

Security Controls
for Sarbanes-Oxley
Section 404 IT
Compliance:
Authorization,
Authentication,
and Access
Dennis C. Brewer





Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication,
and Access


Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2006 by Wiley Publishing, Inc.

Published simultaneously in Canada
ISBN-13: 978-0-7645-9838-8
ISBN-10: 0-7645-9838-4
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1


1MA/QU/RQ/QV/IN
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior
written permission of the Publisher or authorization through payment of the appropriate per-copy fee
to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax
(978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department,
Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355,
or online at [URL omitted].
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or
warranties with respect to the accuracy or completeness of the contents of this work and specifically
disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No
warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the
publisher is not engaged in rendering legal, accounting, or other professional services. If professional
assistance is required, the services of a competent professional person should be sought. Neither the
publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or
Website is referred to in this work as a citation and/or a potential source of further information does
not mean that the author or the Publisher endorses the information the organization or Website may
provide or recommendations it may make. Further, readers should be aware that Internet Websites
listed in this work may have changed or disappeared between when this work was written and when
it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993
or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may
not be available in electronic books.
Library of Congress Cataloging-in-Publication Data
Brewer, Dennis C., 1949-
Security controls for Sarbanes-Oxley section 404 IT compliance : authorization, authentication, and
access / Dennis C. Brewer.
p. cm.
Includes index.

ISBN-13: 978-0-7645-9838-8 (pbk.)
ISBN-10: 0-7645-9838-4 (pbk.)
1. Computer security. 2. Data protection. 3. Computers--Access control. 4. Computer architecture.
I. Title.
QA76.9.A25B7597 2005
005.8--dc22
2005023678
Trademarks: Wiley and related trade dress are registered trademarks of Wiley Publishing, Inc., in the
United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any
product or vendor mentioned in this book.


This book is dedicated to all the people who played a role in my
education, both the book learning and the harder-to-learn life lessons.



About the Author

Dennis C. Brewer holds a Bachelor of Science degree in Business Administration from Michigan Technological University in Houghton, Michigan. He is a
network engineer and information technology solutions specialist for the State
of Michigan with more than 12 years of experience in the computer technology
field. His most recent experience includes a portfolio of computer security
responsibilities, including identity management, identity provisioning, and
privacy protection initiatives for state government. Over the last 10 years,
Dennis has worked on networking and computer technology from the level of
hands-on personal computer repair all the way up to setting policy and
charting future direction. During his career with the State of Michigan, he
supported end users, networks, and computer systems at the Department of
Military Affairs, led a technology team at the state’s Consolidated Network
Operations Center, and provided technology research for the Office of Information Technology Solutions at the Department of Management and Budget.
He has authored numerous enterprise-level information technology and
telecommunications policies, procedures, and standards currently in use by
the State of Michigan, and was a technology consultant to the team that created the award-winning e-Michigan consolidated Web presence.
When not involved with computer technology, Dennis enjoys camping in
Michigan’s numerous state parks, bicycling, and taking writing courses. He is
planning on returning soon to his hometown of Calumet in Michigan’s Upper
Peninsula, which he says “. . . is a great sanctuary for anyone wanting to write
more books!”




Credits

Acquisitions Editor
Carol Long
Development Editor
Maryann Steinhart
Production Editor
Pamela Hanley
Copy Editor
Joanne Slike

Project Coordinators
Erin Smith
Michael Kruzil
Graphic and Layout Technicians
Carrie A. Foster

Stephanie D. Jumper
Alicia South

Editorial Manager
Mary Beth Wakefield

Quality Control Technicians
David Faust
Jessica Kramer
Carl William Pierce

Vice President & Executive Group
Publisher
Richard Swadley

Proofreading and Indexing
David Faust
TECHBOOKS Production Services

Vice President and Publisher
Joseph B. Wikert




Contents

About the Author  vii
Acknowledgments  xix
Introduction  xxi
    Offering a Strategy  xxii
    How This Book Is Organized  xxii

Chapter 1  The Role of Information Technology Architecture in Information Systems Design  1
    Meeting the SOX Challenge  1
        Understanding the New Definition of Adequate  2
        High Stakes for Compliance Failures  3
    Examining the Role of Architecture  3
        Looking Forward  4
        Blending Science and Art  4
        Seeing the Whole Picture  5
        Document, Document, Document  6
        Seeing Caution Flags  6
        Increased Technical Complexity  7
    Architecture Basics  8
        Stepping Back  8
        Stepping Forward  9
        Process and Result  9
        Applying Architecture to Legacy Systems  10
        Staffing the IT Architecture Design Team  10
    Creating, Documenting, and Enforcing Architectural Design  12
        Creating Value with Architecture  13
        Documenting for the Desired Design  14
        Enforcing Design Vision through Documentation  15
        No Legal Enforcement  16
        Security Issues Always in Sight  17
    Summary  17

