White Paper. February McAfee Protection-in-Depth Strategy. Issues in Risk Management: Sarbanes-Oxley Compliance and IT Security.

Transcription

1 White Paper February 2005 McAfee Protection-in-Depth Strategy Issues in Risk Management:

2 2 Table of Contents Background 3 Will SOX Initiatives Deliver a Return on Investment? 3 Who Should Be Concerned about SOX? 4 SOX and IT Security 4 Table I: Common Vulnerabilities in IT Infrastructure 5 A Model for Internal Control 5 Table II: The COSO Framework and the Foundstone/McAfee Approach 5 Tools for Securing the IT Infrastructure 6 Table III: Summary of McAfee Control Tools 6 Prioritizing Risk A Key Strength 7 Meeting the Needs of SOX and Enterprise Risk Management 8 McAfee PrimeSupport 9 Conclusion 9 0

3 3 Background The off-balance-sheet corporate accounting misdeeds of Enron, Worldcom, and other companies during the 1990s were pivotal events that set the stage for SEC and investor outrage and the passage of H.R. 3763, also known as the Sarbanes-Oxley (SOX) Act of This landmark legislation sought to restore confidence in the governance of public companies following a number of widely publicized financial scandals, and resulted in the most stringent guidelines ever for assuring the accuracy and completeness of corporate financial reports. The goal of SOX, of course, is to bring greater accuracy, visibility, and transparency to corporate financial reporting. To do this, the legislation seeks to: Eliminate the incentives for falsifying financial data by combining direct executive accountability with the threat of prosecution Eliminate the opportunities for manipulating financial data by requiring the establishment and certification of adequate and auditable internal controls Section 302 of the legislation establishes direct executive accountability for financial reporting. It states that the CEO and CFO of issuing companies must prepare a statement to accompany its financial reports certifying the appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer. Any officer who knowingly and intentionally violates this section can be liable for up to $5 million in fines and/or twenty years imprisonment. Among other things, Section 302 requires a company to attest: 1. The signing officers have reviewed the report. 2. The report does not contain any material untrue statements or material omissions, or could be considered misleading. 3. The signing officers are responsible for and have evaluated the company s internal controls within the previous ninety days, and have reported their findings. 4. A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved in internal activities is reported. 5. Any significant changes in internal controls or related factors that could have a negative impact on the internal controls are reported. Section 404 of SOX broadly sets forth the responsibility of management for establishing and maintaining an adequate internal control structure for financial reporting. It further requires management to conduct an annual self-assessment stating the effectiveness of the internal control structure and procedures for financial reporting, and requires an auditor to attest to and report on management s assessment. Although Section 404 offers little specific guidance as to the kinds of internal controls and procedures it covers, most companies have interpreted Section 404 to encompass all corporate policies, business processes, reporting, computer systems, and networks that feed into their financial reporting. This breadth of coverage, coupled with a lack of specific guidelines, is what has made Section 404 so challenging for companies to address. Will SOX Initiatives Deliver a Return on Investment? While some companies may regard SOX as an example of a few bad apples spoiling things for the whole bunch, many also recognize that SOX brings long-needed discipline to financial reporting, as well as to the business processes and digital assets that are essential to it. These companies understand that by extending SOX initiatives strategically throughout the business, they stand to gain significant ancillary benefits, such as: Improved operational efficiency Better control over information Enhanced ability to manage risk Increased investor confidence Easier accesss to capital through improved corporate governance Even considering that compliance initiatives are still in their early stages, some companies have already reported a positive ROI from the changes brought about by Sarbanes-Oxley. In one recent survey, * more than a quarter of all respondents said that they had seen a positive return on investment from the internal controls mandated by SOX. (Of the remaining respondents, 10 percent considered their SOX investment a break-even; 49 percent said it was too early to gauge SOX ROI; and 17 percent saw no measurable benefit beyond compliance.) As companies gain greater experience in imple- *Source: CMP Media, Compliance Pipeline Quick Poll, January 2005.

