Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication, and Access
Dennis C. Brewer
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2006 by Wiley Publishing, Inc.
Published simultaneously in Canada
ISBN-13: 978-0-7645-9838-8
ISBN-10: 0-7645-9838-4
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1MA/QU/RQ/QV/IN
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at www.wiley.com.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the Publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993
or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may
not be available in electronic books.
Library of Congress Cataloging-in-Publication Data
Brewer, Dennis C., 1949-
Security controls for Sarbanes-Oxley section 404 IT compliance : authorization, authentication, and
access / Dennis C. Brewer.
p. cm.
Includes index.
ISBN-13: 978-0-7645-9838-8 (pbk.)
ISBN-10: 0-7645-9838-4 (pbk.)
1. Computer security. 2. Data protection. 3. Computers--Access control. 4. Computer architecture.
I. Title.
QA76.9.A25B7597 2005
005.8--dc22
2005023678
Trademarks: Wiley and related trade dress are registered trademarks of Wiley Publishing, Inc., in the
United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any
product or vendor mentioned in this book.
This book is dedicated to all the people who played a role in my
education, both the book learning and the harder-to-learn life lessons.
About the Author
Dennis C. Brewer holds a Bachelor of Science degree in Business Administration from Michigan Technological University in Houghton, Michigan. He is a
network engineer and information technology solutions specialist for the State
of Michigan with more than 12 years of experience in the computer technology
field. His most recent experience includes a portfolio of computer security
responsibilities, including identity management, identity provisioning, and
privacy protection initiatives for state government. Over the last 10 years,
Dennis has worked on networking and computer technology at every level, from
hands-on personal computer repair up to setting policy and charting future
direction. During his career with the State of Michigan, he
supported end users, networks, and computer systems at the Department of
Military Affairs, led a technology team at the state’s Consolidated Network
Operations Center, and provided technology research for the Office of Information Technology Solutions at the Department of Management and Budget.
He has authored numerous enterprise-level information technology and
telecommunications policies, procedures, and standards currently in use by
the State of Michigan, and was a technology consultant to the team that created the award-winning e-Michigan consolidated Web presence.
When not involved with computer technology, Dennis enjoys camping in
Michigan’s numerous state parks, bicycling, and taking writing courses. He is
planning on returning soon to his hometown of Calumet in Michigan’s Upper
Peninsula, which he says “. . . is a great sanctuary for anyone wanting to write
more books!”
Credits
Acquisitions Editor
Carol Long
Development Editor
Maryann Steinhart
Production Editor
Pamela Hanley
Copy Editor
Joanne Slike
Project Coordinators
Erin Smith
Michael Kruzil
Graphic and Layout Technicians
Carrie A. Foster
Stephanie D. Jumper
Alicia South
Editorial Manager
Mary Beth Wakefield
Quality Control Technicians
David Faust
Jessica Kramer
Carl William Pierce
Vice President & Executive Group Publisher
Richard Swadley
Proofreading and Indexing
David Faust
TECHBOOKS Production Services
Vice President and Publisher
Joseph B. Wikert
Contents

About the Author
Acknowledgments
Introduction
  Offering a Strategy
  How This Book Is Organized

Chapter 1  The Role of Information Technology Architecture in Information Systems Design
  Meeting the SOX Challenge
    Understanding the New Definition of Adequate
    High Stakes for Compliance Failures
  Examining the Role of Architecture
    Looking Forward
    Blending Science and Art
    Seeing the Whole Picture
    Document, Document, Document
    Seeing Caution Flags
    Increased Technical Complexity
  Architecture Basics
    Stepping Back
    Stepping Forward
    Process and Result
    Applying Architecture to Legacy Systems
    Staffing the IT Architecture Design Team
  Creating, Documenting, and Enforcing Architectural Design
    Creating Value with Architecture
    Documenting for the Desired Design
    Enforcing Design Vision through Documentation
    No Legal Enforcement
    Security Issues Always in Sight
  Summary

