Virksomheden i forhold til EuroSOX. Ved Christian Stahl, Engagement Manager, Microsoft Services

Transkript

1 Virksomheden i forhold til EuroSOX Ved Christian Stahl, Engagement Manager, Microsoft Services

2 Agenda 1. Hvem er jeg? 2. Hvad er SOX 3. Hvad er EuroSOX sammenlignet med SOX

3 Christian Stahl Ansat i Microsoft Services som Engagement Manager CISSP og CISA Underviser på ITU, IT Arkitektur og Sikkerhed Har været i IT branchen siden 1996 HP Danmark fra 1996 til 2000 (konsulent) HP USA fra 2000 til 2002 (konsulent) HP Danmark fra 2002 til 2004 (senior konsulent) Saxo bank 2004 til 2005 (senior manager) Microsoft 2005 nu Fokus har altid været IT sikkerhed, infrastruktur og mobility Arbejdet de sidste mange år som løsningsarkitekt for større komplekse projekter involverende alt fra fysiske serverrum til netværk og applikationsdesign

4 Fra Version2

5 Hvad er Compliance Compliance: In management, the act of adhering to, and demonstrating adherence to laws, regulations or policies source:

6 Hvorfor Finansielle skandaler rammer børserne. (Enron, Worldcom, Ahold,Citygroup, (Japan), Parmalat, (Italien) Lovmæssige initiativer kræves. Kongresmedlem Michael Oxley sammen med Senator Paul Sarbanes (D) udarbejdede den nu kendte Sarbanes Oxley Act (SOX) 2003 SEC vedtagelse af Sektion Sarbanes Oxley regelopfyldelse udsat til juli (Foreign filers)

7 Sarbanes Oxley Act (SOX) Section 404: Annual Reports are required to contain an internal control report, which shall (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment... of the effectiveness of the internal control structure and procedures.

8 EU 8. Direktiv (EuroSOX) Hoved bestemmelser i EU direktivet: Bestyrelsen skal udnævne en uafhængig revisionskomité, der har den direkte kontakt til revisor. Virksomhederne har mulighed for at forklare hvorfor direktivet ikke bliver fulgt op derefter skal medlemsstater skal have et sanktionssystem og mulighed for at lave effektive undersøgelser. Revisionsfirmaer skal skrive en rapport, hvor de redegør for deres klienter, deres honorarer og deres netværker. Revisorer skal være uafhængige af klienten og må på ingen måde være involveret i klientens beslutninger. Revisionsfirmaer skal have et indført systemer for kvalitetssikring, og et offentligt organ som den amerikanske PCAOB som skal føre tilsyn med det. Medlemslandene skal lave offentlige, elektroniske registre, der har oplysninger om alle revisorer, revisionsfirmaer, ejerskab, ledelse og netværker. ALTSÅ, Lidt mere tilgængelig Til forskel fra den amerikanske lovgivning, som fastsætter regler, der skal følges til punkt og prikke, for eksempel i forbindelse med opbevaring af data, så giver EuroSOX en række principper, som kan fraviges, hvis virksomheden har gode grunde til at gøre sådan.

9 Proces vedrørende EU 8. Direktiv (EuroSOX) punkt plan fra den europæiske kommission (Corporate Governance) som 8. direktiv Fælles vedtagelse i ECOFIN. 16. marts Første udkast til direktivet offentliggjort 21. juni Vedtagelse i Legal Affairs Committee 29. september EU Parlament vedtager EuroSox 11. oktober Politisk enighed om vedtagelse i Rådet 26. april Vedtagelse i Rådet. 24 måneders adoption, dvs. i april 2008

10 Er det vigtigt? Tjaaeee din CEO vil sikkert mene det

11 Hvem (SOX) Danske selskaber, der er noteret i USA f.eks. Novo, (TDC), Torm, Olicom, Eurotrust (Nasdaq). Danske datterselskaber af moderselskaber noteret i USA Danske selskaber med over 300 aktionærer bosiddende i USA og aktiver > 10 mio. USD

12 Hvad forventes der så i min virksomhed Det er der desværre ikke noget præcist svar på. SOX blev til fordi der ikke var styr på finansiel reportering i de pågældende virksomheder og formålet med SOX er at få styr på finansiel reportering! Dvs. en virksomhed skal kunne dokumentere det og hvordan den så gør det er op til virksomheden selv.

13 Et SOX projekt Et SOX projekt bør forankres under ledelsen og handler ikke om IT! IT er dog i vor tid en naturlig konsekvens af et SOX projekt eftersom meget af virksomhedens finansielle data er IT understøttede Et SOX projekt bør derfor have en IT gren

14 Alle de regulativer HIPAA Privacy Act FERC Gramm-Leach-Bliley Homeland Security Act Children's Internet Protection Act Government Information Security Reform Act ISO 17799/27002 SEC Regulation SP SOX Network Advising Initiative European Data Protection Directive Family Educational Rights and Privacy Act constant changes, new regulations, high overlap and/or contradictions.

