How LM / SIEM plays a critical role in the integrated system of internal controls
Many public companies are still grappling with the demands of complying with the Sarbanes-Oxley Act of 2002 (SOX). SOX Section 404 dictates that audit functions are ultimately responsible for ensuring that financial data is accurate. One key aspect of proof is the absolute verification that sufficient control has been exercised over the corporate network where financial transactions are processed and records are held.
Where do auditors find that proof? In the data points logged by today’s SIEM tools, of course.
The logged data is a pure treasure trove of information that provides insight into every aspect of an organization’s information technology (IT) operations. As a compensating / detective control, the data is an integral part of an organization’s overall system of internal controls. Moreover, depending on the tools being utilized, the data also can be the starting point of a preventative control.
The proper distillation of critical log data is a bit like looking at a very large haystack and helping the auditor determine if a needle (i.e., a violation of a control) is buried within. A perspective of what guides the audit function as it pertains to SOX will help to explain the search for the elusive needle, if it even exists.
The COSO control framework guides the SOX audit function
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative whose major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. In 1992, COSO established a common definition of internal controls, standards and criteria against which companies and organizations can assess their control systems. This widely used framework provides a corporate governance model, a risk model and control components that together form the blueprint for establishing internal controls that minimize risk, help ensure the reliability of financial statements, and comply with various laws and regulations.
COSO is a general framework that is not specific to the IT area of a company— or to any other functional area, for that matter. However the COSO framework can be, and often is, applied specifically to IT processes and controls that are governed by SOX Section 404 compliance, the Assessment of Internal Control for all controls related to financial data and reporting.
According to the COSO framework, internal controls consist of five interrelated components. These components are derived from the way management runs a business and are integrated with the organization’s management processes. The components are: the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. And, as described below, log management has a crucial role in each of them.
- The Control Environment – Coming from the Board of Directors and the executive management, a company’s control environment sets the tone of how the organization will conduct its business, thereby influencing the control consciousness of the entire workforce. The control environment provides discipline and structure, and includes factors such as corporate integrity, ethical values, management’s operating style, delegation of authority systems, and the processes for managing and developing people in the organization.
Log management aids corporate management in designing, implementing, and refining controls via its ability to establish a baseline, or snapshot, of an organization’s IT infrastructure and its activities; for example, knowing what devices exist, what applications are running on them, and who is accessing the applications.
- Risk Assessment – Every organization has business objectives; for example, to produce a product or provide a service. Likewise, every organization faces a variety of risks to meeting its objectives. The risks, which come from both internal and external sources, must be identified and assessed. This risk assessment process is a prerequisite for determining how the risks should be managed.
Log data/management is a starting point of the iterative IT risk management process by providing baseline and near real-time insight into the condition of an organization’s infrastructure. This helps the company identify and assess the risks that may threaten the business objectives and provides the opportunity for the revision of an organization’s acceptable risk posture. And then with a continual feed, log data can be used to ascertain current conditions and to alert someone to the need for appropriate corrective action to mitigate a risk if one arises.
- Control Activities – Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address the risks to achieving the organization’s objectives. Control activities occur throughout the organization, at all levels and in all functions. Numerous control activities are utilized in the IT area, including access control, change control and configuration control, to name a few.
Log management provides automated event correlation/consolidation and reporting, thereby providing assurance that log data entries are presented to control stakeholders accurately and in a timely fashion. This reporting allows management to take corrective action if needed, as well as measure the effectiveness of designed processes and controls.
- Information and Communication – Information systems play a key role in internal control systems as they produce reports including operational, financial and compliance-related information that make it possible to run and control the business. An effective communication system ensures that useful information is promptly distributed to the people who need it – outside as well as inside the organization – so they can carry out their responsibilities.
Within log management, this takes the form of automated generation and delivery of detail and summary reports and alerts of key events for appropriate management review and/or action.
- Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.
From a log manager’s view, “monitoring” is what he is doing on a daily basis – i.e., performing a “control activity.” From the COSO view, “monitoring” is the assessment of how well the control activities are performing. In other words, the latter is looking over the shoulder of the former to make sure the control activities are effective.
Once an organization has established its control structure(s), an auditor is charged with the independent review of the controls that have been implemented. He is ultimately responsible for assessing the effectiveness of the controls, including those IT controls designed to protect the accuracy and reliability of financial data. This is the heart of SOX Section 404.
A unified and comprehensive log management approach will continue to be the cornerstone of an IT organization’s control processes. It is the best way to get timely insight into all activities on the network that have a material impact on all systems, including financial systems.
Brian Musthaler, CISA – is a Principal Consultant with Essential Solutions Corp. A former audit and information systems manager, he directs the firm’s evaluations and analysis of enterprise applications, with a particular interest in security and compliance tools.
PCI costs slow compliance projects in down economy
The economic recession is making it difficult for some information security pros in financial services to get the funding they need to accomplish their goals. A good example of a project that can help both the bottom line and PCI compliance is automated log management
Security threats rise in recession
Threats to data and network security increase during tough times, even as scarce resources make companies more vulnerable to attack.
Did you know? EventTracker allows you to meet a large number of requirements while helping you cut costs and boost productivity. Comply with standards such as PCI-DSS, secure critical servers, protect from inside theft and optimize IT operations while saving money at the same time! Need hard numbers? Take a look at our ROI calculator
Feds allege plot to destroy Fannie Mae data
A fired Fannie Mae contract worker pleaded not guilty Friday to a federal charge he planted a virus designed to destroy all the data on the mortgage giant’s 4,000 computer servers nationwide.
Did you know? Employees, especially disgruntled ones, can significantly increase the risk exposure of a company. EventTracker helps companies minimize this risk by tracking and alerting on all unusual/unauthorized user activity.
Prism Microsystems continues record revenue into 4th quarter
We had a great 4th quarter – get a recap of our performance and key product innovations in 2008