Chapter 2  Understanding Basic Concepts of Privacy and Data Protection
  Classifying Data
    Understanding Public Domain or Open Information
    Understanding Protected Information
    Understanding Restricted Information
    Keeping It Simple
  Essential Elements of Privacy and Data Protection
    Protecting against Disclosure
    Controlling What Is Disclosed
    Controlling to Whom Details Are Exposed
    Controlling How Details Are Used Once Shared
    Controlling the Condition of Disclosure
    Controlling When Data Is Disclosed
    Controlling Where to Share, Store, and Move Data
    Controlling Why Data Is Disclosed
    Controlling Compensation for Disclosure
  Summary

Chapter 3  Defining and Enforcing Architecture
  Examining Documentation for IT Architecture
    Substantiating Business Objectives
    Substantiating Guiding Principles
    Substantiating Policies
    Substantiating Standards
    Substantiating Procedures
    Substantiating Best Practices
    Substantiating Reference Lists
    Substantiating Guidelines
    Substantiating Security Policy Domain Definitions
  Examining Diagrams for IT Architecture
    Diagramming Locations
    Diagramming Hierarchical Infrastructure
    Diagramming Networks
    Diagramming Logical Grouping N-Tiers
    Diagramming Device Interfaces
    Diagramming Application Logic
    Diagramming Host-to-Host Data Flow
    Diagramming Contained Process Flow
    Diagramming Web Sites
    Diagramming Security Sectors
    Diagramming Security Policy Domains
  Summary

Chapter 4  Combining External Forces, Internal Influences, and IT Assets
  Examining Framework Influences
    Evaluating the Public For-Profit Environment
    Evaluating the Privately Held For-Profit Setting
    Evaluating the Government Sector
    Evaluating the Nonprofit Sector
    It's All in the Details
    Sizing Up the Framework
  Understanding Business Drivers
    Using Security Controls as Business Drivers
    Using Increased Efficiency as a Business Driver
    Using Profit as a Business Driver
    Using Competitive Advantage as a Business Driver
    Using Risk Reduction as a Business Driver
    Using Values as Drivers and Boundaries
  Understanding Infrastructure
    Assessing Device Life Cycles
    Applying Security Policies
    Evaluating Physical Access Controls
    Exploring Infrastructure Categories
    Assessing Handheld Devices
    Assessing Notebooks and Portables of All Sizes
    Assessing Desktop and Tower Computers
    Assessing Host Systems
    Assessing Networking Components
  Summary

Chapter 5  Simplifying the Security Matrix
  Understanding Identification
    A Case of Mistaken Identity
    Exploring Paper Credentials
    Vetting All New Users
    Exploring Digital Identity
    Identifying Devices
  Understanding Authentication
    Using Username, Password, and PIN
    Using Token Card and PIN
    Using Software Tokens
    Using Biological Scans
    Using Digital Certificates
  Understanding Authorization
  Understanding Access Control
  Understanding Administration
  Understanding Auditing
    Using Logging
    Using Monitors
    Using Detection
    Using Reporting
  Understanding Assessment
  Summary

Chapter 6  Developing Directory-Based Access Control Strategies
  Exploring Multiple- versus Single-Directory Paradigms
    Using Hard-Copy Directories
    Using Digital Directories
    Examining the Interoperability Challenge
  Examining Directory Services
    Understanding LDAPv3
    Understanding the Meta-Directory (Meta-Functionality)
    Using the Aggregated View of Multiple Directories
    Using the Information Exchange Point
  Revisiting Security Policy Domains
  Using a Checklist
  Fictional Case Study: Governor's Brew Coffee Shop
    Exploring Solution Options
    Looking for Patterns
  Summary

Chapter 7  Integrating the Critical Elements
  Putting Security First
    Evaluating Security Features
    Increasing Regulations
    Controlling by Data Element
    Improving Accountability
  Understanding Identity Management
    Understanding Authoritative Sources
    Using Unique Population Information
    Exploring the Risks of Self-Enrollment Identities
    Understanding Identity Vaults
    Understanding Service Directories
    Understanding Identity Provisioning
  Summary

