These may include objectives that are necessary to meet general business requirements, or practical constraints on designing the compliance solution.
Tivoli Compliance Insight Manager implementations often include non-functional requirements relating to the following areas:

- High availability
- Backup and recovery
- Performance and capacity
- Change management
- Existing infrastructure
- Budget and staffing

Non-functional requirements are outside the scope that is covered by the scenario implementation within this book. We focus on the use of Tivoli Compliance Insight Manager to meet the functional requirements for the scenario outlined in 5.2, "Functional requirements" on page 91. The steps involved in producing an implementation plan are described here:

1. Determine what reports need to be generated for GaH to monitor its compliance. The reports that are needed should be based on the existing IT security policies that are in place for GaH. Tivoli Compliance Insight Manager provides a HIPAA component module with sample report templates for this regulatory obligation. This template can then be customized for GaH's specific needs. A PCI sample report has to be produced manually.
2. Decide which target assets should be monitored to produce these reports.
3. Identify what data will need to be collected from each event source on the target machines and whether the auditing on that system can be configured to log the required event details. If it is not possible to capture sufficient data in the target system logs, then it is not possible to audit and report on that type of event.
4. Ensure that Tivoli Compliance Insight Manager has the ability to monitor audit trails from that event source.
5. Prioritize the monitoring and reporting requirements for the various target systems and applications. Prioritizing the monitoring and reporting requirements of the target systems and applications is important because the priorities are one of the primary factors used to decide which implementation tasks will be done in which phase of the project. It is rare that a compliance management solution can be created as a single deliverable satisfying every requirement on all targets. It is far more likely that it will be delivered in phases, and the highest priority requirements should be included in the earliest phases.

Assigning priorities to the requirements is often difficult because, depending on whom you talk to in the client organization, their own requirements are most likely the "most important" ones. You can more easily compare the priorities of the target systems and applications by performing a risk assessment. The targets that are identified as being a high risk can then be treated as the highest priority.

5.4 Implementation approach

This section applies the design approach described in 5.3, "Design approach" on page 93 to GaH's specific requirements.

5.4.1 Determination of needed reports

The main goal of GaH, as discussed earlier, is to comply with internal IT security policies and PCI requirements. Chapter 8, "Report generation" on page 191 will show you how basic reporting can be achieved. In this book, we will not focus on customized reports, since this is addressed in the Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager, SG24-7530.

Internal IT security policies

Let us assume that the logging requirements of GaH's security policies are as follows:

- All logon attempts, both successful and failed
- All attempts to access classified resources
- All denied attempts to access all resources
- Use of privileged user IDs
- Use of user IDs with system privileges
- Administrators' actions in the access control system
- All attempts to access resources belonging to access control systems

PCI

The Payment Card Industry Data Security Standard outlines best practices for credit card data that is stored, transmitted, or processed. This standard consists of security requirements and guidelines that are mandatory for all major credit card issuers. Each organization that works with one of these card issuers also has to be compliant with the PCI standard.
There are two key steps needed to comply with the PCI standard:

- All systems that hold or process credit card data have to pass a quarterly vulnerability scan. Internet-facing systems have to undergo this vulnerability scan by an independent external service provider.
- Pass an annual security assessment. This assessment can be done either by the organization itself or by a certified service provider.

GaH has just under 20,000 credit card transactions per year. As outlined previously, they have many more transactions built into their expansion plans. Being a "Merchant Level 4" organization, it is not mandatory for GaH to be in compliance with the PCI standard. Levels 1 to 3 must be compliant. Table 5-1 describes the merchant level definitions.

Table 5-1 Description of PCI merchant levels

Level            | Description
Merchant Level 1 | Any organization that processes more than 6 million credit card transactions (Visa or MasterCard) per year
Merchant Level 2 | Any organization that processes 150,000 to 6 million credit card transactions (Visa or MasterCard) per year
Merchant Level 3 | Any organization that processes 20,000 to 150,000 credit card transactions (Visa or MasterCard) per year
Merchant Level 4 | Any organization that does not fit into Level 1, 2, or 3

The PCI requirements can be broken down into six different topics, containing the twelve requirements, which are discussed in the following sections.

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data sent across open, public networks.

Maintain a vulnerability management program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.

Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an information security policy
12. Maintain a policy that addresses information security.

HIPAA

The Health Insurance Portability and Accountability Act is one of the regulations to which GaH must adhere. There are many predefined HIPAA reports and policies available out-of-the-box within Tivoli Compliance Insight Manager, so we will not concentrate on this topic within this book, although GaH must still implement these policies and reports.

5.4.2 Monitored target assets

For these reports to be meaningful, it is important that we identify the target systems and applications for which each of the reports should be generated. In particular, we need to identify the classified (confidential) assets as well as the access control systems. There are two common classifications for GaH's assets:

- Confidential
- Not classified

As outlined in 4.1, "Company profile" on page 80, we assume that identity and access management tools and systems are in place. These, of course, also need to be monitored, but they are not within the scope of this book. We will only concentrate on GaH's current IT infrastructure described in 4.2, "Current IT infrastructure" on page 82.
5.4.3 Collected data

Each of the individual reports needs to be analyzed, and a list of the event details that are needed from each event source needs to be identified. Once the list of required attributes has been determined, the audit subsystem of the target system can be investigated to determine whether audit settings exist that will produce logs containing the required details. If it is not possible to generate the required log data, then that report cannot be produced for that particular system.

5.4.4 Prioritization of target systems and applications

The set of administrative or highly privileged accounts can be viewed as an asset that has a high impact once compromised. These systems are quite vulnerable to privileged access, because they are only protected by a user ID, password, and account locks, and are exposed to anyone who is using the system. This asset should therefore be monitored with high priority. In our scenario, this would be the Active Directory server.

Once compromised, the set of sensitive business data also has a high impact, but it is not so vulnerable because it is protected by ACLs, encryption, and authentication. In our scenario, this would be the DB2 system containing all personal, health, and credit card data. As a result, GaH will address these two systems first with Tivoli Compliance Insight Manager.

The file and print server in the intranet zone of GaH in this scenario will not hold any confidential data, so it is considered to be not classified. It needs to be monitored, but it is not part of the priority 1 phase (most critical servers).

5.5 Conclusion

In this chapter, we have defined the business and functional requirements. Now that we have defined the design and a subsequent implementation approach, we are ready to install the Tivoli Compliance Insight Manager server. This will be described in Chapter 6, "Installing Tivoli Compliance Insight Manager" on page 99.
Chapter 6. Installing Tivoli Compliance Insight Manager

This chapter guides you through the installation process of Tivoli Compliance Insight Manager. The first section discusses planning the installation. Depending on your system requirements, you can choose one or more of the following installation options:

- Tivoli Compliance Insight Manager Enterprise Server: This installs the Enterprise Server, the Web applications, the Management Console, and the consolidation database.
- Tivoli Compliance Insight Manager Standard Server: This installs the Standard Server, the Web applications, and the Management Console.
- Point of Presence: This installs the Actuator component.
- Remote Management Console: This installs the Actuator and the Management Console.

The second part outlines the installation of a Tivoli Compliance Insight Manager server and its components.

6.1 Planning the installation

As you might have noticed, the only difference between a Tivoli Compliance Insight Manager Enterprise Server and a Tivoli Compliance Insight Manager Standard Server is the consolidation database in the Enterprise Server. This component allows viewing aggregated data from multiple servers. Every Standard Server that is registered to an Enterprise Server automatically aggregates the data it collects by group. The Enterprise Server collects the aggregated data of all Standard Servers in the Enterprise Server database (the consolidation database).

In the scenario of this book, you are not required to install an Enterprise Server, since we are only monitoring a very small number of servers. We will concentrate on installing a Standard Server, which has all the functionality that we need for our customer Gym and Health Incorporation (GaH).

6.2 Installing Tivoli Compliance Insight Manager Standard Server

Installation of a Standard Server consists of the following procedures:

1. Install the database engine provided by Tivoli Compliance Insight Manager.
2. Install the desired Tivoli Compliance Insight Manager components.

6.2.1 Installing the database engine

Tivoli Compliance Insight Manager provides its own database engine that has to be installed. To install the database engine, do the following:

1. Insert the IBM Tivoli Compliance Insight Manager for Windows CD 1 of 2 into the CD-ROM drive. The installation program does not start automatically; launch the Setup.exe program located in the root directory of the installation CD. Figure 6-1 on page 101 shows you the initial welcome window of the Tivoli Compliance Insight Manager installation program.
Figure 6-1 Tivoli Compliance Insight Manager database engine welcome window

2. Click Next to continue.
3. Read the license agreement and agree by clicking Yes.
4. Enter the preferred installation directory by either clicking Next (this accepts the default directory) or by clicking Browse to select a different directory. A new window appears, as shown in Figure 6-2.

Figure 6-2 Tivoli Compliance Insight Manager database engine installation directory

5. Figure 6-3 shows you where to enter the desired values for the database instance:
   - Database Engine Name: This field indicates the name of the database engine. The default entry is EPRORADB. This value, of course, can be changed if desired.
   - Password: Specify the password for the database administration user ID sys. The sys user ID is only used for the installation of the database. Be sure the password adheres to your organization's security policy.
   - Confirm Password: Reconfirm the password here.
   After you have entered all the required information, click Next to proceed.

Figure 6-3 Tivoli Compliance Insight Manager database instance definition

6. Figure 6-4 shows you all the entered information. Check that all of the input you made on the Check Setup Information page is correct. Click Back to make any necessary changes. Click Next to begin the installation of the database engine.

Figure 6-4 Tivoli Compliance Insight Manager check setup information page

7. After the installation is complete, you must reboot your system before continuing with the installation of other Tivoli Compliance Insight Manager components. You can either choose to have the installation program perform the reboot, or you can perform the reboot yourself. Click Finish to exit the installation program.

6.2.2 Installing Tivoli Compliance Insight Manager components

To install Tivoli Compliance Insight Manager components, do the following:

1. Insert the CD labeled Tivoli Compliance Insight Manager for Windows CD 2 of 2 into the CD-ROM drive. The setup program starts automatically. If it does not start, use Windows Explorer to navigate to the NT directory on the CD. This is where the setup.exe program resides. Double-click it to start the installation. Figure 6-5 shows the first window that appears after the setup program has started. Click Next to continue.

Figure 6-5 Tivoli Compliance Insight Manager setup welcome window
2. As with the database engine, it is mandatory to accept the license agreement. Figure 6-6 shows the window where you must accept the license agreement. Click Next to continue.

Figure 6-6 Tivoli Compliance Insight Manager license agreement statement

3. Figure 6-7 shows you the components that are available from the current CD. In our current scenario, we want to install the Standard Server on the Expansion Server window.

Figure 6-7 Tivoli Compliance Insight Manager component installation window

4. In Figure 6-8, either click Next to accept the default install directory or click Browse to select a different one. The default value for the installation directory is %SystemDrive%\IBM\TCIM.

Figure 6-8 Tivoli Compliance Insight Manager target directory selection

5. In Figure 6-9, enter a password that complies with your organization's password policy for the default Tivoli Compliance Insight Manager account user cearoot. Re-enter the password in the Confirm Password field to confirm it.

Figure 6-9 Tivoli Compliance Insight Manager account name configuration

6. In the database connection window shown in Figure 6-10, specify the database instance. This is a database instance that Tivoli Compliance Insight Manager can use and that was specified during the installation of the database engine. The default name is EPRORADB. Refer to 6.2.1, "Installing the database engine" on page 100 for instructions on installing the database engine for Tivoli Compliance Insight Manager. If the installation cannot connect to the selected database instance using OS authentication, specify the following values when prompted:
   - System User (with DBA role): The name of the system user with the database administration role used to access the selected database instance during the installation. The default name the setup provides is sys.
   - Password: The password for the system user.
   Optionally, you can test the connection by clicking the Test Connection button to see whether the entered data is correct.

Figure 6-10 Tivoli Compliance Insight Manager database connection
7. In the window shown in Figure 6-11, you have to enter the database account information. Specify the following values:
   - Database Account: This is the name of the database account that Tivoli Compliance Insight Manager uses to communicate with the database that contains its audit data. The setup creates this account during the database engine installation. Details about this installation can be found in 6.2.1, "Installing the database engine" on page 100. The default value is cearoot.
   - Password: Specify the password for the cearoot user.
   - Confirm Password: Confirm the password in this field.
   Optionally, you might want to verify that the database account is valid. Do the following:
   a. Click Test Account. If this account has already been used, a confirmation message prompts you to confirm this user.
   b. Click OK to confirm.
   c. Click Next to continue the installation.

Figure 6-11 Tivoli Compliance Insight Manager database account selection

8. Now you will see the target directory where the components will be installed, as shown in Figure 6-12. Click Next to start the installation.

Figure 6-12 Tivoli Compliance Insight Manager target directory

9. The installation of Tivoli Compliance Insight Manager takes a few moments. In Figure 6-13, you have to enter the server name. The default value is the name of the local host. Click Next to continue.

Figure 6-13 Tivoli Compliance Insight Manager server name definition

10. In Figure 6-14, you see the Indicate time zone window. Specify the time zone that is to be used for the aggregation. Make the necessary changes and then click Next to continue.

Figure 6-14 Tivoli Compliance Insight Manager time zone definition

11. In Figure 6-15, you can specify the maintenance task window for the Tivoli Compliance Insight Manager server. This service runs for about five minutes and should be scheduled at a time when Tivoli Compliance Insight Manager is not in use.

Figure 6-15 Tivoli Compliance Insight Manager maintenance start time

12. The last piece of information that is needed for the installation is optional. In Figure 6-16, you can specify the SMTP host name and e-mail address. Clicking Next starts the installation of the components.

Figure 6-16 Tivoli Compliance Insight Manager SMTP definition

13. If the Web applications component is being installed, the Specify iText library location for PDF export window is displayed later in the installation process. This is shown in Figure 6-17. If you have installed iText, you can enter the location of the iText library in the field or click Browse to locate the directory. If you do not specify a JAR file, the PDF export function is not enabled. You can still choose to enable this function after the installation is complete. Refer to IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0, GI11-8176 for more information. There are no installation windows for the Management Console.

Figure 6-17 Tivoli Compliance Insight Manager PDF export functionality

14. Figure 6-18 shows a message box that comes up once the Standard Server of Tivoli Compliance Insight Manager is installed. If you install an Enterprise Server later and would like to register this Standard Server to the Enterprise Server, you can do so by running the command that is saved in a text file. The location of this text file is shown in this message box. You can retrieve this text file and copy the command for use when you register the Standard Server with the Enterprise Server.

Figure 6-18 Location of the text file containing the command to register to an Enterprise Server

15. The Setup Complete window shown in Figure 6-19 on page 119 is displayed when the installation is complete. This window lists the Tivoli Compliance Insight Manager components that were installed, and whether the installation succeeded. If the window indicates that the installation did not succeed, run the setup program again.

Figure 6-19 Tivoli Compliance Insight Manager setup finished window

6.2.3 Enabling PDF export functionality after the installation

If you did not specify the location of the iText directory during the installation of the Web Applications component, the PDF export function is not available. To enable this function after the installation is complete, do the following:

1. Download the iText PDF library from http://www.lowagie.com/iText/ to a specific directory, such as C:\iText.
2. Open a command prompt, and go to the iViewSrv subdirectory in the Tivoli Compliance Insight Manager installation directory. For example, if the default installation directory was used, use the following command:

   cd /d C:\IBM\TCIM\iViewSrv

3. Run the updateITextPath.bat script and specify the path to the iText JAR file. The script will restart the Tivoli Compliance Insight Manager application server. For example:

   updateITextPath.bat c:\iText\itext-2.0.1.jar

After the script has run and the server has been restarted, the newly configured version of iText is used and the PDF export function is enabled.
6.3 Conclusion

This chapter led you through the installation process of a Tivoli Compliance Insight Manager Standard Server. The Standard Server is used in the scenario in this book. GaH only has a few servers running in their IT infrastructure. For that reason, it is not necessary to install multiple Standard Servers that need to be registered to an Enterprise Server.

Chapter 7, “Event source configuration” on page 121 will guide you through the configuration of event sources that will be monitored for our scenario.

Chapter 7. Event source configuration

In this chapter, we show the procedures required to configure Tivoli Compliance Insight Manager to collect the various event sources that are required by the Gym and Health organization (GaH) in order to meet their three primary business requirements that were introduced in Chapter 5, “Deployment design” on page 89.

© Copyright IBM Corp. 2008. All rights reserved. 121

7.1 Auditing

Figure 7-1 on page 123 shows the IT architecture of the Gym and Health Organization. This architecture was described in detail in Figure 4 on page 79. This chapter shows the process for configuring Tivoli Compliance Insight Manager to collect audit event data from the various components of this architecture in order to meet the three business requirements that were introduced in Chapter 5, “Deployment design” on page 89. Those requirements were:

1. Implement processes to help achieve PCI and HIPAA compliance.
2. Monitor and audit the actions taken by privileged users for internal purposes.
3. Set up a centralized logging mechanism.

In order to meet regulatory requirements, the IT security team would like to automate rapid, reliable log file collection and management across their distributed IT environment, which includes a variety of applications, operating systems, and databases.
Figure 7-1 IT Infrastructure of GaH

To meet these requirements, auditing will need to be configured on each of the Windows 2003 target machines, Active Directory servers, and Windows File and Print servers. Key information that is required to be audited includes events such as user logon, logoff, failed logon attempts, use of special privileges, actions by privileged and system accounts, and administration actions (such as adding and modifying users, changing passwords, modifying groups/group memberships, and so on).

Chapter 7. Event source configuration 123

GaH also has sensitive data residing on various Windows File and Print server shares. GaH would like to collect additional audit information about access to this sensitive data. The sensitive data resides on the following shared folders:

D:\Finance
D:\HR
D:\CustomerData
Print Share: C:\WINDOWS\system32\spool

7.2 Enabling and configuring auditing

All of the Windows 2003 servers will need to have appropriate audit policies configured so that the Windows Security logs contain sufficient information. In this section, we describe the settings that are configured for all of the Windows 2003 servers, as well as settings specific to the Active Directory and File and Print servers.

7.2.1 Auditing settings for the Windows Security log

The Microsoft Management Console (MMC) can be used to set the Audit Policy for the Windows servers. The following steps are followed to configure the policy:

1. Select Start → All Programs → Administrative Tools → Local Security Policy.
2. In the left hand menu, navigate to Local Policies → Audit Policy.
3. Set the Audit Policy to log the appropriate events. For GaH’s reporting requirements, the audit policy shown in Figure 7-2 on page 125 is configured on each Windows 2003 Server.

Figure 7-2 MMC Audit Policy settings

7.2.2 Active Directory audit policy settings

The GaH Active Directory servers are hosted on Windows 2003. The Windows local audit policy settings should be configured on the Active Directory servers. Configure the appropriate settings by selecting Administrative Tools → Domain Security Policy and Administrative Tools → Domain Controller Security Policy.
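The audit policy of 7.2.1 is set through the Local Security Policy snap-in; the same settings can be applied from the command line with a security template and secedit, which is easier to repeat across the Windows 2003 member servers and to compare later against the running policy. The following PowerShell script is an added example and is not part of this Redbook or of the product. The category values it sets are an assumption standing in for the ones shown in Figure 7-2, and it is meant for member servers: on the Active Directory servers, the Domain Controller Security Policy described in 7.2.2 is delivered by Group Policy and overrides a locally configured template at the next policy refresh.

```powershell
# Added example (not from the IBM Redbook or the product): apply the 7.2.1 audit policy
# to a Windows 2003 member server with a security template and secedit.exe.
# The category values below are an assumption; Figure 7-2 holds GaH's actual settings.
# Run in an elevated PowerShell session on the server being configured.

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
$AuditPolicy = [ordered]@{
    AuditLogonEvents   = 3   # logon, logoff and failed logon attempts
    AuditAccountLogon  = 3   # credential validation
    AuditAccountManage = 3   # adding/modifying users, password changes, group membership
    AuditPrivilegeUse  = 3   # use of special privileges
    AuditObjectAccess  = 3   # required for the folder SACLs of 7.2.3 to produce any events
    AuditPolicyChange  = 3   # changes to the audit policy itself
    AuditSystemEvents  = 3   # system start/shutdown and security log clearing
}

function New-AuditTemplate {
    # Write a security template (.inf) that carries only an [Event Audit] section
    param([System.Collections.IDictionary]$Policy, [string]$Path)
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Event Audit]')
    foreach ($key in $Policy.Keys) {
        $value = [int]$Policy[$key]
        if ($value -lt 0 -or $value -gt 3) { throw "Invalid audit value $value for $key" }
        $lines += "$key = $value"
    }
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    $Path
}

function Invoke-AuditTemplate {
    # Apply the template to the local policy (secedit works through its own database file)
    param([string]$TemplatePath)
    $db  = Join-Path $env:TEMP 'audit.sdb'
    $log = Join-Path $env:TEMP 'audit.log'
    & secedit.exe /configure /db $db /cfg $TemplatePath /areas SECURITYPOLICY /log $log /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit failed (exit $LASTEXITCODE); see $log" }
}

function Get-EffectiveAuditPolicy {
    # Export the running policy and return only its Audit* lines, for verification or drift checks
    $out = Join-Path $env:TEMP 'audit-export.inf'
    & secedit.exe /export /cfg $out /areas SECURITYPOLICY /log (Join-Path $env:TEMP 'audit-export.log')
    Get-Content -Path $out | Where-Object { $_ -match '^Audit\w+\s*=' }
}

$template = New-AuditTemplate -Policy $AuditPolicy -Path (Join-Path $env:TEMP 'audit.inf')
Invoke-AuditTemplate -TemplatePath $template
Get-EffectiveAuditPolicy
```

Get-EffectiveAuditPolicy is the part worth keeping on a schedule: exporting the running policy from each server and diffing it against the template catches audit settings that were silently turned off, which would leave the Security log without the events that Tivoli Compliance Insight Manager expects to collect.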
GaH wants to closely monitor the actions of their domain users. Figure 7-3 and Figure 7-4 on page 128 show the configuration on the Windows 2003 Active Directory servers.

Figure 7-3 Domain security settings

By default, Active Directory is configured to log critical and error events only. Only change this behavior if a detailed investigation is needed, because extensive logging of events can quickly consume data storage space. The following types of events that can be written to the event log are defined in Active Directory:

1. Knowledge Consistency Checker (KCC)
2. Security Events
3. ExDS Interface Events
4. MAPI Events
5. Replication Events
6. Garbage Collection
7. Internal Configuration
8. Directory Access
9. Internal Processing
10. Performance Counters
11. Initialization/Termination
12. Service Control
13. Name Resolution
14. Backup
15. Field Engineering
16. LDAP Interface Events
17. Setup
18. Global Catalog
19. Inter-Site Messaging

Microsoft has defined six levels of diagnostic logging for Active Directory (see Table 7-1).

Table 7-1 Active Directory Diagnostic logging levels

Logging level   Definition
0 (None)        Only critical events and error events are logged at this level.
1 (Minimal)     Very high-level events are recorded in the event log at this setting.
2 (Basic)       Events with a logging level of 2 or lower are logged.
3 (Extensive)   Events with a logging level of 3 or lower are logged.
4 (Verbose)     Events with a logging level of 4 or lower are logged.
5 (Internal)    All events are logged, including debug strings and configuration.

GaH decided to perform a high level of logging on Security Events and Directory Access. These settings are applied through the registry settings as follows:

1. Run regedit on the Active Directory target machine.
2. Navigate to the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
3. Assign a value from 0 to 5 for each of the available REG_DWORD values in this Diagnostics subkey. The values for GaH’s Active Directory servers are shown in Figure 7-4.

Figure 7-4 Registry settings

4. Close the Registry Editor.

Note: The example in this chapter describes the monitoring of a single Active Directory server only. For bigger Active Directory implementations where a domain forest has been implemented, the process for monitoring the single Active Directory server shown in this chapter would need to be repeated for each member of the forest.
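The registry steps above can be scripted so that the same levels are applied to every domain controller in the forest and read back afterwards. The PowerShell below is an added example and not part of this Redbook or of the product. The value names 2 Security Events and 8 Directory Access are the ones Windows uses in the NTDS\Diagnostics subkey (they match the numbered list in 7.2.2); GaH’s actual level is shown only in Figure 7-4, so the level 3 (Extensive) used in the calls is an assumption.

```powershell
# Added example (not from the IBM Redbook or the product): set and read back the Active
# Directory diagnostic logging levels that 7.2.2 sets through regedit.
# Run in an elevated PowerShell session on the domain controller.
$NtdsDiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Registry value names as they appear in the Diagnostics subkey; only the two
# categories that GaH raises are used here.
$Categories = @{
    SecurityEvents  = '2 Security Events'
    DirectoryAccess = '8 Directory Access'
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level   # levels 0..5 per Table 7-1
    )
    if (-not (Test-Path -Path $NtdsDiagKey)) {
        throw "Subkey $NtdsDiagKey not found; this machine is not a domain controller"
    }
    Set-ItemProperty -Path $NtdsDiagKey -Name $ValueName -Value $Level -Type DWord
}

function Get-NtdsDiagnosticLevels {
    # Return every numbered category with its current level, sorted by number.
    # Filtering on Value -gt 0 afterwards shows stale troubleshooting settings that
    # keep filling the Directory Service log (the storage concern noted in 7.2.2).
    $props = Get-ItemProperty -Path $NtdsDiagKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+ ' } |
        Select-Object Name, Value |
        Sort-Object { [int](($_.Name -split ' ')[0]) }
}

# Level 3 (Extensive) is an assumption; GaH's real values are in Figure 7-4.
Set-NtdsDiagnosticLevel -ValueName $Categories.SecurityEvents  -Level 3
Set-NtdsDiagnosticLevel -ValueName $Categories.DirectoryAccess -Level 3
Get-NtdsDiagnosticLevels | Where-Object { $_.Value -gt 0 }
```

The levels take effect without restarting the NTDS service. Because the page warns that extensive logging consumes storage quickly, the readback function is the one to run periodically across all domain controllers: any category left above 0 after an investigation is finished shows up immediately.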
7.2.3 File server settings: object access auditing

As described in 7.1, “Auditing” on page 122, the following Windows 2003 file shares contain sensitive data that needs to be monitored:

D:\Finance
D:\HR
D:\CustomerData
Print Share: C:\WINDOWS\system32\spool

This section describes how to monitor and audit one of these file shares (for example, C:\Finance). GaH would repeat this process for all of the shared folders that need to be audited.

To enable and configure auditing of access to the C:\Finance folder, these steps are performed on the target systems:

1. Open Windows Explorer, right-click the folder, and select Properties, as shown in Figure 7-5.

Figure 7-5 Folder Properties

2. Click the Security tab and then the Advanced button, as shown in Figure 7-6.

Figure 7-6 Advanced Security options

3. Select the Auditing tab. Figure 7-7 on page 131 shows the default contents of this tab.

Figure 7-7 Auditing Security settings for a Windows folder

4. Configure auditing for a new user or group by clicking Add. An input box will be displayed. Enter the name of the user group to be monitored and click OK. In Figure 7-8, the Domain Users group has been added because all authenticated users of the GaH systems are contained in this group.

Figure 7-8 Select User, Computer, or Group input box

5. An Auditing Entry window for the selected folder is displayed. Select an Apply onto option from the available drop-down menu and check the appropriate Access options before clicking OK. As you can see in Figure 7-9, GaH has elected to monitor the create, read, write, and delete access to this folder, as well as all subfolders and files.

Figure 7-9 Auditing Entry window

6. The new auditing entry will now appear in the Advanced Security Settings window, as shown in Figure 7-10 on page 133.

Figure 7-10 The new auditing entry is displayed in the Advanced Security Settings window

7. Click OK to close.

7.3 Configuring the new Windows event sources

Now that the audit subsystems have been configured on the target machines, the Tivoli Compliance Insight Manager server needs to be configured to monitor the Windows targets. This configuration involves the following high level steps in the Tivoli Compliance Insight Manager Management Console:

1. Create a GEM database to store the event data.
2. Create a Windows Machine Group and add the machines to be audited.
3. Add the individual event sources for each target machine.

Each of these steps is shown in 7.3.1, “Create the GEM database” on page 134 to 7.3.3, “Add event sources” on page 141.
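The auditing entry that 7.2.3 builds through the Explorer dialogs has to be repeated for every sensitive share, which is where a script helps. The PowerShell below is an added example, not part of this Redbook or of the product: it applies the same kind of entry with the .NET FileSystemAuditRule API and then lists the resulting SACL so the change can be verified. The domain name INSIGHT is the one the chapter uses for GaH’s users in 7.5.1; the rights mask is an assumption approximating the create, read, write and delete access chosen in Figure 7-9. A SACL records nothing unless the Audit object access policy from 7.2.1 is enabled on the server.

```powershell
# Added example (not from the IBM Redbook or the product): apply the 7.2.3 object-access
# auditing entry (Domain Users; create, read, write, delete; this folder, subfolders and
# files) with the .NET FileSystemAuditRule API instead of the Explorer dialogs.
# Run elevated: writing a SACL requires the "Manage auditing and security log" privilege.
function Add-FolderAuditEntry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'INSIGHT\Domain Users',     # INSIGHT is GaH's domain (7.5.1)
        # Assumed mask for "create, read, write, delete" as selected in Figure 7-9
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Read, Write, Delete, DeleteSubdirectoriesAndFiles'
    )
    if (-not (Test-Path -Path $Path -PathType Container)) { throw "Folder not found: $Path" }

    # "Apply onto: This folder, subfolders and files" = both inheritance flags, no propagation limit
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    # Record both successful and failed access; the failures are what an access review needs most
    $flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights, $inherit, $propagate, $flags)

    # -Audit is required, otherwise Get-Acl returns the DACL only and the SACL is left untouched
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAuditEntries {
    # List explicit and inherited audit entries with account names, for verification
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

# Repeat for each share listed in 7.1 (D:\Finance, D:\HR, D:\CustomerData, the print spool folder)
Add-FolderAuditEntry -Path 'C:\Finance'
Get-FolderAuditEntries -Path 'C:\Finance'
```

Because the entry inherits to every subfolder and file, a share with many files and a Domain Users audience produces a large volume of object-access events; the collect and load schedules chosen later in 7.3.3 and the GEM database size from 7.3.1 need to be planned with that volume in mind.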
7.3.1 Create the GEM database

You can create new GEM databases for event data in the database view of the Management Console as follows:

1. Open the Tivoli Compliance Insight Manager Management Console.
2. Switch to the Database View.
3. Select Database → Add GEM Database.
4. The Add GEM Database window will appear. Fill out the name and size for the new database and click OK. GaH will be storing all Windows event data in a database called General, as shown in Figure 7-11.

Figure 7-11 Add GEM Database

5. Figure 7-12 shows how the new database will now appear in the Database View.

Figure 7-12 New database

7.3.2 Create system group and add Windows machines

In order for Tivoli Compliance Insight Manager to monitor one or more event sources on a particular machine, the machine needs to be registered in the Management Console. If desired, the registered machines can be grouped together into system groups to organize the audited systems. GaH wants to group their audited Windows machines into a system group called “Windows” in the Machine View of the Management Console.

Create Windows system group

This section describes how to create a system group from the Machine View window.

To create a system group:

1. From the Machine View in the Management Console, select System → Create Machine Group. The Create Machine Group window is displayed.
2. In the New group name field, type a name for the group (see Figure 7-13).

Figure 7-13 Create machine group

3. Click OK to confirm the action.
4. The new Machine Group is now displayed in the Machine View window.

Add Windows target machines

Each of the Windows 2003 servers to be audited should be added as a new machine. GaH will place each of its Windows targets into the new WindowsSystems group. In this section, the setup and configuration for auditing one of GaH’s domain controller servers (FSPDC) will be shown. GaH will repeat this process for adding the other Windows target machines.

These steps should be performed to add each machine:

1. Right-click the WindowsSystems machine group shown in the Management Console Machine View and select Add Machine. The Add Machine Wizard will begin (see Figure 7-14).

Figure 7-14 Add Machine Wizard

2. Select the Audited Machine Type from the available drop-down menu. For GaH’s Windows 2003 servers, the correct machine type is Microsoft Windows, highlighted in Figure 7-15. Select Next.

Figure 7-15 Choose Machine Type
3. Enter the name of the target machine(s) to be audited in the Name input box within the Machine frame and click the Add button. As illustrated in Figure 7-16, the machine name now appears in the Selected frame. Click Next.

Note: Checking the Show Available Event Source Types box will cause the Event Source Type panel on the right hand side of the window to appear. This allows you to browse the supported event sources for the type of machine you are adding.

Figure 7-16 Choose Audited Machines

4. A local Actuator will be installed on each of the target machines. This option is selected in Figure 7-17 on page 139. Click Next.

Figure 7-17 Select Point of Presence

5. The default port that will be used for the Point of Presence is 5992. You can check the availability of your configured port by clicking the Test Port button. In this window, you can elect to perform an Automatic or a Manual install. For demonstration purposes, this chapter shows a manual Actuator installation on a single Windows 2003 target system (FSPDC), as shown in Figure 7-18. When adding the remaining Windows 2003 server machines in Tivoli Compliance Insight Manager, GaH can use the option of automatically installing the Windows Actuators on the targets.

Figure 7-18 Configure new Point of Presence

6. Provided the port you have configured is available, the message box shown in Figure 7-19 will be displayed. Click OK on the Test IP and Port message box. Click Next in the New Point of Presence window to advance the Wizard.

Figure 7-19 Test Port success

7. The Choose Event Source Type window appears. For the FSPDC machine, which is an Active Directory Domain controller, both Microsoft Active Directory and Microsoft Windows have been selected (see Figure 7-20). Select Next.

Note: When adding the Windows 2003 server machines that are not Active Directory servers, only the Microsoft Windows event source would be selected.

Figure 7-20 Choose Event Source Type

8. Figure 7-21 on page 141 shows the Completing the Add Machine Wizard window that appears. Click Finish to complete the Add Machine setup.

Figure 7-21 Complete Add Machine Wizard

7.3.3 Add event sources

Immediately after the Add Machine wizard completes, the Event Source wizard will automatically run once for each event source that was selected in step 7 in “Add Windows target machines” on page 135. For the FSPDC domain controller that has just been added, the wizard runs twice: once for Microsoft Active Directory and once for Microsoft Windows.

This section illustrates how to complete the Add Event Source Wizard for the Microsoft Active Directory event source on the FSPDC Windows server. The wizard for the Microsoft Windows event source on FSPDC is similar, and so are the wizards for each of GaH’s other Windows server event sources.
The steps that follow describe how to complete the Microsoft Active Directory Event Source wizard for the FSPDC server:

1. Click Next on the Event Source Wizard welcome window that is displayed in Figure 7-22.

Figure 7-22 Add Event Source Wizard

2. The Choose an Audit Policy Profile window is displayed. GaH has already configured the audit subsystems on each of the target machines and wants Tivoli Compliance Insight Manager to leave those existing settings unchanged. Therefore, the option None is selected in Figure 7-23. Click Next.

Figure 7-23 Choose an Audit Policy Profile

3. The next window that appears allows you to choose a Collect Schedule (see Figure 7-24). Configure the desired schedule and click Next.

Figure 7-24 Choose a Collect Schedule

4. The next window prompts you to select the GEM database where the data collected from this event source should be stored. GaH will be storing all Windows events in the GEM database called GENERAL that was created in 7.3.1, “Create the GEM database” on page 134. We select GENERAL, as shown in Figure 7-25, and click Next.

Figure 7-25 Choose a GEM Database

5. Figure 7-26 shows the next window that is displayed. This window allows you to configure a Load schedule for loading the data from the event source into the GEM database. The Load schedule should be related to the Collect schedule that was configured in step 3. Configure the Load schedule and click Next.

Note: In general, set the load frequency to an interval as long as or longer than the collect schedule interval. For example, data may be collected hourly and loaded twice a day. It is unlikely that you would want to collect data twice a day and load it hourly. Set the load schedule time at least 15 minutes after each scheduled collection time. This delay ensures that Tivoli Compliance Insight Manager loads the most recently collected data into the database.

Figure 7-26 Choose a Load Schedule

6. The Event Source Wizard is now complete and the final window shown in Figure 7-27 on page 147 is displayed. Click the Finish button.
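The note in step 5 gives two rules for pairing the Collect and Load schedules: load no more often than you collect, and start each load at least 15 minutes after the most recent collection. The function below, an added example that is not part of this Redbook or of the product, checks a day’s worth of collect and load times against both rules before they are typed into the wizard; the two sample schedules are constructed.

```powershell
# Added example (not from the IBM Redbook or the product): validate a Collect/Load schedule
# pair against the rule from 7.3.3: load interval >= collect interval, and every load at
# least 15 minutes after the most recent scheduled collection.
# Times are "HH:mm" wall-clock entries for one day in the server's aggregation time zone.
function Test-LoadSchedule {
    param(
        [Parameter(Mandatory)][string[]]$CollectTimes,
        [Parameter(Mandatory)][string[]]$LoadTimes,
        [int]$MinimumGapMinutes = 15
    )
    $toMinutes = { param($t) $h, $m = $t -split ':'; [int]$h * 60 + [int]$m }
    $collect   = @($CollectTimes | ForEach-Object { & $toMinutes $_ } | Sort-Object)
    $problems  = @()

    # Loading more often than collecting only reloads data that is already in the database
    if ($LoadTimes.Count -gt $CollectTimes.Count) {
        $problems += "loads $($LoadTimes.Count) times a day but collects only $($CollectTimes.Count) times"
    }

    foreach ($lt in $LoadTimes) {
        $load = & $toMinutes $lt
        # Most recent collection at or before this load; wrap to the previous day if none
        $before = @($collect | Where-Object { $_ -le $load })
        $last   = if ($before.Count -gt 0) { $before[-1] } else { $collect[-1] - 1440 }
        $gap    = $load - $last
        if ($gap -lt $MinimumGapMinutes) {
            $problems += "load at $lt runs only $gap min after a collection; at least $MinimumGapMinutes min needed"
        }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed schedules: hourly collections on the hour, two loads a day.
$hourly = 0..23 | ForEach-Object { '{0:d2}:00' -f $_ }
Test-LoadSchedule -CollectTimes $hourly -LoadTimes @('06:20', '18:20')   # Valid = True
Test-LoadSchedule -CollectTimes $hourly -LoadTimes @('06:05', '18:05')   # Valid = False: 5 min gaps
```

The second call fails on both loads because each starts only five minutes after the 06:00 and 18:00 collections; such a load would typically pick up the previous hour’s data and leave the freshest collection in the GEM database one load cycle late.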
Figure 7-27 Complete the Add Event Source Wizard

7.4 Installing Actuator on a target machine

The Manual install type was selected when adding the FSPDC machine through the Add Machine wizard in step 5 of “Add Windows target machines” on page 135. Therefore, the Windows Actuator needs to be manually installed on the FSPDC Windows server.

This section describes the process of installing the Actuator locally on the Windows 2003 server called FSPDC:

1. Start the installation wizard on the Windows server using Tivoli Compliance Insight Manager CD-ROM 2 of 2. The Setup.exe file is located in the NT directory. The Welcome window in Figure 7-28 will be displayed. Click Next.

Figure 7-28 Welcome window of installation wizard

2. You are presented with the License Agreement window (see Figure 7-29). Read through the license terms and conditions. Click Yes if you agree and are ready to proceed with the installation.

Figure 7-29 License Agreement

3. Figure 7-30 shows the Choose Setup window for the installation wizard. Select Point of Presence to install a Windows Actuator on the FSPDC server and click Next.

Figure 7-30 Choose Setup window

4. Enter the path to the installation directory. The default location of C:\IBM\TCIM is being used on the FSPDC server, as shown in Figure 7-31. Click Next.

Figure 7-31 General Installation Directory
5. Figure 7-32 shows the next window. It confirms the target directory based on the installation directory selected on the previous window. Click Next to proceed.

Figure 7-32 Target Directory

6. The Select Configuration window is displayed, as shown in Figure 7-33. In order to complete this window, the configuration file that was created when adding the event source through the Management Console will need to be available to the FSPDC server.

Note: The default location for this configuration file on the Tivoli Compliance Insight Manager Standard Server is <TCIMHomeDir>/ManConsole/<TargetMachineName>-<TCIMServerName>.cfg.

This config file has been copied to the FSPDC server. Enter the complete path to the file and click Next.

Figure 7-33 Select Configuration File

7. The Enter OS Account window allows you to configure an operating system account that will be used to run the Tivoli Compliance Insight Manager Actuator service (refer to Figure 7-34). GaH will be using an account called cearoot_os. Click Next.

Figure 7-34 Enter OS Account

8. The setup process is performed. A Setup Status window is displayed to monitor the progress of the setup tasks, as shown in Figure 7-35 on page 155.

Figure 7-35 Setup Status

9. The Updates Overview window shown in Figure 7-36 outlines the installed components. Click Next.

Figure 7-36 Updates Overview

10. The Actuator Installation Wizard is now complete and the Setup Finished window appears (see Figure 7-37). Click Finish.

Figure 7-37 Setup Finished

7.5 Configuring our Audit policy (W7 groups and rules)

Now that the audit subsystems have been configured on the Windows servers and the event sources have been registered with Tivoli Compliance Insight Manager, the W7 rules can be configured on the Standard Server. In particular, the groups need to be defined, along with the appropriate W7 policy and attention rules. This section describes the process of setting up the W7 rules for GaH’s Windows event sources.
7.5.1 Adding User Information Sources (UIS)

In order to create meaningful policy and attention rules, it is important to define W7 groups that represent the structure of your IT environment. To assist with creating these W7 groups, Tivoli Compliance Insight Manager allows you to import grouping data from an existing User Information Source (UIS). GaH will import the user information from Active Directory on the FSPDC server to simplify the creation of their W7 grouping definitions.

The following steps illustrate how to import this UIS data:

1. We open the System menu and select Add → User Information Source, as shown in Figure 7-38.

Figure 7-38 Add User Information Source

2. The Add User Information Source Wizard will start. We click Next on the welcome window, as shown in Figure 7-39.

Figure 7-39 Add User Information Source Wizard welcome window

3. The next window that is displayed allows us to select the machine where the User Information Source resides. Figure 7-40 shows that for this example, FSPDC is selected. Click Next.

Figure 7-40 Choose a Machine

4. The next window, shown in Figure 7-41, allows us to select which User Information Source should be used. Active Directory groupings from FSPDC are being used. Click Next.

Figure 7-41 Choose a User Information Source

5. The User Information Source properties are displayed on the next window, as shown in Figure 7-42. We click the Edit button to modify the Domain name.

Figure 7-42 Define User Information Source Properties

6. We can now enter the name of the Active Directory domain. GaH has used the domain name INSIGHT to represent all of its users who are being monitored by Tivoli Compliance Insight Manager. The wizard is advanced to the next window by clicking Next.

Figure 7-43 Define User Information Source Properties

7. Now we can choose a collection schedule for extracting information from the specified UIS before clicking Next to continue (refer to Figure 7-44).

Figure 7-44 UIS collection schedule

8. The Add User Information Source completion window is displayed. We click the Finish button to complete the process, as shown in Figure 7-45.

Figure 7-45 Completing the Add User Information Source Wizard

9. The new User Information Source is now displayed in the Event Source view of the Management Console, as shown in Figure 7-46.

Figure 7-46 Grouping Active Directory UIS is available in the Management Console

Viewing the User Information Source

Once the first scheduled UIS collection is complete, we can view the user information grouping definitions that have been collected. Select Policy → View Automatic Policy and choose the current time in order to get the most recent grouping definition.
7.5.2 Configuring a new policy with W7 rules

Policy building is a crucial part of using Tivoli Compliance Insight Manager to effectively monitor your environment. Policy building is essentially the combination of W7 groups. You can combine W7 elements to create policy and attention rules. As described in Chapter 2, “Architecture and component structure” on page 13, if a rule is added to the set of policy rules, then this rule marks all GEM events that match it as “normal” events. Therefore, events that match policy rules are not displayed in policy exception reports. If a rule is instead added to the set of attention rules, then all GEM events that match the attention rule are marked as attention events. These attention events show up in the special attention reports.

The following process can be used to create a new policy for GaH that includes grouping and policy rules for the Windows event sources that are being monitored for phase 1:

1. Duplicate the latest committed policy to create a new working policy.
2. The new working policy can be used for customizing the W7 group definitions. The Group Definition Set from the UIS can be imported into this policy.
3. Create appropriate W7 policy rules and attention rules for policy building.
4. Load the database using this working policy.
5. Commit the policy when the W7 rules are producing the desired results.

Each of these five steps is described in more detail in this section.

Create a new working policy

GaH is going to use the default committed policy that is installed with Tivoli Compliance Insight Manager as the foundation for the policy that they need to develop.

To create a Work policy in the Management Console Policies View, we right-click the most recent committed policy and select Duplicate, as shown in Figure 7-47.

Figure 7-47 Create a new working policy

A new policy appears under the Work folder, as shown in Figure 7-48.

Figure 7-48 Work policy

Import UIS group definitions

The imported group definitions from the UIS can be included in the new working policy as follows:

1. Open the working policy in the Policies window and right-click the policy name. Select Import Group Definition Set, as shown in Figure 7-49 on page 167.

Figure 7-49 Import Group Definition Set

2. We can use the Browse button to search for the correct configuration file, as shown in Figure 7-50.

Figure 7-50 Browse for configuration file name

3. The imported group definitions from the UIS are stored in an automatic policy by default. The automatic policies are located at <TCIM_HOME>/Server/config/grouping/automatic, as shown in Figure 7-51.

Figure 7-51 NT folder for the automatic policy contains the config file

4. As shown in Figure 7-52 on page 169, we open the FSPDC.cfg file.

Figure 7-52 Select group definition file

5. In Figure 7-53, we configure the group definition set name to be “FSPDC” and click OK.

Figure 7-53 Name new definition set
  • 6. A folder called FSPDC appears in the policy window on the right hand side. We double click this policy group and its contents are displayed in the left hand panel, as shown in Figure 7-54. Figure 7-54 Locate the new group definition set in the working policy Customize group definitions As well as the grouping definitions imported from the UIS, we also need to create some other grouping rules to describe sensitive company assets. As an example, the following figures show how GaH describe the Windows locations of their confidential financial data. Section 7.1, “Auditing” on page 122 explains that the GaH Windows file servers have a number of directories that contain sensitive corporate data. The financial data is stored within the C:Finance directory. A W7 rule needs to be created in the new Tivoli Compliance Insight Manager policy to describe this corporate asset. The default policy that has been used as the basis for this working policy already has a number of predefined groups that are initially empty. GaH has decided to use the existing Financial Data - Medium group to represent the C:Finance file share on the Windows servers. In the future, GaH may decide to have more fine-grained control of financial assets by adding rules to classify financial assets as either High, Medium, or Low. These steps illustrate how to specify a W7 Group definition to describe the Financial file share on GaH’s Windows servers: 1. Open the NT group definitions and expand the list of onWhat groups in the left hand panel. Locate the group for Financial Data - Medium, right-click it, and select New Condition, as shown in Figure 7-55 on page 171.170 Deployment Guide Series: IBM Tivoli Compliance Insight Manager
  • Figure 7-55 Create new condition2. Figure 7-56 shows how to create a requirement to specify the new condition. Right-click the condition and select New Requirement.Figure 7-56 Create new requirement Chapter 7. Event source configuration 171
3. As you recall, object access auditing was configured in 7.2.3, “File server settings: object access auditing” on page 129. These configured audit settings on the target machine will result in user actions on the C:\Finance folder (and its contents) being logged by Windows. These logged events describe actions on the finance share. When mapped by Tivoli Compliance Insight Manager, these events will have a W7 Object Path value that starts with “C:\finance”. Therefore, the requirement “Object Path starts with C:\Finance” is configured, as shown in Figure 7-57.

Figure 7-57 Specify condition for asset to be classified as Financial Data - Medium

4. The new requirement is now complete and can be seen in the Grouping window shown in Figure 7-58.

Figure 7-58 W7 group definition for the Windows financial data file share
GaH now repeats the process of creating appropriate grouping definitions, with associated conditions and requirements, for the rest of their Windows environment. For example, they include the other confidential file shares (including C:\HR, C:\CustomerData and the print share) in W7 onWhat groups. Additionally, extra group conditions and requirements are added to the other W7 groups: Who, What, When, and Where.

Showing all of these grouping definitions for GaH is beyond the scope of this IBM Redbooks publication.

Create W7 policy rules

The grouping definitions that have been created can now be used to formulate W7 policy rules that describe the set of permissible W7 events.

The default committed policy that was used as the basis for the current working policy contains a number of predefined policy rules and attention rules. GaH analyzed these existing policy and attention rules to ensure that they were all appropriate to their IT environment. Where appropriate, these pre-existing rules were edited.

New rules were also created to customize the rules to meet GaH’s needs. This section describes the process of creating one of the policy rules GaH has decided to introduce to the policy. The rule is defined in Table 7-2.

Table 7-2 New W7 policy rule

   W7 category   Who       What                 Where
   Value         System    System Operations    INSIGHT

For this policy rule to be useful, GaH has ensured that the W7 Who group called System effectively describes the permitted “system” users with the appropriate requirements and conditions defined. Similarly, the W7 Where group called INSIGHT has been created to represent all of the Windows servers being monitored in the INSIGHT domain.
The following figures show the steps involved to create the new policy rule from the Policies view in the Management Console:

1. Ensure that the Policy tab is selected and right-click in the Policy Rules window. Select New Rule, as shown in Figure 7-59.

Figure 7-59 Create a new policy rule

2. As you can see in Figure 7-60, an Edit Rule window appears that allows us to enter the W7 groups that specify the new rule. Click OK.

Figure 7-60 Edit rule window

3. The new rule appears in the Policy Rules list, as shown in Figure 7-61 on page 175.
Figure 7-61 List of policy rules

4. Once the new policy rules have been defined, the working policy must be saved. The Save option is under the Policy menu (see Figure 7-62).

Figure 7-62 Save working policy
Note: For phase 1 of the implementation, GaH also created policy rules to capture the allowed operations on the confidential file shares. For example, a policy rule specifies that the W7 Who group called “Finance” can perform operations on objects in the W7 onWhat group called “FinancialData”, and so on.

Create W7 attention rules

Attention rules also need to be created in the working policy. The W7 attention rules should represent events that GaH is interested in monitoring. After reviewing the predefined attention rules, the security IT staff at GaH proceeded to identify some more desired attention rules. For example, the security IT staff are interested in being notified whenever confidential financial data is deleted. This section outlines the configuration in Tivoli Compliance Insight Manager of an attention rule for these deletion events.

It is important to highlight here that a W7 group has been defined to represent the deletions performed by a user in a Windows environment. Figure 7-63 shows this group definition.

Figure 7-63 W7 What group: User Actions - Deletions

This What group can now be used in the new Attention rule that is created.
Here is an outline of the steps involved in creating the new Attention rule for capturing any deletion events on the Windows financial data file shares:

1. Ensure that the Attention tab is selected and right-click in the Attention Rules window. Select the New Rule option, as shown in Figure 7-64.

Figure 7-64 Create new attention rule

2. Figure 7-65 on page 178 shows the Edit Rule window that appears. The new Attention Rule has been defined as: Any user performing a deletion (W7 What = “User Actions - Deletions”) on objects in the financial file shares (W7 onWhat = “Financial Data”). GaH has opted to assign an ID to this attention rule so that it can be managed easily. Tivoli Compliance Insight Manager allows these rule IDs to be used to create alerts for individual attentions. That is, an alert can be configured in the future to send an e-mail to the GaH IT security administrator when events matching this attention rule are detected by Tivoli Compliance Insight Manager. “Alerts” on page 178 describes the creation of an e-mail alert.

   Note: The rule ID should be a single word consisting of letters and numbers only.
Figure 7-65 Edit attention rule window

3. After we click OK in the Edit Rule window, the new Attention rule appears in the Attention Rules window, as shown in Figure 7-66.

Figure 7-66 Attention rule for deletions on FinancialData

Alerts

As described in the previous section, GaH wants to configure an alert that sends an e-mail to the security IT administrator staff when deletions are performed on objects in the confidential file shares.
The following steps describe how an e-mail alert is created for the Windows finance file share:

1. Open the Alert Maintenance window in the Management Console. Click the New button, as shown in Figure 7-67.

Figure 7-67 Alert Maintenance window
2. Tivoli Compliance Insight Manager creates a new alert with placeholder entries and adds it to the bottom of the existing alert list (if any). We right-click the new alert and select Edit, as shown in Figure 7-68.

Figure 7-68 Edit the new alert

3. The Edit Alert window is displayed. GaH configures the alert to send an e-mail to the recipient admin@GaH.com when events matching the attention rule with ID DeleteFinancials occur (refer to Figure 7-69 on page 181). Click OK.
Figure 7-69 Edit Alert options

4. The alert is updated with the new configured settings. Click the Protocol Settings button shown in Figure 7-70 to configure the protocols in use. Protocol settings apply to all alerts that are sent using the same protocol.

Figure 7-70 Alert Maintenance window displays the modified alert
5. The Protocol Settings window is shown in Figure 7-71. GaH configures the e-mail settings for the environment and clicks OK.

Figure 7-71 Protocol Settings window

The alert has now been configured.

7.5.3 Load the database

Now that the Tivoli Compliance Insight Manager environment has been configured for the Windows event sources and a working policy has been created, GaH can collect and load data from the target systems. Once the data is loaded, iView can be used to view the data and the effect of the policy mapping process. We can wait for the next scheduled collection and load to occur. Alternatively, we can temporarily cancel the scheduled load and manually load the database instead.
Here is the process for manually loading the database:

1. Locate the database that you plan to load in the database view of the Management Console. Right-click it and select Load, as shown in Figure 7-72.

Figure 7-72 Start the Load process
2. The Load Database Wizard Welcome window appears, as shown in Figure 7-73.

Figure 7-73 Welcome to the Load Database Wizard
3. We select the GENERAL database on the next window and click Next, as shown in Figure 7-74.

Figure 7-74 Choose a database to load
4. We specify a period of time for which collected data should be loaded, as shown in Figure 7-75, and click Next.

Figure 7-75 Data collection period
5. In the next window, depicted in Figure 7-76, we decide whether to perform a data collection now or whether to use the data that has already been collected through an earlier collection process.

Figure 7-76 Specify whether to collect before the load
6. Since we are performing a manual load, the wizard prompts us to specify which policy should be used to map the data. In order to test the policy that we have been working on, we select the Fixed policy option and navigate to the correct policy in the work folder, as shown in Figure 7-77. Click Next.

Figure 7-77 Select a policy to be applied to the loaded data
7. Click Finish on the completion window for the wizard, as shown in Figure 7-78.

Figure 7-78 Complete the Load Database Wizard

8. When we refresh the database view in the Management Console, we see that the status for that database changes to the value “Loading...” to signify that the load process has started. When the load is complete, the status will be “Loaded” and the time and date of the last load will also be updated.

Commit the policy

Now that the database has been loaded using the policy that we have been working on, GaH’s IT security team needs to review the data that has been collected and how it is presented in iView. We describe how to navigate through iView to view the data in 8.2, “iView: the reporting application” on page 193.
This review of the data may lead to modifications of the groupings and rules defined in the policy. After any policy changes, the data can be re-loaded and mapped using the policy so that the new effect of the rules can be reviewed. Once the team is satisfied that the policy is configured as desired, the policy can be committed. The most recently committed policy is the policy that will automatically be applied to scheduled database loads.

To commit the working policy, we simply right-click the policy (in the work folder of the Management Console Policy Explorer) and select Commit. When the policy has been committed, it will appear under the Committed folder.

7.6 Conclusion

Event source configuration was the topic of this chapter. We showed how auditing can be configured and enabled. The next section described how to configure new Windows event sources. Without an Actuator on a target system, it is not possible to gather log data from that system, so we dedicated a section in this chapter to this topic. The last section of this chapter described how to configure the audit policy for the GaH scenario. Basically, these are the W7 groups and rules. To work with gathered data, it has to be loaded into the database, which was one of the last steps described in this chapter.

We are now ready to run reports from the log data that was loaded into the database, which we discuss in Chapter 8, “Report generation” on page 191.
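To show how the group definitions, policy rules, attention rule and alert configured in 7.5.2 act together once a database is loaded, here is an added example (not Tivoli Compliance Insight Manager code or GaH's actual policy file): a small Python evaluator that maps constructed events into W7 groups through requirements such as “Object Path starts with C:\Finance”, tests them against the policy rule from Table 7-2 and the Finance rule from the note, and fires the DeleteFinancials attention rule and its e-mail alert. The event field names and the “starts_with”/“equals” operators are assumptions made for this illustration.

```python
"""Toy W7 policy evaluator modelled on the GaH working policy in 7.5.2.

Added example, not Tivoli Compliance Insight Manager code.  Group names, rule
IDs and the alert recipient come from the chapter; the event field names
(logon_name, event_type, object_path, domain) and operators are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """One requirement inside a group condition, e.g. Object Path starts with C:\\Finance."""
    attribute: str
    op: str          # "starts_with" or "equals" (assumed operator set)
    value: str

    def matches(self, event: dict) -> bool:
        actual = str(event.get(self.attribute, "")).lower()
        if self.op == "starts_with":
            return actual.startswith(self.value.lower())
        if self.op == "equals":
            return actual == self.value.lower()
        raise ValueError(f"unknown operator: {self.op}")


# Group definitions per W7 category.  A condition holds when every requirement
# in its list matches (AND); a group may have several alternative conditions (OR).
GROUPS = {
    "Who": {
        "System": [[Requirement("logon_name", "equals", "SYSTEM")]],
        "Finance": [[Requirement("logon_name", "starts_with", "FIN")]],
    },
    "What": {
        "System Operations": [[Requirement("event_type", "equals", "service_start")],
                              [Requirement("event_type", "equals", "service_stop")]],
        "User Actions - Deletions": [[Requirement("event_type", "equals", "delete")]],
        "User Actions - Reads": [[Requirement("event_type", "equals", "read")]],
    },
    "onWhat": {
        "Financial Data - Medium": [[Requirement("object_path", "starts_with", "C:\\Finance")]],
        "HR Data": [[Requirement("object_path", "starts_with", "C:\\HR")]],
    },
    "Where": {
        "INSIGHT": [[Requirement("domain", "equals", "INSIGHT")]],
    },
}

# Policy rules describe the permissible events.  A category left out of a rule
# is unconstrained.  First rule is Table 7-2; second is the note after Figure 7-62.
POLICY_RULES = [
    {"Who": "System", "What": "System Operations", "Where": "INSIGHT"},
    {"Who": "Finance", "onWhat": "Financial Data - Medium"},
]

# Attention rules carry an ID so that an alert can be attached to them.
ATTENTION_RULES = [
    {"id": "DeleteFinancials",
     "What": "User Actions - Deletions", "onWhat": "Financial Data - Medium"},
]

# Alert maintenance: attention rule ID -> e-mail recipient.
ALERTS = {"DeleteFinancials": "admin@GaH.com"}


def classify(event: dict) -> dict:
    """Map one event to the W7 groups it belongs to, per category."""
    return {
        category: {name for name, conditions in groups.items()
                   if any(all(r.matches(event) for r in cond) for cond in conditions)}
        for category, groups in GROUPS.items()
    }


def rule_matches(groups: dict, rule: dict) -> bool:
    """A rule matches when the event is in the named group for every constrained category."""
    return all(rule[c] in groups.get(c, set()) for c in rule if c in GROUPS)


def evaluate(event: dict) -> dict:
    """Return the mapping outcome the way iView would present it for one event."""
    groups = classify(event)
    exception = not any(rule_matches(groups, r) for r in POLICY_RULES)
    attentions = [r["id"] for r in ATTENTION_RULES if rule_matches(groups, r)]
    alerts = [(rid, ALERTS[rid]) for rid in attentions if rid in ALERTS]
    return {"groups": groups, "policy_exception": exception,
            "attentions": attentions, "alerts": alerts}


# Constructed sample events standing in for mapped Windows security log records.
SAMPLE_EVENTS = [
    {"logon_name": "SYSTEM", "event_type": "service_start", "object_path": "", "domain": "INSIGHT"},
    {"logon_name": "FIN01", "event_type": "read", "object_path": "C:\\Finance\\q4\\ledger.xlsx", "domain": "INSIGHT"},
    {"logon_name": "FIN01", "event_type": "delete", "object_path": "C:\\Finance\\q4\\ledger.xlsx", "domain": "INSIGHT"},
    {"logon_name": "JSMITH", "event_type": "read", "object_path": "C:\\HR\\salaries.xlsx", "domain": "INSIGHT"},
]


def summarise(events=SAMPLE_EVENTS) -> dict:
    """Count policy exceptions and special attentions like the database summary page."""
    results = [evaluate(e) for e in events]
    return {"events": len(results),
            "policy_exceptions": sum(r["policy_exception"] for r in results),
            "special_attentions": sum(len(r["attentions"]) for r in results),
            "alerts_sent": [a for r in results for a in r["alerts"]]}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["logon_name"], e["event_type"], evaluate(e))
    print(summarise())
```

The third sample event is permitted by the Finance rule yet still raises the DeleteFinancials attention and its alert, which is exactly the distinction between policy exceptions and special attentions that iView reports separately in Chapter 8.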
Chapter 8. Report generation

Now that we know how to install Tivoli Compliance Insight Manager and configure event sources, we will discuss report generation. Tivoli Compliance Insight Manager provides both standard and custom reports and enables analysis of the data in a variety of formats and levels of detail.

This chapter will lead you through the navigation of iView, the reporting application of Tivoli Compliance Insight Manager, and will also show you how to generate standard reports that are provided out-of-the-box with Tivoli Compliance Insight Manager.

© Copyright IBM Corp. 2008. All rights reserved. 191
8.1 Reporting portal

Tivoli Compliance Insight Manager has a single logon interface for accessing all of its installed components. It is implemented as a Web application and can be opened in a Web browser.

Important: Microsoft Internet Explorer® Version 6.0 or later is the Web browser that is compatible with Tivoli Compliance Insight Manager’s Web portal.

In this chapter, we assume that you have already obtained a user name and password from the Tivoli Compliance Insight Manager administrator. The Web portal is usually accessed through the following URL:

   http://webserver/Portal

where webserver is the name (or the IP address) of the system where the Tivoli Compliance Insight Manager Web applications are installed. Portal is the name of the virtual directory where the portal is deployed.

After having logged on, you are directed to the Portal Overview page, which contains a set of links to the available Tivoli Compliance Insight Manager components. The overview page is divided into two panes. On the left side you see the “Tivoli Compliance Insight Manager Portal” and on the right side you see the “Extra Information” pane. Figure 8-1 on page 193 shows you the reporting portal.

The main pane includes sections with links to the installed Web application components and links to the add-on components of Tivoli Compliance Insight Manager.

The “Extra Information” pane is located in the right part of the overview page. It consists of the help section, which is common to all Tivoli Compliance Insight Manager components that are manageable through the Web interface. The help section gives instructions about using the key features of the corresponding components.
Figure 8-1 Tivoli Compliance Insight Manager reporting portal

8.2 iView: the reporting application

The main function of Tivoli Compliance Insight Manager, which is event auditing, is performed with the iView reporting application. iView can be used to view summary and detailed reports about the collected audit data. Viewing both standard and custom iView reports enables analysis of the data in a variety of formats and levels of detail. The following details are examples of what you can see:

- Events from one database or all loaded databases
- Events related to a specific platform or group of systems
- Only policy exception events or only events that trigger attention rules
- Events from a specific user or system
- Events for a specific time period, from minutes to years
If a particular standard out-of-the-box report does not provide the information your organization requires, you can create as many custom reports as necessary to fit your needs. For this task you would use the built-in report wizard.

After clicking iView, the application switches to the main page of iView. The iView Navigation Bar is displayed at the top of the page, as shown in Figure 8-2.

Figure 8-2 The iView navigation bar

We briefly explain the eight options you can choose from this menu:

Dashboard
   This shows the compliance dashboard. The dashboard window is divided into three sections:
   - The enterprise view, which shows events by top event count by “Who” and “On What”
   - A trend graphic, showing a percentage of policy exceptions
   - A database overview with a list of all available databases along with brief information about a selected database

Trends
   This shows all events of aggregated data of all databases for a specific period of time.

Reports
   This shows the initial iView reporting page.

Regulations
   Here management modules can be accessed and monitored.

Policy
   Here you can set up and check Tivoli Compliance Insight Manager audit policies.

Groups
   This gives access to the group types page of iView. This also includes group types for the selected database, the number of groups they presently contain, and the “Grouping Wizard”.
Distribution
   IBM Tivoli Compliance Insight Manager provides functionality for the automated distribution of iView reports to a predefined group of Tivoli Compliance Insight Manager users. This can be configured here.

Settings
   This shows the user preferences, which can be configured here.

8.2.1 The enterprise overview

As outlined in Chapter 7, “Event source configuration” on page 121, all event sources for the organization GaH have been configured and we assume that event source collection has started and the data has been loaded into the reporting application.

In this section, we show how to change the filter of the displayed data. Depending on how narrow or wide you select the filter (for example, the time frame of displayed data), the information displayed might look similar to Figure 8-3 on page 196.

From the enterprise overview, you can view all activities in the enterprise. The size of each circle indicates the amount of activity (logged events). Blue circles indicate compliance with the policies, and red circles indicate non-compliance with the policies. On the axes, we compare people (Who) with information (onWhat). You can open a similar view for each of the reported databases by clicking them.
Figure 8-3 Enterprise overview of iView

8.2.2 The trend graphic

In the right-hand side of this window, you see a section called “Trend graphic”. Again, as in the enterprise overview, you can select the time frame in which you want to see the compliance trend chart. In our example, shown in Figure 8-4 on page 197, we select the twelve previous months. The trend shows you the graphic for the same time frame as chosen in the enterprise overview section.
Figure 8-4 Trend graphic in iView

8.2.3 Database overview

Within this section, you can select a particular database you want to view. After you click the button for the database, you will see a window similar to the one in Figure 8-5 on page 198.
Figure 8-5 Summary of selected database

Let us look in more detail at the mapped events, especially the policy exceptions and special attentions.

8.2.4 Policy exceptions

First, click the event summary. The policy exception summary window will open, as shown in Figure 8-6 on page 199. That view shows a summary of the exceptions that occurred. The last column tells you the number of exceptions for each type.

To view all of the individual policy exception events, go back to the previous window (the database summary page) and click the link for the event list. Once you click it, it will display all individual policy exceptions, as shown in Figure 8-7 on page 199.
Figure 8-6 The policy exception summary window

Figure 8-7 The policy event list
To have an even more detailed look at individual events, click the link that is located in the Date/Time column. Figure 8-8 shows a selected individual event’s details.

Figure 8-8 An individual event detail
You can get even more information by clicking the This is a policy exception link, as shown in Figure 8-9. The exception is explained in the window that will then appear.

Figure 8-9 Explanation of a policy exception

8.2.5 Special attentions

Special attention events can be reviewed in a similar way. Click the special attention summary link on the database overview page. A window similar to the one in Figure 8-10 on page 202 is shown. In the last column, entitled “#SpecAtt”, is the breakdown of the occurrences of that group of events. Clicking the values in this column will display a window, as shown in Figure 8-11 on page 202. For example, if you click the value “4” in the first row, it will display the special attentions for events classified as “Administration” (What) on “Sensitive Groups” (On What) by user “CRMLABADMINISTRATOR” (Who) located at “CRMLABDCSRV” (Where).
Figure 8-10 Special attention summary

Figure 8-11 Special attention event of Administration
You can go into more detail if you click the link in the “Date/Time” column, as shown in Figure 8-12. This opens the event detail page for a particular item.

Figure 8-12 Event detail for selected special attention
If you click the link This is a special attention event under the Group column, you will be directed to a detailed explanation of why the event has been classified as a special attention event, as shown in Figure 8-13.

Figure 8-13 Explanation of special attention event

8.3 Standard reports

The iView reports page can be used to generate online reports. They are based on the data that you have loaded. In the database summary page, click Reports in the navigation pane. The displayed iView Reports window is divided into several main categories. For the GaH scenario, let us look at the two main report types:

- Configuration Tools
- Daily Verification

Each of these categories contains predefined reports to analyze the events that have been captured.
8.3.1 Configuration Tools Report

Figure 8-14 shows a snapshot of the iView Reports window.

Figure 8-14 Configuration tools report

Clicking the link Events by rule will open another window, as shown in Figure 8-15. In the last column, called Action, there is a tick. This means that in order to generate this report, you need to input some additional parameters. This applies to all reports that have this tick in the last column; all other reports can be generated by clicking the link in the Title column.

Figure 8-15 Configure the “Events by rule” report

As with all reports that we demonstrate in this chapter, you can click any of the links in the report to get more detailed information about the event.
8.3.2 Daily verification reports

This section includes a number of predefined reports to check events that have been detected on the audited systems. Figure 8-16 shows a snapshot of the predefined reports for daily verification purposes.

One of the daily verification reports shows data about logon failures. This is one of the reports the security management of GaH would like to see. If you click the link Logon Failure Summary, this report will be generated, as shown in Figure 8-17 on page 207.

Figure 8-16 Predefined daily verification reports
Figure 8-17 Logon failure summary report

A complete review of all of the predefined reports is beyond the scope of this book, so we will only briefly talk about how to analyze trends with iView.
Analyzing trends with iView

To analyze trends with iView, click the Trends button in the navigation pane. This will give you the opportunity to review all the aggregated data from all the loaded databases. It opens All Events for the last seven days by default, as shown in Figure 8-18.

Figure 8-18 Trend data view as opened by default

To get data from the last four weeks, click Last Month. The drop-down menu that defaults to All Events lets you select between all events, policy exceptions, special attention events, and failures. For the latter three, you can also choose to see a percentage view. Click Previous to view the previous time period, and click Next to show the next time period. If there is no data available, the control is unavailable.

Below the bar graph there are fields for each of the W7 group types. Click Go (not seen in this screen capture; it is located to the right of these seven list boxes) and iView will show you data for the previously selected groups.

At the bottom of the window there is a table with a description of every bar in the figure. Again, click the links in the Day or #Events columns of the table to see a more detailed explanation of the events.
8.4 Conclusion

This concludes the last part of the GaH project. In this chapter, we gave an overview of how to navigate through the main options of the iView application. We also showed how standard reports can be generated and how trend analysis can be performed on collected data with Tivoli Compliance Insight Manager.
Appendix A. Statement of Work

This appendix provides a sample of what you might include in your Statement of Work.
Environment analysis service

The environment analysis service Statement of Work can consist of the sections that we list here.

Executive summary

The service engagement provides a high-level assessment of your customer’s information security compliance requirements. You should provide an initial assessment of the customer’s environment and a demonstration of how to monitor the customer’s resources for compliance. You should also list the resources that are required to implement the solution.

Assessment for the Statement of Work

The assessment is conducted over a period of several weeks. At the end of the assessment period, you present the assessment findings, which will include the items listed in this section.

Business objective

What is the business objective for installing IBM Tivoli Compliance Insight Manager? This will drive the installation and determine what direction the customer wants to take in evaluating, testing, or implementing the software.

Industry regulations or standards

Does the customer need to comply with industry regulations or standards? Pinpoint which of the following regulations or standards are of interest to the customer:

- Sarbanes Oxley
- HIPAA
- GLBA
- ISO 27002
- Basel II
- Other

Reporting requirements

Learn about the reporting requirements of the various groups and audiences that will be using Tivoli Compliance Insight Manager at the customer organization. If the customer is unable to provide their reporting requirements, but has a business or security requirement for monitoring privileged users, then recommend the top 10 Privileged User Monitoring and Audit (PUMA) reports.
Reporting requirements can have a big impact on the type of consulting services we mention to the customer. For example, does the customer need consultancy days to build custom-made reports? During the discovery phase, it is always better to get the customer’s policy, reporting requirements, and the current audit settings for the different platforms that will be monitored by Tivoli Compliance Insight Manager.

Target platforms

This will help determine the customer’s focus. Some customers are more interested in monitoring UNIX servers while others concentrate on Windows servers. Use an implementation pre-planning worksheet, which requires the customer to provide information about event sources, platforms, versions, log sizes, and so on.

Kind of installation wanted by the customer

The standard approach is to combine partial installation with on-the-job training to make the customer self-sufficient as soon as possible. This means IBM and the customer will jointly install a couple of agents per platform, while explaining the installation procedure per platform.

Tracking of progress

How is progress being tracked during this implementation project? The customer might want to have weekly status reports. The format of the report should be agreed upon by everyone involved.

Change control procedures

How will the customer’s change control procedures impact the project time line? The chronological sequence of implementing Tivoli Compliance Insight Manager needs to be carefully incorporated in the change management process.

Resources and dates

Are there coordinated dates for the install and will the resources be available at both sides? Again, take change control procedures into consideration when agreeing on dates with the customer.

Implementation team

It is important to identify the key players at the customer site and within IBM. These typically are members of the administration and security teams.
Technology certification

Is there a technology certification process that must be satisfied before installing the product? Some customers require a committee to evaluate the software in a test or acceptance environment first or to present the architecture in detail to various departments with a vested interest.

Procedures and standards

What are the procedures and standards for security auditing and event management of the target servers and applications? These define the initial solution requirements, constraints, and critical success factors.

Project scope

The Statement of Work also describes the project scope. This description should include (but not be limited to) the following items:

- IBM will assess the customer’s computing environment to prepare for the implementation of Tivoli Compliance Insight Manager.
- Install and configure Tivoli Compliance Insight Manager Standard Server in a test environment.
- Implement security event collection and loading from target systems.
- Assist the customer with the definition and creation of Tivoli Compliance Insight Manager groups and policies.
- Generate the customer required reports (or the top 10 PUMA reports).
- Provide (remote) guidance to the customer project team during intermediate deployment.
- Provide product training.
- Add here whatever is offered to the customer.

In addition, the Statement of Work could include a description of the different phases of the implementation project. A good scenario would be to install Tivoli Compliance Insight Manager Standard Server and some workstation agents in a test environment. During the second phase, Tivoli Compliance Insight Manager should be installed on an intermediate environment using tailored documentation out of phase 1 as a guide. The objective of this phase is to help the customer to ensure that the product installs as demonstrated in the test environment and allows the customer resources to gain additional Tivoli Compliance Insight Manager implementation experience before attempting a production deployment. During phase 3, a formal product training session should be provided. This session will cover Tivoli Compliance Insight Manager administration, reporting, and maintenance.
Key assumptions

This paragraph of the Statement of Work will contain an estimation based on key assumptions. Deviations that might arise during the proposed project should be covered in a separate appendix of the Statement of Work and may result in adjustments to the project scope, estimated schedules, charges, and other terms. Examples of assumptions could be:

- Custom development is not included as part of the Statement of Work.
- Work under the Statement of Work will be performed at the customer facility, except for any project related activity which would be best performed on IBM premises in order to complete the obligations and responsibilities under the Statement of Work.
- IBM will not be engaged to assist with the production deployment. This process will be fully owned and executed by the customer.
- IBM will provide the services under this Statement of Work during normal business hours.

IBM responsibilities

In this part of the Statement of Work, IBM responsibilities should be documented. It can be divided into six different sections.

Project management

The purpose of project management is to provide technical direction and control of IBM project personnel and to provide a framework for project planning, communications, reporting, procedural, and contractual activity. This activity is composed of the following tasks.

Planning

The contractual responsibilities of both parties with the customer’s project manager will be reviewed. Also, project communications through the customer’s project manager will be maintained.

Project tracking and reporting

In the Statement of Work document, project tasks, schedules, resources, and assistance with any changes or additions will be reviewed. Deviations from the project plan or project scope will be addressed with the customer’s project manager. Coordination and management of technical activities also should be addressed in this part.
Environment analysis

Under this activity, three services will be documented:

- Work with the customer project team to assess and document the target Tivoli Compliance Insight Manager environment.
- Determine and document the recommended system audit settings.
- Design the Tivoli Compliance Insight Manager implementation architecture for the customer's production computing environment.

Deliverables

- Audit setting recommendations
- Tivoli Compliance Insight Manager system requirements
- Port and protocol details for the customer's change management
- Tivoli Compliance Insight Manager environment design diagram for the customer's production environment based on information gathered and defined in Phase 1 of the project

Installation and configuration of Tivoli Compliance Insight Manager Standard Server(s)

In this activity, IBM will perform services that include the installation and configuration of one or more Tivoli Compliance Insight Manager Standard Servers determined by the activities in "Environment analysis service" on page 212.

Implement security event collection and loading

This part will describe the following tasks:

- Implementation of security event log collection from each specified system target machine
- Configuration of depot loads and W7 mapping for the customer's event sources

Definition and creation of iView groups and policies

The objective of this activity is to assist the customer with the following tasks:

- Work with the customer's project team to define and create baseline iView groups and policies.
- Provide knowledge transfer to the customer's project team members.
Implement and configure top 10 PUMA reports

In this activity, the following services will be addressed:

- Implement PUMA reports.
- Assist the customer in configuring report distribution to a specified distribution list.

Customer responsibilities

The successful completion of the implementation also depends on the customer's participation and full commitment. This section therefore should include customer responsibilities as precisely as possible. A successful implementation project is predicated upon the following customer responsibilities:

Project manager

Prior to the start of a Statement of Work, a designated person from the customer must be assigned. This person will be the focal point for all communication relative to the project. This person's responsibilities include:

- Manage the customer's personnel and responsibilities for the project.
- Serve as the interface between IBM and all customer departments participating in the project.
- Participate in project status meetings.
- Obtain and provide information, data, and decisions.
- Resolve deviations from the estimated schedule, project plan, or Statement of Work.
- Help resolve project issues and escalate issues within the customer's organization as necessary.

Other responsibilities

Within this section of the Statement of Work, you should document that the customer's staff is available at the agreed time. Also, the customer needs to ensure that the staff has the appropriate skills and experience. In addition, it could be stated that suitable additional or alternative staff will be provided.

Accurate information is key for such projects. It should be agreed that all information disclosed to IBM will be true, accurate, and not misleading in any material respect. It also has to be the customer's responsibility to make the final selection of the solution and technical architecture. Given this, all prerequisite hardware and software to be used during the project should be supplied by the customer.
Laws, regulations, and statutes

The customer is responsible for the identification of, interpretation of, and compliance with any applicable laws, regulations, and statutes that affect the customer's applications or business.

Data file content and security

The customer must be responsible for the actual content of any data file, selection and implementation of controls on its access and use, and security of the stored data.

Facilities

If the project is implemented on the customer's premises, it should be the customer's responsibility to provide the appropriate facilities, such as supplies, furniture, computer facilities, telephone/fax communications, analog lines and broadband access through network connectivity capability, and other facilities while working on the project. Last but not least, the customer should ensure the appropriate backup, security, and virus checking procedures are in place for any computer facilities the customer provides or that may be affected by the services.

Deliverables

The following deliverables will be provided to the customer throughout the project:

Implementation information

This specifies the installation prerequisites and contains the system requirements, as well as the ports and protocols needed to install Tivoli Compliance Insight Manager.

Tivoli Compliance Insight Manager Security Manager installation

This delivered document provides detailed instructions on installing the Tivoli Compliance Insight Manager Server. It will show installation steps and screen captures where applicable. By following these instructions, a customer's administrator will be able to perform a default installation of Tivoli Compliance Insight Manager, including the embedded Oracle 10g database component. Additionally, the document includes instructions for installing the applicable hot fixes and platform plugs.
System agent installation

This document provides installation steps and screen captures, where applicable, to install the agents for the operating systems that were planned for the project. By following these instructions, a customer's administrator will be able to install the agent to collect audit data from the target machines.

Completion criteria

You need to list the completion criteria here. You have to engage the customer to get a proper sign-off of the project with appropriate completion criteria, for example, the customer's acceptance of the findings and recommendations. Also take into consideration that our project team or the customer might cancel the project. You can include specific issues and resolutions explicitly in the completion criteria. You have to be aware of these additional specific completion criteria for the customer.

Estimated schedule

Define an agreed start and end date of the implementation project here. Be sure to keep the time frame as accurate as possible. Underestimation will lead to additional effort.

Charges

Be sure to add this part to the Statement of Work. The project can be charged at a fixed price or at any other convenient charging method. Payment can be provided at the end of the project or after each successfully completed phase of the project.

Additional terms and conditions

As in any other contract, mandatory legal terms and conditions should be placed here.
Glossary

8-bit UCS/Unicode Transformation Format: A variable-length character encoding for Unicode. It is able to represent any character in the Unicode standard, yet the initial encoding of byte codes and character assignments for UTF-8 is consistent with ASCII.

Access management: A discipline that focuses on ensuring that only approved roles are able to create, read, update, or delete data, and only using appropriate and controlled methods. Data governance programs often focus on supporting access management by aligning the requirements and constraints posed by governance, risk management, compliance, security, and privacy efforts.

Actuator: A piece of software that automates the collection of logs from event sources and transmits the logs to the Depot. Each Actuator consists of an Agent and numerous Actuator Scripts. The server where the Actuator is installed is referred to as the Point of Presence.

Actuator scripts: The Actuator Scripts are invoked by the Agent (at the request of the Tivoli Compliance Insight Manager Server) to collect the log for a particular event source. There is a different script for every supported event type.

Agent: The Agent is a component of the Actuator. It listens for collection requests from the Tivoli Compliance Insight Manager Server, invokes the appropriate Actuator Script, compresses the retrieved logs, and maintains an encrypted channel for communication with the Tivoli Compliance Insight Manager Server in order to securely deliver the requested logs.

Aggregation database: Data and statistics, spanning a longer period, are maintained by a process called aggregation. The aggregation process builds a special database called the aggregation database, which is used for trend and summary reports.

Alerts: Messages that Tivoli Compliance Insight Manager sends when a serious or potentially harmful security event has occurred. Alerts allow for a fast response to the event by a systems manager or system administrator.

Assurance: Activities designed to reach a measure of confidence. Assurance is different from audit, which is more concerned with compliance to formal standards or requirements.

Audit: An independent examination of an effort to determine its compliance with a set of requirements. An audit may be carried out by internal or external groups.

Audit report: A report that shows infrastructure changes that are made to hardware and software and who is responsible for the changes.

Audit trail: A record that can be interpreted by auditors to establish that an activity has taken place. Often, a chronological record of system activities to enable the reconstruction and examination of the sequence of events or changes in an event. An audit trail of system resource usage may include user login, file access, and triggers that indicate whether any actual or attempted security violations occurred.

Audited system: A system on which events occur and are recorded in logs that provide the audit data for Tivoli Compliance Insight Manager.

© Copyright IBM Corp. 2008. All rights reserved. 221
Authentication: In computer security, verification of the identity of a user or process and the construction of a data structure that contains the privileges that were granted to the user or process. Contrast with authorization.

Authorization: The process of granting a user either complete or restricted access to an object, resource, or function. Contrast with authentication.

Basel II: A round of deliberations by central bankers from around the world, under the auspices of the Basel Committee on Banking Supervision (BCBS) in Basel, Switzerland, aimed at producing uniformity in the way banks and banking regulators approach risk management across national borders. The Basel II deliberations began in January 2001, driven largely by concern about the arbitrage issues that develop when regulatory capital requirements diverge from accurate economic capital calculations. Basel II recommends three pillars: risk appraisal and control, supervision of the assets, and monitoring of the financial market, to bring stability to the financial system.

Batch collect: Mechanism for retrieving security log data.

British Standard 7799: A standard code of practice that provides guidance on how to secure an information system. It includes the management framework, objectives, and control requirements for information security management systems.

Can Spam Act of 2003: A commonly used name for the United States Federal law more formally known as S. 877 or the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. The law took effect on January 1, 2004. The Can Spam Act allows courts to set damages of up to $2 million when spammers break the law. Federal district courts are allowed to send spammers to jail or triple the damages if the violation is found to be willful.

CCO: See Chief Compliance Officer.

CERT: See Computer Emergency Response Team.

Certified Server Validation (CSV): A technical method of e-mail authentication intended to fight spam. Its focus is the SMTP HELO-identity of Mail transfer agents.

Change control: A formal process used to ensure that a process, product, service, or technological component is modified only in accordance with agreed-upon rules. Many organizations have formal Change Control Boards that review and approve proposed modifications to technology infrastructures, systems, and applications. Data governance programs often strive to extend the scope of change control to include additions, modifications, or deletions to data models and values for reference and master data.

Chief Compliance Officer (CCO): The officer primarily responsible for overseeing and managing compliance issues within an organization. The CCO typically reports to the Chief Executive Officer. The role has long existed at companies that operate in heavily regulated industries such as financial services and health care. For other companies, the rash of recent accounting scandals, the Sarbanes-Oxley Act, and the recommendations of the U.S. Federal Sentencing Guidelines have led to additional CCO appointments.

Chunk: Data structure of the archived log files in the Depot. A chunk consists of a header file and one or more data files.

Client: A system entity that requests and uses a service provided by another system entity, called a server. In some cases, the server may itself be a client of some other server.

Cluster (Tivoli Compliance Insight Manager): The combination of an Enterprise Server and one or more Standard Servers.

COBIT: See Control Objectives for Information and related Technology.
Collect History Report: Tivoli Compliance Insight Manager report that documents log collection events.

Collector: A software module that runs on a client system and gathers data. This data is subsequently sent to a server.

Committee of Sponsoring Organizations of the Treadway Commission (COSO): A U.S. private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

Common Criteria: The Common Criteria is the result of the integration of information technology and computer security criteria. In 1983, the US issued the Trusted Computer Security Evaluation Criteria (TCSEC), which became a standard in 1985. Criteria developments in Canada and European ITSEC countries followed the original US TCSEC work. The US Federal Criteria development was an early attempt to combine these other criteria with the TCSEC, and eventually led to the current pooling of resources towards production of the Common Criteria. The Common Criteria is composed of three parts: the Introduction and General Model (Part 1), the Security Functional Requirements (Part 2), and the Security Assurance Requirements (Part 3). While Part 3 specifies the actions that must be performed to gain assurance, it does not specify how those actions are to be conducted; to address this issue, the Common Evaluation Methodology (CEM) was created for the lower levels of assurance.

Compliance: Either a state of being in accordance with established guidelines, specifications, or legislation or the process of becoming so. Software, for example, may be developed in compliance with specifications created by some standards body, such as the Institute of Electrical and Electronics Engineers (IEEE), and may be distributed in compliance with the vendor's licensing agreement. In the legal system, compliance usually refers to behavior in accordance with legislation, such as the United States Can Spam Act of 2003, the Sarbanes-Oxley Act (SOX) of 2002, or the United States Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Compliance check: A set of rules used to determine whether a computer or group of computers is compliant or not. There are two types of compliance checks: software and security.

Compliance dashboard: Available in iView. It displays an easy-to-understand, color-coded matrix that highlights degrees and level of compliance based on user behavior and data access.

Compliance Management Module: A Tivoli Compliance Insight Manager regulation-specific reporting interface.

Compliance report: A report that provides information about the patch compliance status of all selected target computers.

Compliant state: The state that a user wants an object to have.

Glossary 223
Computer Emergency Response Team (CERT): The CERT/CC is a major reporting center for Internet security problems. Staff members provide technical advice and coordinate responses to security compromises, identify trends in intruder activity, work with other security experts to identify solutions to security problems, and disseminate information to the broad community. The CERT/CC also analyzes product vulnerabilities, publishes technical documents, and presents training courses. The CERT/CC is located at the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) operated by Carnegie Mellon University (CMU).

Configuration Compliance: The comparison of a known state to a compliant state that may include automated actions. After discovery or scanning is performed, devices are said to be either compliant or noncompliant.

Consolidation database: An Enterprise Server database that delivers enterprise-wide trend and summary reports.

Control: A means of managing a risk or ensuring that an objective is achieved. Controls can be preventative, detective, or corrective, and can be fully automated, procedural, or technology-assisted human-initiated activities. They can include actions, devices, procedures, techniques, or other measures.

Control Objectives for Information and related Technology (COBIT): A set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes, and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

COSO: See Committee of Sponsoring Organizations of the Treadway Commission.

CSV: See Certified Server Validation.

Data aggregation: The ability to get a more complete picture of information by analyzing several different types of records at once.

Data governance: The exercise of decision-making and authority for data-related matters. The organizational bodies, rules, decision rights, and accountabilities of people and information systems as they perform information-related processes. Data governance determines how an organization makes decisions.

Data mapping: The discipline, process, and organizational group that conducts analysis of data objects used in a business or other context, identifies the relationships among these data objects, and creates models that depict those relationships.

Data privacy: The assurance that a person's or organization's personal and private information is not inappropriately disclosed. Ensuring data privacy requires access management, security, and other data protection efforts.

Delta table: A database table used for saving changed data from subsequent runs of a collector.

Deployment: The process of reconfiguring and reallocating resources in the managed environment. Deployment occurs in response to deployment requests, created manually by administrators or automatically by the system.

Depot: Tivoli Compliance Insight Manager secure storage facility for storing and archiving logs.

Depot server: The component that stores files for distribution. Files are uploaded to a Depot server using a client and stored in a directory that is specified when the Depot server is installed. Depot servers can replicate files to other Depot servers and download files to clients.

Domain: A logical grouping of resources in a network for the purpose of common management and administration.
Enterprise server: A server that provides centralized log management, performs forensic searches of the GEM log archives, and creates reports.

Event: An observable occurrence in a system or network.

Event source: Each operating system or application from which Tivoli Compliance Insight Manager collects log files (also called audit trails).

Extensible Markup Language (XML): A general-purpose markup language. It is classified as an extensible language because it allows its users to define their own tags. XML is recommended by the World Wide Web Consortium. The W3C recommendation specifies both the lexical grammar and the requirements for parsing.

File Transfer Protocol (FTP): Used to transfer data from one computer to another over the Internet, or through a network.

Forensic analysis: Used to follow up on security incidents and behavioral trends.

FTP: See File Transfer Protocol.

Generic Scanning Language (GSL): A scripting language that enables you to describe the structure and label the attributes contained in the log files of ubiquitous collection event sources. The GSL Toolkit eases the forensic analysis of log data by enabling you to define attributes contained in the log data and to describe the structure of log files.

GEM: See Generic Event Module.

General Scanning Language (GSL): A scripting language that enables someone to describe the structure and label the attributes contained in the log files of ubiquitous collect event sources.

Generic Event Module (GEM) databases: Reporting databases that contain the logs from different event sources.

Governance, risk, and compliance (GRC): An acronym often used by management in financial institutions to acknowledge the interdependencies of these three disciplines in setting policy.

Gramm-Leach-Bliley Act: An Act of the United States Congress that repealed the Glass-Steagall Act, opening up competition among banks, security companies, and insurance companies. The Glass-Steagall Act prohibited a bank from offering investment, commercial banking, and insurance services.

GRC: See Governance, risk, and compliance.

GSL: See Generic Scanning Language.

Health Insurance Portability and Accountability Act (HIPAA): The United States Health Insurance Portability and Accountability Act of 1996. There are two sections to the Act. HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section that deals with the standardization of health care-related information systems. In the information technology industries, this section is what most people mean when they refer to HIPAA. HIPAA establishes mandatory regulations that require extensive changes to the way that health providers conduct business.

HIPAA: See Health Insurance Portability and Accountability Act.

IETF: See Internet Engineering Task Force.

Incident: An incident is an adverse network event in an information system or network or the threat of the occurrence of such an event.
Information Quality Management: An information technology (IT) management discipline, which encompasses the COBIT Information Criteria of efficiency, effectiveness, confidentiality, integrity, availability, compliance, and reliability. The idea is for companies to have the risks of using a program diminished to protect private and sensitive information definition.

Information Systems Audit and Control Association (ISACA): An international association for the support and improvement of professionals whose jobs involve the auditing of corporate and system controls.

Information Technology Governance: A subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (for example, Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization.

International Compliance: The International Standards Organization (ISO) produces international standards such as ISO 27002.

Internet Engineering Task Force (IETF): This organization develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standard bodies, and deals in particular with the standards of the TCP/IP and Internet protocol suite.

ISACA: See Information Systems Audit and Control Association.

ISO: The name generally applied to quality system standards published by the International Organization for Standardization. ISO certification is provided, on a fee basis, by third-party assessors or registrars through an on-site, in-depth audit to determine that a company's quality system meets the requirements of the standard.

ISO 27002: See ISO/IEC 17799.

ISO/IEC 17799: An information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

IT Governance Institute (ITGI): Exists to assist enterprise leaders in their responsibility to ensure that IT goals align with those of the business. It delivers value, its performance is measured, its resources properly allocated, and its risks mitigated. Through original research, symposia, and electronic resources, the ITGI helps ensure that boards and executive management have the tools and information they need for IT to deliver against expectations.

iView: Tivoli Compliance Insight Manager Web user interface for compliance reporting.

JAAS: See Java Authentication and Authorization Service.

Java Authentication and Authorization Service (JAAS): A set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.

Log chunk: The set of events placed in the Depot by the collect mechanism.

Log collection event: Each instance of collecting an audit trail, or log chunk, from an audited machine is called a log collection event.
Log continuity report: A Tivoli Compliance Insight Manager report that documents log continuity status.

Log Manager: Tivoli Compliance Insight Manager centralized log collection, management, and reporting interface. The Log Manager is only available on the Enterprise Server.

Logs and audit trails: The system records that document all activity that occurred on the audited machine.

Management console: Enables you to load data into the databases, add new audited machines and event sources, configure collection and reporting schedules, and add and configure users.

Metadata: Information about a particular data set that may describe, for example, how, when, and by whom it was received, created, accessed, or modified and how it is formatted. Some metadata, such as file dates and sizes, can easily be seen by users; other metadata can be hidden or embedded and unavailable to computer users who are not technically adept. Metadata is generally not reproduced in full form when a document is printed.

National Institute of Standards and Technology (NIST): A unit of the US Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.

NIST: See National Institute of Standards and Technology.

Normalization: The process of standardizing log data by describing them in a single, uniform language.

Payment Card Industry Data Security Standard (PCI DSS): Developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking, and various other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments.

PCI DSS: See Payment Card Industry Data Security Standard.

Point of Presence: The server where the actuator is installed is referred to as a Point of Presence (POP).

Policy: A set of one or more compliance queries used to demonstrate the level of adherence to specific security requirements.

Policy bundle: A file containing the information associated with a policy, such as the compliance queries, the collectors, and the associated schedules. A policy bundle permits the policy to be saved and subsequently applied to other servers.

Policy exceptions: Actions or network activity that violate company policy.

Policy Generator: Tivoli Compliance Insight Manager tool that can be used to create policies using existing logs to set a baseline for acceptable network activity.

Policy Rules: A Tivoli Compliance Insight Manager tool that helps a user to generate automatically a set of policy rules or extend an existing policy rule set.

PoP: See Point of Presence.

Proxy relay: A special pull client that acts as a relay between the server and one or more clients. A proxy relay is used to reach a limited number of clients that are located behind a firewall, or that are in an IP address range that is not directly addressable by the server.
Proxy server: A server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.

Pull client: A client that permits communication with the server to be initiated by only the server.

Push client: A client that permits communication with the server to be initiated by either the client or the server.

PuTTY: A free software SSH, Telnet, rlogin, and raw TCP client. It was originally available only for Windows, but is now also available on various UNIX platforms.

Regulatory compliance: Refers to systems or departments at corporations and public agencies to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.

Remote collect: Agentless log collection facilitated by SSH or by NetBIOS for Windows.

Risk: The product of the level of threat plus the level of vulnerability. It establishes the likelihood of a successful attack.

Risk assessment: The process by which risks are identified and the impact of those risks are determined.

Risk management: In a broad sense, to assess, minimize, and prevent negative consequences posed by a potential threat. The term risk management has significantly different meanings that can affect data governance programs. At an enterprise level, risk refers to many types of risk (operational, financial, compliance, and so on); managing risk is a key responsibility of Corporate Boards and Executive Teams. Within financial institutions (or in the context of a GRC program), risk management may be a boundary-spanning department that focuses on risk to investments, loans, or mortgages. At a project level, risk management is an effort that should be undertaken as part of project management, focusing on risks to the successful completion of the project. From a compliance, auditing, and controls perspective, risk assessments and risk management are high-effort activities included in the COSO and COBIT frameworks, and are required by Sarbanes-Oxley and other compliance efforts. Data governance programs may be asked to support any of these risk management efforts, and may need input from these efforts to resolve data-related issues.

Role Based Access Control: Assigns users to roles based on their organizational functions and determines authorization based on those roles.
Sarbanes-Oxley Act (SOX): Legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for not less than five years. The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

Scoping: Enables you to define limited access for certain users or for certain groups of users.

Secure shell (SSH): A network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

Security audit: A systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance, in the wake of legislation (such as HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Information Act) that specifies how organizations must deal with information.

Security controls: Individual security requirements that are categorized into security-related areas. Different organizations must demonstrate the implementation of the security controls through a formal audit process to achieve the respective certification required.

Sensitive data: Data that is private, personal, or proprietary and must be protected from unauthorized access.

Sensitive information: As defined by the federal government, any unclassified information that, if compromised, could adversely affect the national interest or conduct of federal initiatives.

Server: A system where audit data is collected and investigated using Tivoli Compliance Insight Manager.

Shell: A UNIX term for the interactive user interface within an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems, the shell is called a command interpreter.

Simple Mail Transfer Protocol (SMTP): The de facto standard for e-mail transmissions across the Internet.
Simple Network Management Protocol (SNMP): Defined by the Internet Engineering Task Force (IETF). SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention.

SMTP: See Simple Mail Transfer Protocol.

Snapshot™: The result of running all of the compliance queries in a policy against a set of clients. A snapshot shows the number of violations and indicates what clients are not adhering to the security requirements being tested by the compliance queries.

SNMP: See Simple Network Management Protocol.

SOX: See Sarbanes-Oxley Act.

Special attentions: Actions or network activities that may not violate company policy but are suspicious and require additional attention.

SSH: See Secure Shell.

Standard Server: The Tivoli Compliance Insight Manager server that collects, archives, and normalizes log data and generates reports.

Syslog: Often used for both the actual syslog protocol and the application or library sending syslog messages. Syslog is typically used for computer system management and security auditing.

Target system: A system to which Tivoli Compliance Insight Manager receives access to the audit data.

Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

Threat assessment: The identification of types of threats to which an organization might be exposed.

Tivoli Compliance Insight Manager Cluster: The combination of an Enterprise Server, one of the Standard Servers, and a collector in a network deployment.

Tivoli Compliance Insight Manager Server: A generic term referring to the Tivoli Compliance Insight Manager engine that collects and normalizes log data using the W7 methodology. There are two types of Tivoli Compliance Insight Manager servers: Enterprise and Standard.

Tivoli Compliance Insight Manager Suite: Refers to the entire Tivoli Compliance Insight Manager application. This includes the Tivoli Compliance Insight Manager server, Point of Presence, Analysis Engine, Web Portal, iView, Log Manager, and the Compliance Modules.

Tivoli Compliance Insight Manager Web Portal: The Tivoli Compliance Insight Manager single sign-on interface that provides access to iView, the Policy Generator, Log Manager (only on the Enterprise Server), Scoping, and Compliance Modules.

UTF-8: See 8-bit UCS/Unicode Transformation Format.

Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

W7 Attributes: The following list shows the basic W7 attributes:
Who: Which user or application initiated the event?
What: What kind of action does the event represent?
When: When did the event occur?
Where: On which system did the event happen?
OnWhat: What was the object (file, database, printer) involved?
WhereFrom: From which system did the event originate?
WhereTo: Which system is the target or destination of the event?
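To make the W7 attribute list concrete, the following added example (not the product's own Generic Event Model, GSL or GML code) normalizes constructed syslog lines into the seven W7 fields and sets aside lines it cannot classify; the log lines, host names, and addresses are invented for illustration.

```python
"""Illustrative W7 normalization of raw log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines; not captured from any real system.
SAMPLE_LOGS = [
    "Mar 11 09:15:02 dbhost sshd[2140]: Accepted password for alice from 10.0.0.7 port 51522 ssh2",
    "Mar 11 09:16:40 dbhost sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd",
    "Mar 11 09:17:05 dbhost sshd[2181]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2",
    "Mar 11 09:18:00 dbhost cron[400]: (root) CMD (run-parts /etc/cron.hourly)",
]


@dataclass(frozen=True)
class W7Event:
    """One event expressed in the seven W7 dimensions."""
    who: str         # user or application that initiated the event
    what: str        # kind of action the event represents
    when: str        # time of the event
    where: str       # system on which the event happened
    on_what: str     # object involved (program, file, command, ...)
    where_from: str  # system the event originated from
    where_to: str    # target or destination system


# Generic syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<when>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def normalize(line: str) -> Optional[W7Event]:
    """Map one raw line to a W7Event, or None when no mapping rule applies."""
    hdr = SYSLOG_RE.match(line)
    if not hdr:
        return None
    when, host, prog, msg = hdr.group("when", "host", "prog", "msg")
    if prog == "sshd":
        m = SSHD_RE.match(msg)
        if m:
            what = "Logon success" if m.group("result") == "Accepted" else "Logon failure"
            # The remote address is WhereFrom; the local host is Where and WhereTo.
            return W7Event(m.group("user"), what, when, host, "sshd", m.group("src"), host)
    elif prog == "sudo":
        m = SUDO_RE.match(msg)
        if m:
            what = f"Privileged command as {m.group('target')}"
            # A local sudo session originates on and targets the same host.
            return W7Event(m.group("user"), what, when, host, m.group("cmd").strip(), host, host)
    return None


def normalize_all(lines: List[str]) -> Tuple[List[W7Event], List[str]]:
    """Return (classified events, raw lines that no rule matched)."""
    events, unclassified = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unclassified.append(line)  # keep for review rather than silently drop
        else:
            events.append(ev)
    return events, unclassified


def group_by(events: List[W7Event], field: str) -> Dict[str, List[W7Event]]:
    """Group events on one W7 dimension, e.g. all events per Who."""
    groups: Dict[str, List[W7Event]] = {}
    for ev in events:
        groups.setdefault(getattr(ev, field), []).append(ev)
    return groups
```

Unmatched lines are returned separately because a normalization gap is itself a finding: an event source that produces only unclassified records is not being audited.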
W7 Methodology: Tivoli Compliance Insight Manager patent-pending normalization methodology, which translates log files into an English-based language of who, what, on what, when, where, where from, and where to.

World Wide Web Consortium (W3C): The main international standards organization for the World Wide Web (W3).

XML: See Extensible Markup Language.
Back cover

Deployment Guide Series: IBM Tivoli Compliance Insight Manager

Planning for an enterprise compliance management deployment
Installation and configuration of major components
Best practices and troubleshooting

In order to comply with government and industry regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley, and COBIT, enterprises have to constantly detect, validate, and report unauthorized change and out-of-compliance actions on their IT infrastructure.

The Tivoli Compliance Insight Manager solution allows organizations to improve the security of their information systems by capturing comprehensive log data, correlating this data through sophisticated log interpretation and normalization, and communicating results through a dashboard and a full set of audit and compliance reporting.

We discuss the business context of security audit and compliance software for organizations, and we show a typical deployment within a business scenario.

This IBM Redbooks publication is a valuable resource for security officers, administrators, and architects who wish to understand and deploy a centralized security audit and compliance solution.

INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION
BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE

IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment.

For more information: ibm.com/redbooks

SG24-7531-00 ISBN 0738485705