4 4 menting and measuring the impact of internal controls, we would expect to see even higher recognition of positive ROI. As you ll see in this paper, Foundstone and McAfee offer numerous technologies that help your company rapidly and thoroughly address the most difficult aspects of Section 404 compliance. More important, these same tools and technologies will enable you to move beyond compliance to broader risk management initiatives, allowing your company to operate more securely, efficiently, and profitably. Who Should Be Concerned about SOX? All SEC-registered companies are required to comply with the SOX legislation. That means not just companies whose shares trade on a public exchange, but also companies that have floated public debt. Chances are, if you are one of these companies you already know that SOX applies to you. What you may not know is that SOX compliance also may be an issue for companies that: Are considering SEC registration in the future Are vendors to SEC-registered companies that may require others to show compliance in support of their own compliance efforts Are seeking to gain a competitive advantage by implementing best practices in financial reporting Entities not often considered include: Savings associations Small-Business Issuers Final rules apply to all companies that file Exchange Act periodic reports, regardless of their size Non-U.S. Companies Foreign issuers (including Canadian issuers) must comply Unlisted Companies Any unlisted companies with public debt must comply with the SEC s reporting requirements, including executive certification and internal control reporting requirements Municipal Utilities or Universities Any entity that must file a Form 10-K or 10-Q SOX and IT Security Section 404 of the Sarbanes-Oxley Act requires companies to perform a detailed self-assessment of the risks affecting their financial reporting systems, and to implement and maintain internal controls to mitigate these risks. Section 404 doesn t specifically mention IT security when it discusses assessing and maintaining internal controls. But there s no question that computer and network security are at the heart of compliance. That s because nearly all corporate financial information is stored on and accessed from the applications, networks, and computer systems within an organization s IT infrastructure. As a result, these networks, devices, and applications become an integral part of financial reporting. Senior management will demand assurances that the financial reporting process and its systems are bulletproof before they sign on the dotted line and certify their annual and interim reports. To do this, they will need to answer several important questions: What data is used to create our financial reports? Where does the data come from? What business processes and applications are involved? What networks are used to transmit the data? Who has access to the networks, applications, and systems used to create the reports? What inherent vulnerabilities exist in the networks, applications, and systems used? What vulnerabilities exist in the business processes and policies? What controls are used to ensure that none of the networks, applications, systems, or business processes can be compromised? Are the controls effective and adequate to the purpose? By what method do we assess the adequacy of our internal controls, and will this method satisfy our auditor s requirements? Under the law, companies must identify vulnerabilities in the network or systems that are related to financial reporting, assess their severity, remedy material weaknesses, and implement controls to monitor vulnerabilities and protect against future exploits. This is no simple task, since vulnerabilities are legion in today s networks and applications. And those who seek to exploit these vulnerabilities are as likely (if not more likely) to come from inside the company as from outside. Table 1 shows some of the more common areas of vulnerability:

5 5 Table I: Common Vulnerabilities in IT Infrastructure System Component Network Firewall Network Routers, Gateways Host Operating Systems Applications Data-Access Controls Vulnerabilities Arising from: Open ports for VPNs, Web access, remote workers Misconfiguration, default passwords used Known bugs, out-of-date patches, root access poorly controlled Known bugs, non-authorized (rogue) applications in use, viruses, trojans, and other malicious code Departed and reassigned employees, newly created databases, no separation of duties between data administrator and users A Model for Internal Control There are many frameworks and approaches to internal control, particularly in the context of IT infrastructure. Most are based on the widely accepted framework of processes and principles developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and laid out in its document, Internal Control Integrated Framework. The COSO framework was originally created to help organizations assess and enhance their internal control systems and has become the basis for SOX compliance initiatives. It was recently expanded and refined to create a sister document, Enterprise Risk Management Integrated Framework. Because the COSO framework is intended to provide high-level general guidance, other organizations (such as the ISACA, ITGI, and the ISO) have issued even more detailed guidance on internal controls. The details of these frameworks are beyond the scope of this paper, but each of them recognizes the centrality of IT security in establishing and monitoring internal control. They also agree that effective internal control is a multi-faceted problem with several components that can only be addressed through a combination of policy, process, and technology. McAfee has helped companies achieve Section 404 compliance using a simple ten-step process for effectively dealing with network and system vulnerabilities that can affect financial reporting. Our process closely mirrors the five major components of the COSO framework, as shown in the table below. Table II: The COSO Framework and the McAfee Approach COSO Framework Control Environment Risk Assessment Control Activities Information and Communication Monitoring McAfee Process 1. Policy Establish the process, standards, and guidelines 2. Inventory Discover all assets across the network 3. Prioritize Assign business value to assets 4. Vulnerabilities Determine vulnerabilities on assets 5. Threats View potential threats 6. Risk Determine risk level 7. Shield Stop intrusions in real time 8. Remediation Proactively fix vulnerabilities 9. Measure Measure the impact of security decisions 10. Compliance Review for policy compliance

