[Nottingham] Sarbanes-Oxley experiences

Robert Postill robert at grinning-cat.com
Wed Sep 7 15:25:47 BST 2005


Hi,
Ages ago an e-mail from Matt Bunter landed about this; as it happens,
I've recently started a contract for a bank and have had to talk a deal
of Sarbanes-Oxley with other folk while trying to get an LMS (Learning
Management System) up and running. I can't say too much as I'm under
NDA, but some things I have noticed are:
* It seems that SOX compliance for a system is based on the following:
	+ Auditing: nothing should happen without it being logged.
	+ Encryption: no more telnet for you :)
	+ Verification: you can't authenticate too many times...sigh.
* Training turns out to be a massive piece: you need to be able to prove
no-one is ignorant (hence the LMS). This turns out to be time consuming
and tricky, because of both the amount of training to be delivered and
the number of people you need to give it to (pretty much everyone).
* This is one of those areas where the big firms (PWC, CGEY, Accenture,
KPMG et al) are raking it in; frankly the stench of consultancy overload
hangs heavy in the air at most places (I'll hasten to add that I'm
possibly part of that stench) and I can't see it getting better for a
while yet. It's likely that people will be taken to the cleaners for a
few years yet.

Now, in the realm of my own speculation, I can say that I thought
seriously about SOX compliance for the LMS, and the following may apply
and hopefully spark a few ideas for you :) Bear in mind here that I'm
talking about a J2EE app on Unix, though, so YMMV:
Auditing:
Have you seen the honeynet project
(http://www.honeynet.org/index.html)? I read Know Your Enemy (the book
they publish) recently, and that had some interesting network topologies
and logging solutions that may help your auditing thoughts.
Particularly, I loved the idea around firewall connections and combining
snort, firewall and syslog.
Encryption:
SSL is a start, but PKI
(http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm)
is really where you need to be heading. Now, I'm not sure which DB you're
using, but Oracle has an OSA module (it's extra even for enterprise
customers, but don't ask me how much) that will allow that kind of work.

Verification:
I found this by far to be the toughest ask. I'm convinced that
practically we're stuffed for a couple of years yet, but given the recent
stuff
(http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html)
about one-way hashes, I'd expect any MD5/SHA-1 stuff not to fly for too
long; SHA-512 is where I'd aim. If you've got an app that needs to be SOX
compliant, a harsh auditor will make you use something other than MD5/SHA-1.

Hope that helps.
Robert.
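The post's auditing point ("nothing should happen without it being logged") and its verification point (aim for SHA-512 rather than MD5/SHA-1) can be combined into one concrete control: a tamper-evident audit log where each entry carries an HMAC-SHA-512 over the previous entry's tag and the event itself, so editing or removing a record in the middle of the log breaks the chain. The example below is added here and is not code from the original message or from the LMS it describes; the sample events, the key and the helper names are all constructed for illustration, and the example goes a little beyond the post by showing which tampering the chain does and does not catch.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample audit events for an LMS-like app (not from the original post).
SAMPLE_EVENTS = [
    {"ts": "2005-09-07T15:25:47+01:00", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2005-09-07T15:26:02+01:00", "user": "alice", "action": "view_course", "course": "sox-101"},
    {"ts": "2005-09-07T15:31:40+01:00", "user": "alice", "action": "complete_course", "course": "sox-101"},
]

# Demo key only; in production this lives in an HSM or a separate log host,
# never next to the log it protects.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# Chain seed: same width as a SHA-512 hex digest so every entry has a "prev".
GENESIS = "0" * 128


def canonical(event):
    """Deterministic serialisation so the same event always MACs the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_mac(prev_mac, event, key):
    """HMAC-SHA-512 over (previous tag || canonical event); binds order and content."""
    return hmac.new(key, prev_mac.encode("ascii") + canonical(event), hashlib.sha512).hexdigest()


def build_log(events, key):
    """Append events to a fresh chain and return the list of entries."""
    prev = GENESIS
    entries = []
    for ev in events:
        mac = entry_mac(prev, ev, key)
        entries.append({"prev": prev, "event": ev, "mac": mac})
        prev = mac
    return entries


def verify_log(entries, key):
    """Walk the chain; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev:
            return False, i  # an entry before this one was removed or reordered
        expected = entry_mac(prev, entry["event"], key)
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i  # this entry's content or tag was altered
        prev = entry["mac"]
    return True, None


def tamper_demo(key=DEMO_KEY):
    """Show what the chain catches: edits and deletions in the middle, but not
    silent truncation of the tail (that needs the last tag stored off-box)."""
    log = build_log(SAMPLE_EVENTS, key)

    edited = copy.deepcopy(log)
    edited[1]["event"]["course"] = "sox-102"      # rewrite history

    spliced = copy.deepcopy(log)
    del spliced[1]                                # drop an inconvenient record

    truncated = copy.deepcopy(log)[:-1]           # chop the newest entry

    return {
        "intact": verify_log(log, key),
        "edited": verify_log(edited, key),
        "spliced": verify_log(spliced, key),
        "truncated": verify_log(truncated, key),
        "last_mac": log[-1]["mac"],
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

Running it shows the intact chain verifying, the edited and spliced copies failing at index 1, and the truncated copy still verifying: a hash chain on its own proves nothing about missing tail entries, so the practical control is to ship the latest tag (or a counter plus tag) to a separate host, which is exactly the sort of "firewall plus syslog on another box" setup the honeynet material above is getting at.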