
Auditor’s Checklist

A XYPRO Solution Paper

MAY, 2009
XYPRO Technology Corporation
3325 Cochran Street, Suite 200
Simi Valley, California 93063-2528 U.S.A.
Email: info@xypro.com
Telephone: + 1 805-583-2874
FAX: + 1 805-583-0124

Copyright© 2009 by XYPRO Technology Corporation. All rights reserved.


Trademark Acknowledgments
The following are trademarks or service marks of Hewlett-Packard Company:
Distributed System Management (DSM), EDIT, ENFORM, Enscribe, Event Management Service (EMS), FUP, Guardian, MEASURE, NETBATCH, NonStop, NonStop Kernel, NonStop SQL, PATHCOM, PATHWAY, SAFECOM, SAFEGUARD, SCUP, SPOOLCOM, TACL, TEDIT

The following are trademarks or service marks of XYPRO Technology Corporation:
XY-2K, XYCLOPS, XYDOC, XYDOC II, XYGATE, XYGATE/AC, XYGATE/CD, XYGATE/CM, XYGATE/EFTP, XYGATE/ESDK, XYGATE/FE, XYGATE/KM, XYGATE/LD, XYGATE/MA, XYGATE/MI, XYGATE/OS, XYGATE/PC, XYGATE/PM UM, XYGATE/PQ, XYGATE/SE, XYGATE/SE40, XYGATE/SM, XYGATE/SP, XYGATE/SR, XYGATE/SW, XYGATE/UA, XYPRO, XYTIMER, XYWATCH

The PCI Data Security Standard has been compiled by the PCI Security Standards Council. For more information,
please consult www.pcisecuritystandards.org.

December, 2007 XYPRO Technology Corporation


TABLE OF CONTENTS
Introduction
1.00 Integrity
2.00 Authentication
3.00 Authorization
4.00 Auditing
5.00 Encryption
6.00 Access Control
7.00 Operating Systems & Network
8.00 Application Security



Introduction
Security regulation has taken the forefront in the current decade. Significant monetary losses due to lessened corporate regulation and
concerns for individual privacy in a time of large data mining have motivated many legislative establishments and voluntary
cooperative organizations to create standards for secure behavior.

Four such sets of standards are presented in this document: PCI, SOX, HIPAA and SB1386.

The Payment Card Industry Data Security Standard (PCI) Version 1.2 is a security standard for all payment card transactions
agreed upon by the members of the Payment Card Industry Council, which includes VISA, Mastercard, American Express, Discover
Card and JCB. This standard is being phased in within the United States and internationally to secure retail transactions between a
cardholder and the merchant accepting the transaction, between the merchant accepting the transaction and the merchant's bank, and
between the bank and the payment card organization.

The Sarbanes-Oxley Act of 2002 (SOX) targets internal controls over accounting procedures and financial reporting. It also brings
pressure on the information security organization within a corporation to provide the underlying assurance needed to produce accurate
accounting and reporting. While the SOX legislation has no specific security standards, the Control Objectives For Information And
Related Technology (COBIT) have been created to provide a structure to meet SOX requirements. Even though the Sarbanes-Oxley
Act of 2002 is a law of the United States of America, it is applied to any company that has a presence in the USA, and so it must be
part of the security considerations of any corporation doing international business in the USA.

The government of the United States of America created the Health Insurance Portability and Accountability Act (HIPAA) to reduce
health care fraud and abuse, introduce and implement administrative simplification to increase the effectiveness and efficiency of the
health care system, and protect the health care information of individuals against unauthorized access.

The State of California passed the legislation SB1386 in response to several breaches of privacy in databases containing personal
information. This legislation requires a person or business that conducts business in California, and that owns or licenses computerized
data that includes personal information, to disclose any breach of the security of the data to any resident of California whose unencrypted
personal information was, or is reasonably believed to have been, acquired by an unauthorized person.



The Auditor’s Checklist
The spreadsheet that follows presents a view of various security requirements and how each is viewed in the context of the
security standards described above. The specific standard to which a security requirement relates is listed in the corresponding
column, so that a particular security requirement can be found and referenced easily.

The spreadsheet also includes references to discussions of these topics in the two definitive HP NonStop information security
handbooks.

“Volume 1” refers to: HP NonStop Server Security: A Practical Handbook (ISBN-13: 978-1555583149) and “Volume 2” refers to:
Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL (ISBN: 978-1555583446).

XYPRO has designed this document primarily for educational purposes. Readers should note that no regulatory, legislative, or
advisory body has endorsed this document. Accordingly, companies should seek counsel and appropriate advice from their risk
advisors and auditors. The IT professional should always apply his or her own professional judgment to the specific control
circumstances presented by the particular systems or information technology environment.

Internal controls, automated or manual, no matter how well designed and operated, can provide only reasonable assurance of
achieving control objectives and can never achieve certainty. The likelihood of achievement is affected by limitations inherent in
internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal
control can occur because of human factors such as errors or inappropriate override of internal controls.



Each checklist row below gives the item number and its discussion, followed by the references that filled the remaining columns of the
spreadsheet: the Security Handbook (Volume 1 or 2, with pages), the PCI DSS requirement, the SOX (COBIT) control objective, the
HIPAA section and the SB1386 section. A "Your Findings" column is left blank in every row for the auditor's own notes.

1.00 Integrity

1.01  Protect personal information from improper alteration or destruction
      Handbook: Vol 1, pp 536-537; Vol 2, pp 225-230
      PCI: 3
      HIPAA: 164.312(c)

1.02  Implement security measures to ensure that electronically transmitted
      personal information is not improperly modified without detection
      Handbook: Vol 2, pp 230-234
      HIPAA: 164.312(e)

1.03  Deploy measures to prevent malicious code and update them regularly
      Handbook: Vol 1, p 523; Vol 2, pp 53-54
      PCI: 5.1

1.04  Ensure that measures to prevent malicious code execute regularly and
      produce audit logs of execution and findings
      Handbook: Vol 1, p 523; Vol 2, p 54
      PCI: 5.2

1.05  Deploy file integrity monitoring software to monitor critical system
      resources and alert appropriate personnel
      Handbook: Vol 1, pp 10-11
      PCI: 11.5


2.00 Authentication

2.01  Management should establish procedures to ensure timely account management
      Handbook: Vol 1, p 95
      SOX (COBIT): User Account Management

2.02  Management should have a control process in place to review and confirm
      access rights periodically
      Handbook: Vol 1, pp 94-95
      SOX (COBIT): Management Review of User Accounts

2.03  Users should control the activity of their proper accounts
      SOX (COBIT): User Control of User Accounts

2.04  Assign a unique userid to each user
      Handbook: Vol 1, p 94
      PCI: 8
      SOX (COBIT): User Control of User Accounts

2.05  Do not use group, shared, or generic accounts or passwords
      Handbook: Vol 1, p 94
      PCI: 8.5.8
      SOX (COBIT): User Control of User Accounts

2.06  Ensure proper user authentication and password management for all users
      Handbook: Vol 1, p 94
      PCI: 8.5
      HIPAA: 164.312(a)(1)

2.07  Authenticate each user based on his unique userid
      Handbook: Vol 1, p 94, p 110
      PCI: 8.2
      SOX (COBIT): Identification, Authentication, and Access
      HIPAA: 164.312(d)
      SB1386: Implied

2.08  Two-factor authentication for network access
      PCI: 8.3

2.09  Authenticate users before resetting passwords
      PCI: 8.5.2

2.10  Reset passwords at least every 90 days
      Handbook: Vol 1, p 116
      PCI: 8.5.9

2.11  Require a minimum length of 7 characters
      Handbook: Vol 1, p 116
      PCI: 8.5.10

2.12  Ensure that each password contains at least 1 numeric and 1 alphabetic character
      Handbook: Vol 1, p 111, p 116
      PCI: 8.5.11

2.13  Maintain a password history value of at least 4 iterations
      Handbook: Vol 1, p 115
      PCI: 8.5.12

2.14  Set AUTHENTICATE-MAXIMUM-ATTEMPTS to permit a maximum of 6 attempted
      password entries before handling a bad password event
      Handbook: Vol 1, p 131
      PCI: 8.5.13

2.15  Set AUTHENTICATE-FAIL-TIMEOUT to a minimum of 30 minutes when a bad
      password event occurs, or implement AUTHENTICATE-FAIL-FREEZE or
      AUTHENTICATE-FAIL-STOP
      Handbook: Vol 1, p 131
      PCI: 8.5.14

2.16  If AUTHENTICATE-FAIL-FREEZE is used, ensure that the SUPER.SUPER and
      security administrator userids cannot be affected by the
      AUTHENTICATE-FAIL-FREEZE
      Handbook: Vol 1, p 131
      PCI: 8.5.14

2.17  Force users to change new passwords immediately after resets
      Handbook: Vol 1, p 117
      PCI: 8.5.3
      SOX (COBIT): User Account Management

2.18  Force the SUPER.SUPER password to change regularly
      Handbook: Vol 1, p 122
      PCI: 2.1

2.19  Secure the SUPER.SUPER password so that it can only be used by authorized
      personnel when needed for specific job functions
      Handbook: Vol 1, p 86, p 92
      PCI: 7

2.20  Force the NULL.NULL password to change regularly or FREEZE the NULL.NULL userid
      Handbook: Vol 1, p 85
      PCI: 2.1

2.21  Unique ID per person
      Handbook: Vol 1, p 81
      PCI: 8.1
      SOX (COBIT): Segregation of duties
      HIPAA: 164.312(a)(1)
      SB1386: Implied

2.22  Temporary and vendor accounts should become inactive at the appropriate time
      Handbook: Vol 1, p 103
      PCI: 8.5.6
      SOX (COBIT): User Account Management

2.23  Remove userids of terminated users
      Handbook: Vol 1, p 95
      PCI: 8.5.4
      SOX (COBIT): User Account Management

2.24  Remove userids that haven't been used in >90 days
      Handbook: Vol 1, p 81
      PCI: 8.5.5
      SOX (COBIT): User Account Management

2.25  Force users to change new passwords immediately after resets
      Handbook: Vol 1, p 117
      PCI: 8.5.3
      SOX (COBIT): User Account Management

2.26  Change the name of the SUPER.SUPER userid to a non-default value (i.e., NOT
      SUPER.SUPER) when the network is new
      Handbook: Vol 1, p 87
      PCI: 2.1

2.27  Change NULL.NULL to a non-default value (i.e., NOT NULL.NULL) when the
      node is new
      Handbook: Vol 1, p 85
      PCI: 2.1

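Items 2.11 through 2.16 can be checked directly from Safeguard's global authentication attributes. The Python script below is added here as an illustration; it is not part of the original paper or of any XYPRO product. It parses a constructed ATTRIBUTE = VALUE listing (the layout is assumed and is not real SAFECOM INFO SAFEGUARD output) and reports each item as PASS, FAIL or MANUAL; PASSWORD-MINIMUM-LENGTH and PASSWORD-HISTORY are the assumed attribute names for items 2.11 and 2.13.

```python
"""Check Safeguard global authentication settings against checklist items 2.11-2.16."""
import re

# Constructed sample in "ATTRIBUTE = VALUE" form (assumed layout, not real SAFECOM
# output); three of the values are deliberately non-compliant.
SAMPLE_SETTINGS = """\
PASSWORD-MINIMUM-LENGTH = 6
PASSWORD-HISTORY = 4
AUTHENTICATE-MAXIMUM-ATTEMPTS = 10
AUTHENTICATE-FAIL-TIMEOUT = 5
AUTHENTICATE-FAIL-FREEZE = OFF
AUTHENTICATE-FAIL-STOP = OFF
"""
LINE_RE = re.compile(r"^\s*([A-Z][A-Z0-9-]*)\s*=\s*(\S+)\s*$")

def parse_settings(text):
    """Return {attribute: value}; digit strings become int, ON/OFF become bool."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headings, blank lines and anything unrecognised
        name, raw = m.groups()
        if raw.upper() in ("ON", "OFF"):
            settings[name] = raw.upper() == "ON"
        else:
            settings[name] = int(raw) if raw.isdigit() else raw
    return settings

def check_authentication(settings):
    """Return (item, status, detail) findings; status is PASS, FAIL or MANUAL."""
    length = settings.get("PASSWORD-MINIMUM-LENGTH", 0)
    history = settings.get("PASSWORD-HISTORY", 0)
    attempts = settings.get("AUTHENTICATE-MAXIMUM-ATTEMPTS", 0)  # 0 = not configured
    timeout = settings.get("AUTHENTICATE-FAIL-TIMEOUT", 0)
    freeze = settings.get("AUTHENTICATE-FAIL-FREEZE", False)
    stop = settings.get("AUTHENTICATE-FAIL-STOP", False)
    checks = [
        ("2.11", length >= 7, f"PASSWORD-MINIMUM-LENGTH={length}, need >= 7"),
        ("2.13", history >= 4, f"PASSWORD-HISTORY={history}, need >= 4"),
        ("2.14", 1 <= attempts <= 6, f"AUTHENTICATE-MAXIMUM-ATTEMPTS={attempts}, need 1-6"),
        # item 2.15 is satisfied by a 30-minute timeout OR the FREEZE or STOP action
        ("2.15", timeout >= 30 or freeze or stop,
         f"FAIL-TIMEOUT={timeout} min, FREEZE={freeze}, STOP={stop}"),
    ]
    findings = [(i, "PASS" if ok else "FAIL", d) for i, ok, d in checks]
    if freeze:  # item 2.16 cannot be judged from the global settings alone
        findings.append(("2.16", "MANUAL",
                         "FREEZE is on: confirm SUPER.SUPER and security admin userids are exempt"))
    return findings

def failed_items(text):
    """Item numbers that FAIL for a settings listing."""
    return [i for i, status, _ in check_authentication(parse_settings(text)) if status == "FAIL"]
```

Calling failed_items(SAMPLE_SETTINGS) on the constructed listing reports items 2.11, 2.14 and 2.15.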
3.00 Authorization

3.01  Establish a procedure for linking all access to system resources to an
      individual user
      PCI: 10.1

3.02  Management should implement procedures to provide authorized access to
      resources based on the individual's demonstrated need to view, add,
      change, or delete data.
      Handbook: Vol 1, ch 5
      PCI: 12.5.5
      SOX (COBIT): Security of Online access to data

3.03  The userid structure used by the computing resource must support
      segregation of duties to ensure that personnel are performing only those
      duties stipulated for their respective jobs and positions.
      Handbook: Vol 1, p 143
      PCI: 12.5.4
      SOX (COBIT): Segregation of Duties

4.00 Auditing

4.01  Implement automated audit trails to reconstruct all individual user
      accesses to personal data
      Handbook: Vol 1, pp 72-79, ch 5
      PCI: 10.2.1
      SOX (COBIT): Use and monitoring of system utilities
      HIPAA: 164.312(b)
      SB1386: Implied

4.02  Implement automated audit trails to reconstruct any activity performed by
      a user logged on as SUPER.SUPER, accountable to the user's unique userid.
      Handbook: Vol 1, p 107
      PCI: 10.2.2
      SOX (COBIT): Use and monitoring of system utilities
      HIPAA: 164.312(b)
      SB1386: Implied

4.03  Implement automated audit trails to reconstruct access to all audit trails
      PCI: 10.2.3
      SOX (COBIT): Use and monitoring of system utilities
      HIPAA: 164.312(b)
      SB1386: Implied

4.04  Implement automated audit trails to reconstruct invalid logical access
      attempts
      PCI: 10.2.4
      SOX (COBIT): Use and monitoring of system utilities
      HIPAA: 164.312(b)
      SB1386: Implied

4.05  Implement automated audit trails to reconstruct use of identification and
      authentication mechanisms
      PCI: 10.2.5
      SOX (COBIT): Use and monitoring of system utilities
      HIPAA: 164.312(b)
      SB1386: Implied

4.06  Implement automated audit trails to reconstruct initialization of the
      audit logs
      PCI: 10.2.6
      SOX (COBIT): Use and monitoring of system utilities
      HIPAA: 164.312(b)
      SB1386: Implied

4.07  Implement automated audit trails to reconstruct creation and deletion of
      system-level objects
      PCI: 10.2.7
      SOX (COBIT): Use and monitoring of system utilities
      HIPAA: 164.312(b)
      SB1386: Implied

4.08  Implement audit trails and reporting procedures to ensure that security
      activity is logged
      PCI: 10.3
      SOX (COBIT): Security Surveillance

4.09  Implement reporting to ensure that any indication of imminent security
      violation is reported immediately to all who may be concerned and is
      acted upon in a timely manner
      Handbook: Vol 1, pp 7-11
      PCI: 12.5.2
      SOX (COBIT): Security Surveillance

4.10  Implement reporting to ensure that violation and security activity is
      logged, reported, reviewed and appropriately escalated on a regular basis
      to identify and resolve incidents involving unauthorized activity
      Handbook: Vol 1, pp 7-11
      SOX (COBIT): Violation and Security Activity Reports

4.11  Secure all audit trails to prevent modification
      PCI: 10.5

4.12  Limit viewing of audit trails to those users that require this access to
      perform their duties
      PCI: 10.5.1

4.13  Back up audit trails to a separate platform to ensure redundancy
      PCI: 10.5.3

4.14  Review audit logs daily
      PCI: 10.6

4.15  Retain audit trail for at least one year, with a minimum of three months
      online
      PCI: 10.7

4.16  Alerts for intrusion detection and file integrity
      PCI: 12.9.5
      SOX (COBIT): Violation and Security Activity Reports

4.17  Alert personnel about suspected intrusion attempts
      PCI: 11.4

4.18  Produce quarterly reports certified by the CEO/CFO that any material
      changes or deficiencies in control have been reported to the audit
      committee
      SOX: Section 302: CEO/CFO Certification of Annual, Semi-Annual, and
      Quarterly Reports

4.19  Produce internal control reports annually
      SOX: Section 404(a): Internal Control Reports

4.20  Produce rapid and current reports on material changes in operations
      SOX: Section 409: Real-Time Disclosure

4.21  Ensure that attempts to tamper with the security of computing resources
      can be detected
      SOX: Section 1102: Corporate Fraud Accountability

4.22  Any breach of security must be reported to the person whose information
      was disclosed
      SB1386: 1798.8

5.00 Encryption

5.01  Encrypt personal information, including: first, last, middle name or
      initial, social security number, driver's license number or other
      government-issued ID, account number, credit card number, debit card
      number, access code or password, PIN number
      Handbook: Vol 2, pp 231-232
      PCI: 4
      SOX (COBIT): Security of online access to data
      HIPAA: 164.306(a); 164.312(e)
      SB1386: 1798.9

5.02  Render personal account information unreadable anywhere it is stored by
      using one of:
      - strong one-way hash
      - truncation
      - index tokens and pads
      - strong cryptography with key management
      Handbook: Vol 2, pp 231-232
      PCI: 3.4

5.03  Secure encryption keys
      PCI: 3.5

5.04  Limit access to encryption keys
      PCI: 3.5.1

5.05  Cryptographic keys must be generated, changed, revoked, certified, stored,
      used and archived in a secure manner
      PCI: 3.5.2
      SOX (COBIT): Cryptographic Key Management

5.06  Ensure encryption uses a strong algorithm: SSL/TLS, DES168, AES
      PCI: 4.1

5.07  Encrypt all passwords at all times
      Handbook: Vol 1, p 115; Vol 2, p 117
      PCI: 8.2, 8.4

5.08  Encrypt all non-console administrative access
      PCI: 2.3

5.09  Fully document and implement all key management processes and procedures:
      - Generation of strong keys
      - Secure distribution of keys
      - Secure storage of keys
      - Periodic changing of keys
      - Split knowledge and establishment of dual control of keys
      - Prevention of unauthorized substitution of keys
      - Replacement of known or suspected compromised keys
      - Revocation of old or invalid keys
      PCI: 3.6


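Item 5.02 lists four ways to render stored account data unreadable. The Python below is added here as an illustration, not code from the paper or from XYPRO: on a constructed sample PAN it implements truncation, a keyed one-way hash, and an index-token vault; the fourth method, strong cryptography with key management, is what the vault's own storage would use in production. SAMPLE_PAN, SAMPLE_KEY and TokenVault are assumed names.

```python
"""Ways to store account data unreadable, per checklist item 5.02 (PCI DSS 3.4)."""
import hashlib
import hmac
import secrets

# Constructed sample values. In production the HMAC key comes from the key
# management process of items 5.05 and 5.09, never from source code.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def pan_digits(pan):
    """Strip separators and validate length; PANs are 13-19 digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13-19 digits")
    return digits

def truncate_pan(pan):
    """Truncation: keep only the last four digits; the rest is discarded, not masked."""
    return pan_digits(pan)[-4:]

def hash_pan(pan, key):
    """Strong one-way hash, keyed (HMAC-SHA-256). An unkeyed hash of a PAN is not
    enough: with the issuer prefix known, the remaining digits can be enumerated
    and hashed to recover the PAN, so the secret key must stay out of the database."""
    return hmac.new(key, pan_digits(pan).encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Index tokens: applications store a random token; the PAN itself lives only
    in the vault, which in production is itself encrypted (strong cryptography with
    key management) and access-restricted (item 5.04)."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_ref = {}
        self._key = secrets.token_bytes(32)  # vault-internal lookup key

    def tokenize(self, pan):
        ref = hash_pan(pan, self._key)  # same PAN always maps to the same token
        token = self._token_by_ref.get(ref)
        if token is None:
            token = secrets.token_hex(8)  # random, carries no PAN information
            self._token_by_ref[ref] = token
            self._pan_by_token[token] = pan_digits(pan)
        return token

    def detokenize(self, token):
        """Only the vault, under its own access control, can map a token back."""
        return self._pan_by_token[token]
```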
6.00 Access Control

6.01  Limit access to computing resources to individuals who require the access
      to perform their duties
      Handbook: Vol 1, pp 94-95
      PCI: 7.1

6.02  Deny access to computing resources unless the individual has a
      demonstrated and authorized need to access the resource
      Handbook: Vol 1, pp 94-95, p 143
      PCI: 7.2

6.03  Document usage policies for critical system resources and document all
      personnel with access
      Handbook: Vol 1, pp 7-11
      PCI: 12.3.3

6.04  Access to computing resources should expire after 15 minutes of inactivity
      Handbook: Vol 1, p 487
      PCI: 8.5.15
      HIPAA: 164.312(a)(1)

6.05  Modem sessions should expire after a defined period of inactivity
      PCI: 12.3.8

6.06  Vendor access should be activated only when needed, with immediate
      deactivation when finished
      PCI: 12.3.9


7.00 Operating System & Network

7.01  Disable all unneeded network services
      Handbook: Vol 1, pp 102-104
      PCI: 2.2.2

7.02  Monitor all access to network resources and application data
      PCI: 10

7.03  Synchronize all system clocks and times
      PCI: 10.4

7.04  Configure system security parameters to prevent misuse
      PCI: 2.2.3

7.05  Remove all unnecessary functionality
      PCI: 2.2.4

7.06  Do not use vendor defaults
      Handbook: Vol 1, p 32
      PCI: 2.0

7.07  Control the addition, deletion, and modification of userids and
      identification objects such as tokens or credentials
      Handbook: Vol 1, pp 94-95
      PCI: 8.5.1

8.00 Application Security

8.01  Separate test, development, and production environments
      Handbook: Vol 1, ch 7
      PCI: 6.3.2

8.02  Test all products and product updates before implementation into production
      Handbook: Vol 1, p 523
      PCI: 6.3.1

8.03  Separate test, development and production duties
      Handbook: Vol 1, p 523
      PCI: 6.3.3

8.04  Evaluate all application updates; apply appropriate updates on a timely
      basis
      Handbook: Vol 1, p 523
      PCI: 6.3

8.05  Develop requirements for all application updates. Review all requirements
      against implementation
      PCI: 6.3

8.06  Ensure that test data does not contain live information
      PCI: 6.3.4

8.07  Ensure that live data files do not contain test information
      PCI: 6.3.5

8.08  Use appropriate change control to ensure that the changes made to the
      application are applied in an orderly manner and that the change is
      recorded in a source code maintenance system
      Handbook: Vol 1, p 523
      PCI: 6.4

8.09  Authenticate access to application information
      PCI: 8.5.16

8.10  Ensure all web-facing applications are secure
      PCI: 6.5