6 6 Note that a number of the steps in the McAfee process relate to essentially human processes, such as establishing policy, prioritizing assets, determining acceptable risk levels, measuring the impact of security decisions, and reviewing for compliance. Other steps in the table relate to processes that are ideally suited to technology, such as discovering assets across the network, determining vulnerabilities, viewing potential threats, preventing threats in real time, and remediating vulnerabilities. In the next section, we will look more closely at how McAfee helps you address the technology-based processes and also provide vital data needed to support human decisions. Foundstone Professional Services also offer extensive risk assessment services, penetration testing, and other services that are beneficial to SOX compliance. McAfee products and services are aimed at reducing risk. We can help reduce regulatory risk of noncompliance with Sarbanes-Oxley and the SEC s regulations through welldocumented processes and controls that provide a credible body of evidence that the certifying officers have established effective internal control over financial reporting. We also help reduce risk by identifying key risk areas and control points that enable the certifying officers to better manage processes and drive accountability throughout the organization. One final difference to note between the COSO model and the McAfee process is that McAfee takes a more granular view of risk assessment. Risk is a composite of three variables that can be expressed: Risk = Assets x Vulnerabilities x Threats (R = AxVxT) In any given situation, each of these variables (assets, vulnerabilities, and threats) has a unique value. The organization s policy determines which values carry more weight and what sum of all values is considered tolerable (i.e., the organization s risk tolerance). This is a good thing, because not all risks are equal and, as a practical matter, it would be unreasonably expensive and counter-productive to eliminate all risk. Tools for Securing the IT Infrastructure McAfee offers a wide range of technologies and tools to help companies address all phases of internal control and IT security to meet the demands of Sarbanes-Oxley and overall enterprise risk management. We enable companies to quickly assess their vulnerability to risk; implement controls to mitigate, prevent, or remediate risk; and to manage and document their internal control processes. Some of our most important enterprise-class internal control solutions are listed in Table III. Table III: Summary of McAfee Control Tools Solution Area Tool or Technology Scope Threat Monitoring Foundstone Enterprise, (System, Network) McAfee VirusScan 8.0i Prior to incident Vulnerability Detection, Monitoring, and Remediation Network Intrusion Prevention Foundstone Enterprise (misconfigurations, unapplied patches, open ports, rogue systems and devices, default passwords, etc.) McAfee IntruShield (network device monitoring), McAfee WebShield (Web content monitoring) (Network) Prior to incident (Network) During incident Host Intrusion Prevention McAfee Entercept (System Root) Prior to incident Client Intrusion Prevention McAfee Desktop Firewall (Client) Prior to incident Anti-Virus Scanning and Removal Documenting Internal Controls and Incidents McAfee VirusScan 8.0i (application and system activity monitoring) McAfee epolicy Orchestrator, Entercept Management System (System) During incident (Policy, System, Network) Post incident Information Security Management Foundstone Professional Services Risk Assessment, Policy Review and Development

