Sarbanes-Oxley IT Compliance Using Open Source Tools (eBook)

Front Cover 1
Sarbanes-Oxley IT Compliance Using Open Source Tools, 2E 2
Copyright Page 4
Lead Authors 6
Contributing Authors 7
Contents 10
Chapter 1: Overview - The Goals of This Book 22
IT Manager Bob - The Nightmare 23
What This Book Is 27
What This Book Is Not 27
Disclaimer 27
Conventions Used in this Book 28
The Transparency Test 28
Lessons Learned 28
Tips and Notes 28
VM Spotlight 28
Case Study 29
Why Open Source? 29
Open Source Licensing: A Brief Look 30
GNU General Public License 30
GNU Library or "Lesser" General Public License 31
The New Berkeley Software Distribution License 31
Open and Closed Source in Contrast 32
The Business Case for Open Source 36
Free != No Cost 36
Does It Really Save Money? 37
Platform-agnostic Architecture 38
Open Source and Windows 39
Mixed Platforms 39
Migration: a Work in Progress 40
VM Spotlight: CentOS GNU/Linux Distribution 40
A Word on Linux Distributions in General 41
Linux Distributions and References 42
CentOS in Detail 44
Case Study: NuStuff Electronics, an Introduction 45
IT Infrastructure 45
Server Room (General, Sales, Support, and Executive) 46
Server Room (Engineering and Design) 47
Desktops (Sales, Support, Executive, Finance, and HR) 47
Desktops (Engineering and Design) 47
Network Topology 48
Summary 50
Solutions Fast Track 50
Frequently Asked Questions 53
Chapter 2: Introduction to the Companion DVD 56
The DVD Redux 57
Installing the ITSox2 Toolkit VM 58
Host System Requirements 58
Installing the VMware Player 58
Windows Installation 58
Linux Installation 62
Installing the ITSox2 Toolkit VM 63
Launching the ITSox2 Toolkit VM 66
Uninstalling the ITSox2 Toolkit VM 67
Exploring the CentOS Linux Desktop 68
Selecting your Window Manager 70
Adding Packages and Staying Current 71
Other System Setup Opportunities 71
VM Spotlight - eGroupware 72
eGroupware Applications 73
SiteManager 73
Home 74
Preferences 74
Administration 75
FelaMiMail Email Client 77
Calendar 78
AddressBook 79
InfoLog 79
ProjectManager 80
Wiki 81
General Wiki Concepts 82
Bookmarks 83
Resources 84
TimeSheet 84
Tracker 84
NewsAdmin 84
KnowledgeBase 85
WorkFlow 85
Other Applications 85
Case Study: NuStuff Electronics, Setting the Stage 86
The Portal 86
Main and Headers 87
Launch Pad 87
Reference 88
The Cast of Characters 88
Employee Listing 89
SOX Auditor Listing 89
IT SOX Consultant Listing 89
Group Listing 90
Summary 91
Solutions Fast Track 91
Frequently Asked Questions 93
Chapter 3: SOX and Compliance Regulations 94
What is PCAOB 95
PCAOB Audit Approach 95
SOX Overview 96
What Will SOX Accomplish? 97
Section 302 97
Section 404 97
SOX Not Just a Dark Cloud 97
Good News/Bad News 98
Good News 99
Bad News 100
Sustainability Is the Key 100
Enough Already 102
Other US Regulations/Acts In Brief 102
Compliance Around The Globe 103
VM Spotlight: Desktop Tools 104
OpenOffice 105
Write 105
Calc 105
Impress 106
Base 106
Draw 106
Firefox 106
Evince 108
Case Study: Workflow Concepts 108
Summary 112
Solutions Fast Track 112
Frequently Asked Questions 116
Chapter 4: What's In a Framework? 118
PCAOB Endorses COBIT? 119
The Six COBIT Components 120
Entity Level Controls versus Control Objectives 121
What Are the Four COBIT Domains? 122
Planning and Organization 122
Acquisition and Implementation 122
Delivery and Support 123
Monitoring 123
Are the Developers of COBIT Controls Crazy? Is this Practical? 123
What's Controls Should I Use? 129
Server Room (General, Sales, Support and Executive) 129
Desktops (Sales, Support and Executive) 129
Network Topology 130
Planning and Organization 131
Acquire and Implement 132
Delivery & Support
Monitor & Evaluate
The Top Contenders 133
ITILv2 133
There Is No Panacea 136
VM Spotlight: Project Plan 137
Case Study: Framework Selection 141
Summary 142
Solutions Fast Track 142
Frequently Asked Questions 145
Chapter 5: The Cost of Compliance 148
SOX and IT 149
Section 404 149
Why Comply? 150
Compliance Issues 152
The Human Factor 152
Walk the Talk 154
Who Are You and What Do You Need 158
What's In A Framework? 159
Assessing Your Infrastructure 161
Open Source to Support Proprietary Systems 161
