
SOX



Well, I knew there was a downside to our company being bought by a publicly held company. Never again when I hear the word SOX will I automatically think they must be talking about either the Red Sox or the White Sox.

I have been in the IT business for the past 24 years, much of this time handling network communications, administration and security. Until now I thought I had a pretty good grasp of how things worked. Once again I find out that a pair of senators called Sarbanes and Oxley know much more than I do about my job.

I have been hit by the SOX initiative, and for this past week I have been in meetings with KPMG auditors discussing all of our company's network policies, covering every aspect of every little thing I do. I now have to write all new policies and procedures to do everything. Since IT is the core of this company, every other department's policies and procedures will involve me. I now know how it feels to be totally drowned in the government's paperwork.

What's worse is the draconian consequences if these policies and procedures are not followed. Ah well, I knew all this fun would have to end sooner or later. Guess it's time to step up my plan of self-employment.

And yeah, I should not be on this site anymore during the day, but until it comes to the point of actually implementing the policies, to hell with them! For now they do not know I have ways of bypassing the firewall and internet monitoring software.


While I can certainly understand your not wanting to do this, I would suggest that it is a shame that it takes SOX & HIPAA to provide the impetus for all too many companies!

If you are in the business of keeping the network 'secure', you should be one of the biggest advocates of security policies!

The reason is twofold. First, a security policy acts as a roadmap to guide you in the design and operation of the security within your network. This includes the requirements and risk as defined at the business level, but it also enables you to distill these business requirements and risks into a set of actionable items. Second, the security architect can use a security policy as a benchmark for the security system that results. Informing management that your security system implements the requirements of the policy is a much safer statement than saying that the 'network is secure' (which, in most cases, is an impossible goal). It also covers your posterior in that management accepts the methods and degree of protection as adequate and removes your posterior from the final position of responsibility in the case of a security breach.

Policy is simply the rules and regulations set by an organization. Policies are laid down by management in compliance with applicable law, industry regulations, and the decisions of enterprise leaders. Policies are mandatory; they are expressed in definite language and require compliance. Failure to conform to policy can result in disciplinary action, termination of employment, and/or legal action.

And let me begin by saying the security policy goes far beyond simply the network!!! In the broadest sense, the business needs and risk analysis result in Policy/Guidelines/Standards, which combined with industry best practices result in the implementation of a Security System. And this is then augmented by the necessary Security Operations component consisting of Incident Response/System Monitoring & Maintenance and Compliance Checking, which flows back to be considered equally with Business Needs and Risk Analysis, and the cycle is constantly repeated.

Security policies govern how an enterprise's information is to be protected against breaches of security. They are the basis for security awareness, training, and education, and they are a necessary underpinning of security audits. Without policies, it is impossible to demonstrate due diligence in the protection of corporate assets. With a security policy in place you can measure the security of the network resources.

Policies are focused on the desired results, not on the means of achieving those results. The methods for achieving policies are defined in subsequent written controls, standards and procedures.

And this job should not fall solely on you! The policies come top down. And then you must work to develop the controls, standards and procedures. If this is not how it is happening, you NEED to have a meeting with the top administration in the firm!

As the security architect, your interface point with business needs is primarily as a receiver of information. Goals should be adequately communicated to you so that sound security decisions can be made. This should be more than a memo to management. The security architect must really understand the organization's goals in order to make effective security choices.

Additionally, you should not be building any of these from scratch! These should be modified from proven templates available from any of the following resources: ISO17799 (and BS7799), CoBIT, CERT-CC documentation, NSA Security Guidelines, U.S. Federal Best Security Practices, RFC2196, the IT Baseline Protection Manual, and commercial policy guides.

A daunting task? Absolutely, especially if you are starting from scratch! But it is a shame that it is taking SOX and HIPAA to get so many to finally do what should have been fundamental long ago.

And the best thing you can do when audited is to produce volumes of COMPLETE documented policies to the auditors. Bury them in policy and the resultant procedures, as they will bury themselves in perusing them, with spot checks to verify that the policies are being adhered to. You will soon discover that this is the KEY to surviving an audit!

And if you are a real glutton for this stuff, check out one of the several NSA graduate school centers of excellence in Information Assurance!

