Section 404 of the Sarbanes-Oxley Act requires that publicly listed companies report to the SEC on the effectiveness of their internal controls over financial data, and provide an additional report from independent auditors attesting to the effectiveness of the company's internal controls and procedures for handling this data. Continued compliance with section 404 requires that companies keep assessing and monitoring their internal controls as risks change over time.
While the main purpose of the Sarbanes-Oxley Act is to raise the standards of corporate governance, particularly in relation to financial reporting and auditing, a broad interpretation by the SEC of the affected business practices can include much of a company’s corporate data. Since most corporate data is held within IT systems, enhanced IT controls are now a necessary requirement for continued compliance with section 404.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a framework mandated by the SEC to ensure consistency and quality in evaluating the effectiveness of internal controls across many organizations. While COSO provides a general framework for internal controls, the Control Objectives for Information and related Technology (CobiT) provides a framework specific to Information Technology.
CobiT helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. CobiT’s “good practices” means consensus of the experts — they help optimize information investments and will provide a measure to be judged against when things do go wrong.
VerSec provides organizations with the functionality to centrally apply policies across the enterprise to control and audit the devices and applications being used by employees, the data they transfer to and from removable media and storage devices, the encryption level required for data transferred to removable media and storage devices, and the documents that are printed.
VerSec specifically helps organizations meet the following control objectives as defined in the CobiT framework:
PLANNING AND ORGANISATION
4. Define the Information Technology Organization and Relationships
4.1 Segregation of Duties
VerSec ensures a segregation of duties between end users, system administrators, security administrators and security auditors.
VerSec ensures that only those users whose duties require access to certain devices and applications, or the ability to transfer data on and off your IT systems, have it.
Access to change and modify VerSec policies can be restricted to Security Administrators only.
Access to VerSec logs can be restricted to Security Auditors only. The Security Administrator and Security Auditor are not required to be System Administrators.
System Administrators cannot override VerSec policy settings.
The location of audit logs can be configured on a policy-by-policy basis. This allows for segregation of duties between Security Auditors (i.e. one Security Auditor can be made responsible for auditing one department but will not have access to audit a second department, which can be assigned to a second Security Auditor who has no access to the first department).
VerSec can delegate the responsibility for authorizing removable media and storage devices to trusted individual users and/or groups of users. The authorization of a device or media for use on the system is fully audited, as is its eventual use.
6. Communicate Management Aims and Directions
6.3 Communication of Organization Policies
VerSec is configurable on a policy-by-policy basis to:
1. Prompt a user, before any file transfer on or off your system, with your company's security policy.
2. Prompt a user with your company's security policy when they attempt to access a device or application for which they are not authorized.
6.5 Maintenance of Policies
As VerSec is integrated within your Group Policy infrastructure, all your security policies are centrally managed within the one environment.
The VerSec Management Console uses the familiar look and feel of the Microsoft Management Console, ensuring your Security Administrators will feel right at home using it.
Maintenance of VerSec policies is therefore quick, simple and intuitive.
6.6 Compliance with Policies, Procedures and Standards
VerSec enforces and audits compliance with your organization's policies and procedures on access to devices and applications, data exchange to and from removable media and storage devices, and printing.
6.9 Intellectual Property Rights
VerSec enforces and audits compliance with your organization's policy on intellectual property rights by ensuring that data transferred to and from removable media and storage devices and/or transmitted via email is controlled and audited, and that all printed documents are audited.
VerSec can be configured to prompt a user wishing to transfer data for the classification of the data and/or a reason why they wish to transfer it. This information is then audited along with the details (what, when, where and who) of the transfer.
VerSec can be configured to block certain file types from being transferred. It ships with over 1900 file types, and new ones can be added easily. This can ensure that only certain users can transfer certain file types. Archive and OLE file types that can contain embedded files are recursively searched for blocked file types before a transfer is permitted.
VerSec can be configured to block the transfer of documents that contain certain keywords or patterns (SSNs and credit card numbers, for example).
VerSec can be configured to capture the files transferred for later analysis.
VerSec can be configured to enforce an encryption policy for all files transferred off your system. This ensures that if your intellectual property is lost or stolen once it has been transferred to removable media or a storage device, it cannot be accessed by unauthorized individuals.
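As an added illustration of the file-type and content checks described in this section (example code written for this page, not VerSec's own implementation), the following Python script walks a file and any zip archives nested inside it, flags blocked file types at any depth, and scans text content for SSN-shaped strings and Luhn-valid card numbers. The blocked-extension set, the two patterns, the nesting limit and the sample archive are all constructed for the example; VerSec's 1900-type catalogue and its OLE handling are not reproduced here.

```python
import io
import re
import zipfile

# Constructed policy for this example (assumed values, not VerSec configuration):
# file types that must not leave the system, and content patterns that flag a transfer.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".pst"}
MAX_NESTING = 5  # bound recursion so a deeply nested archive cannot exhaust the scanner

# SSN shape: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_content(text: str) -> list:
    """Return (kind, match) pairs for SSN-shaped strings and Luhn-valid card numbers."""
    findings = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group(0)))
    return findings


def extension_of(path: str) -> str:
    """Lower-cased extension of the last path component, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def walk_members(path: str, data: bytes, depth: int = 0):
    """Yield (path, bytes) for the file and every file nested inside zip archives within it."""
    yield path, data
    if depth < MAX_NESTING and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from walk_members(f"{path}/{info.filename}", zf.read(info), depth + 1)


def evaluate_transfer(path: str, data: bytes) -> dict:
    """Decide whether a transfer may proceed; every reason found is recorded for the audit log."""
    reasons = []
    for member, blob in walk_members(path, data):
        ext = extension_of(member)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked file type {ext} at {member}")
        if zipfile.is_zipfile(io.BytesIO(blob)):
            continue  # archives are inspected member by member, not as raw bytes
        for kind, value in find_sensitive_content(blob.decode("utf-8", errors="ignore")):
            reasons.append(f"{kind} pattern {value} in {member}")
    return {"file": path, "allowed": not reasons, "reasons": reasons}


def build_sample_archive() -> bytes:
    """Constructed sample: a zip holding a nested zip with an .exe, plus a note with an SSN and a card number."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tools/setup.exe", b"MZ placeholder, not a real executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bundle.zip", inner.getvalue())
        zf.writestr("notes.txt", "Customer card 4111 1111 1111 1111, SSN 123-45-6789\n")
    return outer.getvalue()


if __name__ == "__main__":
    for reason in evaluate_transfer("report.zip", build_sample_archive())["reasons"]:
        print(reason)
```

The decision is made only after the whole tree has been walked, so the audit record carries every reason rather than the first one hit, and the nesting limit protects the scanner itself from an archive crafted to recurse without end.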
6.10 Issue Specific Policies
VerSec allows policies to be assigned to individual users and/or groups of users from your existing NT Domains, Active Directory Domains or Workgroups. Specific policies can therefore be tailored to address access to particular devices and applications, data exchange, and print auditing requirements.
7. Manage Human Resources
7.8 Job Change and Termination
VerSec allows policies to be assigned to individual users and/or groups of users from your existing NT Domain, Active Directory Domains or Workgroup.
When a user moves job function, they are removed from the groups applicable to their old role and added to the groups applicable to their new role. The VerSec policy applied when the user next logs in will then be the one applicable to the new role.
Restrictive policies can be created for users who have resigned. Once a user has resigned they can be added to a leavers group which is associated with the restrictive policy. The next time the user logs in, the restrictive policy will be applied.
8. Ensure Compliance with External Requirements
8.4 Privacy, Intellectual Property and Data Flow
VerSec safeguards your company’s intellectual property and supports compliance with external rules and regulations that require your company to safeguard the data it collects on third parties.
VerSec controls and audits the data transferred between removable media and storage devices and your IT systems, as well as auditing all printing that occurs.
VerSec can enforce an encryption policy on all data transfers to removable media and storage devices, ensuring that once data is removed from your system it is protected to appropriate levels.
9. Assess Risks
9.3 Risk Identification
VerSec's ability to audit the devices and applications in use on your IT systems, as well as the data transfers occurring between them and removable media and storage devices, the emails that are sent and the documents that are printed, allows you to assess the risk posed to your business by this activity. Devices, applications or data exchanges deemed too high a risk can then be blocked.
9.6 Risk Acceptance
The risks posed by the use of various devices and applications and the transfer of data to and from removable media and storage devices can be identified by VerSec's auditing capabilities. Such activities can be blocked if deemed too high a risk to your business, or alternatively the risk can be managed by continued auditing.
9.7 Safeguard Selection
VerSec is unique in its ability to centrally manage, control and audit the devices and applications used and the data transfers occurring throughout your organization. When calculating the ROI possible through the purchase of VerSec, consider the following:
1. What would the cost to your business be if a competitor got hold of your intellectual property?
2. What would the cost to your business be if information your organization holds on third parties was released illegally outside your organization?
3. What would the cost to your business be if a removable storage device was lost or stolen and it contained confidential information that was not encrypted?
4. Would you be able to prove which individuals had removed the information from your IT systems?
5. What is the cost to your organization each time a new computer virus infects your computer systems and it is 12 – 24 hours before a pattern is released by your antivirus vendor and rolled out across your organization?
6. What is the cost of software licenses that are not being used within your organization?
7. What would the cost to your organization be if it is found to have unlicensed software installed?
VerSec can help you mitigate all these risks and costs.
ACQUISITION AND IMPLEMENTATION
2. Acquire and Maintain Application Software
2.13 Availability as a Key Design Factor
VerSec is a highly available enterprise solution for auditing and controlling the devices and applications in use throughout your organization, as well as the data exchange to and from removable media and storage devices, and print auditing.
VerSec extends your existing Microsoft Group Policy infrastructure and is therefore scalable from the largest to the smallest enterprises and organisations.
VerSec will continue to securely audit and control machines that become disconnected from your corporate network, and audit logs will automatically be updated when the machine is reconnected.
2.14 IT Integrity Provisions in Application Program Software
VerSec uses technologies such as digital signatures and encryption to safeguard and verify the various software components it uses.
2.16 User Reference and Support Materials
VerSec comes with extensive User and System Administration documentation.
3. Acquire and Maintain Technology Infrastructure
3.7 Use and Monitoring of System Utilities
The use of sensitive software utilities can be tightly controlled and audited using VerSec's application auditing and control features.
6. Manage Change
6.3 Control of Changes
Changes in software and hardware configurations can be immediately identified via VerSec's audit and inventory collection features. Additionally, software and devices that have been installed without authorization can be automatically prohibited from use.
DELIVERY AND SUPPORT
1. Define and Manage Service Levels
1.4 Monitoring and Reporting
The VerSec Management Console provides a simple and intuitive interface to the VerSec audit logs. Only users authorized to view the logs have access.
VerSec not only audits device, application, data exchange and printing events but also audits events written to the Microsoft Event Logs.
VerSec integrates with Computer Associates eTrust Security Command Center allowing the VerSec audit events to be correlated and aggregated with other security events from other applications such as intrusion detection and anti-virus products and presented in a common management console.
5. Ensure System Security
5.1 Manage Security Measures
VerSec policies are highly configurable and designed so that your organization's security requirements for devices, applications and data exchange can be implemented in line with your business requirements.
5.2 Identification, Authentication and Access
VerSec provides access control to a wide array of devices.
VerSec provides access control over the data that can be transferred to and from storage devices and removable media. Data can be controlled based on its file type and actual content.
VerSec provides access control over which applications can run on your organization's systems. Malicious software (such as viruses and spyware) that makes it onto your system is stopped from executing before it can cause any damage.
VerSec policies automatically adapt to the location of the endpoint computer. Access control can therefore be changed automatically when a computer is taken off your network. For example, wireless cards and modems can be disabled while a laptop is connected to your corporate network but automatically enabled once that laptop is disconnected.
VerSec override codes allow blocked events to be overridden for a period of time without requiring a policy update. This enables business continuity for mobile users without requiring a connection to the corporate network, and also allows one-off events to be handled without the need for policy changes.
VerSec can be configured so that users with Administration privileges cannot bypass the protection put in place by VerSec.
5.3 Security of Online Access to Data
VerSec allows access controls on removable media and storage devices. Any combination of read, write and delete access can be granted to a user and/or group of users for a particular storage device or media.
5.4 User Account Management
Assigning users and groups within your existing NT Domain, Active Directory Domains or workgroup to VerSec policies ensures that all account management functions can occur centrally.
5.5 Review of User Accounts
The Microsoft Group Policy Management Console has various views that help to identify not only what users and groups are assigned to a policy but also what policy is assigned to a user and/or group. Policies can also be printed for periodic comparison of access controls.
5.6 User Control of User Accounts
VerSec allows users to be prompted in a variety of ways when an action is blocked.
Users are alerted if malicious software (such as viruses and spyware) has been blocked from starting.
Users are alerted if they try to use or insert a device or media for which they are not authorized, and are again prompted if they try to transfer data to or from their computer and their policy prevents them from doing so.
Users are alerted if they try to transfer or transmit data from their computer for which they have not been authorized.
The user can be alerted by either a message box or a popup notification. The text of a message box notification is also configurable.
5.7 Security Surveillance
VerSec supports the auditing of device, application, data exchange and printing events throughout your organization. The audit destinations are configurable on a policy-by-policy basis and include the Microsoft Windows Event Log, Relational Database Management Systems (RDBMS), files and email. The events to be audited are also fully configurable, ensuring you audit only what you require and thus avoid the unnecessary storage requirements that can accompany extensive auditing.
5.8 Data classification
A VerSec policy can be configured to prompt the users to which it is assigned to provide a classification for the data they are transferring. Additionally, it can be configured to prompt users for a reason why the data is being transferred. This information is then captured as part of the audit event for the data transfer.
5.9 Central Identification and Access Rights Management
VerSec extends the Microsoft Group Policy framework, which is a robust and scalable centralized policy management framework.
5.10 Violation and Security Activity Reports
VerSec's auditing capabilities are both extensive and configurable. Both the audit destination and the details to audit can be configured on a policy-by-policy basis.
VerSec is delivered out of the box with many useful management reports.
5.13 Counter Party Trust
VerSec makes use of encryption and digital signatures to verify and safeguard policies and to authorize removable media and storage devices.
5.19 Malicious Software Prevention, Detection and Correction
VerSec policies can be configured to take a White List approach in determining a program's ability to execute. In this scenario, if an application is not identified by its unique signature as being authorized to run, it will be stopped from executing. This has huge advantages over Anti-Virus and Anti-Spyware solutions. The majority of these solutions work on a Black List policy, requiring a pattern of the virus or spyware to be downloaded before the malicious application can be detected. This results in major infections when new malicious software is released to the world, or in infections that are extremely difficult to remove when a malicious program attacks the Anti-Virus or Anti-Spyware software itself.
9. Manage the Configuration
9.5 Unauthorized software
VerSec policies can be configured to take a White List approach in determining a program's ability to execute. In this scenario, unauthorized software that has been installed will be prevented from running. Where a Black List approach is used, all software executing across your organization can be audited. Unauthorized software will be audited and appropriate action can then be taken.
VerSec's application auditing features can also be used to analyze software licensing issues. They can easily be used to answer questions such as "Who has actually used Microsoft Word over the last 3 months?". Being able to quickly and easily answer such questions can save your organization thousands of dollars in unnecessary license fees or the costly fees associated with breaches of license agreements.
VerSec Inventory Collection reports on all software installed on your endpoints, even if it is not used.
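The following Python example, added here for this page and not taken from VerSec, shows why the White List and Black List approaches described in sections 5.19 and 9.5 behave differently for a program that has never been seen before: the same three constructed program images are evaluated under a hash-based allow-list and a hash-based block-list, and every decision is written to an in-memory audit record. The SHA-256 fingerprint, the policy class, the user name and the image bytes (including the file name "word.exe") are assumptions made for illustration; VerSec's actual signature scheme and audit format are not reproduced.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for program images (assumed bytes, not real executables).
AUTHORIZED_IMAGE = b"MZ-constructed-authorized-application"
KNOWN_BAD_IMAGE = b"MZ-constructed-known-malware"
NEW_UNKNOWN_IMAGE = b"MZ-constructed-never-seen-before"


def fingerprint(image: bytes) -> str:
    """Unique signature of a program image: SHA-256 of its bytes (assumed scheme)."""
    return hashlib.sha256(image).hexdigest()


class ExecutionPolicy:
    """Hash-based execution control in either allow-list or block-list mode, with auditing."""

    def __init__(self, mode: str, signatures: set):
        if mode not in ("allowlist", "blocklist"):
            raise ValueError("mode must be 'allowlist' or 'blocklist'")
        self.mode = mode
        self.signatures = set(signatures)
        self.audit_log = []  # in-memory stand-in for an audit destination (event log, RDBMS, file)

    def decide(self, path: str, image: bytes, user: str) -> dict:
        digest = fingerprint(image)
        listed = digest in self.signatures
        # allow-list: only listed images run; block-list: everything except listed images runs
        allowed = listed if self.mode == "allowlist" else not listed
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "path": path,
            "sha256": digest,
            "mode": self.mode,
            "listed": listed,
            "decision": "allow" if allowed else "block",
        }
        self.audit_log.append(json.dumps(event))  # every decision is audited, allowed or not
        return event


def compare_modes() -> dict:
    """Run the same three images through both modes; returns {mode: {image name: decision}}."""
    allow = ExecutionPolicy("allowlist", {fingerprint(AUTHORIZED_IMAGE)})
    block = ExecutionPolicy("blocklist", {fingerprint(KNOWN_BAD_IMAGE)})
    images = {
        "word.exe": AUTHORIZED_IMAGE,        # constructed name, not Microsoft's binary
        "dropper.exe": KNOWN_BAD_IMAGE,      # already has a known signature
        "newthreat.exe": NEW_UNKNOWN_IMAGE,  # released after the last signature update
    }
    return {
        policy.mode: {name: policy.decide(name, img, "alice")["decision"] for name, img in images.items()}
        for policy in (allow, block)
    }


def tampered_image_blocked() -> bool:
    """A modified copy of an authorized image no longer matches its signature under an allow-list."""
    policy = ExecutionPolicy("allowlist", {fingerprint(AUTHORIZED_IMAGE)})
    return policy.decide("word.exe", AUTHORIZED_IMAGE + b"-patched", "alice")["decision"] == "block"


if __name__ == "__main__":
    print(json.dumps(compare_modes(), indent=2))
```

The unknown image is the case that matters: the block-list lets it run because no pattern for it exists yet, while the allow-list blocks it because it was never authorized. The same fingerprinting also means a tampered copy of an authorized program stops matching, which is the property a later audit review relies on.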
9.8 Software Accountability
VerSec's application auditing features can also be used to quickly determine which versions of applications are executing across your organization. This can help identify software compatibility issues.
VerSec Inventory Collection reports on all software installed on your endpoints, even if it is not used.
11. Manage Data
11.3 Output Distribution
Removable media and storage devices have huge and ever-increasing storage capacities and are generally very small in size. With the plug-and-play nature of many of these devices and media, users can quickly and discreetly transfer very large quantities of your sensitive corporate data. VerSec negates this risk by controlling and auditing the data transferred from your network to removable media and storage devices and back.