Chapter 2  Understanding Basic Concepts of Privacy and Data Protection  19
    Classifying Data  20
        Understanding Public Domain or Open Information  20
        Understanding Protected Information  21
        Understanding Restricted Information  22
        Keeping It Simple  22
    Essential Elements of Privacy and Data Protection  23
        Protecting against Disclosure  23
        Controlling What Is Disclosed  24
        Controlling to Whom Details Are Exposed  25
        Controlling How Details Are Used Once Shared  26
        Controlling the Condition of Disclosure  27
        Controlling When Data Is Disclosed  28
        Controlling Where to Share, Store, and Move Data  31
        Controlling Why Data Is Disclosed  31
        Controlling Compensation for Disclosure  32
    Summary  34

Chapter 3  Defining and Enforcing Architecture  35
    Examining Documentation for IT Architecture  36
        Substantiating Business Objectives  37
        Substantiating Guiding Principles  38
        Substantiating Policies  40
        Substantiating Standards  40
        Substantiating Procedures  41
        Substantiating Best Practices  41
        Substantiating Reference Lists  42
        Substantiating Guidelines  43
        Substantiating Security Policy Domain Definitions  43
    Examining Diagrams for IT Architecture  45
        Diagramming Locations  46
        Diagramming Hierarchical Infrastructure  48
        Diagramming Networks  50
        Diagramming Logical Grouping N-Tiers  52
        Diagramming Device Interfaces  52
        Diagramming Application Logic  55
        Diagramming Host-to-Host Data Flow  55
        Diagramming Contained Process Flow  56
        Diagramming Web Sites  58
        Diagramming Security Sectors  61
        Diagramming Security Policy Domains  62
    Summary  65

Chapter 4  Combining External Forces, Internal Influences, and IT Assets  67
    Examining Framework Influences  68
        Evaluating the Public For-Profit Environment  68
        Evaluating the Privately Held For-Profit Setting  69
        Evaluating the Government Sector  69
        Evaluating the Nonprofit Sector  70
        It’s All in the Details  70
        Sizing Up the Framework  71
    Understanding Business Drivers  72
        Using Security Controls as Business Drivers  72
        Using Increased Efficiency as a Business Driver  73
        Using Profit as a Business Driver  74
        Using Competitive Advantage as a Business Driver  74
        Using Risk Reduction as a Business Driver  75
        Using Values as Drivers and Boundaries  75
    Understanding Infrastructure  76
        Assessing Device Life Cycles  77
        Applying Security Policies  77
        Evaluating Physical Access Controls  78
    Exploring Infrastructure Categories  78
        Assessing Handheld Devices  79
        Assessing Notebooks and Portables of All Sizes  79
        Assessing Desktop and Tower Computers  80
        Assessing Host Systems  80
        Assessing Networking Components  80
    Summary  81

Chapter 5  Simplifying the Security Matrix  83
    Understanding Identification  84
        A Case of Mistaken Identity  85
        Exploring Paper Credentials  85
        Vetting All New Users  86
        Exploring Digital Identity  87
        Identifying Devices  88
    Understanding Authentication  89
        Using Username, Password, and PIN  91
        Using Token Card and PIN  92
        Using Software Tokens  93
        Using Biological Scans  94
        Using Digital Certificates  94
    Understanding Authorization  94
    Understanding Access Control  97
    Understanding Administration  99
    Understanding Auditing  100
        Using Logging  101
        Using Monitors  102
        Using Detection  103
        Using Reporting  105
    Understanding Assessment  106
    Summary  107

Chapter 6  Developing Directory-Based Access Control Strategies  109
    Exploring Multiple- versus Single-Directory Paradigms  111
    Examining Directory Services  113
        Using Hard-Copy Directories  113
        Using Digital Directories  113
    Examining the Interoperability Challenge  115
        Understanding LDAPv3  116
        Understanding the Meta-Directory (Meta-Functionality)  117
        Using the Aggregated View of Multiple Directories  117
        Using the Information Exchange Point  118
    Revisiting Security Policy Domains  120
        Using a Checklist  121
    Fictional Case Study: Governor’s Brew Coffee Shop  122
        Exploring Solution Options  124
        Looking for Patterns  125
    Summary  126