VM Spotlight: Fedora Directory Server 162
LDAP Overview 164
Fedora Directory Server in Detail 169
The Fedora Directory Server Console 169
Managing Fedora Directory Server 170
Configuring Fedora Directory Server 171
Viewing and Updating the Directory 175
Managing Users and Groups 178
Case Study: Costs 181
Old Habits Are Hard To Break 182
Summary 183
Solutions Fast Track 184
Frequently Asked Questions 187
Chapter 6: What's First? 188
The Work Starts Here 189
What Work? 190
Planning and Organization 191
Ensure Compliance with External Requirements 200
Assess Risks 200
Manage Quality 201
Working The List 202
Policy Definition and Management 206
NuStuff Corporate Policy Documents 206
Administrative Access Control Policy 206
Change Management Policy 206
Data Backup and Restore Policy 207
Firewall and Intrusion Detection Policy 207
Malicious Software Policy 207
Network Device Configuration Backup Policy 207
Network Security Monitoring and Controls Policy 207
Oracle New User Account Creation and Maintenance Policy 207
Oracle New User Password Policy 208
Password Control Policy 208
Physical Building Access and Budging Policy 208
Server Room Access Policy 208
Server Room Environmental Policy 208
System Security Policy 208
Generic Template 209
Spotlight: KnowledgeTree Document Management 209
KnowledgeTree Web Interface 210
The Dashboard View 211
DMS Administration View 213
Users and Groups 214
Security Management 214
Document Storage 214
Document Metadata and Workflow Configuration 215
Miscellaneous 216
DMS Administration View 216
Folder Details and Actions 217
Document Information and Actions 218
Other Actions 220
A Document Class Example 220
Case Study: NuStuff Electronics 223
Defining your own policies 225
Policy Approval Workflow 226
Workflow Roles 227
Workflow Activities 228
Defining your own policy approval workflows 228
Summary 230
Solutions Fast Track 230
Frequently Asked Questions 234
Chapter 7: What's Second 236
Definition of Information Requirements 237
Evaluating Open Source In-House Expertise 238
Deployment and Support Proficiency 239
Addressing Deficiencies 241
Automation is the Name of the Game 241
Identify Automated Solutions 243
Acquire and Maintain Application Software 244
Acquire and Maintain Technology Infrastructure 246
Develop and Maintain Procedures 247
Install and Accredit Systems 248
Manage Changes 249
Working The List 251
Project Management is Key 251
VM Spotlight - Webmin 252
Webmin Users 255
Adding Users 256
Applying Security Rights 257
Fedora-DS Administrator, a Webmin Module 258
Managing Users 258
Managing Groups 261
Managing Hosts 262
Webmin Audit Trail 264
Case Study: Automation and Workflow 264
NuStuff Electronics Example Implementation: Intrusion Detection System 265
Availability and Security 265
Sustainability and Accountability 266
Infrastructure Change Request Workflow 266
Workflow Roles 268
Workflow Activities 268
Implementation Planning 269
NuStuff Electronics Snort IDS 269
Test Procedure 269
Production Procedure 270
Rollback Procedure 270
Implementation 272
Documentation 272
Other Change Management Workflow Examples 273
Firewall Change Request 273
Workflow Roles and Activities 274
Oracle Change Request 274
Workflow Roles and Activities 276
Summary 277
Solutions Fast Track 278
Frequently Asked Questions 282
Chapter 8: Are We There Yet? 284
All About Service 285
Delivery & Support
Define and Manage Service Levels 287
Manage Third-Party Services 289
Manage Performance and Capacity 290
Ensure Continuous Service 292
Ensure Systems Security 293
Identify and Allocate Costs 297
Educate and Train Users 297
Assist and Advise Customers 298
Manage the Configuration 300
Manage Problems and Incidents 302
Manage Data 303
Manage Facilities 303
Manage Operations 305
Working The List 305
Service Level Agreements 306
What is a Service Level Agreement? 307
Template: Internal Service Level Agreement 308
Signoff and Approval 309
Managing The Infrastructure 310
Performance, Capacity and Continuity 311
Service and System Virtualization 311
Xen Virtual Machine 311
VMWare Server 312
High Availability and Load Balancing 314
Fault Tolerance 318
Uninterruptible Power 321