This is NOT meant as a lecture, as I am sure you are already buried in more than you care to hear about!!!!! But it is meant more as a clarification for the many folks who may have only heard reference to this as a result of 9/11 or because of the recent SOX & HIPAA regulations. Some fun, huh!?


Said like a true auditor!

----------------

On 5/6/2005 4:34:04 PM dragonfyr wrote:

If you are in the business of keeping the network 'secure', you should be one of the biggest advocates of security policies!

----------------

I am an advocate for security policies, but not to the extent that SOX has gone. There does come a point where policies and procedures get so restrictive that work comes to a halt. I fear this is that point.

Some policies and procedures for you; all must be signed by the appropriate authority before I do it, and I must sign off that I did it.

A policy and procedure for me to:

change a password.
update the antivirus definition files, for each server.
if a virus is found, do paperwork to show that I eradicated it.
document who had the virus and where/how they got it.
add any rules to the antivirus/SMTP gateway spam server.
add a hotfix to any server. (Do you know how many hotfixes/updates come out for NT servers?)
sign a form for why I entered the server room.
back up the network.
test that the backup actually worked.
retrieve a tape from the vault.
send a tape to the vault.
test that tapes in the vault are still good.
make a change to the firewall.
test that the firewall change worked.
order cell phones.
order software.
order hardware.
delete an email. (Yep, can't just delete email anymore; if it hits my mailbox I must either keep it for 7 years or get permission to delete it.)
wipe my ***.
dispose of asswipe paper.


For example, earlier this week I found a potentially large "hole" in our managed firewall. I contacted Sprint and made the change to the firewall rules, then explained the problem and my fix to my boss, who is the IT director. End of problem.

Under SOX this is what would take place:

Hole found.
Change form filled out.
Discussed by all departments to make sure the change will not affect them.
Form signed by IT director.
I document the call to Sprint.
Sign the form that the change took place.
Then test the rule and document that I tested the rule.

This whole thing sounds like a conspiracy by the paper mill companies!


It's hard to believe that Sarbanes-Oxley wrote all that detail into the law! It sounds a bit like a consulting outfit has gone overboard in trying to dream up policies and procedures that will supposedly keep a company from violating the law. From newspaper and TV comments, I'd thought Sarbanes-Oxley had to do with corporate financial responsibility.

Larry


I guess that was supposed to be an insult...

Actually it's said like one who has designed and SURVIVED many audits, both US and European!

With that attitude you will have a great time!

What you have posted are procedures, not policies. Policies make no mention of what specific measures or techniques are to be done.

And I dare say they are but a drop in the bucket of what is required.

Here is a simple hierarchy:

Policies: business goals.

Procedures: what will be done to address each goal (equipment/technique agnostic).

Followed by how each procedure will be implemented: specific atomistic procedures relative to each specific appliance/behavior to be used to address each procedure. Specific to each and every piece of gear, e.g. firewall configuration, including expert systems. Not just "configure firewalls"!

And SOX is NOT the originator of this! Neither is HIPAA!

In fact, they are simply making the firms who have been negligent get off their collective butts and do it!

MANY already have!


----------------

On 5/6/2005 5:10:31 PM LarryC wrote:

It's hard to believe that Sarbanes-Oxley wrote all that detail into the law! Rather, it sounds like a consulting outfit has gone overboard in trying to dream up policies and procedures that will supposedly keep a company from violating the law. From newspaper and TV comments, I'd thought Sarbanes-Oxley had to do with corporate financial responsibility.

Larry

----------------

Sarbanes-Oxley does have to do with financial responsibility, but everything finance does touches IT:

file access,
internet access,
transmission of files,
receipt of files,
security of databases,
passwords to the network,
file protection against disaster, virus, hackers, accidental deletion.

Which covers backup and retention policy, virus policy, network disaster recovery, firewall/network security policy.

Which flows to access to network hardware, i.e. computer room access.

We now have to install keycard access on doors to the server room. The doors currently have a 6" x 12" window in them; those have to be removed (solid door).


SOX does not tell anyone how nor what they have to do!!

These guidelines are well established, and no, some consulting outfit did not dream them up!

Refer to:

ISO17799
COBIT
(COSO)
Orange Book
CERT
US Best Security Practices
NSA Security Guidelines

and numerous other references too numerous to mention!

