October 25, 2004 (Computerworld) --
I continue to get a significant amount of e-mail asking about the Sarbanes-Oxley Act, so I thought I would provide an update on our progress toward compliance. Since the last time I commented on this subject , we have come quite a ways. A few months ago, I attended a meeting with representatives from networking, data center operations, database and application engineering, Unix and Windows NT administration and other groups to discuss control objectives for each area. We mainly used Cobit (Control Objectives for Information and Related Technology) to help identify our controls. It provides a framework, guidelines and some implementation tools to steer companies in the right direction. Finding Our Focus We also needed to think about which systems would have to be looked at. Our company has over 500 production Unix servers and several hundred NT servers running various applications. There was no way we could test over 700 servers. Since Sarbanes-Oxley focuses on financials, we came up with a list of systems that affect our financial reporting. Those 700-plus servers dwindled to just under 100. We then categorized them by application to better manage the workload. Once we formalized the objectives, the testing was fairly straightforward. For example, one control objective within the Oracle database area might say, "Users do not directly access the Oracle database using the application ID or a generic account." Certain parameters within the Oracle database configuration file, as well as the Unix user accounts, would have to be reviewed to determine who had access to the server and the database. Given that we have dozens of Oracle servers in our environment and 32 tests to perform, it made sense to run a script on each server that would obtain the information from configuration files. For Oracle, most of the test results were within either the init.ora or the listener.ora file. The script took some time to develop, but in the end, we had an easily repeatable method for testing our Oracle environment. For the Unix servers, a control objective might be, "User passwords must be changed every 90 days." The test for this objective would be to review the /etc/default/password file for every Unix server and see if the "MAXWEEKS" parameter was set to 90 days. With over 25 control objectives for the Unix environment and dozens of servers to test, we developed another script. Tests included grabbing configuration files, checking file permissions, listing patches and installed applications, and running commands to obtain system information. We'll have to repeat this process every year, so it's imperative that we come up with a standardized method to test our control objectives. Scripts are one
If you're like our 7,000 survey respondents, your paycheck this year has been flattened and your bonus obliterated. We offer 12 ways to plump up your paycheck.
By helping Intel with loosened 'Vista Capable' requirements, Microsoft 'severely damaged' its credibility, said an HP exec in a newly unsealed Feb. 2006 e-mail.
Turning information into a Competitive Advantage View this webcast now! Go to the webcast
SaaS Solutions for Remote Systems Management
Download this Technology Briefing, free, compliments of Dell. (Source: Dell) The benefits of Software as a Service (SaaS) are extending their reach into systems management. So in addition to the more obvious cost control and rapid application deployment benefits, SaaS can be instrumental in filling needs for compliance, security and business continuity - all the while reducing costly infrastructure. Learn more in this brand new Technology Briefing. Download this executive briefing
The Importance of Application Management
Get this white paper now! (Source: Dell) Efficient desktop application management is essential in normal day-to-day operations of any company. Whether you are introducing a new application or implementing an OS migration, the goal is the same: minimize disruptions and ensure user productivity throughout the process. Download this white paper
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
With an estimated 40% of the world's information now residing behind a firewall, employee productivity is driven by the ability to quickly find key information no matter where it's stored across your organization. At Google, we believe in a simple premise: all of the information you need to be productive at work should be available through one search box, giving users real-time access to content across the enterprise and delivering a single, integrated, secure set of search results.
Moving to Windows Vista: The Promise, The Reality
IDG survey says...that while migration to Windows Vista looms inevitable, the road is fraught with challenges from application compatibility to integration issues to upgrade costs. Fortunately one company is stepping up with solutions and services to help manage Vista in a mixed environment and to automate key aspects of that management chore. View this webcast. See more Webcasts
See your link here
Subscribe to
Computerworld 
or
Other Security Stories
Turning information into a Competitive Advantage
Download this Technology Briefing, free, compliments of Dell. 
Get this white paper now!
Read up on the latest ideas and technologies from companies that sell hardware, software and services. 
The Enterprise Search Zone
IDG survey says...that while migration to Windows Vista looms inevitable, the road is fraught with challenges from application compatibility to integration issues to upgrade costs. Fortunately one company is stepping up with solutions and services to help manage Vista in a mixed environment and to automate key aspects of that management chore. 
Computerworld