Date post: 01-Oct-2020
Symantec ESM Policy Manual for the Sarbanes-Oxley Act (OS400)
Page 1: SymantecESMPolicy Manualforthe Sarbanes-OxleyAct (OS400) · 2020. 2. 18. · TechnicalSupport SymantecTechnicalSupportmaintainssupportcentersglobally.Technical Support’sprimaryroleistorespondtospecificqueriesaboutproductfeatureand

Symantec ESM Policy Manual for the Sarbanes-Oxley Act (OS400)


Symantec ESM Policy Manual for the Sarbanes-Oxley Act (OS400)

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Copyright Notice

Copyright © 2005 Symantec Corporation. All rights reserved.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014 USA
http://www.symantec.com

Trademarks

Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and web-based support that provides rapid response and up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
■ Advanced features, including Technical Account Management

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp.

Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum/.

When contacting the Technical Support group, please have the following:

■ Product release level
■ Hardware information
■ Available memory, disk space, NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description
■ Error messages/log files
■ Troubleshooting performed prior to contacting Symantec
■ Recent software configuration changes and/or network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support.

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information on product updates and upgrades
■ Information on upgrade insurance and maintenance contracts
■ Information on Symantec Value License Program
■ Advice on Symantec's technical support options
■ Nontechnical presales questions
■ Missing or defective CD-ROMs or manuals

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.


Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]
■ Europe, Middle-East, and Africa: [email protected]
■ North America and Latin America: [email protected]

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.


Symantec Software License Agreement

Symantec ESM Policy Manual for the Sarbanes-Oxley Act (OS400)

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE COMPONENT ("COMPONENT") TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE COMPONENT (REFERENCED BELOW AS "YOU" OR "YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT SUPPLEMENT ("SUPPLEMENT") AND THE LICENSE AGREEMENT ACCOMPANYING THE SYMANTEC PRODUCT WITH WHICH THIS COMPONENT IS UTILIZED ("LICENSE AGREEMENT"). READ THE TERMS AND CONDITIONS OF THE LICENSE AGREEMENT AND THIS SUPPLEMENT CAREFULLY BEFORE USING THE COMPONENT. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE "ACCEPT" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS SUPPLEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE "I DO NOT ACCEPT," OR "NO" BUTTON, OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE COMPONENT.

In addition to the License Agreement, the following terms and conditions apply to You for use of the Component.

1. License:

The software and documentation that accompanies this Supplement (collectively the "Component") is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Component, you will have certain rights to use the Component after your acceptance of this license. This license governs any releases, revisions, or enhancements to the Component that the Licensor may furnish to you. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a "License Module") that accompanies, precedes, or follows this license, your rights and obligations with respect to the use of this Component are as follows:

You may:

A. use the number of copies of the Component as required for utilization with the applicable Symantec products as have been licensed to you by Symantec under a License Module. Your License Module shall constitute proof of your right to make such copies. If no License Module accompanies, precedes, or follows this license, you may make one copy of the Component you are authorized to use on a single machine.

B. use the Component in combination with any Symantec recognized product that specifies use with the Component;

C. use the Component in accordance with any written agreement between You and Symantec.

2. Limited Warranty:

Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

3. Disclaimer of Damages:

SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

4. U.S. Government Restricted Rights:

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items," as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation," as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

5. Export Regulation:

Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC), under the Export Administration Regulations (EAR) (see www.bxa.doc.gov). Violation of U.S. law is strictly prohibited. Licensee agrees to comply with the requirements of the EAR and all applicable international, national, state, regional and local laws, and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan or to any country subject to applicable trade sanctions. Licensee agrees not to export, or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State's Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export, or re-export, Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons.

6. General:

This Supplement and the Software License Agreement are the entire agreement governing the use and licensing of this Component. In the event of any conflict between the Supplement and the License Agreement, with regard to the Component, the Supplement shall control. All other terms and conditions of the License Agreement remain in full force and effect.

7. Additional Uses and Restrictions:

Notwithstanding any of the terms and conditions contained in this Supplement, the following additional terms apply to the product you have licensed.

A. The SSL certificate accompanying this Component will expire within one (1) year of installation of the Component. You may use a self-signed certificate or a separately acquired certificate from a third party vendor.

B. The use of Netscape LDAP SDK for Java is governed by the Netscape Public License (NPL), the full text of which can be found at http://www.mozilla.org/MPL/NPL-1.1.html. You are entitled to a copy of the source code of this third party software, which can be found in the Component.

C. The use of SNIA CIMOM is governed by the SNIA Public License (SPL), the full text of which can be found at http://www.snia.org/English/Resources/Code/OpenSource.html. You are entitled to a copy of the source code of this third party software, which can be found in the Component.