7 7 Foundstone Enterprise A comprehensive vulnerability management solution engineered to manage and mitigate the business risks associated with digital vulnerabilities. It is the most accurate, flexible, and scalable vulnerability management system available today and offers network infrastructure protection through asset discovery, inventory, and prioritization; threat intelligence and correlation; and remediation tracking and reporting. With its extensive capabilities, Foundstone Enterprise helps organizations manage multiple aspects of SOX compliance, including risk assessment, internal control implementation and measurement, and compliance monitoring. Further, it provides extensive flexibility and customization options so organizations can tailor their vulnerability management processes to meet specific network, compliance, and business requirements. Foundstone Enterprise provides tools to: Rapidly discover and map the entire global network Pinpoint and prioritize your most valuable information assets Relentlessly probe for vulnerabilities and determine risk Provide threat intelligence alerts for quick response to fast-spreading attacks Facilitate strategic protection of critical assets, according to business requirements, policies, and rules Assign, manage, and validate remediation Track and measure progress and improvements, and cost/benefits By 2005, more than 40 percent of G2000 firms will adopt Risk Management and a balanced risk/reward reporting process, improving portfolio investment decisions (build, buy, retire, table, postpone) based on defined and accepted RM analyses. Paul Proctor, META Group Prioritizing Risk A Key Strength Because risk is a mult-faceted problem, Foundstone and McAfee compliance solutions allow companies to easily prioritize and address risk based on the value of its component variables. This is particularly advantageous in the case of SOX compliance because it lets companies meet their immediate need for identifying and controlling risks related to financial reporting without embarking on more lengthy and expensive IT security initiatives. In short, Foundstone and McAfee solutions let you start small and move incrementally toward overall enterprise risk management, according to your budgets and business priorities. McAfee Entercept A host intrusion prevention system that proactively defends enterprises from the full range of known, zero-day, DoS, and encrypted attacks. Unlike intrusion detection solutions, which merely detect these costly exploits, Entercept prevents them before they occur. In addition to the enterprise version, other versions of Entercept are available to meet the special requirements of database servers and Web servers. For SOX compliance, Entercept provides an effective control point for one of the most vital areas of IT vulnerability. Working in tandem with Entercept, the McAfee Entercept Management System provides comprehensive, enterpriseclass management for all Entercept products. The single management server and geographically distributed consoles reduce security complexity and supply a scalable, robust, and highly available infrastructure. With centralized policy administration and support for multiple platforms, the Entercept Management System enables consistent, reliable security for heterogeneous servers and desktops, and support for SOX-specific security policies. McAfee IntruShield A family of pioneering intrusion prevention appliances that redefine the deployment of network security by enabling the most comprehensive intrusion prevention for advanced threat protection against known, zero-day, encrypted, and DoS attacks. IntruShield s IPS technology provides unparalleled prevention accuracy, centralized management, enterprise-class bandwidth scalability, and mission-critical performance in all network environments. IntruShield appliances are available to meet the specific needs of remote/branch offices, the enterprise network perimeter, and the enterprise network core (or data centers), at up to multi-gigabit speeds. Using high-speed sensors and patented threat detection techniques, IntruShield provides reliable control points offering accurate, comprehensive realtime threat detection and prevention.

