Sarbanes-Oxley Compliance Using The Hitachi ID Identity Management Suite

Using The Hitachi ID Management Suite to Comply with The Sarbanes-Oxley Act of 2002 © 2014 Hitachi ID Systems, Inc. All rights reserved.


This Hitachi ID Information Technology, Inc. whitepaper explores the Sarbanes-Oxley Act and how it impacts any company whose shares are publicly traded on a United States stock exchange. Read about what the Act entails and how it influences information security in these organizations. Learn about Hitachi ID's comprehensive solutions to meet SOX regulations. The information provided is garnered from years of experience providing identity management solutions to hundreds of corporations.


Page 1: Sarbanes-Oxley Compliance Using The Hitachi ID Identity Management Suite

Using The Hitachi ID Management Suite to Comply with The Sarbanes-Oxley Act of 2002

© 2014 Hitachi ID Systems, Inc. All rights reserved.


This Hitachi ID Systems, Inc. whitepaper explores the Sarbanes-Oxley Act and how it impacts US-listed publicly traded corporations. Read about what SOX requires in terms of information security. Learn about Hitachi ID Systems' comprehensive identity management solutions and how they help companies meet SOX requirements.

Contents

1 Introduction . . . 1
2 The Sarbanes-Oxley Act of 2002 . . . 1
3 Relevant Sections . . . 2
3.1 Section 201 . . . 2
3.2 Section 302 . . . 2
3.3 Section 404 . . . 3
3.4 Section 409 . . . 3
4 Impact of Sarbanes-Oxley on Information Security . . . 4
5 Impact of Sarbanes-Oxley on Identity Management . . . 5
6 Hitachi ID Solutions Meeting Sarbanes-Oxley Requirements . . . 7
6.1 The Hitachi ID Identity Management Suite . . . 7
6.2 Meeting Sarbanes-Oxley Requirements . . . 9
7 Summary . . . 11


Sarbanes-Oxley Compliance Using The Hitachi ID Management Suite

1 Introduction

This document includes a brief overview of the Sarbanes-Oxley Act of 2002 (SOX), and describes how it impacts information security in publicly traded, US-listed corporations.

The Hitachi ID Identity Management Suite is then introduced, and its use to comply with SOX requirements is described.

Please note that this document does not constitute legal advice. This document represents the best understanding of Hitachi ID of the relevance of this legislation to information security in general and to identity management in particular.

2 The Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 is an Act of the United States Congress, "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."

The Sarbanes-Oxley Act of 2002 was enacted in response to public accounting scandals at Enron, WorldCom, Tyco and elsewhere. It introduces new measures, and amends existing measures, to ensure that financial statements made by publicly traded corporations are accurate, reliable and timely.

The Sarbanes-Oxley Act of 2002 includes the following broad provisions:

• Introduction of a board to oversee registered audit firms.

• Requirements for independence of auditors from other services provided to publicly traded companies.

• Introduction of rules of corporate responsibility, and in particular responsibility for senior officers of public corporations.

• Improved financial disclosures.

• Prohibition of conflicts of interest affecting financial analysts.

• New resources and authority for the Securities and Exchange Commission.

• Rules and penalties regarding fraud.

• Rules and penalties regarding corporate taxes.

• Initiation of studies to further improve the corporate governance environment in the United States.

The Sarbanes-Oxley Act of 2002 was signed into law on July 30, 2002. Large corporations had to comply as of June 15, 2004. Smaller companies had to comply fully by April 15, 2005.

© 2014 Hitachi ID Systems, Inc.. All rights reserved. 1


3 Relevant Sections

While the Sarbanes-Oxley Act of 2002 does not make specific mention of information security, it does make reference to sound internal controls, which in turn depend on information security. Some of the relevant highlights from the Act follow:

3.1 Section 201

Among other things, section 201 prohibits financial auditors from also providing these services:

• Financial information systems design and implementation.

• Management functions or human resources.

Information Security Impact:

Since both financial systems and HR may be closely integrated with information security infrastructure, this effectively prevents auditors from becoming closely involved in the design and implementation of information security projects.

3.2 Section 302

Section 302 stipulates that the principal executive officer (CEO) or officers and the principal financial officer (CFO) or officers, or persons performing similar functions, certify in each annual or quarterly report that:

• They are responsible for internal controls.

• They have designed internal controls to ensure that all material financial information is available to the appropriate persons to support preparation of these annual or quarterly reports.

• They have evaluated the effectiveness of the above internal controls in the last 90 days.

• They include in the annual or quarterly report information about their assessment of the effectiveness of internal controls.

The CEO and CFO (or equivalent) must also disclose to their auditors any significant deficiencies in their internal controls, and any fraud that has been discovered and that involves staff with a key role related to internal controls.

Finally, the CEO and CFO must disclose if there were any changes in internal controls, and corrective action taken to address previous problems with internal controls.


Information Security Impact:

This section requires very strong internal controls, and management assurance that the controls are designed and implemented effectively. Internal controls in financial reporting systems require sound security, since these systems cannot be trusted without ensuring:

• Protection of data

• Authentication of users

• Authorization of user actions

• A capability to audit user actions and transactions, in order to create accountability

3.3 Section 404

Section 404 requires that management include in their annual report:

• A statement of responsibility for internal controls.

• An assessment of the current state of internal controls.

This section also requires that registered public accounting firms attest to and report on the assessment of internal controls.

Information Security Impact:

This section simply strengthens the requirement for strong internal controls, initially laid out in Section 302.

3.4 Section 409

Section 409 introduces a requirement for public companies to provide "real time" (i.e., very timely) reporting on material changes in the condition and operations of the company.

Information Security Impact:

This section implies that internal controls be so efficient and reliable as to support real-time publication of important business data from ERP and operational systems.


4 Impact of Sarbanes-Oxley on Information Security

Internal controls in a financial system depend on the following information security capabilities:

• Users are reliably authenticated before they can access the system.

It should be difficult or impossible for anyone other than a legitimate user to impersonate that user.

• Only authorized users have access to the system.

This implies control over the introduction of new users into the system, and an efficient, reliable process to terminate access once it is no longer appropriate.

• Once signed in, users can only perform actions for which they have authority.

This implies a strong connection between business processes, which determine what privileges are appropriate to each user, and access controls inside the system.

• Users are assigned rights in a manner that allows one user to monitor the actions of another.

This is where traditional financial controls, such as separation of duties, fit into the security structure.

• User actions are recorded in an indelible record.

It should be possible to trace user actions after the fact, for audit and accountability reasons.

• Data is protected.

This implies encryption of transmitted and stored data, access controls at the data storage layer (filesystem or database), and sound backups.

It is important to note that financial information systems depend on other information systems infrastructure: directories, network operating systems, perimeter defenses, virus protection and more. When considering information security requirements for a financial system, it is essential to protect all of this supporting infrastructure as well.


5 Impact of Sarbanes-Oxley on Identity Management

In the previous section, internal controls were translated into requirements for information security. Next, the information security requirements can be mapped to identity management processes.

• It should be difficult or impossible for anyone other than a legitimate user to impersonate that user.

User authentication should be reliable and secure:

– Passwords must be hard to guess – complex, frequently changing, never reused and never shared. When other forms of authentication

– Q&A profiles, frequently used by corporate help desks to authenticate users who forgot or accidentally disabled their passwords, must contain many personal, private question/answer pairs, some standard and some user-defined, to ensure accurate authentication.

– Hardware tokens must be accompanied by a reasonably long, hard-to-guess and secret password or PIN.

– Biometric samples must be collected and stored in a secure, reliable fashion (e.g., it is not appropriate to e-mail users a PIN asking them to provide a biometric sample, because then that sample would be no more reliable than the e-mail system and PIN).

• Control over the introduction of new users into the system.

Business processes must be connected to user provisioning processes:

– Automated provisioning may be triggered by users being added to an authoritative system, such as an HR database.

– A security workflow may be used, allowing business users to request systems access, but ensuring that all requests are properly validated and authorized by suitable managers before they are fulfilled.

• An efficient, reliable process to terminate access once it is no longer appropriate.

Business processes must be connected to user deprovisioning processes:

– Automated deprovisioning may be triggered by users being removed from an authoritative system, such as an HR database.

– Access reviews should be performed periodically, to ensure that unneeded access rights have, indeed, been removed, and to remove them if not.

– A security workflow may be used, allowing managers to request access termination for employees or contractors who left the organization.

– Consolidated administration may be used, to support urgent access termination, when automation or an approvals workflow would take too long.

– A consolidated directory must be available in any case, to track what login accounts each user has.


• A strong connection between business processes, which determine what privileges are appropriate to each user, and access controls inside the system.

This means that business processes must drive granular user access controls, using:

– A security workflow allowing business users to request and approve appropriate changes to the rights assigned to users.

– Policy enforcement to ensure that access rights are created and maintained in compliance with policies and standards.

– Access reviews, performed periodically, to ensure that unneeded access rights have, indeed, been removed, and to remove them if not.

– An enterprise-wide reporting system to enable business users and auditors to review user access rights that span multiple systems.

Note that not all of the information security requirements in the previous section relate directly to identity management.
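The deprovisioning, consolidated directory and policy enforcement processes described in this section, worked through as an added example that is not Hitachi ID's code: it reconciles login accounts discovered on managed systems against an HR system of record, flags orphan, dormant and terminated-user accounts (deactivating first and deleting after a grace period), and evaluates one segregation-of-duties rule over each user's combined entitlements across systems. The HR feed, the account list, the entitlement names, the dates and the SoD rule are all constructed sample data.

```python
"""Reconcile discovered login accounts against an HR system of record."""
from datetime import date

# Constructed HR feed (the authoritative system); keys are employee IDs.
HR_FEED = {
    "E100": {"status": "active"},
    "E200": {"status": "terminated", "term_date": date(2014, 5, 1)},
    "E300": {"status": "active"},
}

# Constructed output of a nightly auto-discovery run over managed systems.
MANAGED_ACCOUNTS = [
    {"system": "ERP", "login": "alice", "employee_id": "E100",
     "entitlements": {"AP_INVOICE_ENTRY"}, "last_login": date(2014, 6, 10)},
    {"system": "ERP", "login": "bob", "employee_id": "E200",
     "entitlements": {"AP_PAYMENT_APPROVE"}, "last_login": date(2014, 4, 28)},
    {"system": "AD", "login": "bsmith", "employee_id": "E200",
     "entitlements": {"Domain Users"}, "last_login": date(2014, 4, 30)},
    {"system": "ERP", "login": "carol", "employee_id": "E300",
     "entitlements": {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"},
     "last_login": date(2014, 6, 11)},
    {"system": "ERP", "login": "svc_old", "employee_id": None,
     "entitlements": {"GL_POST"}, "last_login": date(2013, 12, 1)},
]

# Constructed segregation-of-duties rule: no one user may hold both rights.
SOD_RULES = [({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"},
              "enters AP invoices and approves AP payments")]

REVIEW_DATE = date(2014, 6, 12)  # the day the review runs (constructed)


def build_directory(accounts):
    """Consolidated directory: employee ID -> every login that user has.
    Accounts with no known owner are orphans and are filed under None."""
    directory = {}
    for acct in accounts:
        directory.setdefault(acct["employee_id"], []).append(acct)
    return directory


def review_accounts(accounts, hr_feed, today, dormant_days=90, delete_after_days=30):
    """Return (system, login, action, reason) tuples for accounts needing
    attention, plus (employee_id, "*", "sod_violation", rule) findings."""
    findings = []
    for owner, accts in build_directory(accounts).items():
        for acct in accts:
            key = (acct["system"], acct["login"])
            if owner is None or owner not in hr_feed:
                findings.append(key + ("review", "orphan: no HR record"))
                continue
            record = hr_feed[owner]
            if record["status"] == "terminated":
                gone_for = (today - record["term_date"]).days
                # Deactivate promptly; delete only once the grace period is over.
                action = "delete" if gone_for > delete_after_days else "deactivate"
                findings.append(key + (action, f"terminated {gone_for} days ago"))
                continue
            if (today - acct["last_login"]).days > dormant_days:
                findings.append(key + ("review", "dormant account"))
        # SoD is judged on the union of a user's entitlements across systems.
        if owner in hr_feed and hr_feed[owner]["status"] == "active":
            held = set().union(*(a["entitlements"] for a in accts))
            for conflict, description in SOD_RULES:
                if conflict <= held:
                    findings.append((owner, "*", "sod_violation", description))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(MANAGED_ACCOUNTS, HR_FEED, REVIEW_DATE):
        print(finding)
```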


6 Hitachi ID Solutions Meeting Sarbanes-Oxley Requirements

6.1 The Hitachi ID Identity Management Suite

The Hitachi ID Identity Management Suite is a complete, enterprise class solution that includes:

• Hitachi ID Password Manager: Self-service management of passwords, PINs and encryption keys

Password Manager is an integrated solution for managing user credentials, across multiple systems and applications. Organizations depend on Password Manager to simplify the management of those credentials for users, to reduce IT support cost and to improve the security of login processes.

Password Manager includes password synchronization, self-service password reset, enterprise single sign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics and emergency recovery of full disk encryption keys.

Password Manager reduces the cost of password management using:

– Password synchronization, which reduces the incidence of password problems for users

– Self-service password reset, which empowers users to resolve their own problems rather than calling the help desk

– Streamlined help desk password reset, to expedite resolution of password problem calls

Password Manager strengthens security by providing:

– A powerful password policy engine.

– Effective user authentication, especially prior to password resets.

– Password synchronization, to help eliminate written-down passwords.

– Delegated password reset privileges for help desk staff.

– Accountability for all password changes.

– Encryption of all transmitted passwords.

To find out more about Password Manager, visit http://Hitachi-ID.com/Password-Manager.

• Hitachi ID Identity Manager: User provisioning, RBAC, SoD and access certification

Identity Manager is an integrated solution for managing identities and security entitlements across multiple systems and applications. Organizations depend on Identity Manager to ensure that users get security entitlements quickly, are always assigned entitlements appropriate to their needs and in compliance with policy, and are deactivated reliably and completely when they leave the organization.

Identity Manager implements the following business processes to drive changes to users and entitlements on systems and applications:

– Automation: grant or revoke access based on data feeds.

– Synchronization: keep identity attributes consistent across applications.


– Self-service: empower users to update their own profiles.

– Delegated administration: allow business stake-holders to request changes directly.

– Certification: invite managers and application owners to review and correct entitlements.

– Workflow: invite business stake-holders to approve or reject requested changes.

Identity Manager strengthens security by:

– Quickly and reliably removing access to all systems and applications when users leave an organization.

– Finding and helping to clean up orphan and dormant accounts.

– Assigning standardized access rights, using roles and rules, to new and transitioned users.

– Enforcing policy regarding segregation of duties and identifying users who are already in violation.

– Ensuring that changes to user entitlements are always authorized before they are completed.

– Asking business stake-holders to periodically review user entitlements and either certify or remove them, as appropriate.

– Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.

– Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.

Identity Manager reduces the cost of managing users and security entitlements:

– Auto-provisioning and auto-deactivation leverage data feeds from HR systems to eliminate routine, manual user setup and tear-down.

– Self-service eliminates IT involvement in simple updates to user names, phone numbers and addresses.

– Delegated administration moves the responsibility for requesting and approving common changes, such as for new application or folder access, to business users.

– Identity synchronization means that corrections to user information can be made just once, on an authoritative system, and are then automatically copied to other applications.

– Built-in reports make it easier to answer audit questions, such as "who had access to this system on this date?" or "who authorized this user to have this entitlement?"

• Hitachi ID Access Certifier: Periodic review and cleanup of security entitlements

Access Certifier is a solution for distributed review and cleanup of users and entitlements. It works by asking managers, application owners and data owners to review lists of users and entitlements. These stake-holders must choose to either certify or revoke every user and entitlement.

Access Certifier is included with Identity Manager at no extra cost.


6.2 Meeting Sarbanes-Oxley Requirements

As described in Section 4 on Page 4 and Section 5 on Page 5, the Sarbanes-Oxley Act of 2002 implies internal controls over financial and related systems, and these controls include effective management of user identity information and user access to systems.

The following list captures the identity management capabilities required to implement effective internal controls:

Requirement (supporting Hitachi ID products): Details

Password management (Password Manager): Password policy enforcement, global password expiration, open-ended password history, password synchronization to discourage written passwords.

Automated deprovisioning (Identity Manager): A data feed from a system of record, such as HR, or from managed systems, to identify inactive IDs, is periodically read by Identity Manager. Identity Manager responds by first deactivating and later deleting access.

Access reviews and certification (Access Certifier): Managers, application owners and group owners can be required to periodically review a list of users, login accounts and security group membership within their scope of authority. They identify anomalies, which are routed through the Identity Manager workflow engine for authorization prior to revocation.

Q-A profile administration (Password Manager): Registration of complex, secure Q-A authentication profiles. Use of this data in both self-service and assisted password reset processes.

Hardware token management (Password Manager): Secure, authenticated administration of tokens, including PIN management, clock synchronization, etc. Use of two-factor authentication (hardware token + PIN) as an authentication method when providing password resets.

Biometric registration (Password Manager): Automated, authenticated, unattended processes to manage the registration of biometric samples. Use of biometrics as an authentication method when providing password resets.

Automated provisioning (Identity Manager): Automated polling of user profile data from authoritative systems such as HR or corporate directories is connected to filtering and transformation rules, and triggers automatic setup of appropriate privileges for new or changed users.


Security requests workflow (Identity Manager): Business users can request the privileges they require for themselves, peers or subordinates. Requests are validated by automation and authorized by appropriate stake-holders before being automatically applied to target systems.

Consolidated user administration (Identity Manager): Web-based management of users across every system in the enterprise, supporting central security administrators to promptly create, modify or terminate access rights when time is short.

A consolidated directory (Password Manager, Identity Manager): An auto-discovery process to collect login ID, group membership and attribute data from managed systems, nightly. A reconciliation process to connect login IDs across systems to individual users, to support global management of passwords, access rights and reporting.

An enterprise-wide reporting system (Identity Manager): User access rights and access change history are collected into an open database. Pre-built reports support common reporting requirements, while an open, documented schema and ODBC access allow organizations to implement their own enterprise-wide access reports.

Policy enforcement (Identity Manager, Password Manager): Enforcement of password quality, authentication, access rights, authorization and other policies across the entire enterprise.


7 Summary

As described in this document, the Sarbanes-Oxley Act of 2002 introduces formal requirements for publicly traded companies to implement strong internal controls, and for corporate officers to design, review and sign off on those controls.

Internal controls imply information security, which in turn requires sound identity management practices.

The Hitachi ID identity management suite includes robust, secure, scalable and deployable technology to implement these identity management processes. It secures processes including:

• User authentication.

• Definition of user authorizations.

• Periodic access certification, leading to executive assurance of current controls.

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: /pub/wp/documents/sox/mtech-sox-6.tex Date: Nov 7, 2006