15 Hvad er problemet? Procesbeskrivelser, testbeskrivelser, narratives, issuerapportermed videre betragtes udelukkende som dokumenter Dokumenter lagres både lokalt og i fælles mapper på filservere Lokale kopier af dokumenter kommer let ud af sync Dokumenter sendes rundt mellem medarbejdere i mails med fare for at dokumenter knopskyder i nye versioner Dialog om dokumenter foregår på mail og går dermed tabt Der er ofte ingen fast lagringsstruktur, så der skal i bedste fald ledes hver gang dokumenter skal fremfindes og i værste fald ved medarbejderne slet ikke at konkrete dokumenter findes

16 Hvad anbefaler man generelt? For at leve op til SOX er det en god idé at kigge på hvad SEC (US Securities and Exchange Commission siger. SEC anbefaler at man anvender COSO (specielt I mindre virksomheder). COSO står for Committee of Sponsoring Organizations of the Treadway Commission COSO har udarbejdet en guide kaldet Guidance for Smaller Public Companies Reporting on Internal Control Over Financial Reporting COSO identificerer 5 hovedområder som er essentielle for effektiv interne kontroller: Control environment Risk assessment Control activities Information and communication Monitoring Specifikt for IT kontroller bør man også kigge på PCAOB Auditing Standard No. 2 som diskuterer relationen mellem IT og interne kontroller I relation til financiel reportering.

17 PCAOB Specifikt for IT kontroller bør man også kigge på PCAOB Auditing Standard No. 2 som diskuterer relationen mellem IT og interne kontroller I relation til financiel reportering. PCAOB siger om COSO: Known as the COSO report, it provides a suitable and available framework for purposes of management s assessment. For that reason, the performance and reporting directions in this standard are based on the COSO framework. Other suitable frameworks have been published in other countries and may be developed in the future. Such other suitable frameworks may be used in an audit of internal control over financial reporting. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass, in general, all the themes in COSO. Så COSO er vigtigt at efterleve!!!

18

19 Framework baseret regulativ compliance Hvis at i har styr på det og vælg et compliance framework!!!

20 Control framework

21 Hvilke framework findes der? IT Governance Institute (ITGI) Control Objectives for Information and related Technology 4th Edition (COBIT 4.0) ISO 17799:2005 Code of Practice for Information Security Management The British Office of Government Commerce IT Infrastructure Library (ITIL) The Microsoft Operations Framework (MOF) American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA) Trust Services Framework American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA) Privacy Framework

22 Microsoft Operations Framework Samling af principper, processer, vejledning og best practices omkring datacenter management - Bygget på ITIL - Udviklet på baggrund af erfaringer fra kunder, partnere og Microsoft IT Fremmer continuous improvement gennem en IT livs-cyklus tilgang til IT service management - Service Management vejledning: Modeller, Process beskrivelser, produkt specifikke drifts vejledninger - Menneske og proces assessments - Service forbedrings projekter Målsætning: - Effektivisering af drift af en Microsoft platform - Accellerere implementering af service forbedringer - Ikke bare hvad men også hvordan...

23 Microsoft Operations Framework Process Model Team Model Risk Management Discipline for Operations

24 Business Compliance med MOF Compliance BS15000, Sarbanes Oxley When have you arrived? Where do you want to be? Drivers Service Scorecard Management Assessment How do you get there? Improvement Service Management Guidance Where are you now? Metrics IT ITIL, CMM, Service CobIT, Improvement Six Sigma Governance, Maturity, Quality Program

25 Er MOF svaret på alt? Nej, MOF er rigtigt godt i forbindelse med IT Operations men ikke ligeså omfattende som f.eks. COBIT og ITIL. MOF indeholder mange af de samme elementer som ITIL, er dog nemmere at gå til, mere operationel og passer typisk bedre i forbindelse med IT Operations (specielt i et Microsoft miljø). Er ønsket udelukkende SOX compliance uden hensyn til omkostnings effektivisering af IT drift er COBIT nok bedre!