8 8 McAfee also offers IntruShield Global Manager for administering IntruShield sensor appliance deployments of up to several hundred sensors. Integrating a comprehensive set of security management functions, the IntruShield system dramatically simplifies and streamlines the complex tasks associated with intrusion prevention system (IPS) configuration, policy compliance, and threat and response management. McAfee VirusScan 8.0i A highly advanced anti-virus application, integrating elements of intrusion prevention and firewall technology into a single solution for PCs and file servers. This powerful combination delivers truly proactive protection from the newest of today s threats including buffer-overflow exploits, spyware, and blended attacks and features advanced outbreak management responses to reduce the damage and costs of outbreaks. VirusScan 8.0i is an essential component of a SOX-compliant internal control strategy, with award-winning virus-scanning technology and the ability to identify previously unknown viruses. This suite of protection can be centrally managed by McAfee epolicy Orchestrator or ProtectionPilot for scalable security policy compliance and graphical reporting. McAfee Webshield Configure-and-forget appliances designed to protect important financial data and other digital assets at the Internet gateway, scanning inbound and outbound traffic for SMTP, HTTP, FTP, and POP3 protocols. The Webshield appliances offer unmatched performance, detection, and cleaning of viruses and protection against unwanted mail in the form of spam and unwelcome content for companies of any size. McAfee Desktop Firewall Proactively protects network desktop clients against new threats that anti-virus software cannot defeat alone. Combining comprehensive network and application firewall capabilities with intrusion detection, Desktop Firewall prevents clients from sending or receiving traffic- or application-borne threats. It also precludes trusted applications from being used to spread attacks across the network. Desktop Firewall integrates with McAfee epolicy Orchestrator for scalable, centralized management and reporting. McAfee epolicy Orchestrator The industry-leading system security management solution, and a key tool for implementing control policies, protecting against threats, and monitoring compliance. McAfee epolicy Orchestrator delivers a coordinated, proactive defense against malicious threats and attacks for the enterprise. As the central hub of McAfee System Protection Solutions, administrators can mitigate the risk of rogue, non-compliant systems, keep protection up-to-date, configure and enforce protection policies, and monitor security status, 24/7, from one centralized, enterprise-scalable console. A vital tool for documenting and monitoring internal controls. Foundstone Professional Services Technology can help you address a specific component of meeting Sarbanes- Oxley compliance, however a professional services engagement can help to fill the remaining gaps and ensure compliance. Foundstone Professional Services offer risk assessment services in line with FFIEC, ISO17799, and NIST guidelines, to help comply with risk assessment requirements. Foundstone Professional Services can also help organizations to assess the current state of their information security policies, and develop policies that comply with regulations such as Sarbanes-Oxley. Internal control is most effective when controls are built into the entity s infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions. COSO, Executive Summary of Internal Control Integrated Framework Meeting the Needs of SOX and Enterprise Risk Management Clearly, for SEC-registrants, the issue is not if, but when and how to go about the process of complying with Section 404. Simply gauging the scope of financial reporting and the need for internal control has proven to be a time- and resource-consuming effort for many companies, and some are further down this road than others. But McAfee can make this job far more manageable for companies by powerful, scalable suites of solutions that can be implemented in the short timeframe that SOX allows, and interoperate with your current IT and security infrastructure. Our solutions can help you: Enforce policies for internal control Inventory and value digital information assets Identify and manage vulnerabilities throughout your infrastructure (network, application, host) Implement auditable internal controls Establish a control baseline and a process for measuring and reporting on ongoing improvements Provide comprehensive reports for auditing

9 9 McAfee PrimeSupport McAfee has pursued a strategy of providing best-of-breed technology for each type of security and performance management application but the Protection-in-Depth Strategy is more than just deploying and implementing bestof-breed solutions today. Prevention is certainly our first priority, but inevitably, you will have to react to a problem. The McAfee PrimeSupport program is essential for making the most of your investment in McAfee System and Network Protection Solutions. McAfee s PrimeSupport team has all the right resources and is ready to deliver your needed service solution. PrimeSupport resources include: delivering authorization to access all available maintenance releases and product upgrades, access to a comprehensive suite of additional online self-support capabilities, live telephone support accessible 24/7/365, available assigned support account managers, and a range of software and hardware support solutions that can be tailored to meet your needs. Conclusion Looking beyond the requirements of Sarbanes-Oxley, our tools will also help you improve overall corporate governance, reduce risk throughout your organization, and reduce costs over time. Better risk management and financial controls can also help you gain improved visibility into business operations, build your company s market value, and enhance your ability to secure capital. For additional information on McAfee compliance solutions, visit:. McAfee, Inc Freedom Circle, Santa Clara, CA 95054, , McAfee products denote years of experience and commitment to customer satisfaction. The McAfee PrimeSupport team of responsive, highly skilled support technicians provides tailored solutions, delivering detailed technical assistance in managing the success of mission-critical projects all with service levels to meet the needs of every customer organization. McAfee Research, a world leader in information systems and security research, continues to spearhead innovation in the development and refinement of all our technologies. McAfee, Foundstone, VirusScan, IntruShield, WebShield, Entercept, Desktop Firewall, epolicy Orchestrator, Protection-in-Depth, and PrimeSupport are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners McAfee, Inc. All Rights Reserved. 6-sps-sox