Contents

Technical Support

Chapter 1 Symantec ESM Policy Manual for the Sarbanes-Oxley Act (OS400)
  Introducing the policies ... 11
    About the Sarbanes-Oxley Act ... 13
      SEC Final Rule ... 14
  About COSO and CobiT ... 15
    Components of Internal Control for COSO ... 16
    Control Objectives for CobiT ... 16
    Where to get more information ... 17
  Installing the policies ... 17
    Before you install the regulatory policies ... 17
    Installing the regulatory policies ... 18

Chapter 2 Mappings to Policies
  Change Notification policy ... 21
    Account Integrity ... 22
    Device Integrity ... 22
    Network Integrity ... 23
    Program Find (Queries) ... 23
  Resource Review policy ... 23
    Account Integrity ... 24
    Login Parameters ... 25
    Network Integrity ... 26
    Password Strength ... 27
    Program Find (Queries) ... 27
    SysVal - Security ... 27
  Controls Compliance policy ... 28
    Account Integrity ... 28
    Network Integrity ... 29
    OS Patches ... 29
    Password Strength ... 30
    Program Find (Queries) ... 31
    Startup Files ... 31
    SysVal - Control ... 32
    SysVal - Security ... 33


Chapter 1

Symantec ESM Policy Manual for the Sarbanes-Oxley Act (OS400)

This chapter includes the following topics:

■ Introducing the policies
■ About COSO and CobiT
■ Installing the policies

Introducing the policies

Each Symantec ESM policy addresses different aspects of the IT process that relates to compliance with the Sarbanes-Oxley Act. You should run the policies at the specified time intervals, which are based on operational efficiencies.


Policy name: Change Notification

Description and scheduling: Run the Change Notification policy daily. This policy identifies changes to system resources such as system files, services, network connections, registry entries, and other parameters that are related to the “effectiveness of internal controls” that are critical to sustaining the integrity of information that is used for financial reporting:

■ Monitors and detects changes to controls that could have a material impact on financial reporting
■ Provides management with sufficient, timely, and accurate reports about changes to meet real-time issuer disclosure requirements

Policy name: Resource Review

Description and scheduling: Run the Resource Review policy weekly. This policy provides information about critical system resources that support the “effectiveness of internal controls” that are critical to sustaining the integrity of information that is used for financial reporting:

■ Continuously monitors and records the state of critical system resources that require manual review, which could have an impact on the integrity of the financial reporting process
■ Validates and mitigates risks identified in the manual review
■ Assists your company with periodic assessment and monitoring of administrative and technical controls that are needed for compliance with the Act

Policy name: Controls Compliance

Description and scheduling: Run the Controls Compliance policy at least twice per month. This policy checks system-wide configuration settings that are related to the “effectiveness of internal controls” that are critical to sustaining the integrity of information that is used for financial reporting:

■ Determines if the actual environment is in compliance with the desired state of control
■ Monitors the state of control for compliance with the desired state of control
■ Records the results of the monitoring
■ Provides management with sufficient, timely, and accurate reports on which to base the quarterly and annual certifications

About the Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act, was introduced as House Resolution 3763, passed by the 107th Congress, and signed into law by President George W. Bush on July 30th, 2002.

The Sarbanes-Oxley Act is unlike other recently introduced regulations and standards that contain explicit security requirements relating to confidentiality, integrity and availability. The purpose of the law is to ensure accountability and integrity of the financial reporting process for public companies.

Title IV, section 404 and Title III, section 302 of the Act require annual and quarterly management reporting and certification of the adequacy of controls. In addition, material changes must be reported in accordance with Title IV, section 409, “Real Time Issuer Disclosures.”

Compliance with the Sarbanes-Oxley Act involves the following fundamental activities:

■ Achieving and maintaining compliance as an ongoing process
■ Reporting on the current state of compliance; for example, for an audit or examination

Symantec ESM policies for the Sarbanes-Oxley Act assess compliance with many of the components of internal control in COSO and control objectives in CobiT that may be reviewed by your public auditor during your annual attestation of compliance required by the Sarbanes-Oxley Act.


There are two regulatory bodies responsible for overseeing compliance with the Act:

Securities and Exchange Commission (SEC): The SEC is the regulatory body responsible for enforcing the Act.

Public Company Accounting Oversight Board (PCAOB): Title I section 101 of the Act established the Public Company Accounting Oversight Board (PCAOB) "to oversee the audit of public companies that are subject to the securities laws.” The only assigned duty of the Board with direct relevance to public company compliance with Sarbanes-Oxley is to "establish or adopt, or both, by rule, auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers, in accordance with section 103.”