Security Considerations 321
Configuration Management and Control 321
Applying Changes 321
Rollback to Previously Known Good Configuration 322
Managing Systems and Applications 322
Identity Management 323
Password & Shadow Text File System
Network Information Systems (NIS) 324
Lightweight Directory Access Protocol 324
Kerberos 325
Systems and Network Devices 326
Databases and File Shares 326
Backup and Data Retention 327
Security Considerations 327
VM Spotlight - Subversion 328
Getting Data into your Repository 329
Using Apache to Expose Your Repository 332
Using the ViewVC Web Interface 333
Case Study: NuStuff Electronics Segregation of Duties 335
Operations Workflows 335
Account Activation Request 335
Workflow Roles 336
Workflow Activities 336
Account Termination Request 336
Workflow Roles 336
Workflow Activities 336
Oracle Account Activation Request 336
Workflow Roles 337
Workflow Activities 337
Oracle Account Termination Request 337
Workflow Roles 337
Workflow Activities 337
Data Access Request 337
Workflow Roles 338
Workflow Activities 338
Data Restoration Request 338
Workflow Roles 338
Workflow Activities 338
Report a Virus or Spyware 338
Workflow Roles 339
Workflow Activities 339
VPN Access Request 339
Workflow Roles 339
Workflow Activities 339
Summary 340
Solutions Fast Track 341
Frequently Asked Questions 344
Chapter 9: Finally, We've Arrived 346
Never Truly Over 347
Monitoring In Theory 347
PDCA - Deming 348
Monitor the Processes 349
Assess Internal Control Adequacy 350
Obtain Independent Assurance 351
Provide for Independent Audit 351
Working The List 351
Monitoring In Practice 352
System Monitoring 353
Configuration Monitoring 355
Syslog 356
Tripwire and AIDE 356
Kiwi Cat Tools 357
Compliance Monitoring 357
Annual Oracle Admin Review 358
Bi-Annual IT Policy Review 360
Monthly Data Restoration Test 361
Monthly Offsite Backup 363
Monthly Oracle Active User Review 364
Quarterly AV Inventory Review 367
Quarterly Environmentals Review 369
Quarterly File Permissions Review 371
Quarterly Infrastructure Change Review 374
Additional Workflows 376
VM Spotlight - Zabbix Monitoring System 377
Zabbix Architecture 378
Zabbix Example Linux Template 382
Zabbix Web Front End 387
Administration 387
Configuration 388
Monitoring 389
In Conclusion 392
Case Study: NuStuff - Oops, Still Not Right 392
Summary 394
Solutions Fast Track 394
Frequently Asked Questions 396
Chapter 10: Putting It All Together 398
Analysis Paralysis 399
Organization - Repositioning 401
Policies, Processes and SLAs 402
SOX Process Flow 402
Control Matrices, Test Plan & Components
Control Matrix 404
Gap and Remediation 406
Test Plan 407
What Makes a Good Test Plan 408
Return On Investment (ROI) 408
Summary 412
Solutions Fast Track 412
Frequently Asked Questions 414
Appendix A: COBIT Control Objectives 416
Planning & Organization
Acquisition & Implementation
Delivery & Support
Monitoring 427
Appendix B: ITIL Framework Summary 430
The Five ITIL Volumes 431
Service Strategy 431
Service Design 431
Service Transition 431
Service Operation 431
Continual Service Improvement 431
Service Support 431
Service Delivery 435
Appendix C: GNU General Public Licenses 438
GPL Version III 439
GNU General Public License 439
Preamble 439
Terms And Conditions 440
0. Definitions 440
1. Source Code 441
2. Basic Permissions 441
3. Protecting Users' Legal Rights From Anti-Circumvention Law 442
4. Conveying Verbatim Copies 442
5. Conveying Modified Source Versions 442
6. Conveying Non-Source Forms 443
7. Additional Terms 445
8. Termination 446
9. Acceptance Not Required for Having Copies 446
10. Automatic Licensing of Downstream Recipients 447
11. Patents 447
12. No Surrender of Others' Freedom 448
13. Use with the GNU Affero General Public License 449
14. Revised Versions of this License 449
15. Disclaimer of Warranty 449
16. Limitation of Liability 449
17. Interpretation of Sections 15 and 16 450
GPL Version II 450
GNU General Public License 450
Preamble 450
Terms And Conditions For Copying, Distribution And Modification 451
0 451
1 451
2 452
3 453
4 453
5 453
6 454
7 454
8 454
9 455
10 455
No Warranty 455
11 455
12 455
Index 458