Chapter 7  Integrating the Critical Elements  127
    Putting Security First  128
        Evaluating Security Features  128
        Increasing Regulations  130
        Controlling by Data Element  130
        Improving Accountability  132
    Understanding Identity Management  132
        Understanding Authoritative Sources  133
        Using Unique Population Information  135
        Exploring the Risks of Self-Enrollment Identities  135
    Understanding Identity Vaults  136
    Understanding Service Directories  138
    Understanding Identity Provisioning  139
    Summary  141

Chapter 8  Engineering Privacy Protection into Systems and Applications  143
    Basing Designs on Asset Values  143
        Protecting Open Public Information  144
        Shielding Protected Information and Data  146
        Defending Restricted Information  148
    Securing Legacy Applications  149
    Correcting Current Application Development Efforts  150
    Securing New Applications  151
    Seeking Management Support and Funding  153
        Profiling Hackers  154
        Building a Case for Security  154
        Seeking a Benchmark  155
    Summary  155

Chapter 9  The Value of Data Inventory and Data Labeling  157
    Comparing Value Protection Ratios  158
    Understanding Data Inventory  159
        Examining the Basic Data Inventory Model  160
    Labeling (Tagging) Data  163
    Summary  163

Chapter 10  Putting It All Together in the Web Applications Environment  165
    Using DEALS  166
    Foiling OS Attacks with Web Proxy Appliances  167
    Choosing and Using Authoritative Sources  168
        Linking to an Existing Identity Data Source  168
        Allowing Distributed Administrative Entry as an Identity Data Source  170
        Avoiding Self-Enrollment as an Identity Data Source  170
    Unlocking Identity Vaults  171
    Serving Up Applications with Service Directories  172
        Exploring How It Works  173
        Looking at an Access Control Sequence  175
        Examining Other Capabilities  177
    Understanding Key Design Considerations  177
    Summary  179

Chapter 11  Why Federated Identity Schemes Fail  181
    Understanding Federated Identity Schemes  181
        Affording Convenience to Customers  182
        Risks Are Complex  182
        Acknowledging Benefits  183
    Exploring the Five Stars of Federated Identity  184
        Looking at the Identified User  184
        Looking at the Identity and Authentication Provider  184
        Looking at the Service Provider  185
        Looking at Transfer of Trust  185
        Looking at the Circle of Trust  185
        Seeing the Fundamental Flaws  185
    Exploring Options  186
        Creating a National Standard  186
        Moving Forward  186
        Examining Third-Party Certification of Standards of Practice  187
    Summary  188

Chapter 12  A Pathway to Universal Two-Factor Authentication  189
    Heading toward a Single Identity Credential  190
        Finding the Magic Key  190
        Looking for a Vision  190
    Examining the Challenges in a Global Access Controls Strategy  191
        Seeking Common Goals  191
        Seeking Cooperation  192
        Understanding the Consumers’ Part  192
        Understanding the Government’s Part  193
        Needing Government to Contribute  194
        Finding Everyone  194
        Understanding the Private and Nonprofit Sector’s Part  195
        Understanding the Technology Vendors’ Part  195
        Understanding the Standards Bodies’ Part  195
        Understanding the Token Card Manufacturers’ Part  196
    Exploring a Future with Global Access Controls  196
        Going with Biology  197
        Checking Out the Paracentric Approach  197
        Checking Out the Endocentric Approach  198
        Looking at Prospective New Roles for Directories  200
    Examining a Standard Approach and Terms for Data Access Rights  200
        Understanding Standard Data-Related Access Rights  201
        Exploring First-Person Access Roles and Rights  201
        Exploring Second-Person Access Roles and Rights  202
        Exploring Third-Person Access Roles  202
        Exploring Subordinate Roles  203
        Looking at Interim Steps  205
    Recognizing Responsibilities  205
    Using Third-Party Security Review  206
    Summary  207

Appendix A  WWW Resources for Authentication, Authorization, and Access Control News and Information  209

Appendix B  Important Access Control and Security Terms  213

Appendix C  Critical Success Factors for Controls Design  219

Appendix D  Sample Policy Statements for Compulsory Access and Security Controls  223
    Administration  224
        Why You Need an Administration Policy  225
        What to Include in an Administration Policy  225
        Sample Administrative Policy Statements  225
    Access Control  226
        Why You Need an Access Control Policy  226
        What to Include in an Access Control Policy  226
        Sample Access Control Policy Statements  227
    Authorization  228
        Why You Need an Authorization Policy  228
        What to Include in an Authorization Policy  228
        Sample Authorization Policy Statements  229
    Authentication  229
        Why You Need an Authentication Policy  229
        What to Include in an Authentication Policy  230
        Sample Authentication Policy Statements  230
    Identity  230
        Why You Need an Identity Management Policy  231
        What to Include in an Identity Policy  231
        Sample Identity Policy Statements  232
    Assessment  232
        Why You Need an Assessment Policy  232
        What to Include in an Assessment Policy  232
        Sample Assessment Policy Statements  233
    Audit  233
        Why You Need an Audit Policy  233
        What to Include in an Audit Policy  234
        Sample Audit Policy Statements  234