26 COBIT og COSO ISACA har udført nuanceret mapping.

27

28 COBT Igen, COBIT er meget præcis Know your enemy

29 Framework kontrol kategorier og compliance Control Categories SOX GLBA HIPAA EUDPD ISO Organizational Framework X X X X X IT Strategic Planning X X X X X IT Resource Planning X X X X X Development and Communication of Policies and Standards X X X X X Solution Development X X X X IT Risk Management X X X X Project Management Change Management X X X X Service Level Management X X X X X Capacity and Availability Management X X X X X Security Management and Administration X X X X X Financial Management Awareness and Training X X X X Configuration Management X X Problem and Incident Management X X X X Data Management X X X X X Operations Management X X X X IT Effectiveness X X X IT Assurance X X X X IT Compliance and Governance X X X X X Privacy Management X X X X

30 Teknologier til hjælp med compliance Vi har nu nu kigget på hvordan regulativer kan drive krav til specifikke IT kontroller Vi vender den nu om og kigger på hvordan teknologi løsninger kan adressere IT kontrol krav. Således har vi 19 teknologi løsnings kategorier: Document Management Business Process Management Project Management Risk Assessment Change Management Network Security Host Control Malicious Software Prevention Application Security Messaging and Collaboration Data Classification and Protection Identity Management Authentication, Authorization, and Access Control Training Physical Security Vulnerability Identification Monitoring and Reporting Disaster Recovery and Failover Incident Management and Trouble- Tracking

31

32 Document Management Document management targets two regulatory compliance objectives: Ensure that document-based policies, standards, procedures, and requirements are clearly communicated. Control unstructured data. Mulige løsninger: SharePoint Office Infopath RMS Office Partnere der bygger ovepå ovenstående

33 Filserver: Løst defineret hierarkisk mappe struktur Test kontekst er bestemt igennem mapper Dokumentets type eller status er defineret igennem dets fysiske placering Intet status overblik over sager findes kun som domæne viden for involverede medarbejdere eller i eksterne systemer Besværligt at styre rettigheder må oftest igennem IT personale Ingen kontrol over dokument livscyklus i samarbejdssituationer Ingen automatiske notifikationer ved ændringer, må gøres manuelt ved mails Ingen eller begrænset mulighed for søgning Compliance løsning: Styret struktur på overordnet niveau Test kontekst er bestemt igennem opsætning Dokumentets type eller status er defineret igennem meta-data på dokumentet Status på testen defineres domæne viden ikke nødvendig Testejer kan selv opsætte rettigheder Dokument håndterings funktioner (tjek ind/ud) understøtter samarbejde Push/pull notifikationer ved ændringer på dokument Indbygget søgning

34

35 Business Process Management In terms of regulatory compliance, BPM helps ensure transaction security, reliable service and availability, and service level refinement. On a broader scale, BPM helps provide a messaging solution so that all affected parties involved in addressing a compliance issue are in contact and can track the issue, regardless of their physical location. Large enterprises that are subject to the Sarbanes-Oxley Act benefit most commonly from these systems. Mulige løsninger: Biztalk

36 Project Management Organizations use project management solutions to help implement projects, ensure operation reliability, and maintain compliance programs. Project management solutions provide additional control and feedback to project managers and other participants. These solutions provide direct cost savings, and improve project control and the effectiveness of all compliance program aspects. Mulige løsninger: Project MSF MOF (OMP) Project Server

37 Operations Improvement Framework - Operations Management Portal Offering Improve efficiency of IT staff Responsibility Assessment Allow people to work more effectively by optimizing distribution of responsibilities Save time by doing more preventive maintenance and less troubleshooting Increase IT service availability Reduce downtime by understanding what preventive maintenance to perform Change Manager Call Handler Incident Incident Resolver Coordinator Role Assignment Problem Analyst Incident Service Desk Manager Manager Configuration Manager Improve manageability of IT operations Understand how to assign tasks for effective execution Increase accountability and the ability to follow up by assigning tasks through the Operations Management Portal (OMP) Task Assessment Realize more value from IT documentation Improve knowledge sharing by using OMP to make documentation more available and easier to find Operations Management Portal

38 Risk Assesment Due to shifting requirements, most risk assessment solutions take the form of a consulting engagement that uses tools to complete the assessments. There are also methodologies your organization can use for self assessment. A critical portion of the assessment process is to identify assets and then place a qualitative or quantitative value on each asset to the enterprise. Mulige løsninger: Microsoft Security Risk Management Guide SMS

39 Change Management Change management is critical to regulatory compliance because it is difficult to say that your IT environment is under control if you do not know what changes have been made to it. One of the most effective ways to manage change is to use a change management solution. Such a solution, which combines software, people and processes, depends on the people and processes that it uses. Mulige løsninger: Microsoft Office Solution Accelerator for Sarbanes-Oxley Microsoft SharePoint Services works with partner solutions to provide an example of how to control change in IT systems. Microsoft provides guidance for IT professionals on the basics of change management, which you also can apply to compliance. This guidance appears in the Service Management Functions (SMFs) series

