VSS White Paper: Sustainable SOX Compliance Made Easy
Contents
Contents ................................................................................................................................................ 2
Executive Summary ............................................................................................................................. 4
Introduction........................................................................................................................................... 5
Overview of the Sarbanes-Oxley Act .................................................................................................. 6
Impact on IT ...................................................................................................................................... 7
Affected Companies.......................................................................................................................... 7
Compliance Efforts to Date.................................................................................................................. 9
New Guidance from the SEC and PCAOB ........................................................................................ 10
Benchmarking of Automated Controls ............................................................................................ 11
COBIT .................................................................................................................................................. 12
Achieving Sustainable Compliance .................................................................................................. 14
Working with Business Users ......................................................................................................... 14
Integrating Internal Controls............................................................................................................ 14
Automated Tools............................................................................................................................. 15
Continuous Monitoring and Real-time Alerts................................................................................................. 15
Strive for Continuous Improvement................................................................................................. 15
Tango/04 Solutions for SOX Compliance ......................................................................................... 17
Full Operating System Level Coverage .......................................................................................... 19
Databases, Web 2.0 Enablers and other Middleware ..................................................................... 19
Record-level and Field-level Database Auditing ............................................................................. 20
Third Party Security Products, Network Appliances and Device Integration ................................... 20
Business Application Monitoring ..................................................................................................... 20
VISUAL Security Suite Output ........................................................................................................ 21
Business and Enterprise Views..................................................................................................................... 21
Real-time Alerts ............................................................................................................................................. 23
Automated Actions ........................................................................................................................................ 23
Compliance Reports...................................................................................................................................... 24
Ease of Use .................................................................................................................................... 27
Tango/04 Solutions and the COBIT Objectives .............................................................................. 27
Valid for Cross Compliance ............................................................................................................ 27
Extendability ................................................................................................................................... 28
Maximize Your Return on Investment ........................................................................................................... 28
Tying It All Together........................................................................................................................... 29
Multiplatform Cross Compliance ..................................................................................................... 29
Field Proven in Different Industries ................................................................................................. 29
Unique Extensibility......................................................................................................................... 29
Appendix A – Tango/04 Security Solutions...................................................................................... 31
VISUAL Security Suite: List of Controls .......................................................................................... 31
© 2007 Tango/04 Computing Group Page 2
Tango/04 Solutions Offer Extensive Coverage for the System i ..................................................... 32
Technology Alliances outside of IBM ............................................................................................................ 32
Professional Services ..................................................................................................................... 32
Appendix B - COBIT 4.1 Control Objectives..................................................................................... 33
Process PO6: Communicate Management Aims and Directions .................................................................. 34
Mapping of Tango04 Solutions to COBIT Objectives...................................................................... 34
About Tango/04 Computing Group................................................................................................... 44
Legal notice......................................................................................................................................... 45
Executive Summary
The SOX Act has been around for five years now and many of you have probably spent numerous hours
trying to define and implement a rigorous security plan. Because you need to expose your internal control
strategy to an outside auditor on an annual basis, the most successful strategies will be based on the
notion of sustainable compliance. The best way to achieve sustainability is to:
• work with the business side of the house to identify the most critical processes
• integrate internal controls into daily procedures
• transition manual controls into automated procedures using technology
• strive for continuous improvement in your compliance measures.
In this document we examine the most recent guidance from the SEC and the new auditing standard (AS
5) released by the PCAOB in an effort to help companies reduce the cost of compliance. We also take a
look at the COBIT internal control framework and how it is used by many auditors as a reference point for
measuring compliance. Both AS 5 and the latest version of COBIT, Release 4.1, support the notion of
using automated tools to facilitate compliance efforts.
This white paper also includes an overview of VISUAL Security Suite, the Tango/04 solution for achieving
compliance with SOX as well as any other security regulation or industry standard. We’ll show you how the
product can successfully be used in your efforts to meet regulatory obligations and protect your corporate
data assets while reducing overall compliance costs.
For several years now, the Tango/04 security solution has been used by many companies world-wide to
facilitate sustainable compliance with various regulations including SOX. Our technology is field proven
and has been adopted by 7 of the 18 largest banks in the world.
In fact, Henry Schein Inc. – a Fortune 500 distributor of healthcare products with global operations based
in Melville, NY – is just one of our customers to effectively achieve SOX compliance year after year using
Tango/04 software. Other well known companies using Tango/04 products include BankBoston, CocaCola,
Pfizer, Shell, Office Depot and Nike.
"VISUAL Security Suite has allowed us to rapidly implement SOX controls, while VISUAL Message Center
helps keep our IT infrastructure healthy. I love the product."
Don Keating, IT Manager, Henry Schein, Inc.
Please visit our website at www.tango04.com to view testimonials from satisfied customers and to learn
more about our Security and integrated Business Service Management solutions.
Introduction
We all know that Sarbanes-Oxley (SOX) is not a new regulation – it’s been around since 2002. Since that
time you’ve probably read numerous white papers offering advice on compliance strategies. On top of that,
you may even have first hand experience in defining and implementing a security plan at your company.
What makes this white paper different is the information it contains on sustainable compliance. After all,
SOX is not a one shot deal; compliance must be demonstrated every year. So why not integrate compliance
measures into your business in a way that is easy to maintain and also provides cost benefits? It’s really
not too good to be true.
Following some basic material on SOX for those of you that are new to the regulation, or want a refresher,
we’ll review compliance efforts to date, recent SOX guidance and the COBIT internal control framework.
Next, we explain the methodology of sustainable compliance and examine how the Tango/04 automated
solution set can help you easily comply with SOX year after year.
Overview of the Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 was introduced to strengthen corporate governance and improve financial
reporting by public companies operating in the United States (US).
The motivation for the law was the extensive use of improper accounting practices by officers of public
companies during the stock market boom of the late 1990s. Earnings and profits were falsely inflated by
companies such as Enron and WorldCom, resulting in a decline of public trust in corporate accounting and
financial reporting practices.
On a micro-level, these financial distortions meant that many CEOs and CFOs earned large bonuses and
stock options that did not properly reflect the value they had generated for their shareholders. When the
crash arrived, many shareholders, everyday people, found the value of their investments was a fraction of
what it had been only months before.
On a macro-level, financial reporting is key to the efficient operation of the global economy. Capital is
allocated where it delivers the highest return, and the main source of information used by investors to
calculate their expected return is the data contained within company financial reports. If those reports are
untruthful or misleading, capital will be misallocated, investors will be deceived and the economy will be
negatively impacted.
As a consequence of these financial misrepresentations, SOX established new accountability standards
for corporate boards and auditors. It established guidelines for auditing procedures, the composition of
company boards and the governance of everything related to financial reporting. It is in the areas of data
protection and financial reporting that SOX impacts the IT department.
Figure 1 – SOX is about financial reporting. It requires auditing controls to be implemented. (Diagram:
accounting practices and the ERP and CRM systems feed the financial reports, i.e. the 10-K and 10-Q filings.)
Impact on IT
Although the SOX Act consists of 11 major Titles and numerous sections, four of them directly impact IT:
Sections 302, 404, 409 and 1102. Sections 302 and 404 are particularly compelling for top level
management as described below.
• Section 302 requires that CEOs/CFOs assure the accuracy of financial reports and guarantee that
the data used to compile these reports is correct and has not been manipulated in any way.
Because those financial reports are produced using a company’s IT systems, the security and
integrity of those systems is a fundamental requirement.
• Section 404 is divided into 2 parts and has the greatest impact on the IT department. In fact, the
majority of the money companies spend on compliance is linked to meeting Section 404 objectives.
− Part (a) requires that each annual report include an "internal control report"
indicating that management is responsible for an adequate internal control
structure and an assessment of its effectiveness. Any shortcomings or
material weaknesses in these controls must be reported.
− Part (b) requires that an external auditor attest to, and report on,
management's assertions regarding its assessment of the effectiveness of
the company's internal controls.
• Section 409 requires companies to disclose, on a rapid and current basis (48 hours), information
concerning material changes in their financial condition or operations.
• Section 1102 imparts penalties for anyone who tampers with a record, document, or other object
with the intent to impair the object's integrity or availability for use in an official proceeding.
Affected Companies
In simple terms, SOX applies to all publicly traded companies in the US, each of their divisions and wholly
owned subsidiaries. It also applies to publicly traded, foreign companies doing business in the US.
Affected companies are essentially broken up into 2 major categories: accelerated and non-accelerated
filers. Accelerated filers, those companies with a capital valuation of more than $75M, were expected to
comply with Section 404 of SOX for fiscal years ending on or after November 15, 2004. As a result, these
larger corporations are currently in their third year of compliance.
Non-accelerated filers, those companies with a capital valuation of less than $75M, have been given a
reprieve in terms of compliance deadlines. Although the US Securities and Exchange Commission (SEC)
feels that SOX is good for investors overall, they have been making attempts to minimize the financial
burden that Section 404 imposes, particularly on smaller companies. As a result, the deadline for 404
compliance for non-accelerated filers has been extended several times and the latest ruling states that
management must provide the certification required by Section 404 for fiscal years ending after December
15, 2007. However, auditor attestation is not required until fiscal years ending after December 15, 2008.
Despite this extension, we caution small companies not to delay their compliance efforts. Compliance is
good for your business and, if approached properly, it can help you to achieve operational efficiencies and
cost reductions. We also recommend that smaller companies take advantage of the opportunity to learn
from the experiences of their larger counterparts.
So, let’s take a look at compliance efforts to date to see how larger companies have been coping with
regulatory mandates over the past several years.
Compliance Efforts to Date
It’s important to recognize that although SOX mandates internal control over financial reporting, it does not
provide guidance in terms of how to comply. The devil is always in the details and specifics about
compliance measures have been left up to individual companies and their auditors. Consequently, in the
first year of compliance, many companies identified far too many key control objectives supported primarily
by manual processes. Consideration was not given to the extent of risk associated with a process for which
an internal control measure was defined, resulting in a substantial effort that concentrated on a number of
insignificant business procedures. As companies rushed to meet their deadline, enterprise wide controls
were lacking, documentation was developed in silos and duplicate controls were defined. The expense of
compliance was high as internal staff and outside consultants worked on defining and documenting
controls. At that point in time, passing the Year One audit at all costs outweighed any thoughts of
sustainability.
In Year Two of compliance, companies focused on correcting the IT deficiencies that were identified in their
first SOX audit. Although manual processes were still a large part of compliance efforts, companies were
beginning to realize that this approach was costly, not repeatable and simply not sustainable.
In Year Three and beyond, with several years of SOX audits under their belts, companies are beginning to
recognize the importance of consolidating efforts from an enterprise level and replacing manual processes
with automated tools. Clearly understanding that SOX is here to stay, companies are also looking for
opportunities to better integrate compliance measures into their daily processes, as opposed to bolting
them on to existing procedures. Their goal is to make compliance sustainable, efficient and cost effective
for the long run.
In the meantime, the SEC has been working in earnest to develop guidelines and better auditing standards
for companies to follow. The details of their efforts are described in the next section.
New Guidance from the SEC and PCAOB
Over the past several years there has been a backlash of complaints from companies trying to comply with
SOX. Their main issue is that the SEC has not provided direction in terms of how to comply with SOX,
leading to excessive costs as organizations tried to test every possible control without regard to risk.
In response, the SEC has been working closely with the Public Company Accounting Oversight Board
(PCAOB)[1] to provide direction in order to help companies reduce excessive testing of controls and
resultant costs. In June 2007, the SEC published interpretive guidance regarding SOX compliance and in
the prior month the PCAOB released a new Auditing Standard (AS 5)[2] based on a top-down approach.
While guidance from the SEC is somewhat general, the new PCAOB auditing standard is very specific and
based on four primary principles:
1. Focus the Audit on the Most Important Matters
Implement a top down, risk based approach where energy is devoted proportionately to areas with the
most-to-least impact on financial reporting.
2. Eliminate Unnecessary Procedures
Make use of audit knowledge from previous years, particularly noting deficiencies identified in the prior
year, in addition to making use of recent, internal audit work. The auditor may also use a benchmarking
strategy for automated application controls to reduce testing in subsequent years.
3. Scale the Audit for Smaller Companies
External auditors are encouraged to scale the audit based on the size and complexity of the company,
rather than taking a one-size-fits-all approach.
4. Simplify the Requirements
The level of detail and specificity has been reduced to encourage auditors to apply professional judgment
under the facts and circumstances.
[1] The SOX Act created the PCAOB - an organization whose purpose is to oversee the auditors of public
companies in order to protect the interests of investors. The PCAOB operates under the SEC.
[2] AS 5 supersedes AS 2 and is the auditing standard on attestation engagements referred to by Section
404(b) of the SOX Act.
Benchmarking of Automated Controls
In the new auditing standard, AS 5, it is recognized that automated controls are generally not subject to
breakdowns due to human failure and as such, are associated with less risk. As a consequence, AS 5
allows an auditor to use a benchmarking strategy if:
• General controls over program changes, access to programs and computer operations are
effective and continue to be tested and
• The auditor verifies that the automated application control has not changed since the auditor
established a baseline (i.e. last tested the application control).
In this case, the auditor may conclude that the automated application control continues to be effective
without repeating the prior year’s specific tests of the operation of the control. As a result, the previous
year’s tests define the benchmark.
Based on a number of risk factors, it is up to the auditor to determine whether or not to use a benchmarking
strategy, but suffice it to say that the use of automated tools may in fact reduce the amount of time an
external auditor needs to spend assessing your security measures which, in turn, reduces cost to your
organization.
In essence, the new guidance and auditing standard from the SEC and PCAOB is good news. It shows that
both entities are making a serious attempt to ease the compliance burden and associated costs for affected
companies, while still protecting the public at large.
COBIT
Although SOX dictates the need for internal control over financial reporting and both the SEC and PCAOB
have recently provided much needed guidance, a reference point against which internal controls are
compared is necessary. This is where COBIT (Control Objectives for Information and related Technology)
comes in.
COBIT is an IT management and governance framework, developed by the IT Governance Institute (an
outgrowth of the Information Systems Audit and Control Association or ISACA). COBIT supports IT
governance by providing a structure that ensures that “IT is aligned with the business, IT enables the
business and maximizes benefits, IT resources are used responsibly and IT risks are managed
appropriately.”
COBIT supports the linkage between business and IT goals. It also provides a common language that can
be shared and understood by both sides of an organization.
The core content of COBIT is comprised of 34 IT processes. Each process is divided into four sections
consisting of a high level control objective, relevant detailed control objectives, management guidelines
including goals and metrics and a maturity model interpreted specifically for the process.
From a regulatory standpoint, COBIT is the de facto standard used by many audit firms to ascertain SOX
compliance. Because business goals and IT security challenges are ever changing, COBIT is continually
updated to maintain its relevancy and practicality. In fact, the latest release of COBIT, 4.1, was made
available in May 2007 and can be downloaded from the ISACA website (www.isaca.org).
With compliance in mind, how does an organization begin to use COBIT in order to prepare for their next
audit? We recommend the following approach:
• Measure current IT controls against the COBIT objectives and identify places where you either
have no controls or where there is a gap between the control and the requirements of the objective.
• Upgrade controls identified as deficient to at least COBIT maturity model level 3.
The COBIT model for management and control over IT processes is derived from a model originally
created by the Software Engineering Institute (SEI)[3] to measure the maturity of software development. The
COBIT interpretation of the model focuses on IT management processes, rendering a generic definition for
six levels of maturity as shown in Figure 2.
[3] For details regarding Capability Maturity Models go to http://www.sei.cmu.edu/cmm/
Figure 2 – COBIT Maturity Model (Level 0: Non-Existent; Level 1: Initial / Ad-Hoc; Level 2: Repeatable but
Intuitive; Level 3: Defined Process; Level 4: Managed and Measurable; Level 5: Optimized)
The higher the level, the better the control over the IT process, as indicated by the following COBIT
definitions:
• Level 0 – Non-existent: there is a complete lack of recognizable processes and no recognition
that an issue needs to be addressed.
• Level 1 – Initial: the organization recognizes that issues exist and need to be addressed but
processes are ad-hoc, applied on a case-by-case basis and the overall approach to management is
disorganized.
• Level 2 – Repeatable but Intuitive: similar procedures are followed by different people for the
same task but there is no training or communication of standard procedures. Errors are likely
because there is a high degree of reliance on the knowledge of individuals.
• Level 3 - Defined Process: procedures have been standardized, documented and
communicated through training. The procedures themselves are not sophisticated, but are the
formalization of existing practices.
• Level 4 – Managed and Measurable: compliance processes are monitored and management
takes action when procedures are not working effectively. Processes are under constant
improvement and provide good practice. Automation and tools are used in a limited way.
• Level 5 – Optimized: procedures have been refined to a level of good practice based on the
results of continuous improvement. IT is used in an integrated way to automate workflow, providing
tools to improve quality and effectiveness, making the organization quick to adapt.
The maturity levels previously defined are intended as guidelines in order to benchmark current processes
and subsequently set goals for improvement. The levels are not meant to be used as exact thresholds
where one cannot move to the next level without meeting all of the requirements of the previous level.
However, processes with aspects largely at levels 3 and above naturally result in a higher degree of
predictability and tighter controls, significantly facilitating your next audit.
It’s important to note the inclusion of automated tools and the concept of continuous improvement at the
highest levels. These are ideas we’ll examine next as they support the notion of sustainable compliance.
Achieving Sustainable Compliance
Because SOX is here to stay, companies should view compliance as an opportunity rather than a burden.
From an opportunistic standpoint, compliance measures can be defined in such a way as to improve
operational efficiencies and reduce costs at your organization. A few simple concepts will start you on your
way to achieving sustainable compliance:
• Work with business users to identify critical processes
• Integrate internal controls into daily routines
• Transition manual controls into automated procedures using software tools
• Strive for continuous improvement in your compliance measures
Let’s explore each one of these concepts.
Working with Business Users
Although compliance details generally land in the lap of IT, the IT staff must communicate with the business
side of the house early on in order to identify the most critical business processes and eliminate duplication
of effort. Working closely with the business departments from the very beginning helps ensure that
compliance efforts are risk based, focusing on corporate assets that are most important to your company.
By protecting the most crucial assets first, you won’t waste time controlling and testing aspects of the
business that are unlikely to lead to financial misstatements or compromise critical data integrity. This
approach is also consistent with the new AS 5 auditing standard.
Beyond that, close interaction with your business community will help to ensure that compliance measures
don’t inadvertently hamstring day to day productivity. This type of cross-departmental cooperation
facilitates corporate support - a vital component of a successful and ongoing compliance strategy.
Integrating Internal Controls
A key element of your SOX implementation plan is to integrate the control measures you’ve defined into
your daily business activities. Integration ensures that your compliance efforts remain consistent and are
not likely to be bypassed or forgotten. Compliance activities that are tightly woven into daily processes
clearly support the notion of sustainability because they are easy to maintain and perform.
For example, when a new user requires access to your system or an existing user needs more authority,
have their supervisor fill out a standard request form that undergoes the appropriate approvals and
ultimately lands in the hands of IT to execute. No matter what department the user is from or how high
he/she is in the organization, the process should be the same for everyone.
To supplement this process, you could schedule a report to run that lists all new and changed user profiles
on a daily basis. The report can be reviewed for any unauthorized change and then filed away or archived
as a continuing record for your next SOX audit.
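The daily report of new and changed user profiles described above, carried one step further as an added example (this is not Tango/04 code and not part of the original paper): two constructed snapshots of the user-profile store, taken a day apart, are diffed, each change is matched against that day's approved request forms, and anything without a signed request is flagged for review. The profile attribute names, request-form fields and ticket numbers are hypothetical; map them to your own platform and approval workflow.

```python
"""Daily reconciliation of user-profile changes against approved access requests.

Constructed example (not Tango/04 code): two snapshots of the user-profile
store, one day apart, are diffed and every change is matched against the
approved request forms for that day. Changes with no matching approval are
flagged; the rendered report is what you would review and archive as evidence.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed snapshot from "yesterday": user name -> profile attributes.
# Attribute names are hypothetical; map them to your platform's fields.
YESTERDAY = {
    "jsmith": {"status": "enabled", "groups": ["finance"], "special_auth": []},
    "mlopez": {"status": "enabled", "groups": ["ops"], "special_auth": ["ALLOBJ"]},
    "tchen":  {"status": "enabled", "groups": ["sales"], "special_auth": []},
}

# Constructed snapshot from "today".
TODAY = {
    "jsmith": {"status": "enabled", "groups": ["finance", "gl_posting"], "special_auth": []},
    "mlopez": {"status": "enabled", "groups": ["ops"], "special_auth": ["ALLOBJ", "SECADM"]},
    "rpatel": {"status": "enabled", "groups": ["finance"], "special_auth": []},
}

# Constructed approved request forms for the day (the standard request form
# after supervisor sign-off). Ticket ids are placeholders. List-valued
# attributes are approved one member at a time, written "+member" / "-member".
APPROVALS = [
    {"ticket": "REQ-0001", "user": "jsmith", "field": "groups", "value": "+gl_posting", "approver": "fin-mgr"},
    {"ticket": "REQ-0002", "user": "rpatel", "field": "create", "value": None, "approver": "fin-mgr"},
    {"ticket": "REQ-0003", "user": "tchen", "field": "delete", "value": None, "approver": "sales-mgr"},
]


@dataclass
class Change:
    user: str
    field: str            # "create", "delete", or an attribute name
    value: Optional[str]  # "+x"/"-x" for list attributes, the new value otherwise
    approved_by: Optional[str] = None

    @property
    def authorized(self) -> bool:
        return self.approved_by is not None


def diff_profiles(old: Dict[str, dict], new: Dict[str, dict]) -> List[Change]:
    """Return one Change per created/deleted profile and per attribute delta."""
    changes: List[Change] = []
    for user in sorted(set(old) | set(new)):
        if user not in old:
            changes.append(Change(user, "create", None))
            continue
        if user not in new:
            changes.append(Change(user, "delete", None))
            continue
        for attr in sorted(set(old[user]) | set(new[user])):
            before, after = old[user].get(attr), new[user].get(attr)
            if before == after:
                continue
            if isinstance(before, list) and isinstance(after, list):
                # Report each granted or revoked member separately so that one
                # approval covers exactly one privilege.
                for added in sorted(set(after) - set(before)):
                    changes.append(Change(user, attr, "+" + added))
                for removed in sorted(set(before) - set(after)):
                    changes.append(Change(user, attr, "-" + removed))
            else:
                changes.append(Change(user, attr, str(after)))
    return changes


def reconcile(changes: List[Change], approvals: List[dict]) -> List[Change]:
    """Attach an approver to every change that matches an approved request.

    Each approval is consumed at most once, so two identical grants need two
    signed forms. The same list is returned for convenience.
    """
    unused = list(approvals)
    for change in changes:
        for approval in unused:
            if (approval["user"], approval["field"], approval["value"]) == \
                    (change.user, change.field, change.value):
                change.approved_by = approval["approver"]
                unused.remove(approval)
                break
    return changes


def unauthorized(changes: List[Change]) -> List[Change]:
    """Changes that have no approved request behind them."""
    return [c for c in changes if not c.authorized]


def render_report(changes: List[Change], day: str) -> str:
    """Plain-text report suitable for review and archiving as audit evidence."""
    lines = [f"User profile changes for {day}"]
    for c in changes:
        status = f"approved by {c.approved_by}" if c.authorized else "UNAUTHORIZED - review required"
        lines.append(f"  {c.user:<8} {c.field:<13} {c.value or '':<12} {status}")
    lines.append(f"{len(unauthorized(changes))} of {len(changes)} changes lack an approved request")
    return "\n".join(lines)


if __name__ == "__main__":
    report_changes = reconcile(diff_profiles(YESTERDAY, TODAY), APPROVALS)
    print(render_report(report_changes, "2007-06-15"))
```

On the constructed data the report shows four changes, three backed by a request form and one (a special authority granted to mlopez) with no approval, which is exactly the line a reviewer would escalate.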
Automated Tools
As a result of trying to meet SOX compliance requirements under tight time constraints, many companies
have relied heavily on manual processes. Employees were tasked with creating spreadsheets, defining
checklists and documenting procedures. However, the use of manual processes as the primary method of
implementing internal controls introduces a host of problems over the long run, not the least of which is
sustainability.
Purely from a cost perspective, internal labor and/or hired consultants can comprise a large portion of total
compliance expense. Add to that the fact that human beings are error prone, particularly when subject to
fatigue, stress and distraction, and you aren’t really getting consistent value for your money.
Although technology solutions, in the form of automated software tools, do require an up-front investment,
they more than pay for themselves over time in reduced labor costs. They also provide consistent, accurate
and reliable monitoring and reporting – something your SOX auditor will appreciate! Use of tools also
enables you to draw upon your staff in a more productive way by reallocating their time to higher value,
business activities.
As discussed in previous sections, the use of automated tools is supported by the new AS 5 auditing
standard and is also consistent with levels 4 and 5 of the COBIT maturity model. Implementing controls that
follow the higher levels of the model will surely keep your executive management and external auditors
satisfied.
Continuous Monitoring and Real-time Alerts
A major advantage of automated software tools is their ability to run 24/7, constantly keeping watch over
your implemented security plan and data assets. Continuous monitoring is a vital component of a strategy
intended to facilitate process integration and sustainability.
We recommend that you only consider automated tools that have the capacity to send alerts to you in real
time when a security event occurs. Real-time notification supports compliance with Section 409, which
requires companies to disclose material changes in their financial condition or operations "on a rapid and
current basis"; the SEC's implementing Form 8-K rules give most triggering events a four business day filing
deadline. A security incident is not by itself a reportable material change, but you cannot judge its
materiality within that window unless you learn of it promptly.
Beyond Section 409, real-time warnings are invaluable to your business because they allow you to
minimize risk exposure and attend to security incidents as they occur. Continuous auditing is a major trend
and, since real-time alerting is technologically available today, there is no reason not to know about a
potentially serious security issue before it is too late.
Strive for Continuous Improvement
Once you’ve implemented your SOX security plan, you’ll be monitoring your internal control processes to
assess their effectiveness. As you monitor and run reports, new risk factors are likely to appear that you
hadn’t yet considered. As these new risks are identified, you’ll need to update your control procedures to
prevent any new occurrences of those issues. The refinement of your compliance paradigm is a natural
and iterative process resulting in continuous improvement of your control strategy and better protection of
your corporate information assets.
© 2007 Tango/04 Computing Group Page 15
For each internal control process, you should also strive to move up the COBIT maturity model to higher
levels. More mature procedures contribute to better quality and more efficient business processes. They
also enhance the likelihood of passing your next audit.
In the following section, we’ll examine a particular automated toolset that is currently in use by many
companies worldwide in support of their SOX compliance plan.
Tango/04 Solutions for SOX Compliance
The Tango/04 Computing Group [3] is a leading developer of Security and Infrastructure Monitoring,
Reporting and Business Service Management solutions. Its VISUAL Security Suite is a multiplatform
security solution that can easily become a part of your automated processes for achieving sustainable SOX
compliance. As shown in Figure 3 below, VISUAL Security Suite receives audit information from various
sources within your enterprise.
Figure 3 – Overview of VISUAL Security Suite
Its monitoring engine offers agents for your different platforms, network components, applications, logs and
databases. In many cases, the monitors can run remotely (agentless), reducing deployment time and
avoiding interference with other applications.
[3] For detailed information about Tango/04, its solutions and customer case studies, please go to www.tango04.com
In addition, each monitor retrieves only the information you are interested in, allowing you to filter out all
irrelevant data. This powerful filtering feature minimizes the monitoring process and keeps overhead down
resulting in little to no performance impact on your system.
Full Operating System Level Coverage
The VISUAL Security Suite agents for the System i, Windows, Unix, Linux and AIX can keep track of:
• Changes and access to all files and objects, including financial databases, configuration files,
sensitive information, etc. Specifically, the tracking of:
− Deletes, copies, edits, renames, restores, and read-only access to specific data
− Unauthorized access attempts
• Authority failures, such as:
− Persistent failed sign on attempts
− Object access denials
• System configuration changes, such as:
− Creation and modification of user profiles
− System value changes
• Command use, so you can:
− Watch suspicious users
− Monitor use of sensitive commands.
We have a library of standard controls you can leverage based on our experience with many different types
of industries and security projects. However, new, custom checks can easily be added. For instance,
system access times may be well defined at your company, and it is simple to define the time during the
day when a login attempt (even if it is allowed by the operating system) should be considered suspicious.
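The two custom checks just described, a burst of failed sign-on attempts and a sign-on that the operating system permitted but that falls outside the hours defined for that user, as an added example in Python. This is not Tango/04 code: the normalized event shape, the thresholds and the allowed-hours policy are assumptions, and the sample events are constructed.

```python
"""Two custom sign-on controls over a normalized audit-event stream.

Added example, not Tango/04 code. The event shape, the thresholds and the allowed
sign-on hours are assumptions; the events below are constructed, not captured.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample: five rapid failures by ACCTG01 followed by a success, a
# JSMITH sign-on at 23:40, and a batch operator signing on at 02:15 (allowed 24x7).
SAMPLE_EVENTS = [
    {"ts": "2007-03-12T08:55:10", "user": "ACCTG01", "outcome": "failure", "host": "PRODLPAR"},
    {"ts": "2007-03-12T08:55:14", "user": "ACCTG01", "outcome": "failure", "host": "PRODLPAR"},
    {"ts": "2007-03-12T08:55:19", "user": "ACCTG01", "outcome": "failure", "host": "PRODLPAR"},
    {"ts": "2007-03-12T08:55:23", "user": "ACCTG01", "outcome": "failure", "host": "PRODLPAR"},
    {"ts": "2007-03-12T08:55:27", "user": "ACCTG01", "outcome": "failure", "host": "PRODLPAR"},
    {"ts": "2007-03-12T08:56:02", "user": "ACCTG01", "outcome": "success", "host": "PRODLPAR"},
    {"ts": "2007-03-12T09:10:00", "user": "JSMITH", "outcome": "success", "host": "PRODLPAR"},
    {"ts": "2007-03-12T23:40:00", "user": "JSMITH", "outcome": "success", "host": "PRODLPAR"},
    {"ts": "2007-03-13T02:15:00", "user": "BATCHOPR", "outcome": "success", "host": "PRODLPAR"},
    {"ts": "2007-03-13T03:00:00", "user": "JSMITH", "outcome": "failure", "host": "PRODLPAR"},
]

FAILURE_THRESHOLD = 5                   # assumed policy
FAILURE_WINDOW = timedelta(minutes=10)

# Allowed sign-on windows (assumed policy). None means no time restriction.
ALLOWED_HOURS = {"default": (time(7, 0), time(20, 0)), "BATCHOPR": None}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_failed_signon_bursts(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """One alert per (user, host) the first time `threshold` failures fall inside `window`.

    A per-key deque holds only the failures still inside the sliding window, so the
    check is a single pass over the stream and suits real-time evaluation.
    """
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "failure":
            continue
        key, ts = (ev["user"], ev["host"]), parse_ts(ev["ts"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"control": "failed_signon_burst", "user": key[0], "host": key[1],
                           "count": len(q), "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


def detect_after_hours_signons(events, allowed=ALLOWED_HOURS):
    """Flag successful sign-ons outside the user's allowed window.

    The operating system accepted these; the control is a business rule layered on top.
    """
    alerts = []
    for ev in events:
        if ev["outcome"] != "success":
            continue
        window = allowed.get(ev["user"], allowed["default"])
        if window is None:
            continue
        start, end = window
        if not start <= parse_ts(ev["ts"]).time() <= end:
            alerts.append({"control": "after_hours_signon", "user": ev["user"],
                           "host": ev["host"], "ts": ev["ts"]})
    return alerts


def run_controls(events):
    return detect_failed_signon_bursts(events) + detect_after_hours_signons(events)


if __name__ == "__main__":
    for alert in run_controls(SAMPLE_EVENTS):
        print(alert)
```

The burst check fires once per user and host rather than on every subsequent failure, which keeps an attacker from flooding the console; the after-hours check deliberately ignores failed attempts (those are covered by the first control) and, as written, does not distinguish weekends from weekdays, which a production policy would add.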
Other controls can be less direct, but equally important. For example, an unusual increase in storage
occupation or bandwidth consumption can be a symptom of suspicious activity (such as malware on a
compromised workstation sending out spam). Because VISUAL Security Suite allows you to monitor several
performance indicators in addition to traditional security events, you can define a comprehensive list of
controls.
Please refer to Appendix A for a list of common controls per platform.
Databases, Web 2.0 Enablers and other Middleware
VISUAL Security Suite can extract information from and continuously audit several databases and middleware
products such as web application servers, including the IBM WebSphere Application Server. Platform-specific
controls can be set. Log files can be scraped, formatted and correlated in real time from several sources.
Different adapters (WMI, JMX, SNMP, syslog, text files, message queues, etc.) are also available to
maximize the integration capabilities.
Record-level and Field-level Database Auditing
The Data Monitor module captures all Changes, Inserts, Deletions and Reads to files you specify so you
know Who, What, When and How. It provides you with record-level audit data for each transaction
including:
• Before and after image of record changed, clearly indicating the changed fields
• User that made the change (including the real user in application transactions)
• Timestamp
• Context data and platform specific information (such as the name of the application for SQL
Server and library/program for DB2 on the System i).
With this level of visibility, you are able to keep all users (including database administrators and privileged
users) accountable by tracking every action on your sensitive files. Because the control is applied at the
database level, it does not matter where the change came from or which tool was used to make it; the one
thing to verify is that the audit data itself is stored where those same privileged users cannot alter it (see the
Data Monitor options below for storing it on a separate LPAR or platform). In addition, the before and after
images of record changes allow you to revert a change back to its original value when necessary.
Third Party Security Products, Network Appliances and Device Integration
VISUAL Security Suite can monitor, correlate, inspect and immediately alert you on any log file, regardless
of where it resides and which application produced it. In addition, it is easy to centralize the control of
all dispersed information, effectively monitoring the activity of network devices such as routers, switches,
firewalls, and so on. Third party applications such as Intrusion Detection/Prevention Systems, antivirus
products, vulnerability scanners, Virtual Private Networking (VPN) products, and the like, can also be easily
integrated.
Business Application Monitoring
One area where most security products fail is the ability to extract relevant security information from
different business applications. Home grown applications are particularly difficult for most products.
However, as your level of maturity increases, there is a strong need to go from basic audit controls on
operating systems and equipment to business-level controls. VISUAL Security Suite can help you to
automate the control of your existing applications. (Note that several examples of relevant COBIT
business-level controls can be found in the document “IT Control Objectives for Sarbanes Oxley: the Role
of IT in the Design and Implementation of Internal Control Over Financial Reporting”, 2nd Edition, produced
by the IT Governance Institute).
VISUAL Security Suite has a universal log reader (Applications Agent) which can read virtually any log at
high speed. By using BNF (Backus-Naur Form) grammar definitions that can be created and modified easily,
practically any application's events can be integrated in real time. In other cases, instead of text files,
application security logs and events are stored in database tables, which can easily be integrated with the
VISUAL Security Suite Data Adapter.
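The idea behind a universal log reader, as an added example that is not the Applications Agent and does not use BNF: each log format is a data definition, here a template with typed <name:type> placeholders compiled into a regular expression, and every format is mapped onto the same normalized event so that downstream controls do not care where a line came from. The two formats, their templates, the field-type vocabulary and the sample lines are constructed for the example.

```python
"""Data-driven log normalization: each log format is a definition, not code.

Added example, not the VISUAL Security Suite Applications Agent. A template such as
"<ts:ts> <host:word> ..." is compiled into a regular expression with typed, named
groups; this is a deliberately simplified stand-in for a full BNF grammar. The two
formats and all sample lines are constructed for the example.
"""
import re
from datetime import datetime

# Field types: name -> (regex fragment, converter). 'field' is for delimiter-separated
# formats, where a greedy \S+ would swallow the delimiters.
TYPES = {
    "word": (r"\S+", str),
    "field": (r"[^;]+", str),
    "int": (r"\d+", int),
    "ip": (r"\d{1,3}(?:\.\d{1,3}){3}", str),
    "rest": (r".*", str),
    "ts": (r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}",
           lambda s: datetime.strptime(s.replace("T", " "), "%Y-%m-%d %H:%M:%S")),
}
PLACEHOLDER = re.compile(r"<(\w+):(\w+)>")


def compile_template(template):
    """Turn '<name:type>' placeholders into named groups; literal text is regex-escaped."""
    pattern, pos, converters = "", 0, {}
    for m in PLACEHOLDER.finditer(template):
        name, typ = m.group(1), m.group(2)
        fragment, converter = TYPES[typ]
        pattern += re.escape(template[pos:m.start()]) + f"(?P<{name}>{fragment})"
        converters[name] = converter
        pos = m.end()
    pattern += re.escape(template[pos:])
    return re.compile("^" + pattern + "$"), converters


# One entry per log format: how to parse it and how to derive the normalized outcome.
FORMATS = [
    {"name": "sshd",
     "template": "<ts:ts> <host:word> sshd[<pid:int>]: <result:word> password for "
                 "<user:word> from <ip:ip> port <port:int> ssh2",
     "outcome": lambda f: "success" if f["result"] == "Accepted" else "failure"},
    {"name": "acctapp",   # a home-grown application's semicolon-separated sign-on log
     "template": "<ts:ts>;<host:field>;LOGIN;<user:field>;<status:field>;<detail:rest>",
     "outcome": lambda f: "success" if f["status"] == "OK" else "failure"},
]
COMPILED = [(fmt, *compile_template(fmt["template"])) for fmt in FORMATS]


def normalize(line):
    """Return one normalized event for the first format that matches, else None."""
    for fmt, regex, converters in COMPILED:
        m = regex.match(line)
        if m is None:
            continue
        fields = {k: converters[k](v) for k, v in m.groupdict().items()}
        return {"source": fmt["name"], "ts": fields["ts"], "host": fields["host"],
                "user": fields["user"], "outcome": fmt["outcome"](fields), "raw": line}
    return None


def normalize_stream(lines):
    """Normalize every line; lines no format claims are returned, not silently dropped."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


SAMPLE_LINES = [
    "2007-03-12T08:55:10 prodweb1 sshd[2231]: Failed password for ACCTG01 from 10.1.2.3 port 51234 ssh2",
    "2007-03-12T08:56:02 prodweb1 sshd[2231]: Accepted password for ACCTG01 from 10.1.2.3 port 51240 ssh2",
    "2007-03-12 09:10:00;ACCTSRV;LOGIN;jsmith;OK;terminal=TN5250",
    "2007-03-12 09:11:45;ACCTSRV;LOGIN;jsmith;FAIL;bad password",
    "2007-03-12T09:12:00 prodweb1 kernel: eth0 link up",   # not a sign-on record for any format
]

if __name__ == "__main__":
    events, unparsed = normalize_stream(SAMPLE_LINES)
    for ev in events:
        print(ev["ts"], ev["source"], ev["host"], ev["user"], ev["outcome"])
    print("unparsed:", unparsed)
```

Adding a third application means adding one more entry to FORMATS, with no change to the parsing or to the controls that consume the normalized events. Keeping the unparsed lines visible matters for the same reason the paper gives for alerting on missing events: a format change upstream would otherwise make a source disappear silently.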
When more complex business-level controls are required (such as changes to dormant accounts in banks,
excessively discounted sales, or other domain-specific checks), Data Monitor can inspect every single one of
millions of transactions in real time. Integrity checks can be placed to make sure no unauthorized changes
are made from outside the applications, bypassing the applications' own integrity controls.
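The record-level, before/after-image auditing described above under "Record-level and Field-level Database Auditing", together with the point made here that a database-level control catches changes made from outside the application, as an added example. It is not the Data Monitor product: a trigger-maintained shadow table in SQLite, chosen so the example runs stand-alone, with the acting user read from a session table because SQLite has no database users. Table and column names, the sample ledger rows and the user names are all constructed for the example.

```python
"""Database-level audit trail with before/after record images (added example).

Not the Data Monitor product: a trigger-maintained shadow table in SQLite, chosen so the
example runs stand-alone. SQLite has no database users, so the acting identity is read from
a 'session' table that the application or DBA must set; that and all names are assumptions.
"""
import sqlite3

FIELDS = ("account", "amount", "memo")

SCHEMA = """
CREATE TABLE gl_entries (entry_id INTEGER PRIMARY KEY, account TEXT NOT NULL,
                         amount REAL NOT NULL, memo TEXT);
CREATE TABLE session (k TEXT PRIMARY KEY, v TEXT);
-- Shadow table: before_*/after_* images of every audited field. actor is NOT NULL, so a
-- change made with no identified actor fails instead of being recorded anonymously.
CREATE TABLE gl_entries_audit (
  audit_id INTEGER PRIMARY KEY,
  ts TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
  actor TEXT NOT NULL, op TEXT NOT NULL, entry_id INTEGER NOT NULL,
  before_account TEXT, before_amount REAL, before_memo TEXT,
  after_account TEXT, after_amount REAL, after_memo TEXT);
CREATE TRIGGER gl_ins AFTER INSERT ON gl_entries BEGIN
  INSERT INTO gl_entries_audit (actor, op, entry_id, after_account, after_amount, after_memo)
  VALUES ((SELECT v FROM session WHERE k = 'user'), 'INSERT', NEW.entry_id,
          NEW.account, NEW.amount, NEW.memo);
END;
CREATE TRIGGER gl_upd AFTER UPDATE ON gl_entries BEGIN
  INSERT INTO gl_entries_audit (actor, op, entry_id, before_account, before_amount,
                                before_memo, after_account, after_amount, after_memo)
  VALUES ((SELECT v FROM session WHERE k = 'user'), 'UPDATE', OLD.entry_id,
          OLD.account, OLD.amount, OLD.memo, NEW.account, NEW.amount, NEW.memo);
END;
CREATE TRIGGER gl_del AFTER DELETE ON gl_entries BEGIN
  INSERT INTO gl_entries_audit (actor, op, entry_id, before_account, before_amount, before_memo)
  VALUES ((SELECT v FROM session WHERE k = 'user'), 'DELETE', OLD.entry_id,
          OLD.account, OLD.amount, OLD.memo);
END;
-- The trail is append-only for everyone using this schema, privileged users included.
CREATE TRIGGER audit_no_upd BEFORE UPDATE ON gl_entries_audit
  BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_del BEFORE DELETE ON gl_entries_audit
  BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""


def open_audited_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def as_user(conn, user):
    """Record who is acting on this connection; the triggers read it."""
    conn.execute("INSERT OR REPLACE INTO session (k, v) VALUES ('user', ?)", (user,))


def audit_trail(conn, entry_id):
    """Who/what/when/how for one record, plus which fields actually changed."""
    cols = ", ".join(f"before_{f}, after_{f}" for f in FIELDS)
    rows = conn.execute(f"SELECT audit_id, ts, actor, op, {cols} FROM gl_entries_audit "
                        "WHERE entry_id = ? ORDER BY audit_id", (entry_id,)).fetchall()
    trail = []
    for r in rows:
        before, after = dict(zip(FIELDS, r[4::2])), dict(zip(FIELDS, r[5::2]))
        trail.append({"audit_id": r[0], "ts": r[1], "actor": r[2], "op": r[3],
                      "before": before, "after": after,
                      "changed_fields": [f for f in FIELDS if before[f] != after[f]]})
    return trail


def revert_to_before_image(conn, audit_id, actor):
    """Undo an audited UPDATE by writing its before image back; the revert is itself audited."""
    row = conn.execute("SELECT op, entry_id, before_account, before_amount, before_memo "
                       "FROM gl_entries_audit WHERE audit_id = ?", (audit_id,)).fetchone()
    if row is None or row[0] != "UPDATE":
        raise ValueError("only UPDATE rows are reverted by this helper")
    as_user(conn, actor)
    conn.execute("UPDATE gl_entries SET account = ?, amount = ?, memo = ? WHERE entry_id = ?",
                 (row[2], row[3], row[4], row[1]))
    conn.commit()


def demo():
    conn = open_audited_db()
    as_user(conn, "APPUSER")
    conn.execute("INSERT INTO gl_entries VALUES (1, '4000-SALES', 1250.50, 'Q1 invoice')")
    # A DBA bypasses the application and edits the row with an ad hoc SQL tool: the trigger
    # fires all the same and records the real user rather than 'the application'.
    as_user(conn, "DBA_JDOE")
    conn.execute("UPDATE gl_entries SET amount = 9250.50 WHERE entry_id = 1")
    conn.commit()
    trail = audit_trail(conn, 1)
    try:  # covering one's tracks fails: the trail refuses deletes
        conn.execute("DELETE FROM gl_entries_audit WHERE audit_id = ?", (trail[-1]["audit_id"],))
        tamper_blocked = False
    except sqlite3.DatabaseError:
        tamper_blocked = True
    revert_to_before_image(conn, trail[-1]["audit_id"], actor="SECADMIN")
    amount = conn.execute("SELECT amount FROM gl_entries WHERE entry_id = 1").fetchone()[0]
    return {"conn": conn, "trail": trail, "tamper_blocked": tamper_blocked, "amount_after_revert": amount}


if __name__ == "__main__":
    result = demo()
    for row in audit_trail(result["conn"], 1):
        print(row["ts"], row["actor"], row["op"], row["changed_fields"], row["before"], "->", row["after"])
```

Two properties are worth noting. A change that arrives with no identified actor is rejected by the NOT NULL constraint, which is preferable to an anonymous audit row. And the append-only triggers protect the trail only within this database; the separate-LPAR storage the paper describes for Data Monitor is the stronger version of the same idea, since a user with enough privilege to drop triggers can defeat an in-database guard.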
Examples of business applications that can be monitored with VISUAL Security Suite include SAP R/3,
Siebel, JD Edwards, SWIFT, legacy (RPG/COBOL), and practically any custom application running in any
environment, from mainframes to standalone desktop workstations. Modern Java applications can also be
monitored by using JMX (Java Management Extensions) technology.
The information presented in this section is merely a subset of the kind of audit data you can collect with
VISUAL Security Suite. Please refer to Appendix A for a more complete listing by platform.
VISUAL Security Suite Output
Once the audit information you specify has been collected, it can be accessed and presented to you in a
variety of ways:
• Business and Enterprise views
• Real-time alerts
• Automated actions
• Reports
Let’s examine each one of these output mechanisms.
Business and Enterprise Views
One of the key features of VISUAL Security Suite is that it allows you to centrally manage your security
paradigm by consolidating events across all platforms in a single view. This is accomplished using the
VISUAL Security Suite SmartConsole, shown below in Figure 4.
Figure 4 – The SmartConsole
Within the SmartConsole, the leftmost pane contains your business view as a series of hierarchical
folders that are color coded to quickly draw your attention to important events. Although a default security
configuration is shipped with VISUAL Security Suite, you are free to customize this view to best fit your
corporate needs.
Note that the folders under the iSeries and Windows Security branches are green, indicating no imminent
issues. However, there is a problem with the Infrastructure node as indicated by the red folder. Expanding
any of the folders and then double clicking on the problem node will reveal underlying messages pertaining
to the issue. These related messages contain detailed information about the problem and many soft-coded
variables that can be passed to messages sent via email or to your cell phone.
The uppermost right pane in Figure 4 summarizes your business services and the pane below it identifies
the most probable root cause of the failure. Although this figure shows both security and infrastructure
configurations, you can install the security portion alone and either grow into infrastructure monitoring at a
later date or continue to use whatever infrastructure monitoring you may already have in place.
In addition to business views, security information can also be presented in an enterprise view or
dashboard accessible through the web. Enterprise views can be especially useful for CISOs who need a
high level glimpse of current security status but not the underlying details provided by the SmartConsole.
Figure 5 below presents a sample enterprise view of a SOX compliance scenario.
Figure 5 – Sample Enterprise View of a SOX Security Plan
Similar to the business view shown in Figure 4, the color of the icons provides visual information regarding
status. For instance, a potential problem is indicated under iSeries Server > Object Access because the
icon is yellow. Double-clicking on any icon allows you to drill down for specific information about the
problem.
Real-time Alerts
Besides visual notification, with VISUAL Security Suite you can also define alarms and actions to send
alerts regarding urgent situations in real time. These alerts can take various forms such as email, SMS
messaging, sound or video. Real-time access to your security information also supports SOX Section 409,
which requires companies to disclose material changes in their financial condition or operations on a rapid
and current basis; under the SEC's implementing Form 8-K rules most triggering events must be filed within
four business days, a window you cannot meet if you first learn of an incident days after it happened.
Regulations aside, instant awareness of security exceptions enables you to respond to the suspect event as
it happens, significantly reducing risk, even if the incident occurs after hours or over the weekend.
Automated Actions
In addition to real-time alerts, VISUAL Security Suite can be configured to automatically respond to events
that you define. For example, if a user changes a critical system setting, VISUAL Security Suite can send
you a real-time alert and also initiate predefined actions such as reverting the system setting back to its
original value, ending the user’s job and disabling his/her user profile to prevent further malicious actions.
Compliance Reports
VISUAL Security Suite includes a robust reporting system so you can perform forensic analyses, review
events against security policies and comply with regulations such as SOX. We ship over 200 built-in reports
to provide you with all the information you’ll need to satisfy your auditors. Figure 6 below shows a segment
of the reporting system in addition to the data selection parameters for one of the reports.
Figure 6 – Segment of the Reporting System and Sample Data Selection Screen
It’s worth noting that our built-in reports can be customized so you can create your own subreport version.
Furthermore, reports can be generated in different formats such as .pdf, .xls, .doc, .html and can also be
scheduled and automatically emailed to the appropriate stakeholders.
A sample report depicting User Inactivity on the Windows platform is shown below in Figure 7. This report
shows users defined on a particular domain, the number of days they have been inactive and whether or
not their profile is enabled. By running this report you can identify users who have not signed on for a
period of time and either disable or delete the profile before it can be used maliciously. A similar report is
also available for the System i.
Figure 7 – Windows User Inactivity Report
Figure 8 below presents a segment of a Data Monitor report showing detailed information about a data
record change. As indicated, Data Monitor can capture and report the date and time of a file access, the
type of access (read, update, insert, deletion, etc.), the actual user and even the before and after images of
the accessed data record. This is exactly the kind of evidence you need to demonstrate that records have
not been altered or destroyed, the conduct that SOX Section 1102 penalizes.
Figure 8 – Data Monitor Report Segment
As shown in Figure 8, you can also instruct Data Monitor to mask sensitive field values, such as Social
Security or credit card numbers, in the generated reports. This feature is essential to protect the privacy of
consumer information.
The Data Monitor module also has many other advanced features including the ability to:
• Select the files you want to monitor and even particular fields within those files;
• Select particular users or user groups to monitor;
• Store your audit data on a different LPAR or platform which might be more secure or where
storage space is less expensive;
• “Enrich” the audit data so, for instance, an account number can appear as a customer name on
your reports, making them easier to read;
• Include information on your reports that is not stored in the journal such as user group or class.
Ease of Use
VISUAL Security Suite is fast to deploy and easy to use so you can immediately begin to monitor and protect
your corporate assets as soon as you install the product. We offer Professional Services to help you configure
business views, real-time alerts and automated actions to meet your specific compliance needs. We also train
your designated staff so they can add additional controls as you need them due to changes in regulations or in
your corporate environment.
Because the SmartConsole component allows you to centralize the management of your security controls
across platforms, within a single view, your security staff will be highly productive as they maintain the
integrity of your compliance plan.
Complete Coverage for the System i
As a Premier IBM Business Partner, Tango/04 provides the most complete functionality on the market for
auditing System i security environments. With more than 15 years experience on this platform, Tango/04 works
directly with IBM laboratories in Rochester, Minnesota to take advantage of new i5 technology developments.
We continuously invest in improvements and support for the latest versions of i5/OS in order to offer you the
best solution on the market. (Refer to Appendix A for more information regarding our technology alliance with
IBM.)
Tango/04 Solutions and the COBIT Objectives
As mentioned earlier in this paper, COBIT is an internal control framework often used by external auditors
to measure compliance. Although the use of automated tools is strongly supported by COBIT, no single tool
can help you comply with all of the COBIT objectives. In fact, some objectives are not suited to a technology
solution at all and are best addressed with written policies and/or employee training. In the end, it is your job
to put together a mix of manual and automated processes in order to satisfy each objective. As you evaluate
automated software solutions, be sure to consider tools that will not only help you comply with SOX but also
improve your business processes, productivity and overall competitive advantage.
By supporting 19 of the detailed COBIT control objectives, the Tango/04 solution set can not only assist
with your SOX compliance needs but also provide value to your business by helping you protect your
corporate assets. Please refer to Appendix B for descriptions of each objective and how the Tango/04
solutions address it.
Valid for Cross Compliance
We understand that many companies today are subject to multiple regulations such as SOX, HIPAA, PCI DSS
and GLBA. Although the details of complying with these requirements differ, they share common objectives:
to protect shareholders, patients and consumers from financial misstatements and the disclosure of private
information. The Tango/04 security solution supports this intent by providing real-time alerts, automated
actions, visual status displays by PC or web, monitoring of data changes at the field level and extensive
reporting. Used together, these capabilities are very powerful and can be implemented at your company to
help you comply with multiple regulations.
Extensibility
One of the best parts about the Tango/04 solution suite is that you can implement it in a step-by-step
fashion. Start with your most critical platform and begin to define the security controls you need to monitor
and report on. Because our solution is so easy to use, you’ll find that once you’ve defined a business view
and associated it with alarms and actions, it’s a snap to define other security views.
Although VISUAL Security Suite can be used exclusively as a security compliance solution, it shares a
number of modules and agents with VISUAL Message Center, Tango/04’s solution for IT infrastructure
monitoring and Business Service Management (BSM). This concept allows you to expand the scope of the
solution in a progressive fashion over time as shown in Figure 9.
[Figure 9: diagram with layers labelled Security, Infrastructure, Applications Management, BSM/SLM and Operations]
Figure 9 – Extend the Tango/04 Security Solution to Infrastructure and BSM
It also allows you to create dashboards in order to visualize the impact of security problems on your
different business applications. Integrating IT with business operations will not only facilitate corporate
support for your compliance activities, but will also help your company function more efficiently as a whole.
As various departments work together, increases in productivity are achieved, resulting in overall cost
reductions.
Maximize Your Return on Investment
Because Security, Infrastructure and BSM all share the same concepts in terms of installation,
configuration and training time, your initial investment can be reused to monitor the status of services,
SLAs, user experience and application availability. Security administrators, auditors and operation
managers can all have different views of the SmartConsole to focus in on what they need to know. In
essence, you have one console with many possibilities at your finger tips.
Tying It All Together
If you’ve read this far, it’s likely that you’re required to comply with SOX and are looking for ideas on how
best to do so. Clearly, you need to develop a compliance paradigm that’s sustainable and does not
overburden your staff or your corporate bank account. While you’re at it, you might as well define a strategy
that will benefit your company beyond compliance requirements. Namely, you want to develop a security
plan that not only satisfies your auditing requirements but one that also provides the added benefits of
increased productivity and overall cost reduction.
If you implement a risk-based approach per the new AS 5 auditing standard, the task of achieving
compliance will be well within your reach. To achieve sustainable compliance, we suggest that you
include automated software tools as an integral part of your security paradigm. The use of automated
technology is supported by both AS 5 and COBIT.
Multiplatform Cross Compliance
The Tango/04 security solution can assist you in attaining sustainable compliance across multiple
regulations. Its built-in real-time alerting supports your SOX disclosure obligations and gives you immediate
awareness of how well your security plan is working, so you can address problems as they occur, before they
propagate and while they are easiest to fix. With our multi-platform capabilities, we can consolidate security
information across your enterprise in a single view, greatly simplifying the task of assessing compliance.
Our reporting features will also help you satisfy the needs of your external auditor as you demonstrate
compliance year after year.
Field Proven in Different Industries
The Tango/04 security solution is fast to deploy, easy to use and field proven. We have over one thousand
customers across the globe and our technology has been adopted by 7 of the 18 largest banks in the
world. In fact, Henry Schein Inc. – a Fortune 500 distributor of healthcare products with global operations
based in Melville, NY – is just one of our customers to effectively achieve SOX compliance year after year
using VISUAL Security Suite. Our customer base also includes a number of well known enterprises such
as BankBoston, CocaCola, Dole Fresh Fruit, Pfizer, Shell, Office Depot and Nike.
Unique Extensibility
Beyond security auditing, our software also offers infrastructure monitoring, application monitoring and
business service management, so you can continue to align IT with the business side of the house using a
single software solution. The beauty of our solution is that you can implement additional controls and
functions in a stepwise manner and at your own pace.
Consider the Tango/04 family of solutions to help you achieve your compliance goals, protect your
corporate assets and facilitate business management. As you continue to grow into the Tango/04 solutions
you will increase productivity levels and save money over time.
Appendix A – Tango/04 Security Solutions
VISUAL Security Suite: List of Controls
As previously discussed and illustrated (see Figure 3 – Overview of VISUAL Security Suite on page 17),
VISUAL Security Suite can collect auditing information from multiple platforms and make it available for you
to filter and analyze within a single console. Below is a summary of the types of events we can monitor by
platform:
System i:
• System access
• Profile and user activity or inactivity
• Adopted security
• Sensitive commands
• Object access
• System values
• Spool files
• Any type of log such as QSYSOPR, QHST or system audit log
• Use of service systems
• Message queues
• Invalid logins
• Inactive users
DB2 UDB:
• Use of special editing tools (e.g. DFU, STRSQL)
• Exit point control
• SQL statement level auditing
• File access at record level
Windows:
• Changes in auditing configuration, privileges, directory services, domain policies…
• Complete event log monitoring (real-time)
• Auto control of logs with any format
• Control of Active Directory, IIS, firewall service, Exchange, Citrix, remote access…
• Changes to system folders
SQL Server:
• Instance status
• Changes to roles and users
• Transaction log
• Connections and access
• SQL statements
• Locks
• Table auditing (field level)
• Objects
• Errors
• Windows processes
Oracle:
• SQL statements run by SYSDBA
• User SQL statements
• Role and user monitoring
• Critical processes
• Special permissions
• Relevant users
• Table auditing (field level)
• Super user activity
• Authentication
• Log monitoring
Linux, UNIX, AIX:
• Complete verification of syslogs (real-time)
• Changes made to system configuration
• Control of super users
• Invalid logins
• Changes to folders/objects
• Changes in privileges and user accounts
• Change in security policies
• Sensitive command management
• Suspicious processes
Beyond platform specific abilities, a full array of other third party products, including middleware, network
equipment, appliances, firewalls, IDS, antivirus systems, etc. can also be integrated easily. Business
applications logs can be monitored in real time, and custom business-specific controls are easy to create
and maintain. Overall, Tango/04 offers the most comprehensive security solution on the market.
Tango/04 Solutions Offer Extensive Coverage for the System i
Although our security solutions are multi-platform capable, it’s important to stress our strength on the i5
platform for those of you that manage System i centric shops. Tango/04 is a Premier IBM Business Partner
and key member of IBM’s Autonomic Computing initiative. In addition to receiving industry recognition on
numerous occasions, our solutions have been validated by IBM and designated as IBM ServerProven.
Other associations we have with IBM include:
• IBM PartnerWorld for Developers (Advanced Member)
• IBM ISV Advantage Agreement
• IBM OS Early Code Release member
• IBM ServerProven Solution Provider
Technology Alliances outside of IBM
In addition to our strong ties to IBM, the success of our solution also relies on the working relationships we
have with other platform providers. These include:
• Microsoft Developer Network (MSDN)
• Microsoft Early Code Release member
• Red Hat Linux Partner
Professional Services
We provide top notch professional services to help you install and configure our products across your critical
platforms to meet your specific security needs. We'll work together with your staff to add the precise controls
you need in order to achieve compliance year after year. We're not happy with any implementation unless you
are completely satisfied. In fact, since 2004 we're proud to say that all of our projects for security, data
protection and operations monitoring have been implemented on time and with full customer satisfaction. The
loyalty and high rate of customer satisfaction is one of the best guarantees we can offer you.
"Tango/04 pre-sale activities, post-sale implementation and support services exceeded our expectations. The
Tango/04 employees are intelligent, helpful, funny, patient and honest. The training they provided was
outstanding."
David Dresdow, Team Leader, JDEdwards System Administration, Stora Enso
Appendix B - COBIT 4.1 Control Objectives
COBIT is the de facto IT governance framework used by many auditing firms to assess SOX compliance.
The latest release [4], published in May 2007, comprises 34 IT processes that fall under the following
domains:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
The domains and associated processes are consistent with the responsibilities of "plan, build, run and
monitor", providing an end-to-end view of IT.
Each of the 34 IT processes is linked to a high level control objective which is further broken down into
numerous detailed control objectives. The table below shows that there are a total of 210 detailed control
objectives under COBIT 4.1.
Domain                      Number of processes   Number of detailed control objectives
Plan & Organize (PO)                 10                          74
Acquire & Implement (AI)              7                          40
Deliver & Support (DS)               13                          71
Monitor & Evaluate (ME)               4                          25
Total                                34                         210
Each new release of COBIT has resulted in a decreased number of detailed control objectives as the IT
Governance Institute (ITGI) has tried to consolidate objectives and consequently simplify the
implementation of the framework.
As a company striving to comply with SOX, you must review each of the 210 control objectives and devise
a plan to meet them. Many of the objectives can be met with the support of automated software tools, while
others simply require a documented policy or procedure. As an example, consider one of the processes
under the PO domain:
[4] COBIT 4.1, IT Governance Institute, ISBN 1-933284-72-2, 2007
Process PO6: Communicate Management Aims and Directions
Detailed objective PO6.5: Communicate awareness and understanding of business and IT objectives and
direction to appropriate stakeholders and users throughout the enterprise.
This is not an objective that is likely to be met through the use of technology. Meeting this objective would
more likely involve presentations and the dissemination of a written security plan which includes business
risks at stake and planned measures to mitigate those risks.
Other detailed control objectives can clearly be met with the use of technology. The remainder of this
Appendix will present detailed control objectives that are supported by the use of Tango/04 software
solutions.
Mapping of Tango/04 Solutions to COBIT Objectives
Domain: Acquire & Implement
Process: Acquire & Maintain Application Software
Detailed Control Objectives:
AI2.3 Application Control and Auditability
Implement business controls, where appropriate, into automated application controls such that
processing is accurate, complete, timely, authorized and auditable.
Tango/04 Solution: VISUAL Security Suite can both leverage existing auditability and enhance
and extend application auditability by easily adding new business controls. For instance, checks
for completeness and timeliness of processing, which are usually forgotten at application design
time, are frequently deployed using Tango/04 technology in our compliance projects. Extensive
business integrity controls can be added at the database level, preventing data tampering from
outside the applications. VISUAL Security Suite can alert not only on the presence of a given
event log entry but also on its absence (for instance, when someone disables the incident logging
capability of an application). Dispersed audit logs can be properly formatted and centralized on the
Tango/04 console, increasing their visibility and usefulness and adding powerful real-time
notification mechanisms. The use of web-based, real-time business and enterprise views aligns
security auditing with business practices and compliance standards. Application response times
can be measured, and application failures or service disruptions are easily detected, so specific
COBIT measurement objectives (such as the number of production problems per application
causing visible downtime) can be produced. Reports provide historical information for auditing and
forensic purposes.
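The presence-and-absence check described above (alerting when an expected log entry does not appear, and when processing is incomplete or late) is easy to mistake for ordinary pattern matching, so the following is an added example of how such a monitor works. It is not Tango/04 code and not the VISUAL Security Suite's rule syntax; the log format, the AUDIT_HEARTBEAT and BATCH_START/BATCH_END event names, the 90-minute and 2-hour thresholds, and every log line are constructed for the example.

```python
"""Presence-and-absence checks over an application audit log.

Added example (not Tango/04 code): a monitor that alerts not only when a
given log entry appears but also when an expected entry does NOT appear,
which is how a disabled audit facility or a batch job that never finished
is caught.  All log lines, event names and thresholds are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "TIMESTAMP KEY=VALUE ..." format.
# The application is expected to write AUDIT_HEARTBEAT every hour; the gap
# between 03:00 and 06:00 simulates the audit facility being switched off.
SAMPLE_LOG = """\
2007-06-01T00:05:00 APP=PAYROLL EVENT=BATCH_START JOB=NIGHTLY
2007-06-01T00:42:10 APP=PAYROLL EVENT=BATCH_END JOB=NIGHTLY RECORDS=1200
2007-06-01T01:00:00 APP=PAYROLL EVENT=AUDIT_HEARTBEAT
2007-06-01T02:00:00 APP=PAYROLL EVENT=AUDIT_HEARTBEAT
2007-06-01T03:00:00 APP=PAYROLL EVENT=AUDIT_HEARTBEAT
2007-06-01T06:00:00 APP=PAYROLL EVENT=AUDIT_HEARTBEAT
2007-06-01T07:00:00 APP=PAYROLL EVENT=AUDIT_HEARTBEAT
2007-06-01T23:30:00 APP=PAYROLL EVENT=BATCH_START JOB=NIGHTLY
"""


def parse_log(text):
    """Parse each line into a dict with a 'ts' datetime plus the KEY=VALUE fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        ev = {"ts": datetime.fromisoformat(ts_str)}
        for field in rest.split():
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def heartbeat_gaps(events, app, max_gap, now):
    """Return (last_seen, gap) for every stretch longer than max_gap without an
    AUDIT_HEARTBEAT from app.  The stretch from the last heartbeat up to `now`
    is included, so a logger that was switched off and never resumed also fires."""
    beats = [e["ts"] for e in events
             if e.get("APP") == app and e.get("EVENT") == "AUDIT_HEARTBEAT"]
    gaps = []
    for earlier, later in zip(beats, beats[1:] + [now]):
        gap = later - earlier
        if gap > max_gap:
            gaps.append((earlier, gap))
    return gaps


def unfinished_batches(events, deadline, now):
    """Return (app, job) for every BATCH_START with no BATCH_END within deadline:
    completeness and timeliness of processing, checked from the log alone."""
    open_jobs = {}          # (app, job) -> start time of the still-running batch
    late = []
    for e in events:
        key = (e.get("APP"), e.get("JOB"))
        if e.get("EVENT") == "BATCH_START":
            open_jobs[key] = e["ts"]
        elif e.get("EVENT") == "BATCH_END" and key in open_jobs:
            if e["ts"] - open_jobs.pop(key) > deadline:
                late.append(key)   # finished, but after the deadline
    for key, started in open_jobs.items():
        if now - started > deadline:
            late.append(key)       # never finished: the absent BATCH_END is the alert
    return late


def run_checks(text, now_str):
    """Evaluate the log as of now_str and return human-readable alert strings."""
    now = datetime.fromisoformat(now_str)
    events = [e for e in parse_log(text) if e["ts"] <= now]
    alerts = []
    for last_seen, gap in heartbeat_gaps(events, "PAYROLL", timedelta(minutes=90), now):
        alerts.append(f"no AUDIT_HEARTBEAT from PAYROLL for {gap} after {last_seen:%Y-%m-%d %H:%M}")
    for app, job in unfinished_batches(events, timedelta(hours=2), now):
        alerts.append(f"{app} job {job} did not complete within 2h")
    return alerts


if __name__ == "__main__":
    for alert in run_checks(SAMPLE_LOG, "2007-06-02T02:00:00"):
        print("ALERT:", alert)
```

Evaluating the log against a point in time is what turns an absence into an alert: the batch that started at 23:30 is reported as overdue once two hours have passed, even though no log line ever mentions a failure, and the same evaluation at 08:00 the previous morning reports only the three-hour heartbeat gap.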
AI2.4 Application Security and Availability
Address application security and availability requirements in response to identified risks and in line
with the organization’s data classification, information architecture, information security
architecture and risk tolerance.
Tango/04 Solution: Application usage and availability can easily be monitored and reported on in
real time or from a historical audit standpoint. Synthetic (simulated) transactions can be created
and executed periodically to test production applications' behavior on an ongoing basis, or
application logs can be used to monitor end user response times. Color-coded, web-based
dashboards can be readily configured for a dynamic view of an application failure or slowdown.
Real-time alerts of application failures can also be sent by email or to a pager or cell phone.
Strategic planning reports can be produced to analyze the best improvement alternatives for
optimizing application availability. New controls can be added at the database level, using
different levels of auditability to match the sensitivity of the protected data.
Process: Acquire & Maintain Technology Infrastructure
Detailed Control Objective:
AI3.2 Infrastructure Resource Protection and Availability
Implement internal control, security and availability measures during configuration, integration and
maintenance of hardware and infrastructural software to protect resources and ensure availability
and integrity. Responsibilities for using sensitive infrastructure components should be clearly
defined and understood by those who develop and integrate infrastructure components. Their use
should be monitored and evaluated.
Tango/04 Solution: The use of powerful tools (such as data editors, system service tools and
other specific applications) that can compromise integrity and availability can be monitored and
logged. Login and logon events can be monitored for most applications, middleware and operating
systems. File-system level checks can be created to monitor access and usage and to ensure that
access policies are respected. In addition, application availability and data integrity can be
monitored on a continuous basis. Suspicious events can produce instantaneous alerts, and audit
reports can be run to reveal usage patterns.
Domain: Deliver & Support
Process: Define and Manage Service Levels
Detailed Control Objective:
DS1.5 Monitoring and Reporting of Service Level Agreements and Contracts
Continuously monitor specified service level performance criteria. Reports on achievement of
service levels should be provided in a format that is meaningful to the stakeholders. The
monitoring statistics should be analyzed and acted upon to identify negative and positive trends
for individual services as well as for services overall.
Tango/04 Solution: Tango/04 is extremely capable in this area, since VISUAL Security Suite and
VISUAL Message Center share the same technological foundation. As a consequence, it is easy to
extend VISUAL Security Suite to monitor availability and end-to-end response time for
applications, reusing most of its components, agents and product knowledge. Synthetic
(simulated) transactions can be created and executed periodically to test production application
behavior on an ongoing basis, or application logs can be used to monitor end user response
times. Real-time alerts can be produced if expected Service Level Agreements (SLAs) are not
met. The underlying IT infrastructure can be easily mapped to the business services it supports,
and vice versa, rapidly modeling applications and service control points. Extensive IT
infrastructure monitoring can be deployed through modular, extensible Tango/04 agents. Real-time,
visual correlation of technical components with the business applications they support helps to
identify the root cause of poor performance, expediting problem resolution and keeping IT
operational staff aligned with the business strategy. SLA achievement can be evaluated against
reports that include numeric data as well as graphs to clearly depict application availability and
response times. ITIL-compliant indicators (such as MTBSI) can also be generated. The top
reasons for non-compliance with underpinning contracts can be easily identified to facilitate the
continuous improvement of service levels.
Process: Manage Performance and Capacity
Detailed Control Objective:
DS3.5 Monitoring and Reporting
Continuously monitor the performance and capacity of IT resources. Data gathered should serve
two purposes:
• To maintain and tune current performance within IT and address such issues as
resilience, contingency, current and projected workloads, storage plans, and resource
acquisition.
• To report delivered service availability to the business, as required by the SLAs.
Tango/04 Solution: Performance goals can be continuously monitored by adding Tango/04
extension monitoring modules. Extensive support for popular IT infrastructure components,
devices, platforms and middleware, together with open standards, can be used to embrace and
leverage existing monitoring tools. Any undesired deviation from normal performance goals is
immediately detected, and the appropriate stakeholders are notified. Storage occupation and
activity can be monitored at the device, file system, folder or file level. End user response time
can be monitored to guarantee adequate performance at the application level, not only at the
component level. Extensive reporting includes the ability to create historical graphs with trend and
forecasting analyses to facilitate basic system capacity planning, analysis of peak load, utilization
rates, SLA compliance, transaction failures, worst components (to identify components that must
be replaced or fixed immediately), and so on. In addition, for the System i there are several
modules to model and forecast capacity and to tune the system automatically.
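The SLA evaluation described under DS1.5 and DS3.5 (availability and end-user response time from periodic synthetic transactions, alerts when the SLA is not met, and indicators such as MTBSI) reduces to a small set of calculations over a probe series. The following is an added example in Python of those calculations; it is not Tango/04 code and does not show how VISUAL Message Center computes its indicators. The probe results, the 5-minute probe interval and the SLA targets are constructed; MTBSI is computed as the mean interval between the starts of consecutive incidents, which is the ITIL meaning of the term.

```python
"""SLA evaluation over synthetic-transaction probe results.

Added example, not Tango/04 code: computes availability, a response-time
percentile, incident count, downtime and MTBSI from a constructed series of
periodic probes and compares them with assumed SLA targets.
"""
from datetime import datetime
from math import ceil

PROBE_INTERVAL_MIN = 5   # constructed: one synthetic transaction every 5 minutes

# Constructed probe results: (timestamp, transaction succeeded, response time in ms or None)
PROBES = [
    ("2007-06-01T09:00:00", True, 310),
    ("2007-06-01T09:05:00", True, 420),
    ("2007-06-01T09:10:00", True, 380),
    ("2007-06-01T09:15:00", False, None),   # application down
    ("2007-06-01T09:20:00", False, None),   # still down: same incident
    ("2007-06-01T09:25:00", True, 950),     # back, but slow
    ("2007-06-01T09:30:00", True, 410),
    ("2007-06-01T09:35:00", True, 390),
    ("2007-06-01T09:40:00", True, 370),
    ("2007-06-01T09:45:00", True, 360),
    ("2007-06-01T09:50:00", False, None),   # second, shorter incident
    ("2007-06-01T09:55:00", True, 440),
]

SLA = {"availability_pct": 99.5, "p95_response_ms": 800}   # assumed SLA targets


def availability_pct(probes):
    """Share of probes whose transaction succeeded, as a percentage."""
    ok = sum(1 for _, up, _ in probes if up)
    return 100.0 * ok / len(probes)


def percentile(values, pct):
    """Nearest-rank percentile (values need not be sorted)."""
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def incidents(probes):
    """Group consecutive failed probes into incidents: list of (start, failed_probe_count)."""
    found, current = [], None
    for ts, up, _ in probes:
        if not up and current is None:
            current = [datetime.fromisoformat(ts), 0]   # a new incident starts here
        if not up:
            current[1] += 1
        elif current is not None:
            found.append(tuple(current))                 # service recovered
            current = None
    if current is not None:
        found.append(tuple(current))                     # still down at end of series
    return found


def mtbsi_minutes(probes):
    """Mean Time Between System Incidents: mean gap between the starts of consecutive
    incidents (ITIL definition).  None when fewer than two incidents were observed."""
    starts = [start for start, _ in incidents(probes)]
    if len(starts) < 2:
        return None
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
    return sum(gaps) / len(gaps)


def evaluate_sla(probes, sla):
    """Compare the measured indicators with the SLA; the *_met flags drive the alerts."""
    avail = availability_pct(probes)
    p95 = percentile([ms for _, up, ms in probes if up], 95)
    incs = incidents(probes)
    return {
        "availability_pct": round(avail, 2),
        "availability_met": avail >= sla["availability_pct"],
        "p95_response_ms": p95,
        "p95_met": p95 <= sla["p95_response_ms"],
        "incidents": len(incs),
        "downtime_min": sum(n for _, n in incs) * PROBE_INTERVAL_MIN,
        "mtbsi_min": mtbsi_minutes(probes),
    }


if __name__ == "__main__":
    for indicator, value in evaluate_sla(PROBES, SLA).items():
        print(f"{indicator}: {value}")
```

Downtime here is counted in whole probe intervals, so the granularity of the availability figure is bounded by how often the synthetic transaction runs; a tighter SLA needs a shorter interval, not just a lower threshold.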
Process: Ensure Continuous Service
Detailed Control Objective:
DS4.1 IT Continuity Framework
Develop a framework for IT continuity to support enterprise wide business continuity management
using a consistent process. The objective of the framework should be to assist in determining the
required resilience of the infrastructure and to drive the development of disaster recovery and IT
contingency plans. The framework should address the organizational structure for continuity
management, covering the roles, tasks and responsibilities of internal and external service
providers, their management and their customers, and the planning processes that create the
rules and structures to document, test and execute the disaster recovery and IT contingency
plans. The plan should also address items such as the identification of critical resources, noting
key dependencies, the monitoring and reporting of the availability of critical resources, alternative
processing, and the principles of backup and recovery.
Tango/04 Solution: Although this objective requires the use of other technologies (such as
clustering, backup devices, etc.), monitoring can help enormously to automate several testing
tasks of the continuity framework, since Tango/04 technology helps identify problem areas
(measuring the availability of critical business processes, generating rankings of failing
components, etc.) and monitors compliance with the continuity strategy. For instance, Tango/04
security projects usually include the monitoring of backup and recovery products (such as IBM
BRMS or Tivoli Storage Manager), file system checks, real-time indication of the health of the
continuity processes (such as replication software), and so on.
Process: Ensure Systems Security
Detailed Control Objectives:
DS5.3 Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems (business,
application, IT environment, system operations, development and maintenance) are uniquely
identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights
to systems and data are in line with defined and documented business needs and that job
requirements are attached to user identities. Ensure that user access rights are requested by user
management, approved by system owners and implemented by the security-responsible person.
Maintain user identities and access rights in a central repository. Deploy cost-effective technical
and procedural measures, and keep them current to establish user identification, implement
authentication and enforce access rights.
Tango/04 Solution: Procedures to keep authentication and access mechanisms in check include
ongoing monitoring of user profile creation, deletion, changes to user profiles, and management of
passwords. User activity such as logins and access to applications is also audited. Access right
rules can be enforced using simple rules (IP address filtering) or complex custom rules (such as
automatically holding user processes for a profile corresponding to an employee currently on
vacation until the incident is investigated). Correlation technology can be used to check
authentication mechanisms. Real-time alerts can be executed when a suspicious event occurs,
and built-in reports can be run in order to provide user activity information to the appropriate
management personnel.
DS5.4 User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing user accounts and
related user privileges with a set of user account management procedures. Include an approval
procedure outlining the data or system owner granting the access privileges. These procedures
should apply for all users, including administrators (privileged user) and internal and external
users, for normal or emergency cases. Rights and obligations relative to access to enterprise
systems and information should be contractually arranged for all types of users. Perform regular
management review of all accounts and related privileges.
Tango/04 Solution: Continuous user profile monitoring and regularly scheduled reporting allow
easy tracking of user accounts and access rights. Real-time alerts can be executed when a
questionable event occurs, such as the granting of special authority to an existing user profile.
Privileged user activity can also be tracked and reported. Inactive (obsolete) accounts can be
detected easily and automatically disabled if desired.
In addition, the Data Monitor module can audit the actions of privileged users as they access your
critical data files. Our ability to track changes to files at the record level, including "before" and
"after" images of the change, helps you to monitor and control powerful users on your system.
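The DS5.3 and DS5.4 checks above (inactive accounts, grants of special authority to an existing profile, privileged-user inventory, and activity from a profile whose owner is away) are all cross-references between a user-profile snapshot and an audit trail. The following is an added example in Python of those cross-references; it is not Tango/04 code. The profile snapshot, the audit events, the hypothetical PROFILE_CHANGE and SIGNON event types, the 90-day inactivity threshold and the HR status values are constructed for the example; the special-authority names *ALLOBJ and *SECADM are borrowed from System i only as illustrative values.

```python
"""Account-review checks over constructed user-profile and audit data.

Added example, not Tango/04 code.  Profile fields, event types and thresholds
are constructed; *ALLOBJ and *SECADM are System i special-authority names used
here only as illustrative values.
"""
from datetime import datetime, timedelta

# Constructed user-profile snapshot: profile name -> attributes.
PROFILES = {
    "JSMITH":  {"enabled": True,  "auth": [],                     "last": "2007-05-30T09:12:00", "hr": "active"},
    "MBROWN":  {"enabled": True,  "auth": ["*ALLOBJ"],            "last": "2007-01-03T17:45:00", "hr": "active"},
    "TEMP01":  {"enabled": True,  "auth": [],                     "last": None,                  "hr": "active"},
    "AGARCIA": {"enabled": True,  "auth": [],                     "last": "2007-06-01T08:00:00", "hr": "on_leave"},
    "SECOFR":  {"enabled": True,  "auth": ["*ALLOBJ", "*SECADM"], "last": "2007-06-01T07:30:00", "hr": "service"},
    "OLDCTR":  {"enabled": False, "auth": [],                     "last": "2006-11-20T12:00:00", "hr": "left"},
}

# Constructed audit trail (hypothetical event types).
AUDIT_EVENTS = [
    {"ts": "2007-06-01T08:00:00", "type": "SIGNON", "user": "AGARCIA"},
    {"ts": "2007-06-01T10:15:00", "type": "PROFILE_CHANGE", "user": "ADMIN1",
     "target": "JSMITH", "added_auth": ["*ALLOBJ"]},
    {"ts": "2007-06-01T10:20:00", "type": "SIGNON", "user": "JSMITH"},
    {"ts": "2007-06-01T11:00:00", "type": "PROFILE_CHANGE", "user": "ADMIN1",
     "target": "TEMP01", "added_auth": []},
]

WATCHED_AUTH = {"*ALLOBJ", "*SECADM"}   # authorities whose grant must always be reviewed


def inactive_accounts(profiles, now, max_idle=timedelta(days=90)):
    """Enabled profiles that never signed on or have not within max_idle (DS5.4 obsolete accounts)."""
    stale = []
    for name, p in profiles.items():
        if not p["enabled"]:
            continue                         # already disabled; nothing left to revoke
        last = p["last"]
        if last is None or now - datetime.fromisoformat(last) > max_idle:
            stale.append(name)
    return sorted(stale)


def special_authority_grants(events, watched=WATCHED_AUTH):
    """(target, authority, granted_by) for every watched authority added to an existing profile."""
    grants = []
    for e in events:
        if e["type"] != "PROFILE_CHANGE":
            continue
        for auth in e.get("added_auth", []):
            if auth in watched:
                grants.append((e["target"], auth, e["user"]))
    return grants


def activity_while_on_leave(profiles, events):
    """Profiles with sign-on activity although HR lists their owner as on leave."""
    users = {e["user"] for e in events if e["type"] == "SIGNON"}
    return sorted(u for u in users if profiles.get(u, {}).get("hr") == "on_leave")


def privileged_accounts(profiles):
    """Profiles holding any special authority, for the periodic privileged-user review."""
    return sorted(name for name, p in profiles.items() if p["auth"])


def review(profiles, events, now_str):
    """Run every check as of now_str and return the findings by category."""
    now = datetime.fromisoformat(now_str)
    return {
        "inactive": inactive_accounts(profiles, now),
        "authority_grants": special_authority_grants(events),
        "on_leave_activity": activity_while_on_leave(profiles, events),
        "privileged": privileged_accounts(profiles),
    }


if __name__ == "__main__":
    for finding, items in review(PROFILES, AUDIT_EVENTS, "2007-06-02T00:00:00").items():
        print(f"{finding}: {items}")
```

The grant check reads the audit trail rather than the snapshot, so a *ALLOBJ granted and later removed between two reviews is still reported; the inactivity check deliberately skips profiles that are already disabled so that the review list contains only accounts on which someone still has to act.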
DS5.5 Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security should be
reaccredited in a timely manner to ensure that the approved enterprise’s information security
baseline is maintained. A logging and monitoring function will enable the early prevention and/or
detection and subsequent timely reporting of unusual and/or abnormal activities that may need to
be addressed.
Tango/04 Solution: The real-time notification feature provides instant alerts and automatic
actions to quickly respond to security violations. Audit reports provide full information on potential
violations and on specific issues, for example the use of sysdba / sysadmin / security officer user
profiles, or access to sensitive objects. Integration of third-party security products (such as
antivirus or vulnerability scanners) is possible through the use of any of the numerous industry
standard protocols and technologies supported by Tango/04. Extensive business application
controls can be added to extend existing application security controls. Complex security policy
rules can be implemented and automatically checked using the Tango/04 console in real time.
DS5.9 Malicious Software Prevention, Detection and Correction
Put preventive, detective and corrective measures in place (especially up-to-date security patches
and virus control) across the organization, to protect information systems and technology from
malware (e.g. viruses, worms, spyware, spam).
Tango/04 Solution: VISUAL Security Suite can detect deviations from corporate security policy in
many areas, including changes to system settings, user profiles, objects and data files. We also
monitor logs and alerts coming from antivirus software, firewalls, IDS, applications, web servers
and network devices. Events are sent to a centralized console where they are consolidated into a
single view for further analysis. Beyond that, we provide you with the ability to generate real-time
alerts when a suspicious event occurs so you can take immediate action on the problem at hand.
Our technology additionally includes the ability to perform actions (such as disabling a user at
once from several platforms and domains, modifying a system setting, or ending a process) when
an alert is generated so incidents can be handled automatically.
Process: Manage Service Desk and Incidents
Detailed Control Objective:
DS8.3 Security Requirements for Data Management
Establish service desk procedures, so incidents that cannot be resolved immediately are
appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are
provided. Ensure that incident ownership and life cycle monitoring remain with the service desk for
user-based incidents, regardless of which IT group is working on resolution activities.
Tango/04 Solution: Security incidents can be automatically escalated using notification rules
and multiple delivery mechanisms (pager, SMS, email). Guidance text (or even multimedia files)
can be shown to the operators at incident time, offering context-sensitive information from the
knowledge base about the procedures to be followed. The open architecture of the Tango/04
console makes it easy to forward incident data to third-party service desk products, such as
Remedy. Bi-directional integration is also possible. As the modeling of business services and
their underlying IT components is very easy on the Tango/04 console, real-time, accurate, dynamic
information about the real business impact of each incident is easy to attach to the original event,
thus aligning IT priorities with business priorities. Enrichment of event data, correlation and
business-impact information can be added to the forwarded event to reduce resolution times.
Process: Manage Problems
Detailed Control Objective:
DS10.1 Identification and Classification of Problems
Implement processes to report and classify problems that have been identified as part of incident
management. The steps involved in problem classification are similar to the steps in classifying
incidents; they are to determine category, impact, urgency and priority. Categorize problems as
appropriate into related groups or domains (e.g., hardware, software, support software). These
groups may match the organisational responsibilities of the user and customer base, and should
be the basis for allocating problems to support staff.
Tango/04 Solution: Security incidents can be automatically classified or categorized based on the
original event data, correlated data, or any additional data that can be calculated or retrieved,
even from remote systems. As the modeling of the business services and their underlying