
SOX/COBIT Framework - netwrix.com

SOX/COBIT Framework and Netwrix Auditor Mapping | Toll-free: 888-638-9749

About SOX

All public companies in the U.S. are subject to Sarbanes-Oxley (SOX) compliance without exceptions. SOX compliance requirements also apply to overseas operations of U.S. public companies and to international companies listed on U.S. exchanges. SOX requires all listed companies to adopt Internal Controls over Financial Reporting (ICFR) and establish internal auditing of the adopted ICFR. The Sarbanes-Oxley Act does not provide any specific recommendations for implementation of internal controls; instead, it requires organizations to adopt a recognized control framework. One such framework is COBIT, which is focused on governance of enterprise information technology; it is aligned with another common framework, COSO, which provides more general guidance on internal control over financial reporting.


These frameworks are more effective in tandem, since COBIT complements COSO in the area of the governance and management of enterprise IT.

Mapping of the provisions of the COBIT Framework to Control Processes

The following table lists some of the key provisions of the COBIT Framework and explains how Netwrix Auditor can help your organization implement these provisions and achieve compliance with SOX. Please note that the efforts and procedures required to comply with SOX requirements may vary depending on an organization's systems configuration, internal procedures, nature of business and other factors. Implementation of the procedures described below will not guarantee SOX compliance, and not all the COBIT provisions that Netwrix Auditor can possibly support are included. This mapping should be used as a reference guide to help you implement policies and procedures tailored to your organization's unique situation and needs.

APO12 Manage Risk

- Collect data: Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
  Control Process: Risk Assessment (Risk Assessment; Security Categorization)
- Analyze risk: Develop useful information to support risk decisions that take into account the business relevance of risk factors.
  Control Process: Risk Assessment (Risk Assessment; Security Categorization)
- Respond to risk: Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
  Control Process: Risk Assessment (Risk Assessment; Security Categorization)

APO13 Manage Security

- Establish and maintain an ISMS: Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.

  Control Process: Identification and Authentication; Access Control; Audit and Accountability; Configuration Management; Incident Response; Risk Assessment; System and Information Integrity. (To address this broad provision, an organization needs to implement a wide set of security procedures and organizational improvements from several different control families; no particular control process alone can ensure compliance with this requirement.)

BAI10 Manage Configuration

- Establish and maintain a configuration repository and baseline: Establish and maintain a configuration management repository and create controlled configuration baselines.
  Control Process: Configuration Management (Baseline Configuration)
- Produce status and configuration reports: Define and produce configuration reports on status changes of configuration items.
  Control Process: Configuration Management (Configuration Change Control)

DSS01 Manage Operations

- Monitor IT infrastructure: Monitor the IT infrastructure and related events.

  Store sufficient chronological information in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
  Control Process: Audit and Accountability (Audit Record Generation; Audit Record Retention; Audit Trail Review)

DSS02 Manage Service Requests and Incidents

- Investigate, diagnose and allocate incidents: Identify and record incident symptoms, determine possible causes, and allocate for resolution.
  Control Process: Incident Response (Incident Detection; Incident Analysis)
- Resolve and recover from incidents: Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.
  Control Process: Incident Response (Incident Mitigation)

DSS05 Manage Security Services

- Manage user identity and logical access: Ensure that all users have information access rights in accordance with their business requirements and co-ordinate with business units that manage their own access rights within business processes.

  Control Process: Identification and Authentication (User Identification; Device Identification; Identifier Management; Authenticator Management); Access Control (Inactive Accounts; Role and Group Assignment; Access Enforcement; Least Privilege)
- Monitor the infrastructure for security-related events: Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that any events are integrated with general event monitoring and incident management.
  Control Process: Access Control (Account Management; Audit Account Usage Monitoring); System and Information Integrity (Information System Monitoring)

Control Processes Facilitated by Netwrix Auditor

From the compliance perspective, IT operations can be viewed and managed as a collection of control processes. Such processes allow focusing organizational efforts on a specific area of IT, enforcing certain policies, and establishing a particular set of compliance controls.

While control processes can be seen as separate entities for the purposes of implementation and management simplicity, in fact all these processes are deeply interconnected and often intrinsic to many regulations and best practice frameworks. The control process families covered here are: Identification and Authentication; Access Control; Audit and Accountability; Configuration Management; Incident Response; Risk Assessment; System and Information Integrity.

Identification and Authentication

The objective of the identification and authentication controls is to ensure that all users and devices accessing information systems are uniquely identifiable and that their authenticity is verified before the system grants access. Identification and authentication are crucial for ensuring accountability of individual activity in the organizational information systems.

User Identification

Audit the identification and authentication processes for users who access your information systems.

How to Implement Control / Applicable Netwrix Auditor Features

- Cross-reference HR data with Active Directory user accounts in order to ensure that each user with a business need to access your information systems has a unique account, and to identify personal accounts that cannot be traced to a particular individual.
  Features: Active Directory State-in-Time reports: User Accounts
- Review audit trails to check whether the use of shared accounts complies with your policies.
  Features: User Behavior and Blind Spot Analysis reports: Logons by Single User from Multiple Endpoints; Interactive Search: Who = shared account
- Correlate employee absence data (typically from HR) with the access audit trail to spot suspicious activity.
  Features: Active Directory Logon Activity reports: All Logon Activity; Interactive Search: Action = Interactive Logon

Device Identification

Audit the identification and authentication processes for devices used to access your information systems.
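The three user identification checks in the preceding table (HR cross-reference to find accounts not traceable to a person, one account logging on from several endpoints within a short window, and logons during recorded absence) as an added example that is not part of the Netwrix document. The roster, account list, absence data and logon events are constructed, and the 10-minute window and 3-endpoint threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from Netwrix Auditor or any real directory).
HR_ROSTER = {"jdoe": "Jane Doe", "bsmith": "Bob Smith", "tlee": "Tom Lee"}
AD_USERS = ["jdoe", "bsmith", "tlee", "svc_backup", "frontdesk"]
# Employees HR lists as absent, keyed by account, with the dates of absence.
ABSENCES = {"bsmith": {"2024-03-04"}}
# Constructed interactive logon events: (timestamp, account, workstation).
LOGONS = [
    ("2024-03-04 08:01:00", "jdoe", "WS-101"),
    ("2024-03-04 08:03:00", "frontdesk", "WS-201"),
    ("2024-03-04 08:04:00", "frontdesk", "WS-202"),
    ("2024-03-04 08:06:00", "frontdesk", "WS-203"),
    ("2024-03-04 09:15:00", "bsmith", "WS-105"),
    ("2024-03-04 17:30:00", "tlee", "WS-110"),
    ("2024-03-04 17:45:00", "tlee", "WS-111"),
]

def untraceable_accounts(ad_users, roster):
    """Accounts with no HR record: shared, service or orphaned identities."""
    return sorted(u for u in ad_users if u not in roster)

def multi_endpoint_logons(logons, window=timedelta(minutes=10), min_hosts=3):
    """Accounts seen on at least min_hosts distinct endpoints within a sliding window
    (assumed thresholds); a typical signature of a shared account."""
    by_user = defaultdict(list)
    for ts, user, host in logons:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

def logons_during_absence(logons, absences):
    """Logons by accounts whose owner HR lists as absent on that date."""
    return [(ts, user, host) for ts, user, host in logons
            if ts[:10] in absences.get(user, set())]
```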

How to Implement Control / Applicable Netwrix Auditor Features

- Crosscheck the IT inventory against the list of computer accounts in Active Directory.
  Features: Active Directory State-in-Time reports: Computer Accounts
- Review all computer domain joins and all account creations, modifications and deletions to spot any unauthorized changes to computer accounts.
  Features: Active Directory Changes reports: Computer Account Changes; Interactive Search: Object Type = Computer
- Audit dynamic address allocation to devices by monitoring the DHCP server for DHCP scopes and for lease parameters and assignments.
  Features: Interactive Search: Object Type = DHCP Scope
- Audit remote network connections to identify unauthorized remote devices.
  Features: Netwrix Auditor Add-on for RADIUS Server; Active Directory Logon Activity reports

Identifier Management

Audit provisioning, modification and de-provisioning of users and groups.

How to Implement Control / Applicable Netwrix Auditor Features

- Review the creation, modification and deletion of users and groups to spot unauthorized changes and identifiers that do not comply with your naming standards and policies (e.g., no public, generic or reused identifiers).
  Features: Active Directory Changes reports: User Account Changes; Active Directory Changes reports: Security Group Changes; Interactive Search: Object Type = Group | User
- Configure alerts to notify designated personnel about unauthorized account changes.

  Features: Custom alerts for user account modifications

Authenticator Management

Review changes to password policy requirements, and audit user and admin activity for policy compliance.

How to Implement Control / Applicable Netwrix Auditor Features

- Audit changes to account policy settings to spot inappropriate or unauthorized modifications. Settings to check include: account lockout threshold, duration and status reset; max/min password age; enforce password history; enforce strong passwords; irreversible password encryption.
  Features: Active Directory Group Policy Changes reports: Account Policy Changes; Password Policy Changes; GPO Link Changes. Active Directory Group Policy State-in-Time reports: Account Policies
- Alert designated personnel about Group Policy changes related to account passwords.
  Features: Predefined Alerts: Password Tampered alert
- Audit administrative password resets to spot unauthorized or suspicious changes.
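An added example, not from the Netwrix document, of reviewing account policy change events against a baseline so that only changes that weaken a setting are flagged while tightening changes pass. The baseline values and change events are constructed; the setting names follow the [System Access] keys of Windows security templates (GptTmpl.inf), and the handling of 0 as "unlimited" for the lockout threshold and maximum password age is the edge case the direction-only comparison would otherwise get wrong.

```python
# Constructed baseline: each account policy setting with its required value,
# whether a higher or lower value is stronger, and whether 0 means "unlimited"
# (lockout threshold 0 = never lock out, maximum password age 0 = never expire).
# Key names follow the [System Access] section of Windows security templates.
BASELINE = {
    "LockoutBadCount":     {"value": 5,  "stronger": "lower",  "zero_unlimited": True},
    "LockoutDuration":     {"value": 30, "stronger": "higher", "zero_unlimited": False},
    "ResetLockoutCount":   {"value": 30, "stronger": "higher", "zero_unlimited": False},
    "MaximumPasswordAge":  {"value": 90, "stronger": "lower",  "zero_unlimited": True},
    "MinimumPasswordAge":  {"value": 1,  "stronger": "higher", "zero_unlimited": False},
    "PasswordHistorySize": {"value": 24, "stronger": "higher", "zero_unlimited": False},
    "PasswordComplexity":  {"value": 1,  "stronger": "higher", "zero_unlimited": False},
    "ClearTextPassword":   {"value": 0,  "stronger": "lower",  "zero_unlimited": False},
}

def effective(setting, value):
    """Map an 'unlimited' zero to infinity so a plain numeric comparison is valid."""
    rule = BASELINE[setting]
    return float("inf") if rule["zero_unlimited"] and value == 0 else value

def is_weaker_than_baseline(setting, value):
    rule = BASELINE[setting]
    v, b = effective(setting, value), rule["value"]
    return v > b if rule["stronger"] == "lower" else v < b

def review_policy_changes(events):
    """Return findings for change events that leave a setting weaker than baseline.
    Each event: (timestamp, who, setting, old_value, new_value)."""
    findings = []
    for ts, who, setting, old, new in events:
        if setting not in BASELINE:
            findings.append((ts, who, setting, "unknown setting, review manually"))
            continue
        old_bad = is_weaker_than_baseline(setting, old)
        new_bad = is_weaker_than_baseline(setting, new)
        if new_bad and not old_bad:
            findings.append((ts, who, setting, f"weakened from {old} to {new}"))
        elif new_bad:
            findings.append((ts, who, setting, f"still below baseline ({new})"))
    return findings

# Constructed Group Policy change events (not real audit data).
EVENTS = [
    ("2024-03-04 10:00", "admin1", "LockoutBadCount", 5, 0),        # lockout disabled
    ("2024-03-04 10:01", "admin1", "MaximumPasswordAge", 90, 60),   # tightened, no finding
    ("2024-03-04 10:02", "admin2", "ClearTextPassword", 0, 1),      # reversible encryption on
    ("2024-03-04 10:03", "admin2", "PasswordHistorySize", 24, 10),  # history shortened
]
```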