Chapter 8  Engineering Privacy Protection into Systems and Applications
  Basing Designs on Asset Values
    Protecting Open Public Information
    Shielding Protected Information and Data
    Defending Restricted Information
  Securing Legacy Applications
  Correcting Current Application Development Efforts
  Securing New Applications
  Seeking Management Support and Funding
    Profiling Hackers
    Building a Case for Security
    Seeking a Benchmark
  Summary

Chapter 9  The Value of Data Inventory and Data Labeling
  Comparing Value Protection Ratios
  Understanding Data Inventory
    Examining the Basic Data Inventory Model
  Labeling (Tagging) Data
  Summary

Chapter 10  Putting It All Together in the Web Applications Environment
  Using DEALS
  Foiling OS Attacks with Web Proxy Appliances
  Choosing and Using Authoritative Sources
    Linking to an Existing Identity Data Source
    Allowing Distributed Administrative Entry as an Identity Data Source
    Avoiding Self-Enrollment as an Identity Data Source
  Unlocking Identity Vaults
  Serving Up Applications with Service Directories
    Exploring How It Works
    Looking at an Access Control Sequence
    Examining Other Capabilities
  Understanding Key Design Considerations
  Summary

Chapter 11  Why Federated Identity Schemes Fail
  Understanding Federated Identity Schemes
    Affording Convenience to Customers
    Risks Are Complex
    Acknowledging Benefits
  Exploring the Five Stars of Federated Identity
    Looking at the Identified User
    Looking at the Identity and Authentication Provider
    Looking at the Service Provider
    Looking at Transfer of Trust
    Looking at the Circle of Trust
  Seeing the Fundamental Flaws
  Exploring Options
    Creating a National Standard
    Moving Forward
    Examining Third-Party Certification of Standards of Practice
  Summary

Chapter 12  A Pathway to Universal Two-Factor Authentication
  Heading toward a Single Identity Credential
    Finding the Magic Key
    Looking for a Vision
  Examining the Challenges in a Global Access Controls Strategy
    Seeking Common Goals
    Seeking Cooperation
    Understanding the Consumers' Part
    Understanding the Government's Part
      Needing Government to Contribute
      Finding Everyone
    Understanding the Private and Nonprofit Sector's Part
    Understanding the Technology Vendors' Part
    Understanding the Standards Bodies' Part
    Understanding the Token Card Manufacturers' Part
  Exploring a Future with Global Access Controls
    Going with Biology
    Checking Out the Paracentric Approach
    Checking Out the Endocentric Approach
    Looking at Prospective New Roles for Directories
  Examining a Standard Approach and Terms for Data Access Rights
    Understanding Standard Data-Related Access Rights
    Exploring First-Person Access Roles and Rights
    Exploring Second-Person Access Roles and Rights
    Exploring Third-Person Access Roles
    Exploring Subordinate Roles
  Looking at Interim Steps
    Recognizing Responsibilities
    Using Third-Party Security Review
  Summary

Appendix A  WWW Resources for Authentication, Authorization, and Access Control News and Information

Appendix B  Important Access Control and Security Terms

Appendix C  Critical Success Factors for Controls Design

Appendix D  Sample Policy Statements for Compulsory Access and Security Controls
  Administration
    Why You Need an Administration Policy
    What to Include in an Administration Policy
    Sample Administrative Policy Statements
  Access Control
    Why You Need an Access Control Policy
    What to Include in an Access Control Policy
    Sample Access Control Policy Statements
  Authorization
    Why You Need an Authorization Policy
    What to Include in an Authorization Policy
    Sample Authorization Policy Statements
  Authentication
    Why You Need an Authentication Policy
    What to Include in an Authentication Policy
    Sample Authentication Policy Statements
  Identity
    Why You Need an Identity Management Policy
    What to Include in an Identity Policy
    Sample Identity Policy Statements
  Assessment
    Why You Need an Assessment Policy
    What to Include in an Assessment Policy
    Sample Assessment Policy Statements
  Audit
    Why You Need an Audit Policy
    What to Include in an Audit Policy
    Sample Audit Policy Statements