And had companies not been so negligent on their own, the Congress would not have felt the need to step in! Only after debacles like MCI/Worldcom and Enron occurred did the Congress finally get off their butts to do what most others had been doing already.

Funny how everyone likes to bitch and moan about companies not adequately protecting resources like personal information and about fraud like Enron, but then they also complain when someone finally, as a result of the negligence, says they have to take measures to ensure accountability. And that is all SOX does.

But I am sure this one will wind on based on incorrect speculation and assumption.

Gee, I wonder why there have been all these guidelines and audit verification, as well as college IT programs in Information Assurance, long prior to SOX and HIPAA. I guess they were just psychic to anticipate them!

Is this process a hassle and a pain? Sure, especially if it has not been implemented from the start in a rigorous fashion.

But it is silly to blame that practice on someone or something else! As many have been doing it all along!


----------------

On 5/6/2005 5:13:25 PM dragonfyr wrote:

I guess that was supposed to be an insult...

Said like one who has designed and SURVIVED many audits, both US and European!

With that attitude you will have a great time!

What you have posted are procedures, not policies. Policies make no mention of what is to be done.

And I dare say they are but a drop in the bucket of what is required.

Here is a simple hierarchy:

Policies: business goals.

Procedures: what will be done to address each goal (equipment/technique agnostic).

Followed by how each procedure will be implemented: specific atomistic procedures relative to each specific appliance/behavior to be used to address each goal. Specific to each and every piece of gear, e.g. firewall configuration, including expert systems. Not just "configure firewalls"!

And SOX is NOT the originator of this! Neither is HIPAA!

In fact, they are simply making the firms who have been negligent get off their collective butts and do it!

MANY already had!

----------------

Not intended as an insult, it just sounds like what the auditors have been saying all week.

And yes, SOX is the originator of this. You really should read the SOX document. We will be tested several times for this.

And as far as my attitude, no problem. I will write all the procedures they want, fill out any form they want, and conform to any policy they want. I just have this problem with the government sticking its *** into things they have no business getting into. And speaking of the government, those who live in glass houses should not throw stones. I'm sad to say our government is far more corrupt than most publicly held businesses. Someone should write a policy to police the government. Oh wait, there are policies for that. Hmm, wonder why the government doesn't adhere to them.


----------------

On 5/6/2005 5:16:06 PM JohnWhite wrote:

Sarbanes-Oxley does have to do with financial responsibility, but everything finance does touches IT,...

----------------

I see. Laws can have surprising consequences, huh.


SOX simply says that the CEO and CFO, etc. are personally liable if due diligence in verifying all information and certifying that all data is accurate is not followed! Surprise if a few have suddenly gotten religion and decided that their NEGLIGENT companies should get on the ball. MANY COMPANIES AND AGENCIES HAVE BEEN DOING THIS ALL ALONG!!!!!

So I have little sympathy for a 'bank' that is suddenly burdened by the IMPOSED requirement to ensure that their assets are safe! Duh!

Gee Barney...Wake Up!


Why do those not acting according to adequate standards always seem to feel it is sufficient to point out that others are not doing things properly as a justification?

I can just see Enron saying, "but what about MCI/Worldcom!"

But of course! "OK, let's just forget Enron!"

Now That is such a convincing argument!

Oh, and the government systems ARE being audited. And most are failing as well!

So that should excuse everyone else!?

Hope to see you at the ISPC Information Security Professionals Conference in Dallas at the Adams Mark Hotel on May 18, 19, & 20th! I'll buy you a beer!


----------------

On 5/6/2005 5:57:23 PM dragonfyr wrote:

Oh, and the government systems ARE being audited. And most are failing as well!

Hope to see you at the ISPC Information Security Professionals Conference in Dallas at the Adams Mark Hotel on May 18, 19, & 20th! I'll buy you a beer!

----------------

Hit a nerve, did I? You seem to have missed the gist of what I wrote. Up till December we were a privately held company, so SOX did not apply to us, and as I already said, I had a handle on many of the issues the auditors are talking about. I now just have to have written policies and procedures to do the very thing I've been doing all along. Nothing has changed really, just a hell of a lot more paperwork. With an IT staff of 4 people (including the IT director), that makes a ton of work for a $100-plus million dollar company with 2 plants in the US, 20 sales people working remotely and a sales office in the UK.

