3.
Increased Focus on Security and Controls
• Fraud (Barings Bank, WorldCom, Enron, ...)
• Security Breaches (UCs, BC, Stanford, ...)
• Regulatory Compliance
  • Sarbanes-Oxley (SOX)
  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
4.
Security Risks
• Access Control
  • Do some users have too much access?
  • Sufficient access restrictions to private information?
• Segregation of Duties (SoD)
5.
Security Compliance Tools – Internal Controls
• “Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives” (from MIT’s Guidelines for Financial Review and Control)
• The cost of implementing a control should not exceed the expected benefit of the control
• “Security is a process, not a product”
6.
Security Compliance Tools
Who has access to sensitive transactions? Are there any SoD violations?
• Real-Time Monitoring
• Remove access or assign mitigating controls
• Reduce time and effort when providing information to auditors
7.
SoD Rules Matrix
• Predefined SoD Rule Set
• Can Add Custom Transactions to Rule Set
12.
Benefits of Security Compliance Tools - Summary
• Run with SAP R/3
• Automate SoD analysis
• Automate monitoring of critical transactions
• Quick assessment of authorization compliance for business users, auditors, and IT security staff
• Used during development/project efforts
• Avoid manual analysis and false positives
Barings Bank (the UK's oldest merchant bank) represented a segregation of duties issue (mid 1990s)
Rogue trader Nick Leeson was general manager, head trader and back office manager (a segregation of duties conflict) in Singapore
Leeson effectively controlled the front and back offices
WorldCom
Cooked the books to overstate revenues, e.g. the CFO told key staff members to mark operating costs as long-term investments
WorldCom filed for bankruptcy in July 2002, which was the largest bankruptcy in American history
The SEC accused the company of misrepresenting earnings to the tune of $11 billion
Investors lost billions of dollars as a direct result of the bankruptcy
Former WorldCom CEO sentenced to 25 years
Enron
Inflated its profits, since many of the losses that Enron suffered were not reported in its financial statements
Bankruptcy resulted in thousands of employees being laid off, loss of retirement benefits and savings for thousands more, and substantial losses for shareholders, creditors, and suppliers
Fall of Arthur Andersen, which at the time was the largest accounting firm in the world
Security Breaches
Data breaches include data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers
Several University of California campuses have had their systems hacked into
At Boston College there was a hacking incident in which 120,000 records were compromised
At ChoicePoint, bogus accounts were established by ID thieves, and records on thousands of Americans were sold to identity thieves. In particular, it sold significant amounts of personal information on 145,000 consumers to a group of identity thieves in California, resulting in at least 700 known cases of fraud and identity theft. The information turned over to the thieves included names, addresses, Social Security numbers and credit reports.
Regulations
Sarbanes-Oxley: signed into law shortly after Enron’s collapse; it basically requires publicly traded companies to assess the effectiveness of their controls and have those controls attested by an outside auditor. SOX 404 requires management to evaluate the effectiveness of internal controls on a quarterly basis.
FERPA: a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds from the U.S. Department of Education.
Since 2003, the California Security Breach Notification Law has required state government agencies as well as companies and nonprofit organizations, regardless of geographic location, to notify California customers if their personal information maintained in computerized data files has been compromised by unauthorized access. California consumers must be notified when their name is illegitimately obtained from a server or database together with other personal information such as their Social Security number, driver's license number, account number, credit or debit card number, or security code or password for accessing their financial account.
HIPAA: since we have a medical center on campus this law applies to us; in general its provisions address the security and privacy of health data.
Gramm-Leach-Bliley Act (GLB): requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. MIT is considered a financial institution since it participates in financial activities, such as making Federal Perkins Loans, and FTC regulations treat MIT as a financial institution for GLB Act purposes. The FTC has indicated that colleges and universities will be deemed to be in compliance with the privacy provisions of GLBA if they are in compliance with FERPA.
California Security Breach Notification Law: requires organizations that have had a breach of security related to personal information to inform the people whose personal information may have been compromised.
Keep in mind that there are also penalties for violations regarding each of these laws:
FERPA: violations can lead to the termination of federal funding
GLBA: violations can lead to civil penalties of more than 100,000 for each violation
There are several access-related factors that auditors must be aware of during an application audit. First are the varying levels of user access and their respective responsibilities. There are system administrators with significant privileges, and it is important that they not be given access to transactional processes. Next are super-users with a high degree of access to their particular module and the ability to override controls, and finally standard users with control over specific functions. For the latter two user types, it is important to ensure adequate segregation of duties and that there are no conflicts. For example, no one person must have the ability to both raise a purchase order and to approve an invoice. One problem with such analysis of access is that it is usually done on a ‘point in time’ basis. If possible, organizations should put in place a system to monitor these functions continuously.
Security is often implemented as an afterthought with few SOD rules/controls
External/internal auditors report SOD issues that include false positives (from SUIM)
The security team may spend a lot of time proving that reported SOD violations do not exist after drilling down to the object level
Users
“I need access to XK01 (create vendor)”
External Auditors
“Show me evidence that segregation of duties issues do not exist or have been mitigated”
Management
“Who has access to sensitive data?”
Goal is to achieve an appropriate balance between cost and control
Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce our risk of exposure regardless of the products.
Run with SAP R/3
Automated SOD analysis and monitoring of critical transactions
Quick assessment of authorization compliance for business users, auditors, and IT security staff
Blocking of violations before committing to production
Avoidance of manual analysis and false positives
Can be used with SAP R/3, Oracle, PeopleSoft, and Hyperion
In March of last year Virsa signed a 3 year deal with SAP which will exclusively resell the SAP version of Compliance Calibrator.
Compliance Calibrator runs on the same servers that run SAP, and accesses the most current data, hopefully with no performance issues.
Prevent Segregation of duties issues
Define set of SOD rules - include "Z" transactions
Create SOD rules at object level
Define mitigating controls and approvals
Involvement from security team, primary authorizers, auditors
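The three steps above (rule set with custom "Z" transactions, rules at the object level, mitigating controls) and the earlier note about SUIM false positives can be illustrated with a small object-level SoD check. This is an added example, not Virsa or SAP code; XK01 is the create-vendor transaction cited on the slides, MIRO is SAP invoice verification, and ZINV01, the authorization object names, activity codes and users are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SodFunction:
    name: str
    tcodes: frozenset    # transactions that expose the business function
    auth: tuple          # (authorization object, activity) pairs needed to execute it

@dataclass
class User:
    uid: str
    tcodes: frozenset                      # transaction codes the user may start
    auths: frozenset                       # granted (object, activity) pairs
    mitigations: frozenset = frozenset()   # rule ids covered by a mitigating control

# Constructed rule set: one rule pairing two conflicting functions.
# ZINV01 stands for a custom "Z" transaction added to the rule set;
# "VENDOR_MASTER"/"INVOICE" are placeholder object names, "01" = create.
CREATE_VENDOR = SodFunction("create vendor", frozenset({"XK01"}), (("VENDOR_MASTER", "01"),))
POST_INVOICE = SodFunction("post vendor invoice", frozenset({"MIRO", "ZINV01"}), (("INVOICE", "01"),))
RULES = {"SOD-001": (CREATE_VENDOR, POST_INVOICE)}

def can_execute(user, fn, object_level):
    """Transaction-level test (what a tcode report shows) or object-level test."""
    if not user.tcodes & fn.tcodes:
        return False
    if not object_level:
        return True
    return all(req in user.auths for req in fn.auth)

def analyze(users, object_level=True):
    """Return {uid: {rule_id: 'open' | 'mitigated'}} for users holding both sides of a rule."""
    findings = {}
    for u in users:
        for rid, (a, b) in RULES.items():
            if can_execute(u, a, object_level) and can_execute(u, b, object_level):
                findings.setdefault(u.uid, {})[rid] = "mitigated" if rid in u.mitigations else "open"
    return findings

# Constructed users
USERS = [
    # holds both tcodes and both create activities: a real conflict
    User("alice", frozenset({"XK01", "ZINV01"}), frozenset({("VENDOR_MASTER", "01"), ("INVOICE", "01")})),
    # has XK01 but only display (03) on the vendor master: a tcode-level false positive
    User("bob", frozenset({"XK01", "MIRO"}), frozenset({("VENDOR_MASTER", "03"), ("INVOICE", "01")})),
    # real conflict, but a mitigating control (e.g. periodic review) has been assigned
    User("carol", frozenset({"XK01", "MIRO"}), frozenset({("VENDOR_MASTER", "01"), ("INVOICE", "01")}),
         frozenset({"SOD-001"})),
]

if __name__ == "__main__":
    print("transaction level:", analyze(USERS, object_level=False))
    print("object level:     ", analyze(USERS))
```

Bob is flagged only at the transaction level, which is the kind of false positive the notes say the security team otherwise has to disprove by hand.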
Identify users with access to sensitive data
Define classification of sensitive data
Determination of sensitive data within R/3
Identification of user access to sensitive data/critical transactions