Appendix E  Documentation Examples
  Guiding Principles
  Policies
  Standards
  Procedures
  Best Practices
  Guidelines
  Go with the Flow

Appendix F  Sample Job Description for Directory Engineer/Schema Architect

Index
Acknowledgments
Thanks to my fiancée, Penny, for her constant encouragement; my friend Peggy
for her sage advice and compliments; my older son, Jason, for setting the standard
to reach for in technical writing; and my younger son, Justin, for reminding me
that nearly everything worthwhile, writing included, is at least part art
and not all science. Many thanks to my mother, Verna, who convinced me at an
early age that you could accomplish most things you are willing to work at
with some tenacity.
Thanks to my literary agent, Carole McClendon at Waterside Productions,
for believing I had something to offer as a technical author; Carol Long, Acquisitions Editor at Wiley Publishing, for taking a chance on a new writer; and
Maryann Steinhart, the Development Editor, for making this book turn out far
better than it began. Thanks to everyone else at Wiley for their excellent work
and for always being so pleasant to work with. Thank you all!
Introduction
Identity theft and fraudulent access are huge global problems. IT systems managers
are charged with protecting privacy and personally identifying financial
information, and are responsible for building access controls capable of protecting
the integrity of financial statements and safeguarding intellectual property, in a
strong and growing regulatory environment, against a worldwide threat force that
never sleeps. Systems designers are challenged to create authentication strategies
and access controls that work and, after end users are authenticated, to provide
discerning authorizations to system resources. These are the critical elements in
creating quality systems designs.
This book was written to move the discussion of authentication, authorization, and access controls in a direction intended to meet current and expected
regulatory requirements, and is intended for IT systems architects, directory
engineers, technology consultants, systems analysts and designers, applications developers, and systems integrators. It also will benefit IT systems managers and decision makers in government and the private sector, including
chief information officers, chief security officers, project managers, and anyone in the public or private sector who may be held accountable in any way for
making sure systems designs protect personally identifying, medical, and
financial information or protect the systems that house that information to
meet external regulatory requirements. Others who would gain from reading
this book include college-level course instructors and students; policy makers
on the federal, state, and local levels; IT system auditors; inspectors general;
and accountants.
Anyone wanting to know enough to hold the trustees of his or her personally
identifying, medical, and financial information accountable for providing
adequate protections could also learn something by reading this book, as
would principals in publicly traded companies who attest to the adequacy of
or rely on IT controls. IT consultants who have products and services to offer
will gain valuable insights into their customers' needs from this book.
Offering a Strategy
This book presents a strategy for developing architecture that private-sector
and government systems designers can use for identity controls where privacy
or protected information is shared and used online.
Consumers of information technology services and systems designers and
implementers will be exposed to a design concept for appropriately dealing
with end-user identities, authentication, and access controls that are intended
to meet the regulatory requirements of Sarbanes-Oxley Section 404 criteria for
adequate controls. This book explains how to leverage existing technologies
through proper design combinations and discusses the elements of architecture documentation needed to realize implementation. It presents the critical
concepts necessary to design and create a system that integrates the elements
of the controls architecture for the following:
■ Identity management (dealing with identity in the modern enterprise)
■ Meta-directories (leveraging to reduce administration and improve access controls)
■ Identity provisioning (value provided, accuracy gained)
■ Authentication (options and limits)
■ Access controls (fine-grained controls necessary to protect data and privacy)
Readers will learn what it takes to design an information technology infrastructure capable of protecting the privacy and access integrity of computer
data, particularly in the Web applications environment.
How This Book Is Organized
The book is set up in such a way that each chapter’s information provides the
necessary background information for ideas that are discussed further or used
in subsequent chapters. Skipping chapters or reading them out of order isn’t
advised unless you are already familiar with the earlier chapters’ content.
Chapter 1 begins with a discussion of what IT architecture is and is not, and
Chapter 2 introduces the eight concepts that constitute privacy of information
and examines the protection of the data housed in your computer systems.