Ha, doesn't surprise me that the Gov is failing their audits; gives me renewed faith that the system works... or doesn't work, whichever the case may be ;)

I doubt I'll be in Dallas anytime soon. Besides SOX I still have a network to upgrade and the UK office moves into a new facility in a month.


He he, I signed for SOX for my company in October.

And in our case, because of corporate requirements, we had to do it completely internally without any external help.

Can you imagine creating all the procedures and writing all those policies...

But this was the easy part. Now the real fun has started: following up on all this stuff and passing the audit's tests...


Just a couple of thoughts...

Regarding SOX and publicly held companies... While a privately held company exposes only a relatively small number of stakeholders, a publicly traded company has a much greater range of potential stakeholders, and it makes sense that it be subject to accounting and reporting regulations requiring standardized accountability.

And while we tend to focus on the risk associated with externally sourced breaches of confidence, the MUCH larger and MUCH more common issue is from internal compromise of business data.

With the increasingly complex interrelated and connected systems within the enterprise, the potential for the compromise of customer data, employee data, business critical data, financial and strategic data, etc., has increased geometrically.

The irony is that companies, in their attempt to move forward, have in far too many cases not valued the role that defined business practices have in the success or failure of an enterprise. And these systems, properly defined and utilized, serve not only as a defensive tool, but also provide a very valuable tool for strategic management.

Unfortunately too many have failed to understand this process and are simply trying to play catch-up by filling some binders with 'rules' adequate to pass auditors' inspections, and will, in the end, simply have expended a lot of money and run around frenetically while making little or no real contribution to the strategic management of their company.

On the other hand, a systematic and responsible approach that flows from a thorough multi-faceted analysis of the business model and then works to define the role based trust systems within the enterprise can significantly add to the strategic advantage of the company while minimizing risk.

Unfortunately this process is too often considered an IT function and dumped on IT. If done in this manner, the process simply becomes one more busywork task with little chance of offering any real comprehensive benefits, as simply defining a process does not make the process better. But by involving upper management in defining the strategic goals, along with management and IT in the process of understanding business processes based upon a thorough understanding of an enterprise and its strategic goals, coupled with a continuing focus on improving the functional trust relationships focused upon achieving these business goals, real benefit can be achieved!

Once the process has been put into place! But starting from scratch and having the task 'dropped' on you can be a pain! And I fear, from what you have described, John, that this is what is happening to you! Perhaps you should speak to the auditors and enlist their help by having them sit down with your upper management so that they can explain exactly what the role of upper management is in defining the strategic goals of the company in a fashion that can be implemented on a functional level. It is for them to develop policy, albeit with the input of all areas of the organization.

As once that is done, 3/4 of what you have to do is done. At that point, you can focus on simply qualifying the trust relationships and the procedures necessary to implement said policies.

But if management wants YOU to develop the policies without contributing their necessary 'part', you are simply having to do a lot of work without any real benefit or return to the company. And it is little more than A LOT of busywork!

(In this case the process becomes akin to ISO certification without integrated quality improvement! ISO too is the documentation of process, and only process! All ISO does by definition, without the addition of quality improvement, is to very anally document your process to ensure repeatability! So, in that case, if you are manufacturing a product with 95% failure, you can reliably duplicate the process with the same 95% failure as before you documented it! Ironically, the goal of ISO is NOT quality improvement, and this aspect is NOT required by ISO! But a smart 'operator' would be wise to use the resultant understanding of process to improve the quality!) Oh well...

John, I sure hope that you don't become a victim of this same approach to policy and procedure!


Good luck!


We still have our HR department keeping far too much data in spreadsheet form instead of in the database where it belongs. This means double or triple entry and a greater chance for error. And the information isn't available when we run reports. Yup. Internal policies are as big a problem as (probably greater than) regular network security.

We still have trouble getting staff to understand why they must lock their computers when they trot away from their desks. And why they shouldn't give their passwords to a student working in their office.

Marvel


Believe me when I say that I can understand the fun you are going through!

Part of the process is that policy and procedure need to co-opt everyone, so they not only buy in, but so they understand that THEY are, in large measure, the security system. After all, over 80% of the breaches are INTERNAL!

And that includes everything from the clerks who want to share passwords to the even MORE common issue of CEOs who want some 'simple' convenience because, well, because they are the CEO, and why shouldn't he be able to use the wireless access point his daughter bought him, or why can't he simply log in remotely without having to deal with all of that weird authentication! And besides, the CEO's laptop, with all the critical data, is probably the least tightly administered unit in the company. And I can tell you who will be held accountable when it mysteriously disappears! Been there! (Think 802.11i-AES!, VPNs, ssh, tripwire, encrypted data, encrypted communications (802.11i-AES), robust authentication, etc., etc., etc.!)

But one thing policy and the subsequent procedures do afford you, assuming that the company is smart enough to require that each employee reads the policies and procedures and then not only signs an acknowledgment of such (with routine updates to the policies and the repeated non-repudiable acknowledgement by each person), but also signs separately that they UNDERSTAND them and that they did not sign until all of their questions had been addressed.

Then, and ONLY then, is there legal precedent to take prescribed action against the employees if they violate the procedures.

And while the primary goal is not discipline (rather, it is to educate all on why the process is important and to bring them all into the loop!), without the policies you can/will be sued by an employee who commits a violation of the policy/procedures, and you will LOSE! Lots of precedent here!

This is just a small part of the issue and a LARGE part of the crash course to try to implement a program simply in response to a law and an artificially imposed deadline! What a mess!

But a systematic process, where each trust area is able to meet and even to help develop ideas, where they suggest the means to meet the potential problems and where they have a hand in specifying the solutions, can help make IT's job A LOT easier, and then enforcement becomes an 'US' with each area assuming responsibility for the propositions, rather than an 'us vs. them' imposed solution where the employees see it as an imposition.

I'll tell you what....if upper management is not involved in this project and seen as willing to take off their jackets and to literally sit down with folks at all levels, where the commitment to developing and communicating the goals and developing the policies is bought into by all, it will simply become another imposed mess, similar to the so called 'flattened hierarchies' of the inception of the ISO certification days of the late 80's and early/mid 90's where memos sought to replace real actions, and there were some spectacularly expensive failures. (Many of those 'imposed' solutions always appeared to me to be similar to how Communism was 'imposed'. The 'powers that be' sent out memos saying that the lowest employee was equal to the CEO, and that everyone shared an equal responsibility for the company welfare! And that sounded great until one of those silly employees ever wanted to act upon the concept and suddenly everyone found out just how '(un)equal' those upper management folks were! So much for memos!...).

And we are still seeing many of the same issues with implementations of such technologies as CRM and SCM systems.

Again, if the system is simply mandated by memo and developed 'externally' to the stakeholders' involvement, I wish you luck! You're going to need it! But if the company takes the time to do it right, they have the opportunity to use the process as a tool to 'reinvent' the company, and to bring employees into the process in a highly vested manner.

This process is both deceptively simple and deceptively difficult, depending upon how it is genuinely approached.

But implemented under the gun in a few months....I fear it will be an imposed train wreck waiting to happen. And instead of the burden for responsibility distributed throughout the enterprise, it will be seen to fall simply on a few, and they will also be seen as the enemy of the people as well as the scapegoats by management in the event of a breach! All in all, a precarious balance!

All in all, it would be wise NOT to reinvent the wheel regarding policy and procedure. Only the foolhardy do this! In fact, the certifying agencies do not suggest that you do that! For about $800 a company can buy legally tested templates that provide a general framework to be modified. Or membership in ISACA can bring you their online toolkit and ISO17799 and CoBIT resources. (And while I am not a fan of ISACA, some of their absurdly priced resources can be valuable tools.) But there are many ins and outs of the process, and as so often happens, you become aware of the pitfalls not by avoiding them, but by 're-inventing' them and suffering the pain of experiencing them!

So, for all who are facing the prospects of this: please don't re-invent the wheel! Use the object-oriented approach and reuse and modify proven components! And make sure your legal department peruses each one!

And if you can, get the company to spring for sending you to the SANS classes! http://www.sans.org/ At the very least get on their mailing list! They are an incredible balance between theory and hands on lab! I can't recommend them too highly!

So much fun!

And to think that some can't seem to appreciate a 'slightly' sardonic sense of humor! You just don't spend your time doing the 'right' things! I mean, when reality is always a case of being up to your eyeballs in alligators in the swamp, you find unique ways to maintain your sanity!
