December 6th, 2005

A Sarbanes-Oxley (SOX) Compliance Driven Risk Assessment Model
Team: Mahesh Babu Chetak Sirsat

Sarbanes-Oxley Act of 2002
"To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."

Sarbanes-Oxley Act of 2002
• Government's response to Enron, WorldCom
• Intended to restore investor trust in US corporations
• Changes how companies manage:
  – Auditors
  – Financial Reporting
  – Executive Responsibility
  – Internal Controls

SOX Sections 302, 404
• Corporations required to:
  – Assess internal controls around financial reporting system
  – Report effectiveness of controls to SEC
  – Assessment must be reviewed and judged by an outside auditing firm

Information Security and SOX
• Financial reporting systems heavily dependent on well controlled IT environment (ITGI, 2004)
• Internal controls include information security controls
• ITGI identified security controls required by SOX in the following areas:
  – Security Policy
  – Security Standards
  – Access and Authentication
  – Network Security
  – Monitoring
  – Segregation of Duties
  – Physical Security
• Companies required to assess and report the effectiveness of these controls to be compliant

Risk Assessment
• Important step in an effective information security strategy
• Used to:
  – Evaluate risk associated with security related threats
  – Identify controls to minimize risk
• Can be modified to assess SOX security controls

NIST Risk Assessment Methodology

Why need a SOX driven Risk Assessment?
• Companies required by SOX to assess and report the effectiveness of security controls to be compliant
• Current methods are proprietary
• Risk assessment is important to a company's information security strategy
• Current risk assessment methods do not consider SOX compliance

Proposed Solution
• Leverage NIST methodology as framework. The following modifications will be made:
  – The scope of the assessment would be the IT infrastructure associated with the financial reporting process.
  – The asset identification process would involve analyzing:
    • User Authentication
    • User provisioning/de-provisioning
    • Segregation of Duties
    • Audit Logging/Reporting
  – The threat identification step will be modified to identify non compliance with SOX regulations as a threat.
  – Threats associated with the financial reporting process itself will be identified along with the threats associated with the IT infrastructure.

  – The financial reporting process will also be assessed for vulnerabilities.
  – A control checklist will be developed to test the level of compliance of the organization's financial reporting process.
  – The control analysis step will be modified to test for specific security controls associated with the financial reporting process of the organization.
  – The impact of non compliance will be factored in during the impact analysis step. If a recommended control would address a threat related to non compliance, it would receive a higher priority than a control that would not address non compliance.
  – Compliance specifications and deadlines will be factored in when formulating and prioritizing control recommendations.

Step 1: Scope Identification
1. Identify the categories that are involved with the organization's financial reporting process.
2. Break down IT infrastructure into (no more than 5) categories.
3. Assign a value (CIA-SOX score) for the impact to CIA and SOX compliance if each category is compromised.
4. Rank categories based on CIA-SOX score.
5. Categories with highest rank will fall into scope.

Step 2: Asset Identification
1. Build Asset Classification Model.
Example: (figure not reproduced)

Step 2: Asset Identification
• Application Assessment Interview
  – For each category, analyze:
    • User Authentication
    • User provisioning/de-provisioning
    • Segregation of Duties
    • Audit Logging/Reporting
  – Produce Application Definition Document

Step 3: Threat Identification
• Threat Definition
  – Source, Action, Resource, Motivation, Capability
• Threat Categorization
• Threat Evaluation
• SOX compliance related threats identified based on previous audit findings and the results of the application assessment from Step 1.

Step 4: Vulnerability Identification
• This step involves identifying three kinds of vulnerabilities:
  – Technical vulnerabilities
  – Non-technical vulnerabilities
  – SOX compliance related vulnerabilities
• To identify SOX compliance vulnerabilities:
  – Complete the vulnerability checklist
  – Complete the application assessment questionnaire

Step 5: Control Analysis
• The following contain the basic standards that will be used to systematically evaluate compliance and noncompliance to those standards (NIST 800-30, 17):
  – The vulnerability checklist
  – Appendices A, B and C of IT Control Objectives for Sarbanes-Oxley by ITGI
  – The application assessment questionnaire in Appendix B (also used in the previous step)

Step 6: Impact Analysis
• The adverse impact of a threat was examined along five (5) axes:
  – Confidentiality: A loss in confidentiality is the unauthorized disclosure of information.
  – Integrity: A loss of integrity is the unauthorized modification or destruction of information.
  – Availability: A loss of availability is the disruption of access to or use of information or an information system.
  – Compliance: Noncompliance would have severe legal and financial implications.
  – Reputation: A loss in reputation is the loss in the esteem and respect that the public and peer institutions have.

Steps 7, 8, 9: Likelihood Determination, Risk Determination and Documentation
• The concluding steps of the risk assessment will identically follow the NIST 800-30 risk assessment methodology with the one following exception:
  – Compliance specifications and deadlines will be factored in when formulating and prioritizing control recommendations.
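As an added worked example (not code from the original presentation), the modified NIST steps expressed as scoring code: Step 1 scoping by CIA-SOX score, Step 8 risk derived from the five Step 6 axes, and the Step 9 rule that a control addressing a noncompliance threat is prioritized over one that does not. The page gives no formulas, so the 1-5 rating scales, the additive CIA-SOX score, risk = likelihood x worst-axis impact and the deadline tie-breaker are assumptions made for illustration, and the sample categories, threats and controls are constructed.

```python
from dataclasses import dataclass

@dataclass
class Category:  # Step 1: one slice of the IT infrastructure behind financial reporting
    name: str
    cia: tuple  # (C, I, A) impact if compromised; assumed 1-5 scale
    sox: int  # SOX compliance impact if compromised; assumed 1-5 scale
    def cia_sox_score(self):  # assumed additive combination of the four ratings
        return sum(self.cia) + self.sox

def scope(categories, keep):
    """Step 1: rank by CIA-SOX score; the `keep` highest fall into scope (ties by name)."""
    ranked = sorted(categories, key=lambda c: (-c.cia_sox_score(), c.name))
    return [c.name for c in ranked[:keep]]

@dataclass
class Threat:  # Steps 3, 6, 7: per-axis impact, likelihood, noncompliance flag
    name: str
    impact: dict  # axis -> 1-5 over the five Step 6 axes (C, I, A, compliance, reputation)
    likelihood: int  # assumed 1 (low) to 3 (high), like NIST 800-30's three levels
    noncompliance: bool  # identified as SOX noncompliance (Step 3 modification)

def risk(t):
    """Step 8: risk = likelihood x worst-axis impact (assumed combination rule)."""
    return t.likelihood * max(t.impact.values())

@dataclass
class Control:
    name: str
    mitigates: list  # names of threats this control addresses
    deadline_days: int  # days until the compliance deadline it supports

def prioritize(controls, threats):
    """Step 9: controls addressing a noncompliance threat come first (the page's rule);
    then by risk removed, then by nearest deadline (assumed tie-breakers)."""
    by_name = {t.name: t for t in threats}
    def key(c):
        hit = [by_name[n] for n in c.mitigates if n in by_name]
        return (not any(t.noncompliance for t in hit), -sum(risk(t) for t in hit), c.deadline_days)
    return [c.name for c in sorted(controls, key=key)]

CATS = [Category("General ledger / ERP", (4, 5, 4), 5), Category("E-mail", (3, 2, 3), 1),  # constructed
        Category("Payroll", (5, 4, 3), 4), Category("Intranet wiki", (2, 2, 2), 1)]
THREATS = [Threat("shared admin account on GL", {"integrity": 5, "compliance": 5}, 3, True),
           Threat("no audit log review", {"compliance": 4, "reputation": 3}, 2, True),
           Threat("wiki defacement", {"integrity": 2, "reputation": 2}, 2, False)]
CONTROLS = [Control("Web app patching", ["wiki defacement"], 180),
            Control("Enforce unique admin IDs", ["shared admin account on GL"], 60),
            Control("Weekly log review", ["no audit log review"], 30)]
```

With this data, scope(CATS, 2) keeps the general ledger and payroll categories, and prioritize() places both compliance-related controls ahead of the patching control even though patching has the later deadline.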

Benefits
• Findings can be used when evaluating current level of SOX compliance.
• It would reduce the costs associated with performing separate risk assessments as part of the organization's information security strategy.
• It would bring information security related risks into the focus of the organization's leadership because of its association with SOX compliance.
• It could be the first step in developing a risk management program for organizations that have to be SOX compliant.
• It would lay the groundwork for developing a generalized compliance driven risk assessment model that could incorporate any set of regulations or specifications.