Computerworld - I continue to get a significant amount of e-mail asking about the Sarbanes-Oxley Act, so I thought I would provide an update on our progress toward compliance. Since the last time I commented on this subject , we have come quite a ways.
A few months ago, I attended a meeting with representatives from networking, data center operations, database and application engineering, Unix and Windows NT administration and other groups to discuss control objectives for each area.
We mainly used Cobit (Control Objectives for Information and Related Technology) to help identify our controls. It provides a framework, guidelines and some implementation tools to steer companies in the right direction.
Finding Our Focus
We also needed to think about which systems would have to be looked at. Our company has over 500 production Unix servers and several hundred NT servers running various applications. There was no way we could test over 700 servers. Since Sarbanes-Oxley focuses on financials, we came up with a list of systems that affect our financial reporting. Those 700-plus servers dwindled to just under 100. We then categorized them by application to better manage the workload.
Once we formalized the objectives, the testing was fairly straightforward. For example, one control objective within the Oracle database area might say, "Users do not directly access the Oracle database using the application ID or a generic account." Certain parameters within the Oracle database configuration file, as well as the Unix user accounts, would have to be reviewed to determine who had access to the server and the database. Given that we have dozens of Oracle servers in our environment and 32 tests to perform, it made sense to run a script on each server that would obtain the information from configuration files.
For Oracle, most of the test results were within either the init.ora or the listener.ora file. The script took some time to develop, but in the end, we had an easily repeatable method for testing our Oracle environment.
For the Unix servers, a control objective might be, "User passwords must be changed every 90 days." The test for this objective would be to review the /etc/default/password file for every Unix server and see if the "MAXWEEKS" parameter was set to 90 days. With over 25 control objectives for the Unix environment and dozens of servers to test, we developed another script. Tests included grabbing configuration files, checking file permissions, listing patches and installed applications, and running commands to obtain system information.
We'll have to repeat this process
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
