
Sarbanes-Oxley IT Compliance Using Open Source Tools PDF

440 Pages·2007·6.677 MB·English

Preview Sarbanes-Oxley IT Compliance Using Open Source Tools

Lead Authors

Christian B. Lahti is a computer services consultant with more than 18 years’ experience in the IT industry. He is an expert and evangelist in the field of Open Source technologies in the IT enterprise and has successfully implemented global IT infrastructures. His focus and expertise lie in cross-platform integration and interoperability, security, database, and web development. Christian currently holds the position of Director of IT at a technology startup in Mountain View, CA, is a frequent speaker at both LinuxWorld and O’Reilly’s OSCON on a wide variety of topics such as enterprise authentication and infrastructure monitoring, and has contributed to several Open Source projects. Christian has a degree in Audio Engineering and holds several certifications. He is an original co-author of the first edition of this book and served as technical editor and contributing author to Windows to Linux Migration Toolkit (Syngress Publishing, ISBN: 1-931836-39-6).

Roderick Peterson has more than 20 years’ experience in the IT industry. He has held various positions with both Fortune 500 public companies and small private companies. Roderick currently holds the position of IT Director at a public technology company in the Silicon Valley. His diverse background includes knowledge of mainframe operations, LAN, Internet, IT infrastructure, business applications, and the integration of emerging technologies. He has successfully led the development and deployment of major applications at several global companies. Roderick also successfully owned and operated his own IT consulting business for more than five years. Along with being an original co-author of the first edition of this book, Roderick has lectured on Sarbanes-Oxley IT Compliance and Governance at the SANS Institute Executive Track.

Contributing Authors

Steve Lanza has more than 20 years of business experience ranging from Fortune 500 enterprises to small private and public companies.
He has held executive positions of Chief Financial Officer at various companies, responsible for global business operations, sales, marketing, manufacturing, finance and administration, business development, and engineering. His current position is Executive Vice President, Business Development and Chief Financial Officer at a privately held technology company headquartered in Silicon Valley. Steve has a Bachelor of Science degree in Finance from Cal Poly in San Luis Obispo, an MBA from GGU, and a Certificate of Engineering Management from Cal Tech (IRC). He also holds the title of Certified Management Accountant (CMA).

Bill Haag, William K. Haag (Retired), has over 43 years in Information Technology. During his career he has held various senior management positions, the most recent being the worldwide position of Senior Director of Information Management Services for the Applied Materials Corporation. Previous to Applied Materials he was the CIO of Racal-Datacom, Vice President of Technology and Systems Services for the Healthshare Group, and held senior management positions in ATT Paradyne Corporation, Paramount Communication Corporation, and Allied Signal Corporation. His accomplishments with these firms include the development and implementation of both domestic and international information systems to achieve business objectives, and significant budget and staff realignments to align MIS with the corporate strategies. His achievements have been recognized in trade and business publications including CIO, CFO, Information Week, LAN World, and Florida Business. He has also been a guest speaker for Bell Atlantic, Information Builders, and the Technical Symposium. Bill received his bachelor’s degree in Business Administration from Indiana University and has attended the University of South Florida’s Masters program.

Rod Beckström is a serial entrepreneur and catalyst. He is the chairman and chief catalyst at TWIKI.NET, an enterprise Wiki company.
He recently co-authored the bestseller “The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations.” After working as a trader at Morgan Stanley in London, Rod started his first company when he was 24 and grew it into a global enterprise with offices in New York, London, Tokyo, Geneva, Sydney, Palo Alto, Los Angeles, and Hong Kong. That company, CATS Software, went public and was later sold successfully. He has helped start other firms including Mergent Systems and American Legal Net. He has helped launch more than a half dozen non-profit groups and initiatives including Global Peace Networks, which supported the group of CEOs who helped open the border and trade between India and Pakistan, SV2, and the Environmental Markets Network. Rod serves as a Trustee of Environmental Defense and Director of Jamii Bora Africa Ltd., a micro-lending group with 140,000 members. A Stanford BA and MBA, Rod served as President of the graduate/undergraduate student body and was a Fulbright Scholar in Switzerland. His personal website is www.beckstrom.com.

