This topic includes the current COBIT information from the COBIT 4.1 edition.
COBIT is not specific to Information Security, but it covers IT in general. COBIT provides a reference framework for management, users, IS audit, control and security practitioners comprising 4 domains, 34 IT processes and 318 detailed control objectives.
The diagram below outlines the COBIT objectives organized by the following four domains:
There are several security related objectives throughout the domains, such as DS5.3 Identity Management and DS5.9 Malicious Software Prevention, Detection and Correction which are part of the DS5 Ensure System Security process. For your convenience, PowerTech has provided links to relevant sections of the COBIT standards throughout the PowerTech Compliance Guide.

In a typical test matrix for Sarbanes-Oxley compliance, control activities are mapped to COBIT Control Objectives. Management Assertions are identified for each control activity, and a risk description is documented for each control objective. Testing is performed to determine if controls are operating as expected. This eventually leads to test results documentation and gap exposure documentation.
Your external auditor can only provide limited guidance since Section 201 of the act restricts the type of consulting and advice that public accounting firms can provide to their clients.
In fact, many companies hire one firm to conduct the audit and another firm to provide consulting services in preparation for the audit. Many Fortune 1000 corporations are even now appointing Chief Governance Officers or Chief Risk Officers. However, the good news is that the big four firms are now using the same basic COBIT objectives as a framework to evaluate internal controls over IT.
Testing has been the most difficult SOX related task for many companies. It is important to note that there are two things a good plan will test:
The process works as intended (the test of the process)
Everything follows the process (the test of the risk)
After a thorough review of the COBIT objectives by PowerTech security experts, the security related objectives have been compiled here for easy reference. Click on the links in the COBIT Objectives/Topic table below to view specific objective descriptions and recommended PowerTech reports - or scroll through the entire summary of security related COBIT objectives that follows.
Objective Descriptions and Recommended PowerTech Reports
Topics:
Control Self-Assessment
Data Classification Scheme
Technological Direction Planning
Personnel Training
Job Change and Termination
Event Identification
Risk Assessment
Infrastructure Resource Protection and Availability
Emergency Changes
Identity Management
User Account Management
Security Testing, Surveillance and Monitoring
Security Incident Definition
Protection of Security Technology
Malicious Software Prevention, Detection and Correction
Exchange of Sensitive Data
Physical Access
Operations Procedures and Instructions
Security Provision of Output Reports
Authenticity and Integrity
Control Self-Assessment
Evaluate the completeness and effectiveness of management’s control over IT processes, policies and contracts through a continuing program of self-assessment.
PowerTech Compliance Monitor provides the capability to generate regularly scheduled assessments of the security status of System i systems, highlighting any exceptions to corporate policy.
Data Classification Scheme
Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme includes details about data ownership, definition of appropriate security levels and protection controls, and a brief description of data retention and destruction requirements, criticality and sensitivity. It is used as the basis for applying controls such as access controls, archiving or encryption.
A sound security policy is the first step in any security plan or compliance initiative. PowerTech recommends that your Information Security Policy specifically address your System i systems. The Compliance Guide (included with PowerTech Compliance Monitor) provides extensive guidance on creating a security policy for the System i, along with a sample System i security policy.
Technological Direction Planning
Analyze existing and emerging technologies and plan which technological direction is appropriate to realise the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.
Personnel Training
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organisational goals.
PowerTech provides regular training classes and web seminars on System i security issues.
Job Change and Termination
Take expedient actions regarding job changes, especially job terminations. Knowledge transfer needs to be arranged, responsibilities reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed.
The PowerTech Compliance Monitor 'Inactive Profiles' report can identify any old, unused or dormant accounts.
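The dormant-account check behind such a report can be expressed as a short script. The following is an added example, not PowerTech's code or the report's actual logic: it runs over a constructed export of user-profile attributes (the field names and the sample profiles are assumptions made for the demonstration) and lists enabled profiles that have not signed on within a threshold, putting those that hold special authorities first because they are the leftovers to act on immediately.

```python
from datetime import date, datetime

# Constructed sample: an export of user-profile attributes as a list of dicts.
# The field names are illustrative and are not a PowerTech or IBM i format.
SAMPLE_PROFILES = [
    {"profile": "JSMITH",   "status": "*ENABLED",  "last_signon": "2024-03-01", "special_auth": ""},
    {"profile": "OLDCTR",   "status": "*ENABLED",  "last_signon": "2023-06-15", "special_auth": "*ALLOBJ"},
    {"profile": "TEMPVEND", "status": "*ENABLED",  "last_signon": "",           "special_auth": ""},
    {"profile": "RETIRED",  "status": "*DISABLED", "last_signon": "2022-01-10", "special_auth": ""},
    {"profile": "QSECOFR",  "status": "*ENABLED",  "last_signon": "2024-03-09", "special_auth": "*ALLOBJ *SECADM"},
]


def find_inactive_profiles(profiles, as_of, max_idle_days=90):
    """Return enabled profiles that have not been used within max_idle_days.

    A profile that has never signed on is reported too: an account that was
    provisioned and never used is as much a job-change leftover as one that
    went idle. Disabled profiles are skipped here; they are already closed to
    sign-on, although they still belong in a separate deletion review.
    """
    findings = []
    for p in profiles:
        if p["status"] != "*ENABLED":
            continue
        if not p["last_signon"]:
            idle_days = None                      # never signed on
        else:
            last = datetime.strptime(p["last_signon"], "%Y-%m-%d").date()
            idle_days = (as_of - last).days
            if idle_days <= max_idle_days:
                continue                          # recently used, not dormant
        findings.append({
            "profile": p["profile"],
            "idle_days": idle_days,
            "privileged": bool(p["special_auth"].strip()),
        })
    # Privileged dormant accounts first, then alphabetical.
    findings.sort(key=lambda f: (not f["privileged"], f["profile"]))
    return findings


if __name__ == "__main__":
    for f in find_inactive_profiles(SAMPLE_PROFILES, date(2024, 3, 10)):
        idle = "never signed on" if f["idle_days"] is None else f"{f['idle_days']} days idle"
        flag = " [special authority]" if f["privileged"] else ""
        print(f"{f['profile']:<10} {idle}{flag}")
```

Run against the constructed sample with an as-of date of 2024-03-10, it reports OLDCTR (269 days idle, holding *ALLOBJ) ahead of TEMPVEND (never signed on) and ignores the disabled RETIRED profile.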
Event Identification
Identify events (an important realistic threat that exploits a significant applicable vulnerability) with a potential negative impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact and maintain this information. Record and maintain relevant risks in a risk registry.
Risk Assessment
Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.
Infrastructure Resource Protection and Availability
Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
PowerTech Recommendations
Users with special authorities in OS/400 have responsibilities for 'sensitive infrastructure components'. Run the PowerTech Compliance Monitor 'Profiles with Special Authorities' report to learn who these users are. PowerTech Authority Broker allows you to monitor, control, and audit the use of special authorities.
Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process.
Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository.
Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
Run PowerTech Compliance Monitor 'User' and 'Log File' reports on a regular basis:
User:
Log File:
User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
Run PowerTech Compliance Monitor 'User' and 'Log File' reports on a regular basis:
User:
Log File:
Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
OS/400 level security auditing allows you to turn on detailed auditing for system objects including creation and deletion of the objects. PowerTech software simplifies the management and interpretation of these logs using regularly scheduled reporting.
PowerTech Compliance Monitor (release 2.0) provides comprehensive reporting capability of all audit information on the System i.
Creation and deletion of objects
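As an added illustration of what such monitoring looks like once the object-audit data has been exported for reporting (this is example code, not PowerTech's or IBM's, and the comma-separated layout, the library and account names and the change window are constructed assumptions), the script below reads create-object (CO) and delete-object (DO) events and flags changes to production libraries made by an account other than the designated change account, or outside the approved change window.

```python
from datetime import datetime, time

# Constructed sample of object-audit events: timestamp, entry type, user,
# library, object. CO = create object, DO = delete object. The column layout
# is an assumption for this example, not an IBM i or PowerTech export format.
SAMPLE_EVENTS = """\
2024-03-10T02:15:00,CO,CHGMGR,PRODLIB,ORDERS_V2
2024-03-10T02:17:30,DO,CHGMGR,PRODLIB,ORDERS_V1
2024-03-10T14:05:12,DO,JSMITH,PRODLIB,CUSTMAST
2024-03-10T14:06:40,CO,JSMITH,JSMITHLIB,TESTFILE
2024-03-11T03:00:05,DO,OPR1,PRODLIB,ARCHIVE23
"""

# Policy inputs (constructed): which libraries count as production, which
# accounts are expected to change them, and the approved nightly window.
PRODUCTION_LIBRARIES = {"PRODLIB"}
CHANGE_ACCOUNTS = {"CHGMGR"}
CHANGE_WINDOW = (time(1, 0), time(5, 0))   # 01:00 to 05:00 local time


def parse_events(text):
    """Turn the exported lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, user, lib, obj = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "type": etype,
                       "user": user, "library": lib, "object": obj})
    return events


def in_change_window(ts):
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def flag_production_changes(events):
    """Return CO/DO events in production libraries that break the policy,
    each with the list of reasons it was flagged."""
    exceptions = []
    for e in events:
        if e["type"] not in ("CO", "DO") or e["library"] not in PRODUCTION_LIBRARIES:
            continue
        reasons = []
        if e["user"] not in CHANGE_ACCOUNTS:
            reasons.append("user not a change account")
        if not in_change_window(e["ts"]):
            reasons.append("outside change window")
        if reasons:
            exceptions.append({**e, "reasons": reasons})
    return exceptions


if __name__ == "__main__":
    for x in flag_production_changes(parse_events(SAMPLE_EVENTS)):
        print(f"{x['ts']:%Y-%m-%d %H:%M} {x['type']} {x['user']:<8} "
              f"{x['library']}/{x['object']}: {'; '.join(x['reasons'])}")
```

On the constructed sample, the two CHGMGR changes at 02:15 and 02:17 pass, the JSMITH deletion of PRODLIB/CUSTMAST at 14:05 is flagged on both counts, the create in JSMITHLIB is ignored as a non-production library, and the OPR1 deletion at 03:00 is flagged only because OPR1 is not a change account.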
Security Incident Definition
Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
Protection of Security Technology
Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
The OS/400 security audit journal is tamperproof. Once an event has been written to the audit journal it cannot be changed.
Malicious Software Prevention, Detection and Correction
Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
The Save and Restore category of system values on OS/400 (QALWOBJRST, QVFYOBJRST, QFRCCVNRST) can be used to control the restoration of programs to the system. The PowerTech Compliance Monitor 'All System Values' report can be used to verify that these system values are set to their appropriate values on all systems in the enterprise. Any exceptions to corporate policy will be highlighted in a single enterprise-wide report.
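The enterprise-wide comparison such a report performs can be sketched in a few lines. The following is an added example, not PowerTech's code: it takes the three save/restore system values named above, an illustrative policy (the expected settings here are assumptions for the demonstration, not a PowerTech or IBM recommendation), and constructed observations from three systems, and produces one exception row per deviation, including values a system failed to report at all.

```python
# Constructed illustrative policy. The system value names are the ones the
# text cites; the expected settings are an example baseline for the check,
# not a PowerTech or IBM recommendation.
POLICY = {
    # Allow object restore: every setting reported must be in this set.
    "QALWOBJRST": {"allowed": {"*NONE", "*ALWPTF", "*ALWSYSSTT"}},
    # Verify object on restore: numeric level, must be at least this high.
    "QVFYOBJRST": {"min": 3},
    # Force conversion on restore: numeric level, must be at least this high.
    "QFRCCVNRST": {"min": 1},
}

# Constructed sample of observed values per system, as an enterprise
# collection might export them. Multi-valued settings are space-separated.
OBSERVED = {
    "PRODA": {"QALWOBJRST": "*ALWPTF *ALWSYSSTT", "QVFYOBJRST": "3", "QFRCCVNRST": "1"},
    "PRODB": {"QALWOBJRST": "*ALL",               "QVFYOBJRST": "1", "QFRCCVNRST": "0"},
    "DEVC":  {"QALWOBJRST": "*NONE",              "QVFYOBJRST": "5"},   # QFRCCVNRST not collected
}


def check_value(rule, observed):
    """Return a description of the deviation, or None when compliant."""
    if observed is None:
        return "not reported"
    if "allowed" in rule:
        extra = set(observed.split()) - rule["allowed"]
        if extra:
            return f"disallowed setting(s): {' '.join(sorted(extra))}"
        return None
    if "min" in rule:
        try:
            level = int(observed)
        except ValueError:
            return f"non-numeric value {observed!r}"
        if level < rule["min"]:
            return f"level {level} below minimum {rule['min']}"
        return None
    raise ValueError("rule has neither 'allowed' nor 'min'")


def system_value_exceptions(policy, observed_by_system):
    """One (system, value, observed, problem) row per deviation from policy,
    ordered by system then value so the report is stable across runs."""
    rows = []
    for system in sorted(observed_by_system):
        values = observed_by_system[system]
        for name in sorted(policy):
            problem = check_value(policy[name], values.get(name))
            if problem:
                rows.append((system, name, values.get(name), problem))
    return rows


if __name__ == "__main__":
    for system, name, observed, problem in system_value_exceptions(POLICY, OBSERVED):
        print(f"{system:<6} {name:<11} {str(observed):<20} {problem}")
```

A missing value is deliberately treated as an exception rather than silently skipped: a collector that could not read a system value is itself a finding, otherwise the enterprise report would look clean for the one system nobody is actually checking.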
Exchange of Sensitive Data
Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
PowerTech Encryption can be used to exchange sensitive data like credit card numbers, bank account details, and Social Security Numbers between partners.
Physical Access
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
Operations Procedures and Instructions
Define, implement and maintain procedures for IT operations, ensuring that the operations staff members are familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities) to support agreed-upon service levels and ensure continuous operations.
Security Provision of Output Reports
Procedures are in place to assure that the security of output reports is maintained for those awaiting distribution as well as those already distributed to users.
Authenticity and Integrity
The authenticity and integrity of information originated outside the organization, whether received by telephone, voice mail, paper document, fax or e-mail, are appropriately checked before potentially critical action is taken.
Application controls have been reworked to be more effective, based on work to support controls effectiveness assessment and reporting. This resulted in a list of six application controls replacing the 18 application controls in COBIT 4.0, with further detail provided in COBIT Control Practices, 2nd Edition.
Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design. Detect errors and irregularities so they can be reported and corrected.
Establish that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.
Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.
Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient, and protected during transmission; that verification, detection and correction of the accuracy of output occurs; and that information provided in the output is used.
Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.