Appendix E  Documentation Examples  235
    Guiding Principles  235
    Policies  236
    Standards  236
    Procedures  237
    Best Practices  237
    Guidelines  238
    Go with the Flow  238

Appendix F  Sample Job Description for Directory Engineer/Schema Architect  239

Index  241



Acknowledgments

Thanks to my fiancée, Penny, for her constant encouragement; my friend Peggy
for her sage advice and compliments; my older son, Jason, for setting the standard to reach for in technical writing; and my younger son, Justin, for reminding me that nearly everything worthwhile, writing included, is at least part art
and not all science. Many thanks to my mother, Verna, who convinced me at an
early age that you could accomplish most things you are willing to work at
with some tenacity.

Thanks to my literary agent, Carole McClendon at Waterside Productions,
for believing I had something to offer as a technical author; Carol Long, Acquisitions Editor at Wiley Publishing, for taking a chance on a new writer; and
Maryann Steinhart, the Development Editor, for making this book turn out far
better than it began. Thanks to everyone else at Wiley for their excellent work
and for always being so pleasant to work with. Thank you all!




Introduction

Identity theft and fraudulent access are a huge global problem. IT systems managers are charged with protecting privacy and personally identifying financial
information, and are responsible for building access controls capable of protecting the integrity of financial statements and safeguarding intellectual
property in a strong and growing regulatory environment against a worldwide threat force that never sleeps. Systems designers are challenged to create
authentication strategies and access controls that work, and after end users are
authenticated, to provide discerning authorizations to system resources. These
are the critical elements in creating quality systems designs.
This book was written to move the discussion of authentication, authorization, and access controls in a direction intended to meet current and expected
regulatory requirements, and is intended for IT systems architects, directory
engineers, technology consultants, systems analysts and designers, applications developers, and systems integrators. It also will benefit IT systems managers and decision makers in government and the private sector, including
chief information officers, chief security officers, project managers, and anyone in the public or private sector who may be held accountable in any way for
making sure systems designs protect personally identifying, medical, and
financial information or protect the systems that house that information to
meet external regulatory requirements. Others who would gain from reading
this book include college-level course instructors and students; policy makers
on the federal, state, and local levels; IT system auditors; inspectors general;
and accountants.
Anyone wanting to know enough to hold the trustees of his or her personally identifying, medical, and financial information accountable for providing
adequate protections could also learn something by reading this book, as



would principals in publicly traded companies who attest to the adequacy of
or rely on IT controls. IT consultants who have products and services to offer
will gain valuable insights into their customers’ needs from this book.

Offering a Strategy
This book presents a strategy for developing architecture that private-sector
and government systems designers can use for identity controls where privacy
or protected information is shared and used online.
Consumers of information technology services and systems designers and
implementers will be exposed to a design concept for appropriately dealing
with end-user identities, authentication, and access controls that are intended
to meet the regulatory requirements of Sarbanes-Oxley Section 404 criteria for
adequate controls. This book explains how to leverage existing technologies
through proper design combinations and discusses the elements of architecture documentation needed to realize implementation. It presents the critical
concepts necessary to design and create a system that integrates the elements
of the controls architecture for the following:
■ Identity management (dealing with identity in the modern enterprise)
■ Meta-directories (leveraging to reduce administration and improve access controls)
■ Identity provisioning (value provided, accuracy gained)
■ Authentication (options and limits)
■ Access controls (fine-grained controls necessary to protect data and privacy)

Readers will learn what it takes to design an information technology infrastructure capable of protecting the privacy and access integrity of computer
data, particularly in the Web applications environment.

How This Book Is Organized
The book is set up in such a way that each chapter’s information provides the
necessary background information for ideas that are discussed further or used
in subsequent chapters. Skipping chapters or reading them out of order isn’t
advised unless you are already familiar with the earlier chapters’ content.
Chapter 1 begins with a discussion of what IT architecture is and is not, and
Chapter 2 introduces the eight concepts that constitute privacy of information
and examines the protection of the data housed in your computer systems.