Peter Thoeny is the founder of TWiki and has managed the open-sourced TWiki.org project for the last nine years. Peter invented the concept of structured Wikis, where free-form Wiki content can be structured with tailored Wiki applications. He is now the CTO of TWIKI.NET, a company offering services and support for TWiki. He is a recognized thought leader in Wikis and social software, featured in numerous articles and technology conferences including Linux World, Business Week, The Wall Street Journal, and more. A software developer with over 20 years’ experience, Peter specializes in software architecture, user interface design, and web technology. Peter graduated from the Swiss Federal Institute of Technology in Zurich, lived in Japan for 8 years working as an engineering manager for Denso building CASE tools, and managed the Knowledge Engineering group at Wind River for several years.
He co-authored the Wikis for Dummies book and is currently working on a Wikis for the Workplace book.

Matt Evans has had a long career in various software development and software quality assurance positions; most of these positions were in early-stage startups. Matt graduated from the University of Oregon with a Bachelor of Science degree in Computer Science. Currently he holds the position of Senior Director of Engineering Services at a software development startup that specializes in automated test generation tools for the Java Enterprise. Matt has taken advantage of Open Source tools and technologies over the years and is a firm believer in their value and effectiveness for software development and IT infrastructure.

Erik Kennedy has 15 years of experience in the IT industry. His background is in the areas of UNIX/Linux architecture and deployment and IT Security. He has held various positions at Fortune 500 public companies and is currently a Senior Systems Engineer at a public technology company in the Silicon Valley.

John T. Scott has 15 years’ experience in IT. His background includes end-to-end infrastructure design, implementation, and support for PC platforms, IP networks, and the security of both for business models of all sizes. He currently leads an information security incident response team for a global Fortune 50 company. He holds CISSP and GIAC certifications and has a bachelor’s degree in IT.
Chapter 1 Overview – The Goals of This Book

Solutions in this chapter:

■ IT Manager Bob – The Nightmare
■ What This Book Is
■ What This Book Is Not
■ Why Open Source
■ VM Spotlight: CentOS Linux Distribution
■ Case Study: NuStuff Electronics, an Introduction

✓ Summary
✓ Solutions Fast Track
✓ Frequently Asked Questions

IT Manager Bob – The Nightmare

“There’s no doubt that 404 goes too far, you end up documenting things for the sake of documenting them, even if your judgment says you’ve gone a bit overboard.” –Bruce P. Nolop, CFO, Pitney Bowes

The above quote refers to Pitney Bowes’s first year audit effort, in which they developed testing of 134 processes and more than 2,000 controls in 53 locations and ultimately found no significant weaknesses. We can just imagine the onerous task of managing this huge compliance effort, and can sympathize and agree with Mr. Nolop’s final assessment of the outcome.

Rather than jump ahead with the language and jargon of compliance, let’s step back for a moment and consider a day in the life of Information Technology (IT) Manager Bob. It’s Monday morning and you have barely had enough time to get your first cup of coffee and log in to check server availability before it starts—your first user call—the Human Resources (HR) Manager’s system won’t boot. After going through the usual—making sure that the correct power button is being pressed, checking to see that it’s plugged in, checking the outlet, and so on, you decide, since the HR Manager has a tendency to escalate problems to the Chief Executive Officer (CEO), that you will go to the HR Manager’s desk to see if you can determine what the problem might be. After querying the HR Manager more intently, you quickly determine the cause of the problem. Apparently, in an attempt to be “Green,” the HR Manager turned off the power strip for her PC the Friday before she left work.
Well, you guessed it: although she checked to see that everything was plugged in, she never noticed her power strip was off. As you’re walking back you think to yourself, well, looks like this Monday is not going to be any different from any other Monday—or so you think. After returning from the HR Manager’s desk, you take a quick look at your calendar to see what is on your agenda for the day (Figure 1.1). As usual there are more tasks than time to complete them.