40 Network Security Many regulations require organizations to take steps to provide appropriate security for the IT environment. Because network security is a critical element to overall information security, it is important for regulatory compliance. Mulige løsninger: IPSec NAP VPN 802.1x IAS ISA Host Firewall

41 Host Control Host control is fundamental to all of the core security control categories, such as confidentiality, integrity, and availability. Mulige løsninger: MBSA WSUS SMS Host Firewall

42 Malicious Software Prevention Without applications that you can use to help detect, monitor, and remove malicious software, there is an increased risk that sensitive corporate information in your organization could be compromised or destroyed. A lack of such resources also creates a situation in which the confidentially, integrity, and availability of the information on the IT system for your organization are increasingly at risk. Mulige løsninger: Malicious Software Removal Tool Windows Defender ForeFront client Guidelines ang. Lokal admin, execution prevention etc.

43 Application Security Application security involves key application controls that auditors focus on as they examine critical business systems. Application security also forms a major portion of best practice recommendations, and is an area that the National Institute of Standards and Technology (NIST) Computer Security Division focuses on. Mulige løsninger: Applikations specifikke guides Kode guides Office Infopath RMS Office Partnere der bygger ovepå ovenstående

44 Messaging and Collaboration One of the most common issues that most regulatory compliance assessments find is that messaging applications, such as , expose privileged information outside the organization. Because is so ubiquitous and employees rely on it so heavily to perform their jobs, automating the protection of messaging and collaboration solutions is essential. Mulige løsninger: Exchange compliance guides OCS/LCS Infopath Groove

45 Data Classification and Protection Data classification is important to compliance because it informs users about what levels indicate the relative importance of the data, how they must handle the data, and how they must safeguard and dispose of it. High, medium, and low are typical data classification examples that indicate the relative impact of the data on business. The military classification system of Top Secret, Secret, Confidential, and Un-Classified may also apply in some organizations. Mulige løsninger: EFS RMS Bitlocker Domain and Server isolation

46 Identity Management This solution category applies to many of the critical control categories in regulatory compliance. Identity management solutions are one of the top recommendations from consultants to help meet regulatory compliance requirements. Examples of identity management solutions include developing processes to ensure accounts are disabled in a timely fashion, and developing processes to review the access controls on data resources. Mulige løsninger: ILM ADFS ADAM PKI

47 Authentication, Authorization, and Access Control This control objective is critical to helping to meet the requirements of the core security principles of confidentiality, integrity, and availability. Mulige løsninger: IAS PKI AD (generelt)

48 Training Regulatory compliance demands that organizations address security and compliance training. Security and compliance training solutions in most organizations are typically modifications of existing training software solutions. Mulige løsninger: Ingen rigtigt teknologiske løsninger

49 Physical Security Physical security is critical to help ensure the security of the entire IT environment in the organization. This is because attacks in which the attacker gains physical access to the server almost always succeed in compromising the organization's resources. Qualified service providers usually custom-develop physical security solutions for the organization, as well as install and provide support services for them. Mulige løsninger: Smartcards

50 Vulnerability Identification Regularly monitoring computers and servers for vulnerabilities in the organization is extremely important because it provides a controlled platform on which to run business application software. If IT management is unaware of the vulnerabilities that exist in the organization's systems, management cannot be sure whether an attacker has compromised the environment. A compromised environment is not under control, making it unsuitable to run business software that is compliant. Mulige løsninger: The Security Monitoring and Attack Detection Planning Guide MBSA

51 Monitoring and Reporting Monitoring and reporting solutions provide verification and quality control methods to ensure that organizations maintain security and confidentiality. For example, these solutions can assist your organization in its efforts to comply with HIPAA, which requires auditors to evaluate individual patient records. Mulige løsninger: MOM RMS Component Partners for Reporting Services SQL Server 2000 SP3 Security Features and Best Practices

52 Disaster Recovery and Failover Many regulations and standards explicitly require disaster recovery and failover solutions, including HIPAA, GLBA, and EUDPD. Mulige løsninger: DPM Exchange Server Disaster Recovery Analyzer Diverse Backup og restore guidelines Clustering SQL server replication

53 Incident Management and Trouble-Tracking Several regulations and standards, including GLBA and HIPAA, specifically require organizations to use incident management and trouble-tracking solutions. Mulige løsninger: Microsoft guides omkring Responding to IT Security Incidents MOF

54 Mere information Se i øvrigt: Microsoft Solutions for Security and Compliance - Regulatory Compliance Planning Guide Skal i læse ET dokument må jeg kraftigt anbefale IT Governance Institutets guide: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting fra September Den kan downloades fra: ment/contentdisplay.cfm&contentfileid=12383 Kræver registrering.

55 Spørgsmål: