prescriptive guide to operational excellence volume 1

59
A TACTICAL GUIDE ENABLING YOU TO TAKE ACTION AND ACHIEVE OPERATIONAL EXCELLENCE. PRESCRIPTIVE GUIDE SERIES. OPERATIONAL EXCELLENCE: Linking Your Business, Compliance, Operations and Security.

Upload: tripwire

Post on 20-Aug-2015


Page 1: Prescriptive Guide to Operational Excellence Volume 1

A TACTICAL GUIDE ENABLING YOU TO TAKE ACTION AND ACHIEVE OPERATIONAL EXCELLENCE.

PRESCRIPTIVE GUIDE SERIES

OPERATIONAL EXCELLENCE: Linking Your Business, Compliance, Operations and Security.


Page 3: Prescriptive Guide to Operational Excellence Volume 1

INTRODUCTION Prescriptive Guide

Copyright © 2010 Tripwire, Inc. All rights reserved.

DRIVE FOR EXCELLENCE

Since Tripwire’s founding, we have seen tremendous changes in our customers’ IT infrastructures. Increasing complexity, combined with new demands posed by security and compliance requirements, has placed greater burdens on the IT professionals charged with ensuring optimized critical business processes.

Tripwire has long played an important role in monitoring IT infrastructure elements for change. Today, the ability to detect, reconcile, and report change is fundamental for high-performing IT organizations.

Please accept this Guide with our compliments, and thank you for your interest in operational excellence and in Tripwire solutions.

ACKNOWLEDGEMENTS

Tripwire and ReymannGroup have partnered to assemble several leading compliance, business, operations, and security experts to share their thought leadership in this tactical guide on actions you can take to achieve operational excellence.

Tripwire extends a special thank you to all our contributors: Paul Reymann, CEO, ReymannGroup; George Spafford, President, Spafford Global Consulting; Barak Engel, President, Engel & Associates; Susan E. Orr, Senior Technology Risk Consultant, ReymannGroup; and Dan Swanson, President, Dan Swanson & Associates.

Page 4: Prescriptive Guide to Operational Excellence Volume 1


TABLE OF CONTENTS

INTRODUCTION
How To Use The Guide ..... 1
Background ..... 1

TRIPWIRE PERSPECTIVE
Tripwire Perspective ..... 3
Common Characteristics Of High Performers ..... 4
The IT Maturity Process ..... 4
Enforcing A Change Policy ..... 6
Tripwire Facilitates Change Management ..... 7
Why It’s Worth It ..... 9

OPERATIONAL EXCELLENCE
Importance From A Management Perspective ..... 11
Enabling Compliance ..... 11
Opportunities To Improve Operational Efficiency ..... 12
Alignment ..... 12
Project Management ..... 13
Risk Management ..... 13
Control Layers ..... 13
Policies And Procedures ..... 14
Training ..... 14
Segregation Of Duties ..... 15
Change Management ..... 15
Integration Of Change Management To Incident And Problem Management ..... 16
Network Monitoring ..... 16
Logical Access Controls ..... 16
Physical Access Controls ..... 17
Business Continuity Planning And Disaster Recovery ..... 17
Audit ..... 17
IT Audit ..... 18
Common Characteristics Of High-Performing Organizations ..... 19
Change And Patch Management Self Assessment Checklist ..... 20
How Tripwire Helps Organizations Achieve High-Performance Operations ..... 21

IT AUDIT
Importance From A Management Perspective ..... 23
Enabling Compliance ..... 24
An Internal Audit Plan ..... 24
IT Self Assessments And Other Continuous Improvement Efforts ..... 25
Audit Self Assessment Checklist ..... 26

Page 5: Prescriptive Guide to Operational Excellence Volume 1


TABLE OF CONTENTS (CONTINUED)

INFORMATION SECURITY
Importance From A Management Perspective ..... 27
Enabling Compliance ..... 27
Opportunities To Improve Operating Efficiency ..... 28
Common Practice And Control Mandates ..... 29
IT Audit ..... 36
Information Security Self Assessment Checklist ..... 38
How Tripwire Enhances Security ..... 39

PAYMENT CARD INDUSTRY
Background ..... 41
Importance From A Management Perspective ..... 41
Enabling Compliance ..... 41
Opportunities To Improve Operating Efficiency ..... 43
IT Audit ..... 44
PCI Audit Self Assessment Checklist ..... 44
How Tripwire Helps Meet PCI Requirements ..... 45

COMPLIANCE RETROSPECT
A Way Of Life ..... 47
Compliance Applies To Most Companies ..... 47
Best Practices Enable Compliance ..... 47
Common Compliance IT Threads ..... 48
Audit And Technology Are Enablers ..... 49
Mandate For Compliance ..... 50
Compliance Self Assessment Checklist ..... 54
Using Tripwire To Achieve And Maintain Compliance ..... 55

NEXT STEPS
Next Steps ..... 57

Page 6: Prescriptive Guide to Operational Excellence Volume 1


HOW TO USE THE GUIDE

In the Prescriptive Guide to Achieving Operational Excellence, we bring together industry experts in operations, IT audit, information security, payment card industry standards, and compliance—combining their expertise with Tripwire’s experience to help you meet these pervasive challenges. The Guide begins with a perspective on the value of creating a culture of effective change management and concludes with a retrospect on the compliance decade.

To help you save time and quickly target the area(s) of most interest, we have focused each section of the Guide on a specific IT challenge and provided one expert’s insight into that challenge. At the end of each section, we offer a self-assessment checklist and tips for using Tripwire change auditing solutions to help meet that specific challenge. This modular approach means that you don’t have to worry about missing fundamental information or related concepts if you decide to skip sections of the Guide. Our goal is to bring you useful, actionable information in a straightforward format. We welcome your comments and feedback via email at: [email protected].

BACKGROUND

In today’s networked operating environment, all companies must be proactive in strategically managing business and IT processes, applications, information, technology, facilities, and security. Done properly, organizations will create a proactive and predictive enterprise-wide culture of operational excellence that is tuned to monitor risk, detect problems, respond, reconcile, report, and measure value in real time throughout the enterprise. These companies will be able to meet compliance requirements, release capital, and leverage their risk investments for competitive advantage and superior business performance. Specifically, these changes will help your company to:

• Pass audits
• Assure data integrity
• Minimize fraud losses
• Reduce unplanned work
• Reduce operational costs
• Ensure business continuity
• Increase system availability
• Identify and remediate information security vulnerabilities
• Enable business executives to understand and take responsibility for the technology and controls underpinning business processes
• Reduce the cost of compliance by eliminating redundant and duplicate compliance efforts
• Demonstrate to regulators, auditors, credit rating agencies, and customers that they are a well-run business
• Establish a proactive and predictive operational risk management methodology against increasingly sophisticated threats and business challenges

Page 8: Prescriptive Guide to Operational Excellence Volume 1

TRIPWIRE PERSPECTIVE Prescriptive Guide


TRIPWIRE PERSPECTIVE

The Greeks knew it long ago: you can’t step into the same river twice. Change is constant. And their world was quite static compared to ours. Fast-forward to our century where technology is king, and change occurs so rapidly it is difficult to manage. To keep pace with business, IT must also continually change, sometimes in unperceivable increments, as services evolve and underlying IT infrastructure is maintained.

IT is a structure of complex systems of systems that must work together to deliver these services. A “Service” contains an integrated “Stack” of systems such as applications, databases, middleware, directory services, operating systems, and networks. Each system in the stack has a specific behavior and state determined by a multitude of detailed elements such as file systems and their attributes, configuration settings, users, and permissions.

This complexity means that changes in the IT infrastructure can impact every part of a business operation, requiring IT to respond with an array of system management techniques, tools, procedures, and policies that together help define a change management process. In many cases these processes are based on best practices frameworks such as ITIL (the IT Infrastructure Library).

Change must be controlled to mitigate the risks that change poses to IT’s compliance, service quality, and security posture. National and local laws, as well as private contractual arrangements, demand that organizations implement controls on their IT infrastructure.

As information management practices receive greater scrutiny within organizations of all sizes, the need to systematically evaluate and enforce IT policy has become a fact of life. Now, more than ever, change control is foundational to IT control. Without strong change controls, companies experience:

• Poor audit performance due to control deficiencies;
• Service outages, unplanned work, and delayed delivery of strategic projects resulting from unauthorized and undocumented changes;
• Increased risk and lack of assurance surrounding system security and data integrity; and
• Increased audit cost and scope.

Everything flows, nothing stands still.

- Heraclitus

Page 9: Prescriptive Guide to Operational Excellence Volume 1


COMMON CHARACTERISTICS OF HIGH PERFORMERS

The Institute of Internal Auditors’ Global Technology Audit Guide “Change and Patch Management Controls” poses the question, “What do all high performing IT organizations have in common?” The answer is, “They have a culture of change management that prevents and deters unauthorized change.”

Companies that have embraced change management accrue at least three tangible benefits:

• Less than 5% of time spent in unplanned work (often referred to as “fire fighting”);
• A low number of “emergency” changes; and
• A change success rate of over 99%, as defined by no resultant outages or episodes of unplanned work following change implementation.

High performers achieve their position because they understand that change policies must be enforced to be effective, and that change policy enforcement requires three components: Culture, Controls, and Credibility.

Culture - A change management culture means that adhering to change policies and processes is part of the IT organization’s DNA. This culture starts at the top with executives who understand that unauthorized change constitutes uncontrolled business risk. They must not only expect that policies are followed—they must inspect that policies are followed; “trust but verify” is the mantra of top performers.

Top management must provide clear, consistent communication that sets the expectation that change management must be followed, starting with ensuring that change policies are in place and that they are enforced.

Controls - The key to controlling IT is to institute effective policies, then implement robust controls to ensure all changes are auditable and authorized, and that all unauthorized changes are investigated. Organizations with weak IT controls invariably spend higher percentages of their resources on unplanned work, produce sub-standard operational results, and deliver lower quality service to their customers.

Credibility - Credibility cannot be implemented – it must be earned. IT organizations achieve credibility when they can demonstrate control of IT, and can show a history of consistent accountability, consequences, and measurable improvement. When people circumvent the proper procedures, they are held accountable and experience visible consequences for going around the system.

Organizational change is never implemented without resistance. While many IT staff members commonly protest that increased change controls will slow them down as they perform their tasks, high-performing IT organizations consistently prove that implementing good processes and controls actually increases efficiency and productivity throughout the organization.

THE IT MATURITY PROCESS

How does one know if their IT organization is a high performer or if there is room for improvement in the change management process? The amount of time spent in “fire fighting” is one of the easiest indicators to gauge this.

Page 10: Prescriptive Guide to Operational Excellence Volume 1


In the average IT organization, it is common for unplanned tactical response to take significant amounts of time away from strategic projects organizations should be implementing. This is one of the most common problems facing IT managers today. Fortunately, it is one that can be solved through the implementation and enforcement of effective change policies.

Figure 1: The Four Levels of IT Maturation (the figure plots effectiveness against the four levels, from “changes control the organization” at Level 1 to “the organization controls the changes” at Level 4)

Level 1, Reactive: over 50% of time spent on unplanned work
Level 2, Using Honor System: 35–50% of time spent on unplanned work
Level 3, Closed-Loop Process: 15–35% of time spent on unplanned work
Level 4, Continuously Improving: under 5% of time spent on unplanned work

Tripwire, together with the IT Process Institute (ITPI), has been studying customers and world-class IT organizations for several years. With the twin goals of understanding the commonalities between top-performing IT organizations and determining the steps an organization must take to improve their IT Service Management capabilities, we have found four levels of capability in Change Management processes:

1. Reactive: IT groups in this first level typically spend most of their time firefighting and have problems with poor service levels and long outage times.

At this stage, there is usually very little formal process in place, almost no systematic communication about changes happening in the environment, and plenty of finger-pointing about the cause of service interruptions.

2. Using the Honor System: As they begin to become dissatisfied with the thrash of life in the Reactive mode, IT organizations typically start by implementing a defined change management process.

At this stage they begin to document policies and practices, and start to put some technologies in place to try to guide the change authorization process. Unfortunately, at this stage, organizations are reliant on the “Honor System” for individuals’ adherence to these new policies and procedures. It is common for organizations at this stage to become frustrated because they cannot systematically determine when people circumvent these new policies.

3. Using Closed-Loop Change Management: Significant performance gains are realized when organizations implement closed-loop change management processes. Closed-Loop Change Management exists when detective controls are implemented to detect changes to production infrastructure, and all changes are reconciled with authorizations to ensure that no undocumented or unauthorized changes escape notice.

At this stage, there is typically a formal project (or at least strong executive sponsorship) to fix problems with change management and to get service levels and IT costs under control. At this level of operation, there is generally a marked improvement in service levels and a decrease in unplanned work.

4. Continuously Improving: Once they’ve experienced the benefits of Closed-Loop Change Management, companies begin to use their newly acquired control to pinpoint areas of problems and inefficiency. They are then able to systematically attack and improve weak areas, which enables continuous and ongoing improvement.

Companies at this level, while not perfect, are able to provide predictable, high quality services in a cost-effective manner.

Organizations interested in implementing a change management program must first assess where they currently stand, and where they wish to end up. Questions that can help determine the present level of IT maturity include:

• What is the overall goal of the change management process?
• What percentage of their time does the IT staff spend on unplanned work?
• If something changed in the IT environment, how would anyone know?
• What is the volume of emergency changes in the IT environment?
• Is the change audit trail properly documented?
• How many failed changes have been experienced and what were their causes?

ENFORCING A CHANGE POLICY

Controlling IT depends on controlling change, which depends on enforcing change policy with effective controls to ensure that all changes are auditable and authorized, and that all unauthorized changes are investigated. For change policy enforcement to work on a practical level the following requirements must be adopted:

All changes must be auditable - All changes made within the IT infrastructure must be clearly visible and documented. IT needs to be especially aware of a high rate of change to at-risk systems and make policy changes that will reduce or eliminate episodes of unplanned work.

Change throughout the entire service stack must be audited. A “service” contains an integrated “stack” of systems including applications, databases, middleware, directory services, operating systems and networks. Each system in the stack has a specific behavior and state determined by a multitude of detailed elements including file systems, configuration settings, users, and permissions.

Someone other than the person (or technology) making the change must approve and record the change. This segregation of duties prevents fraudulent change recording and mistakes made due to simple over-familiarity. Finally, a historical audit trail describing all changes, including when they were made, and by whom, must be maintained.

Basic Control Objectives
• All devices in the production environment must be monitored for changes;
• All changes to high-risk systems (referred to as “fragile artifacts” in the Visible Ops methodology) need to be recorded, explained, and documented;
• A baseline of configuration items is kept as a check point to return to; and
• Change implementers cannot authorize their own changes.

Advanced Control Objectives - Includes the above, plus:
• All changes must be tested in pre-production before being implemented in the production environment;
• All production changes need to be recorded, explained, and documented;
• Change verification/validation should be performed after implementation;
• Emergency changes should include an adequate audit trail to allow tracking from incident to underlying cause and back; and
• The success and failure of changes should be tracked.

All changes must be authorized - Unauthorized change is the primary cause of unplanned work, unanticipated downtime, and business risk. Only authorized changes are acceptable. An authorized change that corresponds to an established change policy may require that a trusted person make the change and only during a scheduled maintenance window. It may also require that a change exactly matches both the change previously approved in the QA environment and an approved change ticket.

Basic Control Objectives
• All changes must be reviewed by the Change Advisory Board (CAB).
• All devices in production must be scanned for change at pre-determined intervals.
• No changes to production assets outside the maintenance window.
• All changes must map to an authorization ticket.

Advanced Control Objectives - Includes the above, plus:
• No changes will be made to production assets except by <specific roles / people>.
• Change implementers will not authorize change requests, nor sign off on completed changes.
• No changes to production assets by pre-production personnel.

All unauthorized change must be investigated - Unauthorized changes cannot be ignored. They must be investigated to determine if they should be accepted or rolled back. It may be prudent to treat high severity unauthorized changes as a security breach until proven otherwise. Controls should be in place to make certain that unauthorized changes are resolved in a timely manner.

Each change that is detected must be mapped to authorized work or flagged for investigation. It may be a malicious act, but more often it may be a case of the right person doing the wrong thing or mistakes made by authorized individuals. Whatever the case, a detection system is necessary to implement an effective system of change controls.

Control Objectives
• All unauthorized changes must be escalated, investigated, documented and resolved within a specified timeframe.
• No unauthorized change should remain in the environment.

TRIPWIRE FACILITATES CHANGE MANAGEMENT

Getting control of IT cannot be achieved by technology alone. Creating a solution to enforce change policy involves a combination of People, Process, and Technology. Business process owners, IT staff, Security, and Audit must all work together to enforce change policy.

Page 13: Prescriptive Guide to Operational Excellence Volume 1

TRIPWIRE PERSPECTIVEPrescriptive Guide

8

TRIPWIRE PERSPECTIVE

Controlling IT also requires expert knowledge of data, devices, and an understanding of how change happens to help evaluate, define, and implement effective processes. This is where Tripwire Professional Services contributes to build a change management process that will aid in passing audits, improve service quality, and assure the integrity of the IT infrastructure.

Once the policies and processes are defined, they can be enforced with technology. Tripwire Enterprise change auditing detects all changes, reconciles detected changes with authorized changes to expose unauthorized change, and reports on policy exceptions. This is important to IT management and practitioners because change control is foundational to IT compliance, security and service quality.

Change Detection - Tripwire Enterprise is a single solution to effectively audit change across the enterprise, giving IT the ability to audit all change. Tripwire Enterprise does this with its breadth of infrastructure coverage, enhanced baseline controls, independence, and enterprise-class manageability.

Tripwire Enterprise monitors the various systems that comprise the service stack and covers the various elements contained within each individual system operating within the service stack. These elements include file systems and their attributes, configuration settings, users, and permissions. Tripwire provides a single point of change control across a diverse service stack comprised of different systems from a wide variety of vendors.

Tripwire detects change relative to a specific designated known and trusted state known as a “baseline”. Tripwire establishes a baseline against which change is measured and provides a secure audit trail of all changes. With Tripwire, only those users specifically granted the appropriate permissions are able to promote detected changes to the “current baseline” in order to ensure the proper baseline is maintained.

Tripwire Enterprise is independent of the myriad of administration tools used to manage and make changes. It verifies the results of these change implementation methods to ensure all expected changes were made and only expected changes were made.

Lastly, Tripwire Enterprise enables an organization with multiple nodes to easily manage their infrastructure and reduce administrative burden by offering a scalable architecture that supports thousands of heterogeneous devices and operating environments across the service stack. Nodes can be grouped into logical, user-defined groups with configurable severity levels to denote the relative significance of a change that can trigger different response actions.
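The baseline-and-detect cycle described above, shown as an added example written for this edit rather than code from Tripwire or this Guide: a snapshot records a few attributes per file (content hash, size, mode, owner), a later snapshot is compared with it, and reviewed changes are folded into a new baseline only through an explicit, permissioned promotion step. The attribute set, the directory layout and the `approver_can_promote` flag are assumptions made for the demonstration.

```python
"""Minimal file-integrity baseline and change detector (added example, not Tripwire code)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes tracked per file. A real product tracks many more (ACLs, extended attributes, ...).
TRACKED = ("sha256", "size", "mode", "uid", "gid")


def snapshot(root: Path) -> dict[str, dict]:
    """Walk `root` and record the tracked attributes of every regular file, keyed by relative path."""
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.lstat()
        state[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
        }
    return state


def detect_changes(baseline: dict, current: dict) -> dict[str, dict]:
    """Compare a current snapshot with the baseline.
    Returns {path: {"kind": added|removed|modified, "attrs": [names of attributes that differ]}}."""
    changes = {}
    for rel in baseline.keys() - current.keys():
        changes[rel] = {"kind": "removed", "attrs": list(TRACKED)}
    for rel in current.keys() - baseline.keys():
        changes[rel] = {"kind": "added", "attrs": list(TRACKED)}
    for rel in baseline.keys() & current.keys():
        diff = [a for a in TRACKED if baseline[rel][a] != current[rel][a]]
        if diff:
            changes[rel] = {"kind": "modified", "attrs": diff}
    return changes


def promote(baseline: dict, current: dict, paths: set[str], approver_can_promote: bool) -> dict:
    """Fold reviewed changes for `paths` into a new baseline. Promotion is a deliberate, permissioned
    act (the flag stands in for a real authorization check); the detector never re-baselines on its own,
    otherwise an unauthorized change would silently become 'expected'."""
    if not approver_can_promote:
        raise PermissionError("only users granted baseline-promotion rights may promote changes")
    new_baseline = dict(baseline)
    for rel in paths:
        if rel in current:
            new_baseline[rel] = current[rel]
        else:
            new_baseline.pop(rel, None)
    return new_baseline


def demo() -> dict:
    """Constructed scenario: baseline a small tree, make four kinds of change, detect and review them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "etc" / "motd").write_text("hello\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_text("#!/bin/sh\necho ok\n")
        baseline = snapshot(root)

        # Simulated drift: a content edit, a permission-only change, a deletion and a new file.
        (root / "etc" / "app.conf").write_text("listen=8443\n")
        os.chmod(root / "bin" / "tool", 0o755)
        (root / "etc" / "motd").unlink()
        (root / "etc" / "cron.d").write_text("* * * * * root /tmp/x\n")

        current = snapshot(root)
        changes = detect_changes(baseline, current)
        # Review accepts the permission change as expected; everything else stays flagged.
        new_baseline = promote(baseline, current, {"bin/tool"}, approver_can_promote=True)
        remaining = detect_changes(new_baseline, current)
        return {"changes": changes, "remaining": remaining}


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind)
        for rel, info in sorted(items.items()):
            print(f"  {rel}: {info['kind']} ({', '.join(info['attrs'])})")
```

Note that the permission-only change on `bin/tool` is reported with a different attribute list than the content edit on `etc/app.conf`; reporting which attributes moved, not just that a file changed, is what lets a reviewer tell a re-deploy from a permission drift without re-reading the file.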

Change Reconciliation - Typical IT environments experience thousands of changes daily, and looking for unauthorized changes is like looking for a needle in a haystack. This challenge really is best solved by technology.

Tripwire Enterprise verifies expected, authorized change and identifies unauthorized change that must be investigated by enabling a variety of manual and automated techniques to distinguish between expected and appropriate change, and unauthorized change that may negatively impact compliance, service quality or security. This reconciliation is based on criteria such as:

• Who made the change;
• When the change occurred relative to scheduled maintenance windows;
• Whether the change matches a change previously detected and approved in a QA environment; and
• Whether the change corresponds with an approved change ticket.
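The reconciliation criteria just listed, together with the authorization control objectives from the “All changes must be authorized” section (changes map to a ticket, stay inside the maintenance window, and implementers do not approve their own work), as an added example written for this edit and not code from Tripwire or this Guide. The record layouts, the ticket and host names, and the rule that a change must satisfy every criterion of some ticket to count as authorized are assumptions made for the demonstration.

```python
"""Reconcile detected changes against change tickets (added example, not Tripwire code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class DetectedChange:
    host: str
    path: str
    user: str          # account that made the change, from the audit trail
    when: datetime
    new_sha256: str    # hash of the file after the change


@dataclass
class ChangeTicket:
    ticket_id: str
    host: str
    paths: set[str]
    implementer: str
    approver: str
    window_start: datetime
    window_end: datetime
    qa_sha256: dict[str, str] = field(default_factory=dict)  # path -> hash approved in QA, if any


def reconcile(change: DetectedChange, tickets: list[ChangeTicket]) -> dict:
    """Map one detected change to authorized work, or flag it for investigation.
    The change is 'authorized' only if some ticket satisfies every criterion: same host and path,
    made by the ticket's implementer, inside the approved window, by someone other than the approver
    (segregation of duties), and matching the QA-approved hash when the ticket carries one."""
    reasons = []
    for t in tickets:
        if t.host != change.host or change.path not in t.paths:
            continue
        problems = []
        if change.user != t.implementer:
            problems.append(f"made by {change.user}, ticket names {t.implementer}")
        if not (t.window_start <= change.when <= t.window_end):
            problems.append("outside approved maintenance window")
        if change.user == t.approver:
            problems.append("implementer is also the approver")
        expected = t.qa_sha256.get(change.path)
        if expected is not None and expected != change.new_sha256:
            problems.append("does not match the change approved in QA")
        if not problems:
            return {"status": "authorized", "ticket": t.ticket_id, "reasons": []}
        reasons.append(f"{t.ticket_id}: " + "; ".join(problems))
    if not reasons:
        reasons.append("no ticket covers this host/path")
    return {"status": "unauthorized", "ticket": None, "reasons": reasons}


def reconcile_all(changes: list[DetectedChange], tickets: list[ChangeTicket]) -> dict[str, int]:
    """Summary counts: how much of the day's change volume is explained and how much needs a person."""
    counts = {"authorized": 0, "unauthorized": 0}
    for c in changes:
        counts[reconcile(c, tickets)["status"]] += 1
    return counts


# Constructed sample data (hosts, paths, people and hashes are invented for the example).
WINDOW = datetime(2010, 3, 6, 22, 0)
TICKETS = [
    ChangeTicket("CHG-1001", "web01", {"/etc/httpd/httpd.conf"}, implementer="alice", approver="bob",
                 window_start=WINDOW, window_end=WINDOW + timedelta(hours=2),
                 qa_sha256={"/etc/httpd/httpd.conf": "aa11"}),
]
CHANGES = [
    DetectedChange("web01", "/etc/httpd/httpd.conf", "alice", WINDOW + timedelta(minutes=15), "aa11"),  # as approved
    DetectedChange("web01", "/etc/httpd/httpd.conf", "alice", WINDOW + timedelta(hours=5), "aa11"),     # late
    DetectedChange("web01", "/etc/httpd/httpd.conf", "alice", WINDOW + timedelta(minutes=30), "ff00"),  # differs from QA
    DetectedChange("web01", "/etc/ssh/sshd_config", "root", WINDOW + timedelta(minutes=40), "1234"),   # no ticket
]

if __name__ == "__main__":
    for c in CHANGES:
        r = reconcile(c, TICKETS)
        print(c.host, c.path, r["status"], r["ticket"] or "; ".join(r["reasons"]))
    print(reconcile_all(CHANGES, TICKETS))
```

Each unauthorized verdict carries the reasons per candidate ticket, so the investigator sees at once whether a change was merely late, was a different artifact than QA approved, or had no ticket at all; the last case is the one the text says to treat as a possible breach until proven otherwise.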


Tripwire’s change reconciliation is uniquely defined by its abilities to view detailed change information, promote expected changes, integrate with change ticketing systems, and trigger various actions upon detection of change. Such actions can include sending alerts and detailed change information via email or SNMP as well as triggering commands that can be used to run predetermined tasks or activate third-party tools such as system backup tools.

Change Reporting - Tripwire Enterprise increases IT’s control over change by providing tools to report on change, ensuring that all changes are authorized and all unauthorized changes are investigated – two key elements in creating a culture of change management, the foundation of a high performing IT organization.

Tripwire Enterprise provides timely reports and dashboards showing the change status of IT service stacks across the enterprise, so that management can drill down into reports for metrics that help them improve their processes, while also providing real-time status to help with incident management and determining outage root causes. These reports and dashboards can be archived for future reference in HTML, PDF, or XML format.

Report linking allows organizations to quickly drill down from overview reports to more detailed reports. For instance, a report could show the change rate of selected systems for the past year; a reader could then drill down into a specific quarter, and then into a specific month to view weekly change rates.

As change management processes become mature, IT organizations can use Tripwire to further automate processes, such as reconciling detected changes with planned, expected changes. Advanced features, when implemented, deliver even more visibility into operations and enable IT to extend change auditing capabilities to security, compliance, and system availability initiatives.

WHY IT’S WORTH IT

There are numerous benefits to implementing a culture of change management with change auditing. Most importantly, enforcing a change management process will aid in passing audits, improve service quality, and assure the integrity of the IT infrastructure.

Change auditing makes it less demanding to meet and maintain regulatory requirements and pass internal and external audits. Passing an audit requires sufficient assurances that business risks are mitigated. For instance, SOX requires completeness and accuracy of financial reporting. PCI requires protection of cardholder information. If all changes to a system can be proven to be authorized, the costs of additional control testing for the system are minimized. Once configured, tested, and deployed into production, IT systems will continue to operate appropriately unless changed.

Change auditing can do much more than just help prove that controls are in place; it can also increase service quality and reduce unplanned work. Reducing unplanned changes increases availability and breaks the traditional downward spiral of unplanned work or firefighting that consumes many IT organizations. The predictability of IT increases when service availability and performance remains consistent and new services are deployed on time and within budget.

Lastly, strong internal change controls provide management and auditors the confidence and supporting evidence that security measures are effective and IT systems operate with integrity. They mitigate potential risks of malicious changes and provide Security with a reliable and unbiased view of change across an enterprise.

In the 21st Century IT organization, change management is more than just a good idea; it’s a business imperative for the IT organization that wants to fulfill its business objectives successfully. By creating the culture, controls, and credibility of successful change management, today’s IT organization can finally lock down change management – and realize the benefits of being a high performing IT organization.

OPERATIONAL EXCELLENCE
IMPORTANCE FROM A MANAGEMENT PERSPECTIVE

Information technology systems contain the data and intellectual property that constitute the lifeblood of most organizations. In many cases, a system failure, security breach, or other problem associated with a key system can have dire consequences for an organization’s ability to attain its goals and may even result in lawsuits and regulatory enforcement actions. These systems must be properly designed, deployed, and safeguarded to ensure that organizational goals can be met and enterprise risks are managed to acceptable levels. If such safeguards are not properly designed with the risks and benefits in mind, a great deal of wasted cost and frustration can be added to the organization.

The design and implementation of effective controls must be integrated into the daily processes of the organization to attain operational efficiencies. If the cost of implementing controls outweighs the risk management or operational benefits, the overall control environment will not be sustainable. There must be measurable benefits to the organization for controls to be adopted as part of its culture. This adoption of risk management and controls into the fiber of information technology will help shift an organization’s understanding of controls from a point-in-time project implementation mindset to a sustainable approach embedded into day-to-day operational processes. The need to manage risks is real.

There are several themes that will be covered in this chapter:

1. Total elimination of risk is not possible.
2. Controls must reduce risks to an acceptable level.
3. Processes must embed the controls needed to mitigate risks.
4. Regulatory compliance and security concerns are risks that will exist in perpetuity.
5. Controls must be designed into the systems and applications – not simply layered on top.
6. An organization that is operationally excellent has a partnership relationship with its auditors.

ENABLING COMPLIANCE

Many controls yield regulatory compliance benefits and very real security and operations benefits when designed properly. An analogy is the response of U.S. automakers to mid-1970s regulatory requirements for emissions. Automakers responded with emissions control systems that were layered on top of existing engine designs. As a result, horsepower, fuel efficiency, and reliability plummeted while complexity increased. Over time, new engine designs were developed that met emissions regulations while improving power, reliability, and fuel efficiency to meet or exceed pre-regulatory levels.

Similar proactive compliance-enabling system designs are occurring today for information technology operations. However, rather than simply layer controls on top of existing systems and processes,1 we must ensure that systems and processes internalize and adequately support the mandated and necessary controls to cost-effectively mitigate risk and achieve operational excellence.

OPPORTUNITIES TO IMPROVE OPERATIONAL EFFICIENCY

Each organization faces its own risk and resource challenges. One common theme for everyone is that there will always be more risks than resources available. Investments must be made with due care to ensure the goals of the organization are safeguarded. A study from AT Kearney reports that management is concerned about information technology being too fixated on day-to-day operations. It found that 70 percent of business executives believe technology innovation is critical yet 80 percent of actual information technology expenditures are spent on infrastructure and core operations. Forty-five percent of business executives strongly agreed that technology groups were too focused on day-to-day requirements versus strategic goals.2 The only way information technology will get out of this low productivity rut is to vigorously adopt process improvement and pursue defects that expose the company to risk, cause unplanned work, and misuse resources.

For any organization to be successful and for the corporate culture to truly adopt a control-rich environment, there must be strong and unwavering support from top management. Auditors call this the “tone from the top.” Management must say and do the right things to reinforce the need for controls to be successful.

While there are numerous elements that help create an effectively run organization, this chapter focuses on the prudent alignment, management, and system controls that are commonly associated with regulatory compliance and process improvement efforts. These topics are a good place to start when discussing your organization’s process improvement efforts.

ALIGNMENT

Proper alignment of the information technology function is crucial to support enterprise business unit needs. Technology is an enabler for improving process productivity—but it must be embedded in each functional area’s goals and objectives. Information technology can enhance productivity, simplify collaboration among employees, partners, and customers, and aid in risk management while improving day-to-day customer service and compliance processes. Information technology personnel must be involved in the strategic, operational, and tactical planning processes. Senior management must have transparency into the progress and problems associated with the use of information technology for daily operations and management of risk within each business unit.

1 Technically, a system is a combination of people, processes and technology. For the sake of emphasis on process design, it is called out separately here.

2 AT Kearney. “Why Today’s IT Organizations Won’t Work Tomorrow”, 2005. http://www.atkearney.com/main.taf?p=5,3,1,111

PROJECT MANAGEMENT

From an operations perspective, time is money. This is why project management is an important process domain. It helps ensure that the outcomes of information technology projects are on time, within budget, and deliver the expected outcomes. In its 3Q04 CHAOS report, the Standish Group revealed that only 29 percent of information technology projects they surveyed up to that point delivered on time, within budget, and with the required feature set. Fifty-three percent of the projects were late, exceeded budget, or had a reduced feature set. The remaining 18 percent outright failed.3 Formal project management practices must be followed to reduce these risks.

Compliance efforts can be affected by project failures as well. Information technology business units must be worried about a large project failure triggering a disclosure. They must also worry about pressures associated with problem projects that cause testing, security, training, documentation, or other needed controls to be discarded or improperly executed due to shortage of time or budget.

RISK MANAGEMENT

Contrary to some beliefs, companies cannot eliminate all risks for two reasons. First, the internal and external threats that create risk are very dynamic. Second, control investments eventually result in diminishing returns. Instead of focusing time and resources on eliminating risk, a realistic goal should be to reduce risk to a level that is acceptable to senior management and the board.

Proactive risk management is a process that must be embedded in the organization’s culture to reap significant benefits. It can be used to constantly “tune” the control environment to ensure that correct controls are present and mitigating risks. Without using risk data input, the organization may have the wrong controls—or no controls—in place, which could leave the organization exposed to significant threats, material findings, and excessive costs.

Information technology personnel and resources play an integral risk management role, aiding in threat prevention, detection, and reconciliation. With the help of technology resources, business units and senior managers can work to execute a cost-effective program that continuously identifies, prioritizes, and manages risks.

CONTROL LAYERS

All business units need to understand risk-based controls and how they should be deployed. Controls are processes that are implemented to reduce the variation around the attainment of objectives and can be grouped into three broad categories of controls—preventive, detective and corrective.

Preventive controls are intended to proactively prevent problems. Policies and procedures are classic examples, as they are written in advance to prevent problems from happening. Detective controls are designed to identify that an event is occurring or has occurred historically. The use of Tripwire Enterprise to scan and detect changes illustrates this type of control. Corrective controls are intended to return a system to its last known good state. For example, restoring a system to its stored, approved configuration image is a corrective control.

3 The Q3 2004 CHAOS Report, The Standish Group International, Inc. http://www.standishgroup.com/sample_research/PDFpages/q3-spotlight.pdf

When designing controls to proactively mitigate risks, consideration must be given to using tiers of controls in the same manner that a castle builder uses multiple walls to protect a fortress. Security personnel call this approach “defense in depth,” wherein layers of controls are used to protect against known and unknown threats that can originate from inside or outside of the organization. Controls must be risk-based.

In some cases, the use of several relatively inexpensive and simple controls may generate more reliable outcomes than one expensive or complicated control. Layered controls also create a “safety net,” in the event that a previous control layer fails. The objective is to have sufficient capabilities to reduce risks to an acceptable level. When auditors review controls and determine that there has been a failure, they will look for compensating controls to offset the level of deficiency.4 In other words, if one layer fails, they will look to see if any other controls are present to detect or reduce the impact of the failure of the first level. If other controls are in place, the auditor can use his or her judgment to reduce the severity of the noted deficiency.

POLICIES AND PROCEDURES

Policies and procedures must be formally documented and reviewed with employees. Without documenting, communicating, enforcing, and raising awareness of corporate standards, security and process improvement efforts will not achieve the intended goals. If employees are not aware of how to properly execute their duties and responsibilities according to these standards, they will be ineffective.

When developing policies and procedures, document only what can realistically be done. This can be accomplished by involving the process owners in the generation and maintenance of the policies and procedures. Moreover, there must be triggers in the system development life cycle and change management processes to ensure that policies and procedures are updated as the computing environment and risk environment changes. At a minimum, they should be reviewed annually.

TRAINING

For employees to reasonably perform their jobs, they must be educated about their duties and responsibilities. This entails learning the organization’s culture, policies, and procedures, in addition to learning new technology and processes. For information technology personnel to effectively identify risks and areas for improvement, their skills must be current. Investments in training yield a more secure, effective, and efficient organization.

4 A control failure during an audit is deemed a “deficiency” by auditors. In the world of Sarbanes-Oxley, the level of severity ranges from “deficiency” at the low end, to “significant deficiency” and finally to the worst one “material weakness.” Definitions of these levels are in PCAOB Accounting Standard 2.

When designing policies and procedures for regulatory compliance and auditors, bear in mind that auditors will need proof of compliance by obtaining evidence that the work was done. Engage your Internal Audit department to identify what controls need to be evidenced and what means are acceptable. Based on its recommendations, policies and procedures should properly reflect evidence/documentation requirements.

SEGREGATION OF DUTIES

All systems have critical processes that, if subverted through human error or malicious intent, will significantly impact the objectives they enable. No one person should have absolute control over a critical process. Instead, processes should be segregated into discrete sub-processes that can then be assigned to parties who do not have a conflict of interest with safeguarding the sub-process. For example, a developer should not have sufficient access to directly update production applications. He or she should develop the application and a separate group should test the application. Once tested, the findings should be presented to the system owner who should review the test results and approve the application for use before it is copied into production. Through segregation of duties, a developer cannot readily disrupt production by mistake or intent.

CHANGE MANAGEMENT

Once a system is deployed, its integrity cannot be maintained without a prudent change management program. Change management is a fundamental ongoing control for security, compliance, and operational efficiency of systems and business processes. Statistics show that human error accounts for 80 percent of network availability issues5 and 79.3 percent of security incidents.6 Even if we assume these statistics are high and cut them in half, the human error rate still represents a significant percentage of incidents. Effective change management is the most important process improvement area to manage risks and improve efficiency.

As the number of uncontrolled changes increases, so do problematic changes7—those that result in incidents, which then result in unplanned work, or “firefighting.” Firefighting wastes resources that could otherwise be dedicated to operational improvement and organizational goals.

The solution is to implement formal change management processes that formalize and standardize change requests, review, approval, development, testing, and implementation. To enforce change management policies and detect changes that occur, a change auditing solution such as Tripwire can be used. By detecting and reporting changes, and by providing the ability to reconcile them, the IT organization can enforce zero tolerance for unauthorized changes and substantiate its processes for handling changes.

In order to manage risks and gain operational efficiencies, the change success rate—the changes that can be implemented according to plan and within the allotted timeframe—must improve. The Institute of Internal Auditors identifies five ways to reduce change management risk:

1. Establish a strong tone from the top that stresses the need for change management and zero tolerance for unauthorized changes.

2. Continuously monitor for unplanned outages. Decreased unplanned outages indicate effective change management.

3. Work with the business to identify when the systems can afford to be down for maintenance and limit changes to those defined periods. For example, from 2 a.m. to 7 a.m. on Sunday.

5 Stephen Elliott, Senior Analyst, Network and Service Management. IDC, 2004.

6 CompTIA, 2005. http://www.comptia.org/about/pressroom/get_pr.aspx?prid=611

7 Here, “problem change” refers to both failed changes that do not install according to plan and to changes that install according to plan but are flawed and result in incident and problem management activity.

4. Use the change success rate metric as a key indicator. Unmanaged change environments typically see change success rates near 30 percent. The organization must recognize that failures represent risks to availability, security, compliance, and more.

5. Measure and report all resource commitments that are allocated to unplanned work. This is another indicator of the effectiveness of the change management environment. A high-performing IT organization spends less than 5 percent of its time on unplanned work, compared to the average IT organization that spends 45-55 percent.8

INTEGRATE CHANGE MANAGEMENT TO INCIDENT AND PROBLEM MANAGEMENT

One of the first questions that should be asked when a system-related issue arises is “what changed?” A great deal of time is spent trying to track down people to find out if they are aware of any changes to the system. Such ad hoc discovery activity increases the Mean Time To Repair (MTTR) and decreases the availability of systems and valuable resources. Alternatively, if data from the change auditing system is shared with incident and problem management teams, you can immediately identify what changed and begin tracking down why. This will dramatically drive down the MTTR and improve availability.9

Another method that will enhance change and incident management capabilities is the use of standardized and repeatable builds. The goal is to reduce configuration variations in production and have as few builds as possible. Once standard builds are in place, the change auditing system should be used to routinely verify that builds are not “drifting” from their standard baseline. You want to monitor the builds in production to ensure that unauthorized changes are not made.

As change and configuration management processes mature, it also becomes possible to gain efficiencies through the use of repeatable builds. The goal is to make it faster and cheaper to simply restore a build or image, than to try and determine why a previously reliable build is having problems. The stored builds and the production environments must mirror one another. This is managed through policies and procedures and the use of an automated change auditing application like Tripwire Enterprise.

NETWORK MONITORING

As information technology and networks are pervasive and mission-critical, they must be more scrupulously monitored to detect performance anomalies and threats. High traffic volumes are also associated with higher threat levels, making automated network monitoring, alerting, and response indispensable. Automated monitoring improves system security, performance, and availability by allowing management by fact. Automation also frees the IT team to focus on exceptions, which in turn simplifies managing large amounts of event data.

LOGICAL ACCESS CONTROLS

All access to systems and data must be limited on a need-to-know basis. As job descriptions are understood, system roles must be documented and excess permissions removed. This reduces the potential for unauthorized persons to overstep their roles and make malicious or erroneous changes. For example, only a few qualified individuals should have system administrator privileges. System roles and privileges must be routinely audited to ensure employees comply with intended use policies and that privileges are not altered without proper authority.

8 Jay Taylor, Julia H. Allen, Glenn L. Hyatt and Gene H. Kim. “Change and Patch Management Controls: Critical for Organizational Success.” The Institute of Internal Auditors. 2005. http://www.theiia.org/index.cfm?doc_id=5167

9 More information is online at http://www.itpi.org/visibleops.

PHYSICAL ACCESS CONTROLS

Once a person gains physical access to a host, he or she can gain control of the host. To guard against malicious acts and unintentional accidents, access to data centers, wiring closets, server closets, and other centers of information activity should be limited to those individuals with a business need. Ideally, door locks should be digital with an audit log that can be routinely reviewed by security personnel. At the same time, all access to the data center should be recorded on a log sheet with the date, time, name, and reason. The access log should correlate with the door lock log. All visitors, including vendors, guests and contractors, should be escorted at all times. There are many different access controls available and the organization should select and implement them such that the level of residual risk is acceptable to management.

BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY

The job of disaster recovery (DR) is to recover an asset or process from a disaster. Business continuity planning (BCP), on the other hand, is tasked with ensuring the organization’s functioning after the occurrence of one or more risk events. By pre-planning response to business-disrupting events, organizations can respond with relative ease. For example, changing from primary to backup systems can happen with virtually no impact to the business. If the risks of power failure are significant enough, the BCP plan will include the installation of appropriately sized uninterruptible power supplies and generators. When the power does fail, the systems remain online supporting the business.

Each organization must define its own acceptable, risk-based level of fault tolerance. The level of investment in BCP and DR systems must be commensurate with the risks to the organization. For example, if a data center averages power outages of a few seconds each hour on an average of 3-4 times per year and the systems are not essential, then a generator may not be needed. On the other hand, even though the historical outage frequency is low, if the systems are mission-critical, even the threat of an outage lasting longer than the life of the UPS batteries may warrant a generator with the appropriate capacity. The probability of the risk and the impact to the organization must drive the investment.

AUDIT

Operationally excellent IT organizations have a partnership relationship with their auditors that creates new value for the organization. Auditors provide at least three benefits that enable organizations to identify and design the necessary risk-based controls to ensure IT continuity. Audit can:

1. Verify that employees are following established policies and procedures.
2. Provide an opportunity for a third party to review activities and make impartial recommendations.
3. Provide opinions about the regulatory environment, the direction of the firm’s audit department and, if applicable, expectations from external auditors.

IT AUDIT

In addition to meeting unrelenting demands for increased efficiency, technology must also address the challenges of security, regulatory compliance, and enable many business goals and objectives. Operational excellence provides the means to contribute to the organization’s success.

Within the realm of technology operations, repeatable and reliable information technology management processes are vital to success. A growing body of research is confirming that operations and information security are closely linked—that is, best-in-class technology operations also deliver best-in-class security.

Based on a variety of research efforts, the Information Technology Process Institute (ITPI) produced the landmark guidance paper “The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps” (www.itpi.org). This handbook provides succinct guidance on implementing ITIL in four practical and auditable steps. Its conclusions indicate that technology operations need to focus on process improvement, work closely with security (to deliver requirements), and operate in a “repeatable” and controlled manner. Research indicates that inappropriate changes to production operations are one of the highest information technology risks facing an organization.

All changes to production must be authorized, tested prior to implementation, and auditable. The Institute of Internal Auditors (IIA) has also produced guidance regarding the critical issue of Patch and Change Management. “Change and Patch Management Controls: Critical for Organizational Success” is part of The IIA’s long-term initiative to develop global technology audit guidance (GTAG – www.theiia.org/technology). This guide helps chief audit executives (CAEs) counsel their peers and staff on IT governance for effectively managing technology risk. Based on the IIA’s research, the top five risk indicators of poor change management are:

1. Unauthorized changes (any number above zero is unacceptable).
2. Unplanned outages.
3. Low change success rates.
4. High number of emergency changes.
5. Delayed project implementations.

Stable, well-managed production environments require that implemented changes be predictable and repeatable and that they follow a controlled process that is defined, monitored, and enforced. The necessary controls to achieve this are analogous to the controls used in financial processes to reduce the risk of fraud and errors—segregation of duty controls and supervisory controls. High-performing organizations have reached this same conclusion, further supported by the extensive work performed by ITPI, the Software Engineering Institute (http://www.sei.cmu.edu/), and others.

For more information on how to begin a process improvement journey by holistically addressing change, release, configuration, incident and problem management, be sure to read the IT Process Institute’s “The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps.” It is comprised of three focused projects followed by a continual improvement process. More information is online at: http://www.itpi.org/visibleops.

COMMON CHARACTERISTICS OF HIGH-PERFORMING ORGANIZATIONS

Extensive research by SEI, ITPI, IIA, and others has shown that high-performing organizations share the following operational characteristics:

• High service levels and availability—measured by mean time between failures (MTBF) and mean time to repair (MTTR).
• High throughput of effective change—sustaining change success rates of over 99 percent.
• Greater investment early in the information technology lifecycle—as measured by staff deployed on non-operational and pre-production activities.
• Early and consistent process integration between information technology operations and security—integrating security into requirements rather than adding it afterward.
• Posture of compliance—a trusted relationship among all stakeholders.
• Collaborative working relationship between functions—working together to solve common objectives.
• Low amount of unplanned work—spending less than five percent of their time on unscheduled activities.
• Server to system administrator ratios greater than 100:1—in addition to being highly effective, high-performing operations are also highly efficient.

The audit committee and the board want to ensure that management has identified and assessed risks that could affect the achievement of organizational objectives. Internal auditors can serve as the eyes and ears of management and the board, seeking out areas of improvement. The importance of an effective patch and change management process to a stable IT environment and overall operational excellence cannot be overstated.

For most organizations, any breakdown in IT systems can bring business to a halt. As a result, attention to operational excellence is critical to prevent major business losses and potential stock price declines with consequent loss of market capitalization. IT operations must ensure reliable IT systems, and to be successful, they must be supported by management, and monitored and evaluated by internal audit functions. Tripwire encourages management to perform periodic self-assessments of its change and patch management practices.

Two quotes by W. Edwards Deming are particularly relevant to Operations: “If you can’t describe what you are doing as a process, you don’t know what you are doing” and “It is not enough to do your best; you must know what to do and then do your best.”


CHANGE AND PATCH MANAGEMENT SELF ASSESSMENT CHECKLIST

Rate your company’s ops readiness on each question: No/Rarely, Yes/Sometimes, Needs Improvement.

Questions

1. Do you believe the organization has an effective change management process?
   - Is the process mature?

2. Does your organization exceed an acceptable number of unauthorized changes?

3. Is your tolerance level for unauthorized changes established and clearly communicated?
   - Is it improving?

4. Are the controls within your change management program comprehensive and effective?
   - Do they reflect the need for preventive, detective, and corrective controls?

5. Has the organization seen benefits from the change management process and efforts to make it best-in-class?

6. During your last major outage, did you exceed your unauthorized change level?
   - Does this reflect fundamental weaknesses?

7. Are your problem solving processes robust? (Re: operational problems)

8. Is the overall health of your IT operations monitored?

9. Is the goal of your change management processes to provide secure and stable IT operations?

10. Is the organization’s patching process disruptive?

11. Do you have a percentage of change requests established?
    - Is this level appropriate?

12. Are the development, testing, quality assurance, and production environments adequately segregated?

13. In practice, do you perform quality system testing prior to implementation?
    - Are you improving these processes?

14. Is the emergency change management process robust?

15. Do you have an appropriate level of compliance testing? (to confirm all changes are approved)

16. Is the change success rate as a percent of total changes acceptable?

17. Is the current percentage of the IT budget used to fund operations appropriate?

18. Is the percentage of the budget for operations used to fund unplanned work excessive?


HOW TRIPWIRE HELPS ORGANIZATIONS ACHIEVE HIGH-PERFORMANCE OPERATIONS

The purpose of improving IT operations is to ensure that critical business services are always available to an organization’s employees, partners, and customers. As enterprise IT infrastructures have become highly complex, any unplanned change to even one network element can result in costly consequences. When an IT organization is able to detect change across the enterprise infrastructure, it has taken a significant step toward achieving high-performance processes.

Many IT organizations currently devote 35 percent of their time to handling unplanned work. Unplanned outages and repairs create internal chaos, result in long mean times to repair, raise IT costs, and delay delivery of new services. In contrast, high-performing organizations experience only five to ten percent unplanned work.

Tripwire change auditing solutions institute independent change detection capabilities. As a fundamental component of well-defined change and configuration management programs, Tripwire provides visibility into changes occurring on file servers, middleware, desktops, network devices, and directory servers across the enterprise.

A Best Practice. Tripwire is a recognized leader in change monitoring and auditing solutions. Tripwire change audit data can be integrated with management consoles and reporting packages such as Remedy AR System, HP OpenView, and similar systems, for a comprehensive view of change across the infrastructure.

Document and Implement Preventative Controls. Tripwire validates that all changes to infrastructure elements are tracked, synchronized with documentation, and applied consistently across the appropriate systems.

Avoid Moving Targets. Tripwire ensures that no changes are made to infrastructure while staff is inventorying assets, mapping services, calculating change rates and change success rates, and determining typical MTTR. With Tripwire software, you can avoid “moving targets” as you establish a known good baseline database for all production assets.

Enforce Change Management Policies. Because Tripwire alerts you to change, it becomes a vital tool for enforcing change management policies and processes. Nothing can change without you knowing what, when, and who. Tripwire assures that no changes are made outside of maintenance windows and that all changes can be mapped to authorized work orders.

Accelerate Network Troubleshooting. Tripwire immediately notifies designated staff members of changes that occur, enabling them to pinpoint the change and determine its potential impact. Organizations that have integrated Tripwire change auditing software into change management processes have reduced mean time to repair (MTTR) significantly. If the change is not desired, Tripwire software enables rapid restoration of files to a known good state. Tripwire can also automatically direct third-party tools to restore systems to their expected state.

Integration with Change Management Processes. Reconciliation capabilities enable you to quickly align detected changes with change approval and release management processes. Many organizations integrate Tripwire change auditing solutions with trouble ticketing and maintenance systems to close the loop on change management.

Verify Desired Changes. Detecting unwanted change is only half the battle. The other half is verifying that changes you want to occur actually do occur. Tripwire also verifies that authorized changes were successfully made, provides documentation of planned changes, and stores “before and after” system snapshots. Assuring that patches or new configurations are rolled out correctly is now as simple as viewing the changes reported by Tripwire.

Reporting. Independent reporting of changes enables you to provide auditors with verifiable logs, document compliance, accelerate troubleshooting, determine corrective action, and enforce change management policies. Detailed reports and audit logs of every change are provided.

Security. Tripwire monitors the configuration, applications, and underlying operating systems of security software and devices to detect and report change. In this way, Tripwire provides independent validation that security applications and their configurations have not been compromised or changed without authorization. Tripwire also monitors and cryptographically protects its own files to protect itself from compromise.
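The mechanics behind the known-good baseline, the “before and after” comparison, and the self-protection described in this section, as an added illustration written for this guide rather than Tripwire’s own code: a directory is walked and each file’s SHA-256 digest and permission bits are recorded; the manifest is signed with an HMAC key (assumed to be held off the monitored host) so that edits to the baseline itself are detectable; a later walk is then classified into added, removed and modified files. The directory layout, file contents and key in `demo()` are constructed for the demonstration.

```python
"""Added example: a minimal file-integrity baseline with a signed manifest."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": file_digest(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def sign_baseline(baseline: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(baseline: dict, key: bytes, signature: str) -> bool:
    """True only if the stored manifest still matches its signature."""
    return hmac.compare_digest(sign_baseline(baseline, key), signature)


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift as added, removed or modified (content or permission change)."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a baseline over constructed files, introduce drift, and report it."""
    key = b"constructed-demo-key"  # assumption: in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_text("#!/bin/sh\necho ok\n")

        baseline = build_baseline(root)
        signature = sign_baseline(baseline, key)

        # Simulated drift: one edit, one deletion, one unexpected new file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "new.conf").write_text("Setting=1\n")

        report = compare(baseline, build_baseline(root))

        # A manifest edited behind the monitor's back fails signature verification.
        tampered = dict(baseline)
        tampered["bin/tool"] = {"sha256": "0" * 64, "mode": "0o755"}
        report["baseline_intact"] = verify_baseline(baseline, key, signature)
        report["tampering_detected"] = not verify_baseline(tampered, key, signature)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from `demo()` lists `etc/new.conf` as added, `etc/hosts` as removed and `etc/sshd_config` as modified, which is the raw material a reconciliation step would match against approved work orders; a production monitor would also record ownership and timestamps and keep the signing key and the signed manifest on a separate host.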


IMPORTANCE FROM A MANAGEMENT PERSPECTIVE

Continuous and proactive risk assessment and risk management are quickly becoming the norm. Auditing is management’s tool to make sure the entire organization has the resources, systems, and processes for delivering efficient, effective, and secure operations. Audits also are designed to identify key goals, issues, and challenges facing an organization and evaluate its progress against important initiatives. In leading organizations, internal auditors provide independent assurance to key stakeholders while identifying any areas for improvement that management should consider.

For each organization there are different goals and objectives, and certainly different issues and challenges. Therefore, there is no one-size-fits-all audit process, nor one audit approach that fits all situations. There are, however, some common and strategic audit-focused questions that must be addressed in most organizations:

• Is your organization addressing regulatory compliance requirements adequately?

• Is your organization investing in operational excellence?

• Has continuous improvement been studied for applicability and implemented in some form in your IT function? In your various business units? In audit?

• Do your governance and risk management practices reflect today’s operating climate?

• Is your performance meeting the needs of your customers and potential future customers?

• Is your management forward-looking? Or are they just investing in solving past problems?

In general, a proactive technology function, compliance function, business unit, and management team will study and learn the strategic direction of the organization and implement plans to contribute to the achievement of the organizational goals. A proactive internal audit function assesses the plans of management to achieve the long-term strategic direction of the organization. Therefore, in preparing for audits, management needs to define and implement plans to meet the long-term goals of the organization and continually communicate progress toward the stated goals with the auditors.

An effective internal audit activity understands the organization, its culture, operations, and risk profile. This makes audit a valuable resource for management, the board, and its designated audit committee. The objectivity, skills, and knowledge of competent internal auditors can significantly add value to an organization’s internal control, risk management, and governance processes.

Internal auditors need to take a risk-based approach in planning information technology audit activities. With limited resources, auditors must focus on the highest-risk project areas and add value to the organization. Audit best practices also suggest internal auditors should be involved throughout a project’s life cycle, not just in post-implementation evaluations.

ENABLING COMPLIANCE

Compliance ensures that an organization’s governance processes are effective and its primary risks are being managed. Compliance is founded on effective controls—those structures, activities, processes, and systems that help management effectively mitigate risk. A dedicated, independent, and effective internal audit brings a systematic, disciplined approach to assessing the effectiveness of internal controls and risk management processes. Because internal auditors are experts in understanding organizational risks and the internal controls available to mitigate these risks, they assist management in understanding these topics and provide recommendations for improvements. At the same time, data gathered from an audit can also help an organization improve its operations across the enterprise.

A formal audit or even a series of audits by internal audit provides management and the board with an increased level of assurance that compliance efforts are meeting the needs of the organization. Each audit presents an opportunity to promote the sharing of lessons learned and best practices with all of the stakeholders involved in compliance efforts.

As detailed in the Compliance chapter of this guide, an organization needs an effective audit program to protect against regulatory and reputation risk. The Compliance self-assessment audit questionnaire provides an approach to assess your current baseline for compliance.

OPPORTUNITIES TO IMPROVE OPERATING EFFICIENCIES

The internal audit plan provides a roadmap for internal auditors to assess the organization’s operations systematically. The audit plan is based on internal audit’s on-going risk assessment of the organization. Technology initiatives and processes that should have some level of audit involvement include:

• Most major system application initiatives—typically involve major operational change and support organizational goals.

• Any significant changes to the technology infrastructure—involve key aspects of reliability and security.

• Patch and change management processes—involve control of all organizational change and contribute greatly to the reliability of technology operations and security.

• Information security efforts—as a primary element of information protection.

• Important technology management processes, such as the system development life cycle—support and encourage the continuous improvement of information technology.

• Disaster recovery and business continuity program efforts—protect the organization’s long-term survivability.

• Any other technology effort that involves major change to the organization’s business operations or control environment.

The internal audit’s assurance role supports senior management, the audit committee and board of directors, and other stakeholders by providing independent opinions on various technology efforts and activities (i.e., to improve the organization’s operations and help achieve its goals and objectives).

There are numerous benefits of having information technology personnel work closely with internal auditors. For some technology personnel, the entire audit function may have a mysterious and misunderstood role, particularly when working in certain industries. Too often, auditing is viewed as a necessary evil and therefore involves confrontational relationships.

In high-performing organizations, there is a mutual respect and trust between the technology teams and the internal and external audit teams. In these situations, technology teams view the auditors as additional consultative resources to ensure appropriate controls are in place and effective. Just as the manufacturing world realized the need for quality control processes, technology departments are finally recognizing that processes and controls to ensure the quality of information technology services must be implemented.

When IT processes are well documented and operating reliably, IT audits confirm the positive efforts of IT. Where they are not, IT audits report the gaps and numerous opportunities for improvement. The level of documentation for IT processes should reflect the risks associated with the IT processes. IT audits will provide an independent assessment of the appropriateness of the IT efforts to be efficient, effective, and responsive to the needs of the organization.

IT SELF ASSESSMENTS AND OTHER CONTINUOUS IMPROVEMENT EFFORTS

Processes can always be improved and should be, based on review and analysis of performance and detailed process information. IT managers also are responsible for identifying improve-ment opportunities. A culture of continuous improvement encourages proactive change to operations, and internal self-assessments are an effective means of achieving this goal.

The various self-assessment questionnaires provided in this guide are designed to help you identify improvement opportunities. Other self-assessment questionnaires may also be relevant to your organization’s operating environment:

• “Six Sigma” and other leading-edge quality improvement practices.

• The Canadian Institute of Chartered Accountants’ 20 Questions for Directors to Ask regarding IT & IT outsourcing.

• Your board of directors’ meeting minutes (such insights can help you to understand management’s priorities and take steps to implement quality practices in these critical areas).

• A quality improvement program you initiate within your business unit, division, function, and entire organization.

Questions to help determine your readiness to implement a culture of continuous improvement and increase auditing efforts are provided below. The following questions are based on research completed by Tripwire and other recognized leaders in internal and IT auditing and continuous improvement. This self-assessment can be used in the context of the IT function, the internal audit function, and at the enterprise level.

The main aim of internal auditing is to assist the organization to achieve its objectives. A key purpose of internal audit and IT audits is to identify operational efficiency opportunities and support management’s efforts to be cost effective.


AUDIT SELF ASSESSMENT

Rate your company’s ops readiness on each question: No/Rarely, Yes/Sometimes, Needs Improvement.

Questions

1. Is a strategic plan in place (for the organization and information technology) and does it reflect quality principles and incorporate improvement objectives?
   - Have we communicated to all levels?

2. Have key performance indicators been identified? Are the trends positive?

3. Do we gather, analyze, and evaluate information on a continuous basis to determine the needs of clients and stakeholders?

4. Do we have full agreement at all levels on the importance of client and stakeholder satisfaction?

5. Is it easy for clients to provide input on their needs, to seek assistance, and to complain?

6. Are the levels and trends in client and stakeholder satisfaction positive?

7. Do we identify, prioritize, and measure issues, and set improvement goals to address them?

8. Do we conduct formal quality assessments periodically?

9. Are systems in place to recruit, develop, recognize and assess people, and do we take steps to minimize the effects of any restructuring initiatives?

10. Do we identify training and development needed to meet the goals in our improvement and strategic plans, and do we respond to these needs?


IMPORTANCE FROM A MANAGEMENT PERSPECTIVE

Security is everyone’s responsibility. However, to be effective it must begin in the boardroom. The rank and file within an organization takes cues from management. Therefore, the “tone at the top” and the message communicated throughout the organization must support the implementation of security controls and adherence to policies and procedures. A proactive security infrastructure is important to IT governance and to successful implementation of business objectives, in addition to protecting valuable information assets – customer, partner, patient data, intellectual data, financial data, and sales data. When it comes to effective IT governance, the board and senior management must be engaged with a current and working knowledge of IT and enterprise security practices.

The security of the IT infrastructure is paramount to the safe, sound, and secure use of technology business tools that yield cost savings, productivity improvement, and revenue enhancement throughout the organization. In short, a well-defined and validated information security program should be the foundation upon which all companies launch a corporate strategy of operational excellence.

High-performing organizations go beyond establishing the tone at the top and communicating the strategic vision for security culture throughout the organization. They also assign responsibility for validating and enforcing compliance of enterprise-wide security. The responsibility for validating adoption of the information security culture is typically assigned to audit. The responsibility for enforcing compliance resides with each business unit’s management team. High-performing organizations effectively leverage internal audit personnel and automated audit tools to provide management, the oversight body, and external stakeholders with continuous and independent assurances that the organization’s information and technology infrastructure are secure.

ENABLING COMPLIANCE

As vulnerabilities, threats, and security breaches take center stage in the news, traditional security best practices are being incorporated into laws and regulations. Organizations are now mandated to implement security best practices to comply with GLBA, Sarbanes-Oxley, the USA Patriot Act, FISMA, HIPAA, SEC 17a3 and 4, and many others. Noncompliance with these mandates and a weak security program carries significant risks to networks, sensitive information, reputation, business continuity, and continued growth. It also exposes an organization to risk of enforcement action, class-action lawsuits, civil money penalties, and other fines.


Although these mandates are separate and distinct, they offer a common framework for specific security practices and controls to protect information assets. This chapter provides an overview of the common practice and control mandates that will help you establish prudent information security measures to create a safe, sound, secure, and operationally excellent environment, and, furthermore, enable your organization to meet information security and technology risk management regulatory compliance requirements. High-performing organizations realize that compliance is achieved as a by-product of executing prudent business, technology, and information security best practices – not a separate initiative or project.

OPPORTUNITIES TO IMPROVE OPERATING EFFICIENCY

Any decision to invest capital in security should not be based only on compliance needs. There are other clear business benefits to be gained. As you implement best practices and effective controls to reduce risks and safeguard assets, you will also increase overall productivity through efficient operations. For example, automated monitoring and logging functions will enable forensic capabilities that help you to rapidly identify security violations and respond quickly and appropriately. You will find that employee productivity will increase as they devote more time to daily operations instead of reviewing logs, verifying users and access, manually monitoring for vulnerabilities, or manually researching data on problem events. By implementing the right preventive, detective, and corrective controls, you can also help ensure operational continuity. Continuity ensures employees and customers have access to necessary information and resources when needed—helping increase revenue and improve profitability. Continuity also helps reduce costs associated with unplanned outages. Implementing a prudent security infrastructure will help ensure data integrity and provide management with the confidence that strategic decisions are based on accurate and reliable information.

Sensitive information is a frequent target of hackers, organized crime, corporate espionage, and terrorists, regardless of industry. The definition of sensitive information is also expanding to include much of the customer data that companies collect and retain. Identity and intellectual property theft is rampant with no signs of decreasing. Network vulnerabilities and malicious code attacks are increasing at an alarming rate, and they are more sophisticated, deploying damaging payloads. Statistics show that security breaches, with the resulting system repairs, operations and data reconstruction, and lost customers, can cost businesses millions of dollars.

Threats to your organization and its information can originate from activities such as:

• Disgruntled employees

• Poor business practices

• Stolen laptops and PCs

• Hackers and crackers

• Stolen storage devices and backup media

• Natural disasters

• Security control failures

• Sabotage, vandalism, terrorism, malicious code, trojans, and viruses

• Pretext phone calling, phishing, and dumpster diving

There is no silver security bullet. But there is an approach that incorporates people, processes, systems, and technology which will enable organizations to meet business objectives, mitigate risk, protect information assets, and comply—by adopting a well defined security plan.


COMMON PRACTICE AND CONTROL MANDATES

While many companies are realizing the importance of establishing a prudent information security program, they frequently struggle with “how to begin.” A strong security program begins with identifying relevant risk events that can threaten your organization. This is accomplished with a comprehensive assessment of risks that also quantifies the economic effect of such risk events on the organization. An effective risk assessment must:

• Be enterprise-wide and encompass the physical and networked environment.

• Identify and classify all information system assets (data, systems, applications, and hardware).

• Identify all threats to those assets (internal and external unauthorized access, malicious or unintentional damage, and environmental events such as fire, flood, power outages, etc.).

• Identify vulnerabilities that could jeopardize corporate or customer information and assets. Vulnerabilities may include the lack of specific controls, training deficiencies, unsecured remote access, policies, or procedures.

• Review the adequacy of all current policies, procedures, and risk mitigation controls.

• Analyze the probability of each identified threat.

• Evaluate compliance with all applicable laws and rules.

• Identify additional risk-based controls appropriate to the identified threats.

• Continuously and proactively adjust the risk assessment to respond to changes in threats, controls, and your organizational activities, including employee turnover, new product and service introductions, mergers and acquisitions, new applications, etc.

The risk assessment initiative cannot be taken lightly. The validity of the assessment drives the success or failure of the organization’s strategy for the subsequent security policies, procedures, controls, and its long-term success.

Once a comprehensive risk assessment is completed, a security strategy to mitigate the identified risks, protect the organization’s assets and customers, and comply with laws and rules should be developed. A security strategy consists of the following steps:

• Develop policies that specify:
  — Security responsibilities.
  — Guidance for acquiring, implementing, and auditing controls and systems.
  — Enforcement policies and sanctions for non-compliance.

• Select specific controls based on your risk and a cost-benefit analysis.

• Implement defense-in-depth layered controls and testing to establish multiple lines of protection.

• Train all staff on their duties and responsibilities for ensuring security throughout the organization.

While these security strategy steps may be common among companies, the identified risks and subsequent controls that are implemented can vary greatly among companies - a “one size fits all” approach to information security is not realistic. However, there are several key control categories that all organizations should consider as they align those controls that meet their respective risk profile. At a minimum, each organization should consider the following key control categories and practices and implement those that align with its risk-profile to improve its security posture:

Control access. Controls to restrict access—both within the networked environment and the physical environment—are imperative. Today’s ubiquitous access to information and the facilities and equipment that store sensitive information requires all companies to establish access controls that extend throughout operating systems, applications, remote use, and physical locations. All access should be provided on a “least privileged” or “need-to-know” basis. This means that a user’s access to system resources should be assigned based only on what is needed to perform his or her specific job function. Prior to assigning rights, there must be a formal and documented user registration process to ensure that unique user IDs are assigned, redundant IDs are not issued, employees are aware of their access rights, and a formal record of all assignments is maintained. Management of this formal registration process should also include regular monitoring of access logs for suspicious activity and to ensure unauthorized privileges have not been obtained. In general, assignment of user rights should be reviewed no less than every six months and special privilege user rights every three months. High-performing organizations have found that automated log management and reporting tools can enhance and streamline this monitoring process and reduce errors, false positives, and resource commitments.
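The two checks this paragraph calls for, a review-age check against the six-month and three-month intervals and a comparison of access logs against the formal record of assignments, as an added example written for this guide (not Tripwire’s code or any product’s log format). The approved register, review dates and log lines are constructed; the interval lengths in days (182 and 91) are an assumed approximation of the six- and three-month rules, and an assignment missing from the register is treated as privileged when judging its review age.

```python
"""Added example: access-review checks over a constructed register and access log."""
from datetime import date, timedelta

# Assumed day-count approximations of "every six months" and "every three months".
REVIEW_INTERVAL_DAYS = {"standard": 182, "privileged": 91}

# Constructed formal record of assignments: (user, role) -> privilege class.
APPROVED = {
    ("alice", "payroll-app"): "standard",
    ("bob", "db-admin"): "privileged",
    ("carol", "payroll-app"): "standard",
}

# Constructed record of when each assignment was last reviewed.
LAST_REVIEW = {
    ("alice", "payroll-app"): date(2009, 11, 10),
    ("bob", "db-admin"): date(2010, 3, 1),
    ("carol", "payroll-app"): date(2010, 5, 20),
}

# Constructed access log: one event per line, timestamp then key=value fields.
ACCESS_LOG = """\
2010-06-10T08:12:00 event=login user=alice role=payroll-app
2010-06-11T09:30:00 event=login user=bob role=db-admin
2010-06-12T14:02:00 event=role_grant user=dave role=db-admin
2010-06-13T10:45:00 event=login user=carol role=db-admin
2010-06-14T11:00:00 event=login user=carol role=payroll-app
"""


def overdue_reviews(last_review, approved, today):
    """Return (user, role, days_overdue) for assignments past their review due date."""
    overdue = []
    for (user, role), reviewed in last_review.items():
        # Unknown privilege class: assume privileged, i.e. the shorter interval.
        level = approved.get((user, role), "privileged")
        due = reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[level])
        if today > due:
            overdue.append((user, role, (today - due).days))
    return sorted(overdue)


def parse_events(log_text):
    """Parse 'timestamp key=value ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        fields["ts"] = parts[0]
        events.append(fields)
    return events


def unregistered_roles(log_text, approved):
    """(user, role) pairs used or granted in the log that have no entry in the register."""
    seen = set()
    for ev in parse_events(log_text):
        if ev.get("event") in ("login", "role_grant") and "user" in ev and "role" in ev:
            seen.add((ev["user"], ev["role"]))
    return sorted(pair for pair in seen if pair not in approved)


def review_report(today_iso):
    """Both checks for a given review date (ISO format), using the constructed data."""
    today = date.fromisoformat(today_iso)
    return {
        "overdue": overdue_reviews(LAST_REVIEW, APPROVED, today),
        "unregistered": unregistered_roles(ACCESS_LOG, APPROVED),
    }


if __name__ == "__main__":
    print(review_report("2010-06-15"))
```

Run for 15 June 2010, the report flags alice’s standard assignment (35 days past its six-month review) and bob’s privileged one (15 days past its three-month review), and lists carol’s use of `db-admin` and dave’s grant of `db-admin` as privileges that appear in the log but not in the register; the second list is the “unauthorized privileges have not been obtained” check from the paragraph, run mechanically.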

Many companies are finding remote and wireless access can provide significant productivity benefits and convenience for employees, contractors, and vendors. However, these forms of access also create an exposure for remote and wireless attacks on the network that must be monitored and mitigated. Remote access should always be restricted and granted only with management approval. There also should be formally documented procedures governing the use of remote access, and access should be monitored and logged. All forms of remote access must be deployed securely and access monitored closely.1 Wireless access, while adding convenience and increasing productivity, also increases security risks if not deployed properly and securely. However, security concerns are not just limited to the planned deployment of a wireless network. With the ease of setup and the proliferation of devices that are wireless-enabled, monitoring for ad hoc networks is also a prudent practice. Whether the threat is from a well-intentioned employee setting up an access point in his or her office in order to be more productive, or from a malicious person attempting to provide an unauthorized entry point into the network, the threat is real.

Similarly, access to storage facilities, computer rooms, network closets and other physical locations that may contain sensitive information or equipment must be protected from unauthorized physical access. User rights and physical and logical access must be continuously monitored and security controls must be in place to guard against unwarranted access.

Such physical locations and assets must also be protected from the risk of environmental damage or contaminants. In addition to restricting access to data storage locations—vaults, file cabinets, and offsite storage—these locations must be protected from fire, smoke, chemical contaminants, and water. The same rules apply to computer operations areas, server rooms, and wiring closets. Best practices require the use of fire detection and suppression equipment, quick availability of plastic tarps for covering computer equipment in the event water sprinklers are activated, restricting access through the use of cipher locks and card key controls, in addition to clean desk and clear screen policies.

Authenticate. System users must be authenticated or verified based on unique credentials and the risks associated with the application or service. This includes external and internal connections. Similarly, physical access to sensitive control areas must also be authenticated or verified. Typically, these credentials consist of something the user knows, the user has, the user is, and the user does. Many systems today require only single-factor authentication, usually a user ID and a password, which when used as the only control for protecting access to sensitive or confidential information and information systems has been found to be inadequate. The use of single-factor authentication alone can result in unauthorized access to systems and information, account fraud, and identity theft.

1 Download the paper at www.rymangroup.com/lib2.htm to learn more about how to secure wireless access.

In environments of high-risk systems and transactions, a stronger security approach such as multi-factor authentication is essential. All high-risk systems and transactions should be identified during the comprehensive risk assessment. Multi-factor authentication expands beyond something the user knows (i.e., a traditional user ID and password) to also include something the user has, is, and does. Something the user has employs a token system where the user is issued a one-time-use password-generating device such as a smart card, key fob, or a scratch-off card much like a lottery card. Something the user is refers to biometrics and verifies the user based on unique physical or behavioral characteristics. Biometrics also requires an enrollment process where the physical characteristic is recorded and stored. The use of biometrics, while effective, can be expensive and require extensive storage capabilities to meet record retention mandates. There are numerous forms of biometrics used today. Fingerprint recognition is the most common and is the least expensive and least invasive. Other forms include:

• Retinal, iris, palm, and hand geometry scans
• Voice, face, handwriting recognition

In addition, there are other authentication technologies available, such as plug and play applications and supplemental hardware and software appliances. Out-of-band authentication is a technique that has been used for many years in the financial services industry for verifying the identity of the individual originating a transaction. Out-of-band authentication involves the use of call backs (telephone call, email, or text message) generated by a network server and a predetermined shared secret to verify identity. Geographical location uses a baseline determined by the amount of time required for traffic to move across the Internet and compares that length of time to a known user location. If the distance is out of sync, access is denied. While reliable, this technology restricts users to a specific location and is not adaptable for wireless communications. There is also authentication based on IP address location, which is easy to implement; however, it is not a reliable method due to the ease of IP address spoofing.

Each organization must perform a cost-benefit analysis that is an extension of its formal risk assessment findings to decide which authentication techniques and technologies are appropriate to its risk profile. Risk-based authentication measures should also be implemented for sensitive electronic messages to prevent or detect unauthorized changes or corruption of the data. Typically, message authentication should be considered for confidential and sensitive content like electronic funds transfers, corporate financial data or proprietary information, security information, and contract specifications.
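The two mechanisms described above, a one-time password-generating device ("something the user has") and authentication of a sensitive message, share the same primitive: a keyed hash (HMAC) over a value that both sides know. The following is an added example written for this guide, not code from the guide or from Tripwire. The token side implements the RFC 4226 HOTP algorithm over a shared per-user secret and a counter; the server side accepts a code only once and within a small look-ahead window, so a captured code cannot be replayed. The message side attaches an HMAC-SHA256 tag to a funds-transfer instruction so the receiver can detect alteration in transit. The secrets, the counter window and the message are constructed demo values (the token secret is the RFC 4226 reference-vector secret so the codes can be checked against the RFC).

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed demo values. The token secret is the RFC 4226 reference-vector
# secret so the codes below can be checked against the RFC; a real deployment
# provisions a random per-user secret at enrollment and stores it protected.
DEMO_TOKEN_SECRET = b"12345678901234567890"
DEMO_MESSAGE_KEY = b"constructed-message-key-for-demo-only"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, server_counter: int, submitted: str,
                window: int = 5) -> Optional[int]:
    """Server-side check of a code from a counter-based token.

    Accepts the code if it matches any of the next `window` counters (the
    token may have been pressed without the code being used) and returns the
    counter the server must store next. Every code is single-use: the stored
    counter moves past the matched value, so a replayed code fails. Returns
    None on no match; the stored counter must not move in that case.
    """
    for candidate in range(server_counter, server_counter + window):
        # constant-time compare so timing does not reveal which digits matched
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate + 1
    return None


def sign_message(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag that travels with a sensitive message (for example a
    funds-transfer instruction) so the receiver can detect alteration."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """True only if the tag was produced with this key over exactly this message."""
    return hmac.compare_digest(sign_message(key, message), tag)


def demo() -> dict:
    """Walk through one token login plus a replay, and one message check."""
    results = {}
    stored = 0                                   # counter the server last stored
    first_code = hotp(DEMO_TOKEN_SECRET, 0)      # what the device would display
    stored = verify_hotp(DEMO_TOKEN_SECRET, stored, first_code)   # accepted -> 1
    results["first_login"] = stored
    # the same code presented again must be refused
    results["replay"] = verify_hotp(DEMO_TOKEN_SECRET, stored, first_code)

    msg = b"TRANSFER 100.00 FROM 1001 TO 2002"   # constructed message
    tag = sign_message(DEMO_MESSAGE_KEY, msg)
    results["intact"] = verify_message(DEMO_MESSAGE_KEY, msg, tag)
    results["altered"] = verify_message(DEMO_MESSAGE_KEY, msg.replace(b"100", b"900"), tag)
    return results


if __name__ == "__main__":
    print(demo())
```

The window keeps a token usable after a few unused presses, but it is also the attacker's guessing budget: it should be small, and the counter should only ever move forward. Note that an HMAC tag proves integrity and origin to a holder of the key; it does not hide the message, which is what the encryption controls in the next section are for.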

Encrypt. As customer, corporate, partner and other sensitive information is stored or transferred on the network, it must be protected from access and use by unintended recipients. Sensitive data in transit or in storage should be encrypted to mitigate the risk of disclosure or alteration. The required level of encryption and a determination of information requiring encryption should be based on the organization’s formal risk assessment. As a general rule, any sensitive or confidential information that is being electronically transmitted via email, instant message, as an attachment to an electronic message, or maintained electronically in storage should be encrypted to mitigate the risk of disclosure or alteration. Sensitive or confidential information may include customer personally identifiable information, account numbers, customer or corporate financial information, corporate intellectual property, or proprietary information.

Employees should be provided with the means to encrypt any electronic communication that leaves the secure network infrastructure, if it contains sensitive data. Furthermore, company policy should prohibit the transfer of any sensitive information outside of the secure network unless it is encrypted.

Encrypting data can protect it from disclosure to unauthorized parties and allow discovery if unauthorized changes are made. Encryption is an important control for ensuring data confidentiality and integrity, as well as accountability and authentication. While it will strengthen security, encryption does not guarantee security – it is one of several controls that must be considered to establish a risk-based defense-in-depth posture.

Install firewalls. Any organization with access to external sources through the Internet must have a firewall. However, the use of firewalls should not be limited to external connectivity. Firewalls may also be used to segment the internal network, adding an additional layer of protection from unauthorized access. When configured properly, a firewall will inspect all traffic coming into the network and either allow the traffic to pass, or block it, based upon the organization’s specific security policy. Firewall selection should be based on the organization’s security needs, extent of Internet access, and complexity of network structure. Once implemented, the firewall should be configured with a set of rules for incoming and outgoing traffic, which should be based on management’s expectations, the formal risk assessment, and the overall corporate security policy.

While firewalls are essential and do play a key role in protecting the network, a firewall’s role is limited. Firewalls are typically considered a “choke point” where security and audit converge. When set up properly, they can help protect the internal network from unauthorized traffic and provide a logging and automated audit function that collects information about the traffic that is allowed through as well as attempts to circumvent security. However, firewalls cannot protect against attacks that do not pass through them, nor do they provide protection from viruses. For example, a firewall cannot prevent the leakage of sensitive information via email, the unauthorized copying to disks or external drives, or social engineering attacks. Firewalls are also frequently vulnerable to denial of service attacks, data sniffing, IP address spoofing, and malicious code attacks embedded in legitimate traffic. Additional security measures such as strong security policies, intrusion monitoring, virus and spyware protection, logging, and automated auditing tools should be implemented to complement the firewall and provide a deeper scope of protection.
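The two paragraphs above describe a rule set evaluated against incoming and outgoing traffic, with a log of what was allowed and what was blocked at the choke point. The following is an added example, not part of the guide, that models that evaluation so the behaviour of ordered rules and the implicit default deny can be seen concretely. The addresses (a public web host at 203.0.113.10, an internal range of 10.0.0.0/8) and the rules themselves are constructed assumptions; a real firewall's rule language will differ, but the first-match-wins and default-deny semantics are the point.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" (toward the internal network) or "out"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None for any port
    comment: str = ""      # ties the rule back to the policy that justifies it


# Constructed rule set (assumed addresses). Rules are evaluated in order,
# first match wins, and anything unmatched falls to the final implicit deny,
# so the policy has to state what is permitted rather than what is forbidden.
RULES: List[Rule] = [
    Rule("allow", "in",  "0.0.0.0/0",  "203.0.113.10/32", "tcp", 443, "public HTTPS"),
    Rule("deny",  "in",  "0.0.0.0/0",  "203.0.113.0/24",  "tcp", 23,  "telnet, logged explicitly"),
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",       "tcp", 443, "staff web access"),
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",       "udp", 53,  "DNS"),
]


def evaluate(rules: List[Rule], direction: str, src: str, dst: str,
             proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). An index of None means the
    packet matched nothing and hit the implicit default deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for index, rule in enumerate(rules):
        if rule.direction != direction:
            continue
        if src_ip not in ipaddress.ip_network(rule.src):
            continue
        if dst_ip not in ipaddress.ip_network(rule.dst):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, index
    return "deny", None


def audit_record(rules: List[Rule], direction: str, src: str, dst: str,
                 proto: str, dport: int) -> str:
    """One log line per decision. This is the choke-point audit trail the text
    refers to: allowed traffic and blocked attempts are both recorded, and
    each line names the rule (or the default deny) that produced the decision."""
    action, index = evaluate(rules, direction, src, dst, proto, dport)
    reason = "default-deny" if index is None else f"rule{index}:{rules[index].comment}"
    return f"{action.upper()} {direction} {src}->{dst} {proto}/{dport} ({reason})"


if __name__ == "__main__":
    # constructed traffic samples
    for pkt in [("in", "198.51.100.7", "203.0.113.10", "tcp", 443),
                ("in", "198.51.100.7", "203.0.113.10", "tcp", 22),
                ("in", "198.51.100.7", "203.0.113.20", "tcp", 23),
                ("out", "10.1.2.3", "192.0.2.53", "udp", 53),
                ("out", "10.1.2.3", "192.0.2.25", "tcp", 25)]:
        print(audit_record(RULES, *pkt))
```

Two things a reviewer of a real rule base should look for are visible here: an explicit deny placed before a broader allow is the only way to carve an exception out of it, and the default-deny line in the audit log is the record of "attempts to circumvent security" that the text says the firewall should collect.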

Protect against malicious code. Malicious code, such as viruses, Trojans, worms, key loggers, and spyware, is typically transmitted through email, instant messaging, and peer-to-peer (P2P) applications, as well as in active content attached to web sites. Such code can be used to change or delete files, allow unauthorized access, transmit data outside of the network, and insert back doors into the network. Creating malicious code is not difficult; it can be as simple as writing a program, or downloading a set of configurations. While some code is written to announce its presence, most remains hidden to conduct nefarious activity undetected. Malicious code is designed to circumvent security controls and hide inside innocuous objects, such as web pages and email messages.

Security is essential since the fate of most organizations rests on the integrity of their digital information. Auditing is the mechanism that management and the board can use to ensure that the company’s information is adequately protected, that employees adhere to policies and procedures, and that new products and services meet security requirements.

Primary controls for protecting against and detecting malicious code include technology, policies and procedures, and security awareness training. Prevention and detection technologies include anti-virus and anti-spyware tools. Firewalls and gateways should be configured to scan and analyze files and reject executable code before it enters the network. The use of intrusion detection tools should also be considered. Automated logging, monitoring, and reporting of security events, network activities including program changes and user activities is imperative. Policies and procedures also need to be developed, communicated, and enforced throughout the organization. At a minimum, policies and procedures should address accepted and unaccepted use of:

• Software
• Computer equipment
• Network devices
• Instant messaging
• Email and attachments
• Internet and file transfers

Security awareness training should be provided to employees and customers. Training should include information on the latest threats, the methods used to transmit malicious code, and techniques to counteract them—such as not opening unexpected messages, not opening attachments from unknown sources, and not allowing or accepting file transfers in P2P communications.
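The text above says gateways should "scan and analyze files and reject executable code before it enters the network". The following is an added example, not code from the guide, showing the core of such a check for email attachments: the decision is made on the file's leading bytes (its magic number), so a binary renamed to look like a document is still caught, and only secondarily on the file name, so a double extension such as photo.jpg.exe is also refused. Archives are neither accepted nor rejected outright but routed for recursive inspection. The sample attachments are constructed byte strings, the blocked-extension list is an assumed policy choice, and the signatures are the standard ones for PE, ELF, Mach-O, interpreter scripts and ZIP.

```python
from typing import Dict, Tuple

# Executable content is recognised by its leading bytes, not its name, so a
# renamed binary ("invoice.pdf" that is really a Windows program) still trips.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
    b"\xfe\xed\xfa\xce": "Mach-O executable (32-bit)",
    b"\xfe\xed\xfa\xcf": "Mach-O executable (64-bit)",
    b"\xcf\xfa\xed\xfe": "Mach-O executable (64-bit, little-endian)",
}
# Containers are not executable themselves but can carry executables, so they
# need unpacking and recursive classification rather than a plain accept.
CONTAINER_MAGIC = {b"PK\x03\x04": "ZIP archive"}

# Assumed policy: extensions the gateway refuses regardless of content.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jar", "msi"}


def classify_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ("reject" | "inspect" | "accept", reason) for one attachment.
    Content is checked before the name, so a mismatch between the two can
    never result in an accept."""
    head = data[:8]
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return "reject", f"content is {label}"
    # Look at every extension in the name so that "photo.jpg.exe" and
    # "photo.exe.jpg" are both caught.
    parts = filename.lower().split(".")[1:]
    blocked = [p for p in parts if p in BLOCKED_EXTENSIONS]
    if blocked:
        return "reject", f"blocked extension .{blocked[0]}"
    for magic, label in CONTAINER_MAGIC.items():
        if head.startswith(magic):
            return "inspect", f"{label}: unpack and classify contents"
    return "accept", "no executable signature"


# Constructed sample attachments (not real files): name -> leading bytes.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,   # renamed PE binary
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",                  # genuine PDF header
    "photo.jpg.exe": b"\xff\xd8\xff\xe0\x00\x10JFIF",                # JPEG bytes, bad name
    "patch.sh": b"#!/bin/sh\necho hello\n",                          # interpreter script
    "docs.zip": b"PK\x03\x04\x14\x00\x00\x00",                       # archive
}


def screen(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every attachment of a message; the message is held if any
    attachment is rejected and queued for deeper scanning if any needs it."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, *classify_attachment(name, data))
```

This is only the first layer the paragraph calls for: the signature check answers "is this a program?", and the anti-virus engine the text also requires answers "is this a known bad program?". The order matters because the first question is cheap and catches the renamed-binary case that an extension filter alone misses.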

Collect and log data. Security-related data must be collected and maintained in secure log files in order to identify unauthorized access attempts and security violations. Once collected, the log files should be reviewed and analyzed on a regular basis. Done properly, log data management and reporting can provide staff and senior management with timely information to make informed just-in-time decisions that will positively affect the organization’s operational efficiency. Done improperly, log management will drain valuable staff time and corporate capital and expose the organization to compliance and operational risk. Logging can produce an excessive amount of data. Many companies have found that managing and using such volumes of data is difficult and time consuming. Therefore, decisions regarding which information to log should be based on a corporate risk assessment that has identified relevant threats to your network. In addition, many companies are deploying security event management appliances to streamline and consolidate log data collection, analysis, and reporting. Such appliances can help create an enterprise risk management strategy and deliver meaningful and actionable metrics to management.

In general, organizations should consider logging the following information:

• Firewall events
• Intrusion attempts
• Internal network traffic
• Network performance
• Program changes
• Inbound and outbound Internet traffic
• Operating system, application, and remote access

Logging all activities can generate copious amounts of information, some relevant and some not so relevant. It is important to distinguish low-risk activities from higher-risk activities that warrant logging and reporting. For example, for an operating system, a high-risk activity that should be logged and monitored is all high-level administrative or root access; for application systems, users and objects with write and execute privileges, disabled or deleted accounts, and log file modifications should be logged and monitored, as well as any successful and failed remote login attempts. All intrusion attempts – successful and unsuccessful – should be logged and reviewed. Logging and monitoring network performance is essential. Key areas to log include system uptime and downtime, system capacity, and response times.

Log files contain sensitive information and are critical to investigating and prosecuting security incidents. Therefore it is imperative that the integrity of the files is maintained through encryption, restricted access, and monitoring.
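The two paragraphs above list the high-risk events worth pulling out of a log (root or administrative access, disabled or deleted accounts, log file modifications, failed remote logins) and then require that the integrity of the log files themselves be maintained. The following is an added example, not code from the guide, that does both over a handful of constructed log lines: `detect()` flags the high-risk events and counts repeated failed remote logins per user and source, and `chain()` / `first_tampered()` show one way to make a log tamper-evident by chaining a hash through every line, so an edited or deleted line is located rather than merely suspected. The line format, the hosts, the addresses and the threshold of three failures are all assumptions for the demo.

```python
import hashlib
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample lines in a simple "timestamp host program: message" shape.
# They are not the output of any real system.
SAMPLE_LOG = [
    "2010-08-20T10:01:02 srv1 sshd: Failed password for admin from 198.51.100.20 port 4433",
    "2010-08-20T10:01:05 srv1 sshd: Failed password for admin from 198.51.100.20 port 4434",
    "2010-08-20T10:01:09 srv1 sshd: Failed password for admin from 198.51.100.20 port 4435",
    "2010-08-20T10:01:40 srv1 sshd: Accepted password for alice from 10.0.0.8 port 5001",
    "2010-08-20T10:02:00 srv1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/su -",
    "2010-08-20T10:02:30 srv1 sshd: Accepted publickey for root from 198.51.100.20 port 4440",
    "2010-08-20T10:03:00 srv1 audit: path=/var/log/auth.log op=write user=bob",
    "2010-08-20T10:03:10 srv1 app: user=carol action=view report=quarterly",
]

FAILED_LOGIN = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_LOGIN = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
SUDO_COMMAND = re.compile(r"sudo: (\S+) .*COMMAND=(\S+)")
LOG_FILE_WRITE = re.compile(r"path=(/var/log/\S+) op=(write|unlink|truncate)")
SHELL_ESCALATION = {"/bin/su", "/usr/bin/su"}   # assumed list of commands that grant root


def detect(lines: List[str], failed_threshold: int = 3) -> List[Tuple[str, str]]:
    """Return (finding kind, evidence) for the high-risk events in `lines`.
    Single failed logins are low-risk noise; only a run of them from one
    source against one account is reported."""
    findings = []
    failures = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED_LOGIN.search(line)
        if m and m.group(1) == "root":          # direct root access is always reported
            findings.append(("root-login", line))
            continue
        m = SUDO_COMMAND.search(line)
        if m and m.group(2) in SHELL_ESCALATION:
            findings.append(("privilege-escalation", line))
            continue
        if LOG_FILE_WRITE.search(line):         # writes to the log store itself
            findings.append(("log-file-modified", line))
    for (user, src), count in failures.items():
        if count >= failed_threshold:
            findings.append(("repeated-failed-login", f"{count} failures for {user} from {src}"))
    return findings


def chain(lines: List[str]) -> List[str]:
    """Hash chain over the log: each digest covers the line and the previous
    digest, so the last digest commits to the whole sequence. The digests are
    kept apart from the log (or shipped to a separate collector) so that
    whoever edits the log cannot also rewrite the chain."""
    digests, prev = [], ""
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered(lines: List[str], digests: List[str]) -> int:
    """Index of the first line whose chained digest no longer matches, or -1
    if the log is intact. A deleted line shows up at the point of deletion
    because every later digest depends on it."""
    prev = ""
    for i, line in enumerate(lines):
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if i >= len(digests) or digests[i] != prev:
            return i
    return -1 if len(lines) == len(digests) else len(lines)


if __name__ == "__main__":
    for kind, evidence in detect(SAMPLE_LOG):
        print(kind, "|", evidence)
    print("intact:", first_tampered(SAMPLE_LOG, chain(SAMPLE_LOG)) == -1)
```

The chain is not a substitute for the restricted access and monitoring the text requires, since an attacker who can rewrite both the log and its digests defeats it; its value is that the digests can be stored somewhere the log writer cannot reach, which turns "the log was modified" from a suspicion into a verifiable statement about a specific line.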

Detect and prevent intrusions. Systems fail and intrusions occur. Therefore, detection is imperative. The earlier an intrusion is detected, the greater the ability of the organization to mitigate the risk. Intrusion detection is considered the second line of perimeter defense, after the firewall. Intrusions can lead to malicious acts such as: identity theft; compromise of confidential information; and unauthorized changes in files, systems, and device configurations. An organization’s ability to detect and prevent intrusions adds more depth to its defensive security posture.

Detecting and preventing intrusions can be done in several different ways. Robust logging and monitoring is one important piece of any intrusion detection process. There are also hardware- and software-based appliances: intrusion detection systems (IDS) detect known attack definitions (signatures) in traffic that has penetrated the firewall or circumvented other security controls, and identify policy violations and policy misconfigurations. While an IDS may be effective at identifying intrusions, it does not protect against or block the attack. Intrusion prevention systems (IPS) are considered the second generation of IDS and proactively block attacks by identifying unique characteristics or signatures or abnormal traffic behaviors.

Organizations must be aware that intrusion detection alone will not mitigate the risk of an intrusion. Mitigation can only occur with a timely and appropriate response. A prudent response program incorporates people and processes in addition to technology, and starts with the creation of a computer security incident response team (CIRT) that will be the initial responder when an incident is identified. In addition to the CIRT, policies must be developed to guide the organization and team in responding to an event. Types of events and the specific procedures to be followed also need to be defined. The development of an incident response program is mandated by regulation. The timely detection of intrusion coupled with being prepared to respond is vital to minimizing financial, production, and operational losses. Specific actions and responsibilities need to be pre-assigned and the appropriate training provided. In addition, containment and restoration strategies need to be outlined that address: isolation of the compromised system; increased monitoring; collection and preservation of evidence; and notification to law enforcement, regulators, and other affected parties.

Dispose of information and media. Federal and state laws mandate that all entities who collect and maintain confidential consumer data must properly dispose of the information when it is no longer needed. Best practices also dictate that any confidential and sensitive information, such as customer, financial, or corporate data, must be properly disposed of regardless of form (electronic or paper). This requirement also extends to disposal of the media that is used to collect or store data—hard drive, USB device, optical disk, tape, or CD. The primary and most accepted method of disposing of paper documents is shredding with an automated shredding device.

All companies should have a formal policy for disposing of sensitive information. Employees should know that it is not acceptable to simply dispose of sensitive materials in open trash bins. If this includes the use of shredders, shredder bins that are used to collect paperwork should be locked. Contractors that pick up these bins and dispose of the materials must provide a valid audit trail that shows all materials were properly destroyed.

When disposing of electronic records, erasing the data that is maintained on hard drives, CDs, memory sticks, and other devices is not sufficient. Unless the information is completely overwritten, hidden files and data will remain on the device. There are a number of software products available that wipe devices clean of pre-existing data. Other methods involve the complete destruction of the device or media prior to disposal.

Monitor and update. Monitoring and updating the security program is essential to maintaining the effectiveness of the program. A static program will be ineffective over time and can leave the organization with a false sense of security. Monitoring should include both non-technical as well as technical issues. Non-technical issues would include changes in business processes, policies and procedures, locations, sensitivity of data, key personnel, and organizational changes. Technical issues include monitoring for vulnerabilities, changes in systems, service providers, configuration, users, products, and services. When changes do occur, it is imperative that they are reviewed for accuracy and legitimacy and the program is adjusted to reflect the changes and ensure continued security and operational success. Accidental changes can be just as damaging as malicious or fraudulent change activities, resulting in increased costs for remediation and potential losses or a negative effect on the organization’s top-line revenue. Best practices mandate the monitoring of all changes, intended and unintended, that will create an audit trail that details when, what, and how the change occurred. The use of automated change control and audit tools will also enhance operational efficiency by increasing the effectiveness and productivity of your security personnel.

Each change can potentially create a vulnerability or weakness in the security program if not properly evaluated, tested, and deployed. Therefore, strong change control procedures and monitoring are critical to reduce the exposure to financial losses, reputation damage, and loss of productivity.
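The monitoring the two paragraphs above call for, an audit trail of every change to systems and configuration whether intended or not, is in practice built on a recorded baseline that is re-compared on a schedule (the same approach the later "How Tripwire Enhances Security" section describes for Tripwire's change auditing). The following is an added example written for this guide, not Tripwire's code or any product's, that shows the mechanism at its simplest: hash every regular file under a root, record content hash, permission bits and size, and diff a fresh scan against the stored baseline. The scenario in `demo()` (a directory tree, an edited configuration file, a dropped file, a permission change and a deletion) is constructed in a temporary directory and is not a real system.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]   # (sha256 hex of content, permission bits, size)


def build_baseline(root: str) -> Dict[str, Entry]:
    """Walk `root` and record content hash, permission bits and size for every
    regular file, keyed by path relative to root. Permission bits are kept
    because a file can be made world-writable without its content changing."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue   # symlinks, sockets and devices are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            baseline[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def compare(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Diff a fresh scan against the stored baseline. Every entry in the
    result is a change that must be reconciled against an approved change
    record; anything that cannot be reconciled is an incident."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: take a baseline, make four kinds of
    change an operator might not have approved, re-scan and report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        files = {                                     # constructed contents
            "etc/passwd": (b"root:x:0:0:root:/root:/bin/sh\n", 0o644),
            "etc/ssh_config": (b"PermitRootLogin no\n", 0o644),
            "bin/tool": (b"#!/bin/sh\necho ok\n", 0o755),
        }
        for rel, (content, mode) in files.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as f:
                f.write(content)
            os.chmod(path, mode)
        before = build_baseline(root)

        # changes the next scan must surface
        with open(os.path.join(root, "etc", "ssh_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")                 # content changed
        with open(os.path.join(root, "bin", "unexpected"), "wb") as f:
            f.write(b"#!/bin/sh\n")                           # new file appeared
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)  # permissions only
        os.remove(os.path.join(root, "bin", "tool"))          # file deleted

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

The baseline itself is the control's weak point: it has to be stored where the monitored system's administrators cannot silently update it, or an unauthorized change can be hidden by re-baselining, which is why the text insists on separating those who make changes from those who validate them.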

Test security. To assure that its security strategies are adequate, each organization must test its controls against the risk events that were identified through its formal assessment of risks. The higher the probability and negative effect of a risk event, the greater the need to validate the effectiveness of the security controls. The type of test to perform and the frequency should also be based on risk.

Prior to testing, detailed test plans need to be developed to ensure testing is appropriate, and controls need to be established to reduce the risk to data integrity and confidentiality and to ensure availability during the test. Test results need to be measurable and traceable to provide assurance that the security strategy is meeting security objectives.

There are a variety of testing methodologies and tools available, many of which can be automated to improve efficiency and enable independence. Independent diagnostic tests include penetration tests, audits, and gap assessments that are performed by credible individuals who are considered independent of the design, installation, maintenance, and operation of the test subject area. Examples of resources that will help support and streamline the testing efforts include: log and audit files generated via security event management systems, change management reports, automated audit tools coupled with penetration testing, prior security gap assessment findings and recommendations, and internal IT audit findings and recommendations from prior audits.

No one control or solution can guarantee 100 percent security. High-performing organizations understand that business and technology risk management best practices mandate a defense-in-depth security approach that includes multiple controls and can be validated with internal and external audit resources. When properly aligned with the organization’s risk profile, all of the controls discussed above help to establish a prudent risk-based security posture. When properly aligned with the organization’s business goals, audit personnel and tools can validate the appropriateness of these controls and help to ensure operational excellence and a secure infrastructure.

IT AUDIT

An overall risk management policy, including a user conduct policy, will help ensure individual accountability and contribute greatly to information security. However, organizations must also audit their systems and personnel compliance. Routine, independent reviews of security systems and procedures will ensure the organization has adequate protection in place, confirm they are working as designed, and confirm that employees are using them effectively. Audits will highlight an organization’s strengths and weaknesses, and make recommendations for improvement.

While auditing is an evaluation of compliance with established standards, auditors’ standards can vary and there is no one-size-fits-all method for conducting security assessments. In fact, a variety of approaches are recommended and commonly used.

The four main approaches to security auditing are organizational audit, results-based audit, point-in-time audit, and an extended-period audit. Each method focuses on different functions and scope to produce assessment reports ranging from a snapshot of specific application performance to an enterprise-wide evaluation of overall security effectiveness.

An organizational audit reviews the organization’s security management processes and functions. Its focus is to ensure that a management function is in place and that security managers and IT managers are using best practices to keep systems operating effectively.

A results-based audit is an approach where an auditor reviews the security practices within the individual business units and assesses the security understanding of managers and staff. In an effective security program, operating management and staff take responsibility for protecting the organization’s assets. A results-based audit confirms that this is occurring.

The point-in-time systems audit employs various diagnostic tools to gauge the effectiveness of a security maintenance program and probe for weaknesses in the organization’s defenses. An auditor should not find many gaps in an organization that has an enthusiastic and professional security staff on board. After all, information security professionals understand the necessity of continuously monitoring for new and emerging threats to the organization. What the auditor brings to the table is that fresh perspective in judging security performance.

An extended-period audit assesses the security program’s performance over a period of time. It leverages the efforts of all the previously mentioned audit approaches and results, and it provides an overall assessment of the information security program. This type of audit is also useful for reviewing new products, services, or IT initiatives over time. For example, eCommerce initiatives should be audited throughout their development life cycles.

Audit can provide strategic, operational, and tactical value to an organization’s information security program. Auditing is:

• Management’s tool for ensuring that the organization has the proper resources, systems, and processes for maintaining efficient and effective security. Audits will tell management and the board that business units understand the importance of security and adhere to policies, critical systems are secure, and if programs are in place for continually updating and strengthening safeguards against threats.

• An important resource for the board and senior executives to help them understand security details and the role of information technology in successful operations.

• An assurance tool for management and the board to know that all that should be done is being done. By ensuring qualified professional reviews and tests are performed, the board and management can advance their goal of overseeing information security and ensuring its continuous improvement and effectiveness.

• An independent validation resource that the organization’s security efforts are proactive and effective against current and emerging threats.

INFORMATION SECURITY SELF ASSESSMENT CHECKLIST

Rate your company’s Ops readiness on each question: No/Rarely, Yes/Sometimes, or Needs Improvement.

1. Do you believe the organization has an effective security management program?

2. Is information security a regular agenda item at your board meetings?

3. Does management report regularly to the board on the state of information security?

4. Is information security included in the board’s risk management discussions?

5. Has responsibility for information security been assigned to a senior executive and does that person have the needed organizational status and resources required to deliver the results needed?

6. Does the internal audit function include information security in its audit plan?

- Do the audit results indicate a positive trend?

7. Are self assessments by line management and the security function performed regularly, and are lessons learned from these efforts used to strengthen information security practices?

8. Have information security policies and procedures been established and are they well understood?

9. Has a formal IT risk assessment process been implemented to facilitate the proactive identification of issues and risks that need to be addressed?

- Is it working well?

10. Has the resourcing of the information security program efforts kept up with the demands and needs of the organization?

- Are there any significant gaps in resources? (e.g. skill sets, manpower, tools, other resources)

11. Is there a robust awareness and motivational program regarding information security?

12. Do management and staff understand the current business environment regarding privacy and security requirements and the challenges regarding privacy of client information and security of corporate informational assets?

13. Is there an IT security management framework that is documented, in place, and appropriately resourced to meet the needs of the organization?

14. Does an IT security policy exist and does it include appropriate security management directives, including a life cycle that adequately addresses the approval, review, and update of the IT security policy on an ongoing and as-required basis?

15. Is there a risk management process as a formal component of the IT security policy?

16. Is compliance with the IT security policy confirmed through a formal audit process?

17. Are operational roles, responsibilities, and services documented, in place, and appropriately resourced, and are they current and being followed?

18. Have business impact assessment (BIA) and business continuity plan (BCP) processes been implemented?

- Are they consistent with the risk management and IT security policies and procedures, and are they operating effectively?

19. Is there a documented and implemented operational certification and accreditation process of any new system as part of a change management process?

20. Is there an approved incident response process that allows for a timely response to threat events?


HOW TRIPWIRE ENHANCES SECURITY

Assuring IT security—protecting data and network infrastructure systems—is one of the enterprise’s most important objectives. In addition to protecting against external threats, a layered security strategy is fundamental to achieving compliance and ensuring high-availability operations.

Recommended as a security best practice by SANS and CERT, Tripwire change auditing software has long been recognized as a leading intrusion detection solution and is featured in the National Security Administration’s 60-Minute Security Guide. Tripwire completes a comprehensive, layered security strategy by providing change reporting, system state recovery, and forensics.

Change and Intrusion Detection. Tripwire change auditing software establishes a system baseline and immediately detects changes to the baseline for any monitored IT infrastructure systems, including servers, desktops, switches, routers, firewalls, load balancers, directory services, and other devices. Regardless of whether the change originated internally or externally, or was authorized, accidental, or malicious – Tripwire detects change and notifies staff immediately. Immediate detection and rapid notification minimize enterprise risk, decrease exposure, and enable rapid recovery.

Accurate, Independent Change Reporting. Any change to file systems and other critical system configurations is reported with 100 percent accuracy. Tripwire software provides an independent detection control, separating those individuals who are authorized to make changes from those authorized to validate changes – an important requirement of many security and compliance regulations.

Maximize Enterprise Network Security. Tripwire can be deployed enterprise-wide, complementing existing security solutions and network management systems, to improve the organization’s overall security posture. If unauthorized or unplanned change occurs, Tripwire reports exactly what changed, when it changed, and who changed it.

Enforce Security Policies. Having the ability to enforce infrastructure change management and security policies provides a powerful deterrent to malicious activity.

Minimize the Consequences of Exposure. With rapid notification, Tripwire software accelerates troubleshooting. IT staff can quickly identify what changed and establish the impact of the change, returning systems to normal as quickly as possible and mitigating potential harm to the enterprise and its systems. Tripwire can also enable automatic remediation to a known trusted state.

Guard the Guard. Tripwire software can be used with measures such as personnel policies, change and configuration management, identity management, and perimeter security products to control change across the enterprise, as well as to verify the integrity of other security products. It enables you to verify that servers and network devices remain in a known and trusted state – even protecting the systems designed to protect the enterprise.

Forensic Documentation. If a breach occurs, Tripwire is the most powerful tool you can own. It provides a system baseline for comparison and rapid recovery and can also be used to verify the authenticity of evidence files and the system used to examine the related fraud or security breach events.

PAYMENT CARD INDUSTRY (PCI)

BACKGROUND

In 1999, Visa International developed and approved the Cardholder Information Security Program (CISP)—a data security standard for the protection of credit card data. CISP focuses primarily on the protection of credit card account information and became mandatory in June 2001. Most of the other credit card associations created similar programs, including Mastercard’s Site Data Protection (SDP), American Express’ Data Security Operating Policy (DSOP), and Discover’s Discover Information Security and Compliance (DISC).

In December 2004, as a result of increased public scrutiny, the measures previously taken to protect the privacy and security of personal information fueled a new standard: the Payment Card Industry (PCI) Standard. It was published as a joint effort between all major credit card associations. The PCI Standard presents a unified approach to safeguarding credit cardholder data that is agreed upon between the associations.

The PCI Standard has also been adopted as the baseline for the Visa International Account Information Security (AIS) program, affecting organizations outside the United States. The PCI Standard, in conjunction with Mastercard’s March 2005 network-scanning requirements, is recognized as a best practice for protecting credit card information. All merchants and service providers that store, process, or transmit credit card data must comply with these mandates.

IMPORTANCE FROM A MANAGEMENT PERSPECTIVE

Merchants and service providers realize that credit card associations are enforcing the PCI Standard and that the fines and penalties for noncompliance are real. The PCI Standard can also serve as a starting point for organizations seeking prudent IT controls for handling all types of sensitive information—not just cardholder data. The standard offers excellent ideas for approaching this sometimes overwhelming task.

ENABLING COMPLIANCE

The PCI Standard is based on Visa’s original CISP requirements. It combines technical, physical, and administrative controls; educational requirements; policies; and regular audits to create a strong basis for cardholder data security. The PCI criteria, nicknamed the “Digital Dozen,” cover six general categories comprising the following 12 major requirements. Each requirement is further supported by 175 sub-requirements that provide detailed information on the steps necessary to comply with the Digital Dozen.1

Build and Maintain a Secure Network

• Requirement 1: Install and maintain a firewall configuration to protect data.
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

• Requirement 3: Protect stored data.
• Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program

• Requirement 5: Use and regularly update anti-virus software.
• Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

• Requirement 7: Restrict access to data by business need-to-know.
• Requirement 8: Assign a unique ID to each person with computer access.
• Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

• Requirement 10: Track and monitor all access to network resources and cardholder data.
• Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

• Requirement 12: Maintain a policy that addresses information security.

For organizations that handle cardholder data, PCI Standard compliance is as mandatory as the Sarbanes-Oxley Act and Gramm-Leach-Bliley legislation. However, there are some major differences when comparing the audit and enforcement implications. For example, the PCI Standard is published and enforced by the credit card associations through their respective programs. Non-compliance is not punishable by law and is not enforced by the state’s attorney general or federal agencies. Instead, auditors from the respective credit card associations determine an organization’s compliance. Unlike cases of federal enforcement, the “waiting to see what the courts say” strategy is irrelevant. A judge does not determine associated fines and penalties. The credit card associations can levy fines and penalties for PCI non-compliance immediately and arbitrarily. Action can be quick and painful, such as in the case of CardSystems Solutions.2

That said, many companies that must comply with the PCI Standard are also subject to other regulatory requirements. By implementing effective security controls to comply with the PCI Standard, an organization can apply the same safeguards throughout the enterprise to all types of classified data. It only makes sense to do so, since a significant effort and investment already goes into the application of the PCI Standard within the organization.

1 Additional information on the 175 sub-requirements is available at http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf

2 Visa and AMEX terminated relationships with CardSystems Solutions within 2 months of an announced data leak by CardSystems. Following a review that was triggered by the data leak, Visa and Amex found that CardSystems’ processing practices were in violation of the PCI Standard and did not have the appropriate controls to protect cardholder data.

OPPORTUNITIES TO IMPROVE OPERATING EFFICIENCY

Establishing and following proper change control and auditing procedures is a crucial aspect of a sound information security strategy. Without strong change control processes, the company’s ability to identify, investigate, and roll back unwanted changes is almost non-existent. The organization’s technology infrastructure’s availability, stability, and reliability also are at risk.

The PCI “Digital Dozen” focuses on change control and auditing in several requirements:

• Requirement 1 – install and maintain a firewall configuration to protect data
  - 1.1.1 – establish firewall configuration standards that include a formal process for approving and testing all external network connections and changes to the firewall configuration
• Requirement 6 – develop and maintain secure systems and applications
  - 6.4 – follow change control procedures for all system and software configuration changes
• Requirement 10 – regularly monitor and test networks
  - 10.2 – implement automated audit trails to reconstruct…events for all systems components
  - 10.3 – record…audit trail entries for each event for all systems components
  - 10.5 – secure audit trails so they cannot be altered. Tripwire is mentioned by name in section 10.5.5: “use file integrity monitoring/change detection software (such as Tripwire)”

SPECIFIC PCI MANDATES ADDED OPPORTUNITIES TO IMPROVE OPERATIONS

Encryption and Hashing – PCI 3.4 demands that credit card numbers, at a minimum, are protected through the use of encryption, hashing, truncation or index tokens.

Of course, a solution deployed to handle the encryption of credit card numbers can also be used to encrypt other forms of sensitive information at no additional cost. Altering search algorithms to use hashed values instead of real values is a good risk mitigation strategy, which could be implemented just as easily for other records as for credit card numbers.
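As an added illustration of PCI 3.4 and of the paragraph above (this is example code written for this guide's topic, not code from the guide or from Tripwire), the following Python sketch applies three of the named techniques to constructed sample card numbers: truncation for display, a keyed hash as the searchable value, and random index tokens backed by a separate vault. The choice of HMAC-SHA256 for the hash, the fixed key, the test PANs, and the TokenVault class are all assumptions of this example; the page itself only says "hashing".

```python
"""PCI 3.4-style protection of stored primary account numbers (PANs).

Constructed example: truncation, keyed hashing, and index tokens side by side.
The PAN is never written to the application record, only to the vault.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: a per-deployment secret held in a key-management system.
# A fixed value is used here only so the example is reproducible offline.
HASH_KEY = b"constructed-example-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it reaches storage (Luhn check digit)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Display form: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA256) used as the search key in place of the real PAN.

    The space of valid PANs is small and structured, so an unkeyed digest of a
    PAN could be matched against a precomputed table by anyone holding the
    database; keying ties the search value to a secret the database never holds.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


@dataclass
class TokenVault:
    """Index tokens: a random surrogate goes into the record; the PAN lives only
    here. The vault is assumed to be encrypted at rest and access-controlled."""
    _by_token: dict = field(default_factory=dict)
    _by_hash: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("rejecting malformed PAN")
        h = hash_pan(pan)
        # Reuse the token for a card seen before so the same card always maps
        # to one token; repeat-customer and velocity checks keep working.
        if h in self._by_hash:
            return self._by_hash[h]
        token = secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_hash[h] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def store_transaction(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """The record the application database would hold: no PAN, only the
    truncated display form, the keyed hash for searching, and the token."""
    return {
        "pan_last4": truncate_pan(pan),
        "pan_hash": hash_pan(pan),
        "pan_token": vault.tokenize(pan),
        "amount_cents": amount_cents,
    }


def find_by_pan(records: list, pan: str) -> list:
    """Search by hashed value instead of the real value, as the text suggests."""
    h = hash_pan(pan)
    return [r for r in records if r["pan_hash"] == h]
```

The same three functions apply unchanged to any other sensitive identifier, which is the point the paragraph makes about reusing the card-number solution for other records; the only change is which field is passed in.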

Vulnerability Handling – PCI 6.2 requires a process to identify new vulnerabilities being published for systems that handle cardholder data.

This process could easily be expanded to all systems containing sensitive data at a trivial cost. Continuously improving the readiness of mission-critical systems against newly discovered vulnerabilities provides a big benefit to availability.

Incident Response Plan (IRP) – PCI 12.9 discusses the requirement for a comprehensive IRP, a cornerstone of a good security strategy.

Of course, developing and implementing one just for potential breaches of cardholder data simply makes no sense; instead, using the plan to respond to any incident yields a significant additional benefit for the organization.

Authentication – PCI 8.1-8.5 provides a solid guideline for implementing a strong authentication strategy.

Applying the same strategy to all mission-critical systems in the organization would take almost as much effort as applying it to just those systems that handle cardholder data.

• Requirement 11 – regularly test security systems and processes
  - 11.5 – deploy file integrity monitoring to alert personnel to unauthorized modifications of critical system or content files, and perform critical file comparisons at least daily

PCI Standard change control requirements affect all systems and network components, underlining the importance of related processes and procedures. This requires more than just change control—reporting, monitoring, and auditing are also required.
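To make concrete what the file integrity monitoring referenced in 10.5.5 and 11.5 actually does, here is an added Python example (written for this guide, not Tripwire's code and not taken from the page) that baselines a constructed directory tree, re-scans it, and reports added, deleted and modified files together with the attribute that changed. It also signs the stored baseline with an HMAC so that edits to the baseline file itself are rejected on load, which is the 10.5 concern that audit trails cannot be altered unnoticed. The directory contents, file names and signing key are all constructed for the example.

```python
"""Minimal file integrity monitoring (FIM) of the kind PCI 10.5.5 and 11.5 call for.

Constructed example: baseline critical files, re-scan, report additions,
modifications and deletions, and keep the stored baseline tamper-evident (10.5).
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumption: held in a key store off the monitored host; fixed here so the
# example runs offline.
BASELINE_KEY = b"constructed-baseline-signing-key"
ATTRS = ("sha256", "size", "mode")


def file_record(path: Path) -> dict:
    """Content digest, size and permission bits. A mode change alone (a config
    file made world-writable, say) is a reportable integrity violation."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root: Path) -> dict:
    """Record every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as added, deleted or modified, naming the attributes that changed."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "deleted": sorted(baseline.keys() - current.keys()),
              "modified": {}}
    for rel in sorted(baseline.keys() & current.keys()):
        changed = [a for a in ATTRS if baseline[rel][a] != current[rel][a]]
        if changed:
            report["modified"][rel] = changed
    return report


def save_baseline(records: dict, path: Path, key: bytes = BASELINE_KEY) -> None:
    """Deterministic JSON plus an HMAC, so edits to the baseline file are detected on load."""
    body = json.dumps(records, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    path.write_text(json.dumps({"records": records, "mac": tag}, sort_keys=True))


def load_baseline(path: Path, key: bytes = BASELINE_KEY) -> dict:
    """Refuse a baseline whose MAC does not verify; a doctored baseline would hide changes."""
    doc = json.loads(path.read_text())
    body = json.dumps(doc["records"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), doc["mac"]):
        raise ValueError("baseline integrity check failed")
    return doc["records"]


def demo() -> dict:
    """Constructed scenario: baseline a small 'etc' tree, then make four kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(root / "passwd", 0o644)
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")  # content changed
        os.chmod(root / "passwd", 0o666)                                  # permissions only
        (root / "hosts").unlink()                                         # file deleted
        (root / "rc.local").write_text("echo added\n")                    # file added
        return compare(load_baseline(baseline_file), snapshot(root))


def tampered_baseline_rejected() -> bool:
    """Edit a saved baseline without re-signing and confirm load_baseline rejects it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "baseline.json"
        save_baseline({"x": {"sha256": "00", "size": 1, "mode": 0o644}}, path)
        doc = json.loads(path.read_text())
        doc["records"]["x"]["mode"] = 0o666  # would make a later permission change look approved
        path.write_text(json.dumps(doc))
        try:
            load_baseline(path)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule (11.5 asks for comparisons at least daily) the compare report is what gets routed to personnel; the signed baseline is the piece that keeps the detective control itself trustworthy, since an attacker who can rewrite the baseline can otherwise make any change look expected.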

IT AUDIT

Once you have completed the self assessment questionnaire, it is recommended that you also review the more comprehensive PCI questionnaire supplied by Visa. The PCI Standards are documented at: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf

PCI AUDIT SELF ASSESSMENT CHECKLIST

Questions (rate your company’s ops readiness for each as No/Rarely, Yes/Sometimes, or Needs Improvement):

1. Do you have an enterprise-class firewall, configured together with your network devices to limit traffic to just that which is required to conduct business?

2. Do you always change the vendor defaults on all devices - network, security, systems - attached to your corporate network?
   - Do you harden your production systems?

3. Do you store cardholder information to the minimum necessary to conduct business?
   - Do you employ a comprehensive protection strategy to protect such data wherever it is stored?

4. Do you protect, through the use of established cryptographic techniques, cardholder data whenever it is being transmitted?

5. Do you have an enterprise anti-virus solution resident and current on all your systems?

6. Do you continually update your systems for security?
   - When developing web applications, do you employ established coding best practices?
   - Do you have a change control process?

7. Do you utilize strictly defined role-based access restrictions for access to cardholder information?

8. Is your authentication system designed to at all times identify the specific user accessing data, and prevent impersonation and misuse?

9. Do you have strong controls surrounding physical access to the cardholder environment?

10. Do you continually track, monitor and audit all access to network and systems within the cardholder environment?

11. Do you regularly and rigorously test the security status of all devices within the cardholder environment?

12. Do you have a comprehensive security policy that addresses all components of your organization's security program?


HOW TRIPWIRE HELPS MEET PCI REQUIREMENTS

Tripwire solutions can help organizations achieve PCI compliance, specifically by providing file integrity monitoring, firewall and router security compliance monitoring, and IT change controls. Tripwire detective controls alert IT staff when critical files are modified and enable them to perform critical file checks whenever necessary.

Comprehensive Control. Tripwire enables IT teams to gain more control over infrastructure change by providing:

• Automated change control that isn’t susceptible to human error or lapses in judgment.
• Broad infrastructure coverage of changes on servers, workstations, directory services, and network devices, including changes made either manually or by automated tools.
• Independent controls, by segregating the individuals or tools that make changes from those that are used to validate changes.
• Data and reporting capabilities that prove controls are in place and effective, simplifying audit readiness.
• A record of all integrity checks and detected violations for use in audits, investigations, and historical reference.

Achieve PCI Compliance More Quickly. Tripwire change auditing solutions help organizations meet 7 out of 12 PCI requirements:

Req. 1 Install and maintain a working firewall to protect data. Tripwire detects and responds to any unauthorized changes to firewall rules.

Req. 2 Don’t use vendor-supplied defaults for passwords and security parameters. Tripwire can detect any systems or network devices that are out of compliance with established standards.

Req. 5 Use and regularly update anti-virus software. Tripwire detects systems with out-of-compliance signatures and can alert when the service is shut down.

Req. 6 Keep security patches current. Tripwire validates that rolled out patches are actually deployed properly and identifies any systems that are not correctly or fully patched.

Req. 8 Assign a unique ID to each person with computer access. Tripwire can detect new user IDs, as well as the modification or deletion of existing user IDs.

Req. 10 Track all access to data by unique ID. Tripwire can associate system changes to individual user accounts. This information is written to a Tripwire report file that cannot be altered.

Req. 11 Regularly test security systems and processes. Tripwire solutions monitor file integrity across the entire enterprise as frequently as desired and provide robust, flexible reporting.

Improved Operations and Security. While helping you meet PCI compliance requirements, Tripwire solutions also deliver greater visibility into enterprise-wide infrastructure change. More visibility results in greater control, enabling you to improve the organization’s overall security posture and operational performance.

COMPLIANCE RETROSPECT

A WAY OF LIFE

With increased privacy and security awareness among consumers, businesses, and elected officials, best practices are being incorporated into new laws and regulations that mandate higher operations, security, and risk management standards. Today’s organizations must be able to prove that their corporate governance, internal controls, network infrastructure, business processes, and operations are safe, sound, and secure. New laws and rules now dictate how businesses must govern, work, communicate, and securely interact throughout the internal corporate structure and with external parties such as customers and strategic resource partners. Such mandates impose obligations on directors and senior executives to ensure that effective controls are established throughout the organization. Operational excellence is no longer a prudent business decision—it is a way of life.

COMPLIANCE APPLIES TO MOST COMPANIES

For companies that are publicly traded, financial service providers, health care providers, government agencies, and others, noncompliance with new rules carries significant risk and sanctions. Common among these laws and rules are requirements that all companies be proactive in strategically managing business and IT processes, applications, information, technology, facilities, and security. A company’s ability to comply with these mandates will materially affect its day-to-day success and long-term performance. Figure 1 identifies the most important laws and aligns them to the applicable covered entities within respective industries.

Figure 2 summarizes the number of laws that have been passed requiring corporations to adopt a culture of compliance accountability. Management is now accountable for creating a risk management environment that recognizes the bonds between technology infrastructure, business processes, reputation, compliance, and effective internal controls.

BEST PRACTICES ENABLE COMPLIANCE

Compliance requirements frequently offer a high-level process and risk-focused framework for achieving compliance—not detailed, actionable practices. Therefore, chief information officers, compliance officers, and other senior executives must rely on industry-recognized best practices and internal control methodologies to help them identify appropriate steps to enable compliance. Standards that are commonly referenced include those issued by The Committee of Sponsoring Organizations (COSO) or defined in the Control Objectives for Information and Related Technology (CobiT). Payment Card Industry (PCI) Data Security standards have been defined to help establish effective controls throughout merchant networks. These and other standards create new operations, technology, and information security mandates—as well as new challenges.

Figure 1

LAWS & REGULATIONS | COVERED ENTITIES | INDUSTRY
Sarbanes-Oxley Act (SOX) | All publicly traded companies and banks with assets over $500MM | All Industries
USA PATRIOT Act | All companies and individuals | All Industries
BASEL II | Internationally active banks; holding companies that are the parent of a banking group; insurance subsidiaries owned by a bank that is internationally active | Banks
Federal Information Security Management Act (FISMA) | All government agencies | Government
State Data Security Laws | Any company that retains personal information on a resident of the State | All Industries
Gramm-Leach-Bliley (GLBA) Data Protection Rule | All financial institutions | Financial Services 1
Health Insurance Portability and Accountability Act (HIPAA) Security Rule | All covered healthcare providers | Healthcare 2
SEC 17a 3 & 4 Storage of Broker Records; NASD 3010 Broker Dealer Rules | SEC regulated brokers, dealers, and transfer agents | SEC regulated financial services

1 Section 4(k) of the Bank Holding Company Act and 12 CFR 211.5(d), 12 CFR 225.28, 12 CFR 225.86(a) and (b) define “financial institution” broadly to include not only depository institutions such as banks, thrifts, and credit unions, but also numerous types of non-depository institutions.

2 Hospitals, Clinics, Physicians Groups, Independent Physicians, Chiropractic Offices, Pharmacies, Rehab Centers, Home Health Agencies, Durable Medical Equipment Suppliers, Nursing Homes, Sub Acute Facilities, Assisted Living Facilities, Third Party Payers, and Dental Offices.

COMMON COMPLIANCE IT THREADS

Figure 3, the Compliance Requirements Detail chart, identifies those practices that are mandated across multiple laws and adopted industry initiatives like PCI. Each compliance requirement carries associated costs; companies that are subject to multiple requirements must find ways to reduce their compliance costs. By focusing on the common aspects of these laws, organizations can avoid duplicate efforts and streamline their compliance program.


For example, common among many of today’s compliance mandates is the need for technology solutions that help enable a company to:

• Pass audits
• Proactively comply
• Assure data integrity
• Continuously manage risk
• Ensure business continuity
• Improve operating efficiency
• Collect, store, and archive data
• Monitor, audit, and adjust as needed
• Detect, reconcile, and report material events
• Protect sensitive customer and corporate assets
• Prevent or respond rapidly to fraudulent activities

AUDIT AND TECHNOLOGY ARE ENABLERS

Achieving compliance begins with commitment from the organization’s top executives, and achieving IT control begins with the chief information officer (CIO). When the CIO insists on defining processes and instituting a culture of effective controls and accountability, an organization will be able to achieve its compliance goals, as well as attain new levels of operational excellence. Auditors call this the “tone from the top.” Management must say and do the right things to reinforce the need for controls to be successful.

With a culture of accountability established, organizations can then optimize their use of internal audit resources, in addition to trusted partners and technologies. Auditors and audit technology can provide early insights into areas of strength. They can also help identify weaknesses that create a competitive disadvantage and potential noncompliance. And they can highlight other risks to daily operations. Organizations of all sizes are discovering that material audit findings and problems increase their audit costs, expose them to higher reputation and compliance risk, and can even lead to financial reporting errors and delays.

Adopting a “no-surprise” stance, many companies now perform pre-audit reviews to help identify problems and weaknesses early and allow sufficient time to correct problems. Many of these pre-audit reviews focus on the information technology infrastructure and use audit technology solutions to quickly identify the areas of most concern and prioritize remediation resources. While internal and external audits will always find some area of improvement, pre-audit reviews will help effectively manage formal audits and limit material findings.

Figure 2–The Compliance Decade [chart: a 1996 to 2008 timeline of laws and events (FACT, Check 21, CA SB1950, Basel II Op. Risk, Sarbanes-Oxley Act, CA SB1386, USA PATRIOT Act, SEC 17a-4, GLBA, EU Directive, Pretexting, Identity Theft) plotted against Board and Executive Focus, from Back Office Accountability to Board Room Accountability, and Risk Management, from Reactive through Real-Time to Proactive and from Project Based to Continuous]

MANDATE FOR COMPLIANCE

Over the past few years, organizations have undertaken massive efforts to implement Sarbanes-Oxley Act Sections 302 and 404 requirements. Yet many organizations face other compliance requirements in addition to Sarbanes-Oxley—HIPAA, GLBA, FISMA, environmental, and others among them. Having to comply with multiple regulations simultaneously creates process challenges—overlap of compliance efforts between multiple groups; differing audit perspectives and requirements; priority setting; and potential confusion resulting from implementing overlapping controls. As a result, an organization’s compliance program must be robust and coordinated.

Figure 3- Compliance Requirements Detail

LAWS & RULES | OPERATIONAL MANDATE

Gramm-Leach-Bliley Act Data Protection
• Protect security and confidentiality of customers’ non-public personal information
• Institute administrative, technical, & physical safeguards
• Protect against anticipated threats and hazards to information security
• Protect against unauthorized access to or use of information
• Establish a continuous risk-based information security program with:
  - Board oversight
  - Assessment of threats and vulnerabilities
  - Risk management and controls
  - Training, testing, and vendor oversight
  - Monitoring, auditing, reporting, and adjusting

BASEL II – Operational Risk
• Board oversight
• Monitor
• Controls

Identity Theft Act, Pretext Phone Calling, Phishing
• Protect personally identifiable information
• Monitor for exposure
• Rapid and comprehensive response program
• Report suspicious activity

Sarbanes-Oxley Act Section 302
• CEOs and CFOs certify financials
• Improve the transparency and reliability of audited financials
• Disclose any internal fraud
• Disclose deficiencies and corrective actions

Sarbanes-Oxley Act Section 404
• Internal control report stating that management is responsible for an adequate internal control structure
• Assessment by management on the effectiveness of the controls
• External auditor attestation to the accuracy of management’s assertion that internal controls are in place and are effective

Sarbanes-Oxley Act Section 409
• Disclose material changes in financial condition or operations on a rapid and current basis

Sarbanes-Oxley Act Section 802
• Registered public accounting firms prepare and maintain, for at least seven years, audit documentation
• Document with sufficient detail to support auditor conclusions

SEC 17a 3 & 4
• Retain books and records for no less than 3 years
• Establish written and enforceable policies
• Store data on indelible, non-rewriteable media
• Create a searchable index of all stored data
• Maintain readily retrievable and viewable data
• Store data offsite
• Third party provider ability to access and download data on demand

USA PATRIOT Act
• Risk-based systems and monitoring
• Report suspicious activity
• Verify customer identity
• Keep good records

NASD 3010
• Maintain a supervisory system over the activities of each registered representative
• Establish a formal review process for incoming and outgoing electronic correspondence that relate to investment banking or securities business

FISMA
• Assess risk of potential harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems
• Determine levels of appropriate information security
• Implement policies and procedures to cost effectively reduce risks
• Periodically test and evaluate information security controls
• Develop adequate information security for networks, facilities, and systems
• Develop procedures to detect, report, and respond to security incidents
• Develop plans and procedures to ensure continuity of operations

HIPAA Security Rule
• Access control
• Audit control
• Integrity
• Person or entity authentication
• Transmission security
• Security management process
• Assigned security responsibility
• Workforce security
• Information access management
• Security awareness training
• Security incident procedures
• Contingency plan
• Evaluation
• Business Associate contracts
• Facility access controls
• Workstation use and security
• Device and media controls

State Security Laws (e.g., California, New York, Georgia, Arkansas, Montana, Washington, North Dakota, and Indiana)
• Establish security procedures and practices
• Disclose any breach of data security
• Establish monitoring and reporting systems to identify security breaches
• Encrypt personal data

Payment Card Industry (PCI) Data Security
• Install firewall
• Reset default passwords
• Protect stored data
• Encrypt data in transmission
• Use anti-virus software
• Maintain secure systems
• Restrict logical access
• Use unique ID per person
• Restrict physical access
• Track and monitor all network access
• Regularly test systems

BEST PRACTICE STANDARDS

CoBIT
34 high-level control objectives, organized into 4 domains:
• IT Planning
• Acquisition & Implementation
• Computer Operations & Access Support
• Monitoring

COSO
• Risk assessment
• Control environment and activities
• Information and communication monitoring


It is imperative to develop a centralized, analytical oversight function for evaluating IT controls within all compliance arenas, interfacing with auditors for each area, and providing direction on the most cost-effective controls that provide the maximum simultaneous compliance benefit. Working with the CIO and other senior managers, such a resource (whether internal or outsourced) can significantly shorten compliance attainment times, enhance the organization’s overall compliance posture, and minimize business disruption.

In 1991, the United States Sentencing Commission (USSC) established the organizational sentencing guidelines (www.ussc.gov) to assist the courts in determining due diligence versus negligence and culpability of organizations in matters of compliance. The original guidelines were revised beginning in 2001, were passed by Congress, and went into effect in November 2004. They are applicable to all regulatory laws. The USSC guidelines provide a common-sense framework to assist organizations in their compliance efforts. According to the USSC guidelines an effective compliance program includes the following:

1. Standards and procedures to prevent and detect criminal conduct.
2. Responsibilities at all levels and adequate resources, and authority for the program.
3. Personnel screening related to program goals.
4. Training at all levels.
5. Auditing, monitoring, and evaluating program effectiveness.
6. Non-retaliatory internal reporting systems.
7. Incentives and discipline to promote compliance.
8. Reasonable steps to respond to and prevent further similar offenses upon detection of a violation.

COSO has also released draft guidance for smaller companies. It provides extensive guidance regarding the use of COSO’s Internal Control Framework as required by the SEC’s 404 guidance and is available at their web site (www.coso.org). An extensive collection of approaches, techniques, and varied controls will assist each business in reviewing its controls and determining what it should focus on from a documentation standpoint.

Tripwire has issued a variety of leading research papers regarding compliance in general and Sarbanes-Oxley compliance in particular. The “Darning SOX – Technology and Corporate Governance Elements of Sarbanes-Oxley” paper concludes: “Companies faced with SOX clearly need to adopt a compliance process that addresses the control, evaluation and disclosure elements of Sections 302, 404, and 409. Because information is crucial to support and enable financial reporting and other company operations, information security technologies and measures must be adapted to meet these requirements. Because the law and a company’s operations will clearly change over time, companies that adapt a change auditing approach that includes strong information technology governance measures are best positioned to equip the principal executive and principal financial officer with the tools needed to fulfill his or her duties to implement and certify the existence of internal financial controls.”

Broadly understood, compliance is the mechanism that makes governance work. It is compliance with the organization’s own required procedures that enables management of the risks that endanger the entity. Monitoring and supporting compliance is not just a matter of keeping the regulators happy; it is the way an organization monitors and maintains its health.

When considering its compliance program efforts, an organization also needs an effective audit solution to protect against regulatory, reputation, and other risks. We have prepared a self-assessment audit questionnaire to help you assess your audit preparedness. The 20 questions in the self-assessment tool are organized around six facets of an effective compliance program:3

1. Organizational culture
2. Scope and strategy
3. Structure and dedicated resources
4. Policy management and training
5. Internal enforcement
6. Evaluation and continual improvement

3 These questions were published in the Open Compliance and Ethics Group (OCEG) paper: “Does the Company get IT? - 20 Questions to Ask (And Have Answered) Regarding Compliance, Ethics, and Risk Management” (visit www.oceg.org to download the 15 page OCEG paper; it provides further information and guidance, e.g. why the questions are being asked, some potential answers, and red flags (conditions) to watch for).

Tripwire encourages management to perform a periodic compliance self-assessment. A Compliance Self Assessment Checklist is provided below to help you assess your organization’s compliance readiness and opportunities for improvement.


COMPLIANCE SELF ASSESSMENT CHECKLIST

Questions

1. Does your organization discuss compliance, ethics, and values in its formal mission and vision statements and are IT risks considered?

2. Does your Board, and management, set the “tone at the top” and communicate compliance and ethics values, mission, and vision to all staff effectively?

3. Are you able to determine if your employees and other stakeholders are “convinced” that the organization is serious about its compliance and ethics responsibilities?

4. Is the scope of your compliance and ethics programs appropriate and does it integrate with your overall business strategy?

5. Do you assess compliance and ethics risks and does this process integrate with your enterprise risk management (ERM) efforts?

6. Is there a senior position in the organization, which provides oversight and leadership for the compliance and ethics efforts and does this position have sufficient organizational status to be effective?

7. Is there a formal organizational structure for your compliance and ethics management team and is it appropriate to the needs of the organization?

8. Are resources allocated for compliance and ethics management activities, both routinely and to address significant issues that arise?

9. Does your Code of Conduct address the organization’s needs?

10. Do you distribute your Code of Conduct and confirm that employees both receive it and understand the Code and other policies?

11. Is your process for updating policies and procedures effective?

12. Can any requirements established by the Code of Conduct and other policies be waived or overridden and, if so, is there a formal and transparent process for doing so?

13. Does your management communicate the values, mission, and vision of the compliance and ethics program to employees and other stakeholders?
    - With the appropriate frequency?

14. Do you provide comprehensive training and conduct performance evaluations for each job role to ensure compliance and ethics responsibilities are understood and adhered to, and that necessary skills are learned and employed?

15. Are employees, agents, and other stakeholders able to safely raise issues regarding compliance and ethics-related matters?

16. Do you scrutinize the sources of compliance failures?

17. Has the organization been consistent when taking action against violators of the Code and Program?

18. Is there a process for determining which issues are escalated to the Board and for informing the Board when issues are resolved?

19. Is there an ongoing process in place to monitor the effectiveness of the compliance and ethics program?

20. Does the organization engage an external law firm or consultant to audit compliance and ethics program elements?

Rate Your Company’s Ops Readiness

No/RarelyYes/SometimesNeeds

Improvement


USING TRIPWIRE TO ACHIEVE AND MAINTAIN COMPLIANCE

Common to all regulations are requirements to assure security, prove effectiveness and separation of controls, document changes, and be able to provide underlying detail. An IT best practices approach for responding to audits and proving compliance is a good start. An effective change auditing solution instills the independent detection, reconciliation, and reporting functionality you need to meet regulatory control, evaluation, and disclosure requirements.

Tripwire change auditing software ensures effective controls and proves ongoing compliance by detecting, reconciling, and reporting all changes—planned and unplanned—throughout your enterprise. Tripwire solutions deliver independent change-auditing capabilities that simplify audit preparation:

Detection. Tripwire separates change detection from the people and technologies that initiate change, providing an independent detective control for all automated and manual changes across file servers, network devices, desktops, directory services, databases, and other devices.

Reconciliation. By accessing information in leading change management tools, Tripwire solutions enable rapid reconciliation to quickly determine which changes were authorized and which weren’t.

Reporting. Through independent, verifiable audit logs of all actual change activity, Tripwire documents compliance and enforces change management policies and accountability. Tripwire helps you build an audit trail that demonstrates control over data and systems.

A Vital Best Practice. Tripwire change auditing solutions are a vital component of IT best practices, enabling you to institute, sustain, and document effective change audit practices. No matter which government regulation, corporate audit, or IT reporting requirements you must meet today, Tripwire can greatly simplify readiness.

NEXT STEPS

When working to achieve regulatory compliance, improve your organization’s security posture, or become a high-performing organization, working from a common set of requirements and best practices will enable your organization to succeed at any—and all—of these initiatives. All of these initiatives require an ability to audit change within the IT infrastructure. Change auditing demands the ability to immediately detect change when it occurs, report the changes with actionable data, and reconcile changes with other control measures. The more these tasks can be automated, the more trustworthy and effective change auditing controls become.
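The detect, reconcile, report loop described here and in the “Using Tripwire” section above, as an added illustration in Python. This is example code written for this page, not Tripwire’s software or a description of how its product is implemented. It baselines a directory with SHA-256 hashes (the hashing runs independently of whoever makes the changes, which is what makes it a detective control), diffs a later snapshot against that baseline, reconciles every detected change against a list of approved change tickets, and emits one audit-trail line per change marked authorized or unauthorized. The ticket record format, the ticket numbers CHG-1001 and CHG-1002, and the file names and contents are all constructed sample data.

```python
"""Minimal change-audit loop: baseline -> detect -> reconcile -> report.

Added example, not Tripwire code. Sample files, contents and change
tickets are constructed for the demo and carry no real-world meaning.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to be read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline: map every regular file under root (relative path) to its hash."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(baseline: dict, current: dict) -> list:
    """Detection: compare two snapshots and classify each difference."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append({"path": path, "kind": kind, "old": old, "new": new})
    return changes


def reconcile(changes: list, tickets: list) -> list:
    """Reconciliation: a ticket authorizes a change only if path and kind match and,
    when the ticket records an expected hash, the observed hash matches as well."""
    findings = []
    for change in changes:
        match = next(
            (t for t in tickets
             if t["path"] == change["path"] and t["kind"] == change["kind"]
             and t.get("expected_hash") in (None, change["new"])),
            None,
        )
        findings.append({**change,
                         "status": "authorized" if match else "unauthorized",
                         "ticket": match["ticket"] if match else None})
    return findings


def report(findings: list) -> list:
    """Reporting: one audit-trail line per change, unauthorized ones stand out."""
    return [f"{f['status'].upper():12} {f['kind']:8} {f['path']}  ticket={f['ticket'] or '-'}"
            for f in findings]


def demo() -> list:
    """End-to-end run in a throwaway directory with constructed sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts.allow").write_text("ALL: 10.0.0.0/8\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-sample")
        baseline = snapshot(root)

        # Planned: CHG-1001 turns on verbose logging; CHG-1002 removes the old binary.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "service").unlink()
        # Unplanned: an access rule is widened and an unexpected tool appears.
        (root / "etc" / "hosts.allow").write_text("ALL: ALL\n")
        (root / "bin" / "unexpected-tool").write_bytes(b"\x7fELF-unknown")
        current = snapshot(root)

    tickets = [  # constructed approved-change records
        {"ticket": "CHG-1001", "path": "etc/app.conf", "kind": "modified",
         "expected_hash": hashlib.sha256(b"debug=true\n").hexdigest()},
        {"ticket": "CHG-1002", "path": "bin/service", "kind": "removed"},
    ]
    return reconcile(detect_changes(baseline, current), tickets)


if __name__ == "__main__":
    print("\n".join(report(demo())))
```

The ticket list stands in for the change-management system the text says the detections are reconciled against; the point of the example is that authorization is decided by matching the observed change against an approved record, not by asking the person or process that made the change.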

Tripwire change auditing solutions, including enterprise software and professional services, are used by more than 5000 customers around the world. More than simply a software vendor, Tripwire advocates practical ways to instill IT infrastructure controls and best practices. The company is recognized as an industry thought leader, and auditors and compliance experts recognize Tripwire software as a standard in change auditing.

LEARNING FROM OTHERS

Extensive information and other resources for helping you achieve your compliance, security, and operational goals are available from professional associations, research organizations, vendors, and even peers. Resources mentioned throughout the Guide will help improve operational excellence and the likelihood of success.

Help your organization take the next step toward regulatory compliance, increased security, and high-performing IT operations.
