'''Risk Association Control Activities:'''<br>

::'''3.2.1: Infrastructure'''<br>
:::[[3.2.1.1: Routers|'''3.2.1.1: Routers''']]<br>
:::[[3.2.1.2: Firewalls|'''3.2.1.2: Firewalls''']]<br>
:::[[3.2.1.3: VPN|'''3.2.1.3: VPN''']]<br>
:::[[3.2.1.4: Managed Switches|'''3.2.1.4: Managed Switches''']]<br>
:::[[3.2.1.5: Intrusion Detection or Prevention System|'''3.2.1.5: Intrusion Detection or Prevention System''']]<br>

::'''3.2.2: Operating Systems'''<br>
:::'''3.2.2.1: UNIX'''<br>
:::'''7. Risk: Unidentifiable users may compromise critical business processes and data.'''<br>
::::a. SOX.4.2.1.7: The UNIX system will not allow identical administrator IDs.<br>
'''Testing Procedures'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Obtain a copy of the user control file from the system and verify that there are no duplicate system accounts.<br>
<br>
An example of this might be one of the following:<br>
<br>
*Solaris Unix: /etc/passwd
*AIX Unix: /etc/passwd
*Linux Unix: /etc/passwd
<br>
</blockquote>
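One way to carry out this test over a captured copy of the user control file, as an added example that is not part of the original page. It checks login names and also UIDs, because a second account with UID 0 is a distinct name that carries the same root privileges; the passwd content is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a passwd-format file for the duplicate
# accounts the testing procedure looks for. Login names are checked, and so are UIDs,
# because a second account with UID 0 is a distinct name with the same root privileges.

# Constructed sample in /etc/passwd format with one shared UID 0 and one repeated login.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
alice:x:1002:1002:Alice again:/home/alice2:/bin/bash'

# Print each login name that occurs more than once (one per line, sorted).
dup_logins() {
    printf '%s\n' "$1" | awk -F: 'NF >= 7 && $1 != "" { c[$1]++ }
        END { for (u in c) if (c[u] > 1) print u }' | sort
}

# Print each UID shared by several logins as "uid:login1,login2" (sorted by UID).
dup_uids() {
    printf '%s\n' "$1" | awk -F: 'NF >= 7 { n[$3] = (n[$3] == "" ? $1 : (n[$3] "," $1)); c[$3]++ }
        END { for (u in c) if (c[u] > 1) print u ":" n[u] }' | sort -n
}

# Run both checks over passwd content $1; print findings; return 1 if any were found.
audit_passwd() {
    rc=0
    for u in $(dup_logins "$1"); do echo "FAIL duplicate login name: $u"; rc=1; done
    for d in $(dup_uids "$1"); do echo "FAIL UID ${d%%:*} shared by ${d#*:}"; rc=1; done
    if [ "$rc" -eq 0 ]; then echo "PASS no duplicate login names or UIDs"; fi
    return $rc
}

# Run over the constructed sample; for a real host use: audit_passwd "$(cat /etc/passwd)"
audit_passwd "$SAMPLE_PASSWD" && echo "result: effective" || echo "result: exception"
```

The printed findings are the evidence to file in the archive location below; the exit status (0 = no duplicates) lets the same script run unattended in the quarterly validation.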

'''Testing Frequency'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Quarterly validation of all systems within scope.
<br>
</blockquote>

'''Evidence Archive Location'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Insert hyperlink or location of evidence archive.
<br>
</blockquote>

'''Control Stewards Process Narrative'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
The AIX operating system prevents the addition of duplicate IDs. Furthermore, the regular review of administrator IDs listed above serves as a backstop for this control.<br>
<br>
'''Control Steward – Steve Somebody'''
<br>
</blockquote>

'''Process Illustration'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Replace this text by inserting a process diagram, flowchart or other visual representation to illustrate the process narrative as necessary. Include a brief description of the process illustration.
<br>
</blockquote>

'''Control Status and Auditors Commentary'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
The control is effective. It is technically impossible to establish identical user accounts on a UNIX operating system.<br>
<br>
[[Image:greenlock.jpg]]<br>
<br>
</blockquote>

'''Control Exception Commentary'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Status is acceptable.
<br>
</blockquote>

'''Remediation Plan'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Remediation is not required at this time.
<br>
</blockquote>

:::'''8. Risk: Insufficient security standards may allow unauthorized access to production systems and business data stores.'''<br>
::::a. SOX.4.2.1.8: UNIX passwords are required for each system ID. Password configuration is based on Corporate IT standards.<br>

'''Testing Procedures'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Obtain a copy of the configuration file enforcing the password parameters as defined by the corporate policy document: '''Technical Standard – Access Controls.'''<br>
<br>
An example of this might be one of the following:<br>
<br>
*Solaris Unix: /etc/passwd
*AIX Unix: /etc/security/user
*Linux Unix: /etc/login.defs
<br>
</blockquote>

'''Testing Frequency'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Quarterly validation of all systems within scope.
<br>
</blockquote>

'''Evidence Archive Location'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Insert hyperlink or location of evidence archive.
<br>
</blockquote>

'''Control Stewards Process Narrative'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Passwords on all platforms adhere to the company's corporate policy document: '''Technical Standard – Access Controls'''.<br>
<br>
The password complexity standards include the following:<br>
*Password Length: 8 characters
*Password Complexity: At least one each of alpha (a - z), numeric (0 - 9) and special characters (#, $ and @)
*Passwords may not be reused for nine months.
*Passwords must be changed every thirteen weeks.
<br>
'''Control Steward – Pat Manager'''
<br>
</blockquote>
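An added example, not part of the original page, that compares the Linux and AIX configuration files named in the testing procedure above against the length, ageing and reuse values in this narrative. The file contents are constructed; on Linux, /etc/login.defs only carries ageing and length, and complexity and reuse history are enforced by PAM modules such as pam_pwquality and pam_pwhistory, so those two points need a separate check there.

```shell
#!/bin/sh
# Added example (not from the wiki page): check the files named in the testing procedure
# against the narrative's standard: minimum length 8, change every 13 weeks (91 days),
# no reuse for nine months (39 weeks). Linux login.defs carries only ageing and length;
# AIX /etc/security/user also carries the reuse window (histexpire, counted in weeks).
# Constructed sample of a Linux /etc/login.defs that misses the standard.
SAMPLE_LOGIN_DEFS='# constructed sample
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5'
# Constructed sample of an AIX /etc/security/user whose default stanza meets it.
SAMPLE_AIX_USER='default:
        maxage = 13
        minlen = 8
        histexpire = 39
root:
        maxage = 0'
# Print the value of key $2 from login.defs content $1 (last setting wins, comments skipped).
logindefs_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}
# Print attribute $2 from the "default:" stanza only of /etc/security/user content $1.
aix_default_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[^ \t].*:$/ { in_default = ($0 == "default:") }
        in_default && $1 == k && $2 == "=" { v = $3 }
        END { print v }'
}
# require LABEL VALUE OP LIMIT: report one parameter; return 1 if unset or off standard.
require() {
    if [ -n "$2" ] && [ "$2" "$3" "$4" ] 2>/dev/null; then echo "ok   $1=$2"; return 0; fi
    echo "FAIL $1=${2:-unset} (standard: $3 $4)"; return 1
}
check_login_defs() {   # $1 = /etc/login.defs content; ageing counted in days
    rc=0
    require PASS_MAX_DAYS "$(logindefs_get "$1" PASS_MAX_DAYS)" -le 91 || rc=1
    require PASS_MIN_LEN  "$(logindefs_get "$1" PASS_MIN_LEN)"  -ge 8  || rc=1
    return $rc
}
check_aix_user() {     # $1 = /etc/security/user content; ageing counted in weeks
    rc=0
    m=$(aix_default_get "$1" maxage)
    [ "$m" = 0 ] && m=""   # maxage = 0 means passwords never expire: report as unset
    require maxage     "$m"                                 -le 13 || rc=1
    require minlen     "$(aix_default_get "$1" minlen)"     -ge 8  || rc=1
    require histexpire "$(aix_default_get "$1" histexpire)" -ge 39 || rc=1
    return $rc
}

check_login_defs "$SAMPLE_LOGIN_DEFS" && echo "login.defs: effective" || echo "login.defs: exception"
check_aix_user "$SAMPLE_AIX_USER" && echo "security/user: effective" || echo "security/user: exception"
```

For a live host, pass "$(cat /etc/login.defs)" or "$(cat /etc/security/user)" in place of the samples and keep the printed ok/FAIL lines as the quarterly evidence.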

'''Process Illustration'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Replace this text by inserting a process diagram, flowchart or other visual representation to illustrate the process narrative as necessary. Include a brief description of the process illustration.
<br>
</blockquote>

'''Control Status and Auditors Commentary'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
The control is effective at this time because the appropriate password parameters are automatically enforced and they meet or exceed corporate information technology password standards.<br>
<br>
[[Image:greenlock.jpg]]<br>
<br>
Ongoing random sample testing of all UNIX systems on a quarterly basis is advised.
<br>
</blockquote>

'''Control Exception Commentary'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Status acceptable. Control exceptions do not exist at this time.
<br>
</blockquote>

'''Remediation Plan'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Status acceptable. Remediation not required at this time.
<br>
</blockquote>

:::[[3.2.2.2: Windows|'''3.2.2.2: Windows''']]<br>
:::[[3.2.2.3: Mainframe|'''3.2.2.3: Mainframe''']]<br>
:::[[3.2.2.4: OS/400|'''3.2.2.4: OS/400''']]<br>