www.syngress.com

Figure 1.1 IT Manager Bob’s Calendar

You’re halfway through your second meeting when your cell phone rings. You look down at the number and immediately realize it is the CEO’s admin. You think about the user this morning, and think, great, she can’t switch on a power strip and she still escalates to the CEO. To your surprise, the CEO has asked that you attend a meeting with him, the Chief Information Officer (CIO), and the Controller to discuss this “SOX” thing. You look down to make sure your socks are matching, wondering why on earth they would be concerned with such a nonsensical thing, as you enter the meeting. The expected crowd is there as you settle in, along with a couple of those slightly familiar faces you have seen floating about. “Bob, this is Bill and Jane from WeHelpU Consulting, and they have been spending the past couple of months helping us to prepare for our Sarbanes-Oxley compliance audit,” says the CEO by way of introduction. The consultants go on to explain that they are there to help finance analyze their business processes and reporting structures for the financial chain. After a few minutes, your eyes begin to glaze over, so you decide to read your e-mail. After all, meetings seem like the best time to catch up on this sort of thing. You nod a few times when your name is mentioned, catching phrases here and there like “control objectives” and “material weakness”… say, that doesn’t sound too good.
Wait a minute! You suddenly realize these people have been here for several months and you are just now getting sucked into something that you instantly know you really don’t want any part of, but it is becoming apparent that unfortunately you will have no choice in the matter. To top it off, these people are all acting like you have been clued in from day one!

“Okay, no problem,” you say after listening to them intently. “We will just revamp the old audit material from last year and add to it what we need.” Everyone agrees that it sounds like a reasonable place to start, and the meeting is adjourned, but somewhere in the back of your mind something tells you this is going to be anything but an ordinary IT audit. In this particular instance, you decide that it would be unwise for you to ignore that feeling, and that you had better find out more about this Sarbanes-Oxley thing, and PDQ (Pretty Darn Quick). Just then you realize this whole thing seems like a nightmare, and you are right. Whether as a result of your quickened heartbeat, sweating palms, or throbbing headache, you snap out of your Sarbanes-Oxley-induced nightmare back to the realization that you’ve passed your first year Sarbanes-Oxley compliance audit. You now breathe a sigh of relief as you revel in the knowledge that the worst is over. Or is it? Just as you begin to relax again, you hear the sound of your CEO’s voice asking you, “What is the impact of AS5 on our Sarbanes-Oxley compliance? How do our ITIL activities impact Sarbanes-Oxley?” You think to yourself, the nightmare continues.

Whether or not this story is similar to yours, the simple fact is that as an IT professional, whether you are a system administrator or a CIO, at some point Sarbanes-Oxley compliance should be a major concern if you work for a publicly held company.
Therefore, as part of this 2nd edition of Sarbanes-Oxley IT Compliance Using COBIT and Open Source, we will endeavor to provide information that is useful not only for first year Sarbanes-Oxley compliance, but for subsequent years’ compliance as well.

So, what exactly is this Sarbanes-Oxley, and why do I care? Although we won’t delve into this topic in excruciating detail just yet, we will give you some of the highlights. As for what Sarbanes-Oxley is: after various corporate scandals, in order to restore public faith in the U.S. stock market, on July 30, President Bush signed into law the Sarbanes-Oxley Act of 2002 (SOX). SOX significantly changed the federal regulations for all public companies with respect to corporate governance, financial reporting, and accountability for directors, officers, auditors, securities analysts, and legal counsel.

■ The New York Stock Exchange (NYSE) and the National Association of Securities Dealers Automated Quotation (NASDAQ) will not list any public company whose audit committee does not comply with auditor appointment criteria, compensation, and oversight. The audit committee must be comprised of independent directors.
■ CEOs and Chief Financial Officers (CFOs) must certify to the validity of their financial reporting and the IT systems that were germane in the process.
■ Insiders must report any trading of their companies’ securities within two business days after the date of execution of the transaction.
■ A company must disclose any and all additional information about the company’s financial condition or operations that the Securities & Exchange Commission (SEC) determines is necessary or useful to investors or in the public interest.
■ All annual reports filed with the SEC containing financial statements must include all material corrections identified by a public accounting firm.
Now that you have a better idea about what SOX is and how it has and/or will change life in publicly traded companies, we will touch on the financial impact:

■ According to Warren Buffett, CEO of Berkshire-Hathaway, the company spent $24 million on auditing this year, a figure he says would have been closer to $10 million without SOX. (DealBreaker – A Wallstreet Tabloid, March 2007)
■ Investors are taking companies private at a record pace. On Monday, it was Sallie Mae, the mammoth school-loan company, in a $25 billion deal. Do private equity firms know something the rest of us don’t? (Investor’s Business Daily, April 2007)
■ 100,000 fans flock to Shelbourne, Vermont, each year to tour the factory of the Vermont Teddy Bear Company. Although they can buy the bears, they can no longer buy the firm’s shares. That’s because Vermont Teddy Bear went private in September 2005, after 12 years as a public company. The company’s CEO, Elisabeth Robert, says a major reason was SOX. Had the firm remained public, she estimates the cost of complying with the law would have doubled to about $600,000 a year. (Nightly Business Report, April 2007)
■ Financial Executives International, a professional association, suggested that the cost of complying with Section 404 has been falling as companies become more efficient, but is still substantial. The survey showed that companies with a market capitalization greater than $75 million spent an average of $2.9 million in fiscal 2006 to comply. That was a 23 percent decrease from the 2005 figure. — Michael Hardy (Quote.com, July 2007)

So what does this mean? You might surmise from the figures above that SOX compliance is proving to be an expensive, resource-intensive undertaking, and that IT plays an integral role in that process.
NOTE

Although compliance methodologies and requirements other than SOX will be presented in this 2nd edition of “Sarbanes-Oxley IT Compliance Using COBIT and Open Source,” in keeping with the previous book, SOX will be used as the basis for compliance.

What This Book Is

In reading the next few chapters, you might get the feeling that this book has very little to do with implementing open source, since the subject matter seems very geared toward explaining the business aspect of SOX compliance. However, because SOX compliance will inevitably permeate your organization, IT staff, from the CIO down, must have a certain level of understanding of what SOX compliance means, some of the how’s and why’s of business processes, and the impact this will have on their daily jobs. In fact SOX is so far-reaching that virtually every person in your organization will be affected to some degree. So as a reader, one could almost view this as two books in one. On one hand we delve into the business processes and organizational considerations surrounding SOX compliance, and in the next breath we talk about specific open source tools and implementation strategies on how best to exploit the applicable open source technologies.

By way of analogy, we can compare the SOX compliance audit experience with training for a marathon. During the months preceding the race, you can choose not to change your daily routine, ignoring your coaches by eating the wrong foods and not exercising. That is certainly your right; however, once race day comes, those extra 20 pounds and the shortness of breath after ten minutes of effort are going to make for a very long and unpleasant uphill climb. Or you could do the opposite and prepare yourself as much as possible by eating healthy, performing weight training, and running several miles daily.
As with anything in life, these activities are no guarantee that you will have an easy and cheery marathon or even win the race. However, you are certainly guaranteeing an unpleasant, if not terrible, experience if you do not adequately prepare. The point is that you at least want to finish without having a heart attack in the process. We hope this book serves as a guide for your SOX compliance, by illustrating open source technologies and demonstrating concepts to help you survive compliance activities with your sanity, and enable you to better manage compliance costs.

What This Book Is Not

Honestly, it would be impossible to write a book on how to pass your SOX audit. Every business is different in operation and philosophical approach, and we could not begin to write a do-this, do-that, and voilà, somehow the auditors magically accept your IT infrastructure at face value and give you three gold stars. Speaking of IT, if you are looking for advice on anything remotely related to your finances, this is also not the book for you.

Disclaimer

The authors of this book and its publisher, Syngress/Elsevier, do not assert that the use of this book or technologies presented within it will affect your compliance efforts positively or negatively, and the contributors make no representation or warranties that the use of principles provided by this body of work will, by its nature, influence the outcome of an audit. Although many examples of IT controls, policies, procedures, and tests have been presented, these are