SEC Final Rule

The SEC Final Rule is published as:

Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274).

As directed by section 404 of the Act, the SEC has adopted a rule (the Final Rule) requiring companies that are subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include in their annual reports a report from management on the company's internal control over financial reporting. The internal control report must include the following:

■ A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company
■ Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year
■ A statement identifying the framework that is used by management to evaluate the effectiveness of the company's internal control over financial reporting
■ A statement that the registered public accounting firm that audited the company's financial statements (included in the annual report) has issued an attestation report on management's assessment of the company's internal control over financial reporting
■ An evaluation of any change in the company's internal control over financial reporting:


  ■ that occurred during a fiscal quarter
  ■ that has materially affected the company's internal control over financial reporting
  ■ that is reasonably likely to materially affect the company's internal control over financial reporting
■ The following statement:

“The company's certifying officer(s) have disclosed, based on our most recent evaluation of internal control over financial reporting, to the company's auditors and the audit committee of the company's board of directors (or persons performing the equivalent functions):

(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company's ability to record, process, summarize and report financial information; and

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal control over financial reporting.”

Under the SEC Final Rule, a company is required to file the registered public accounting firm's attestation report as part of the annual report. The SEC has adopted amendments to their rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the section 302 certification requirements and to require issuers to provide the certifications that are required by section 302 and Title IX section 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports.

The SEC has stated:

“We recognize that our definition of the term ‘internal control over financial reporting’ reflected in the final rules encompasses the subset of internal controls addressed in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (Internal Control Framework report) that pertains to financial reporting objectives.”

See “SEC Final Rule” on page 14.

About COSO and CobiT

The SEC requires organizations to select and implement an internal control framework. COSO has become the most commonly adopted framework.

SEC registrants and others found that additional details regarding IT control considerations were needed beyond those provided in COSO. The Public Company Accounting Oversight Board (PCAOB) indicates the importance of IT controls but does not provide further detail. As a result, the Control Objectives for Information and related Technology (CobiT), which is published by the IT Governance Institute, was used as the basis to expand the IT control details and to produce and document these Symantec ESM policies.

Components of Internal Control for COSO

The Institute of Internal Auditors (IIA) identifies the following five relevant components of internal control within the COSO framework:

■ Control environment (CE): The foundation for effective internal control; establishes the “tone at the top” and represents the apex of the corporate governance structure.

■ Risk assessment (RA): The identification and analysis by management of relevant risks to achieving predetermined objectives; forms the basis for determining control activities.

■ Control activities (CA): Activities that make up the policies, procedures and practices that are adopted to ensure that business objectives are achieved and risk mitigation strategies are followed.

■ Information and communication (IC): Information that is needed at all levels of the organization to run the business and achieve control objectives.

■ Monitoring (M): The oversight of internal control by management through continuous and point-in-time assessment processes.

Control Objectives for CobiT

The Information Technology Governance Institute (ITGI) defines the following four domains within CobiT:

■ Planning and Organization (PO): Covers strategy and tactics. PO identifies the way IT can best achieve the business objectives. Twelve control objectives from five processes are addressed by these policies.

■ Acquisition and Implementation (AI): Describes identification, development or acquisition, implementation, and integration of IT solutions into the business process. Three control objectives from one process are addressed by these policies.

■ Delivery and Support (DS): Covers the actual delivery of required services. Services can range from traditional operations with security and continuity aspects to training. Thirteen control objectives from four processes are addressed by these policies.

■ Monitoring (M): Addresses management's oversight of the organization's control process. Monitoring covers independent assurance that is provided by either an internal or external audit or through alternative resources. Four control objectives from two processes are addressed by these policies.

Where to get more information

The Securities and Exchange Commission (SEC) is the regulatory body that is responsible for enforcing the Act. For more information, go to the following web sites:

■ Sarbanes-Oxley Act (full text): http://www.law.uc.edu/CCL/SOact/soact.pdf

■ SEC Final Rule: http://www.sec.gov

■ PCAOB Auditing Standard #2: http://www.pcaob.com

■ COSO framework: http://www.erm.coso.org/Coso/coserm.nsf/vwWebResources/PDF_Manuscript/$file/COSO_Manuscript.pdf

■ CobiT control objectives: http://www.isaca.org/cobit.htm

Installing the policies

To use these policies, a Symantec Enterprise Security Manager OS/400 Agent must be registered to a Symantec ESM 6.0 or 6.5 manager.

Before you install the regulatory policies

You must decide which Symantec ESM managers require the policy. Policies run on managers and do not need to be installed on agents. The policies can be installed on the following operating systems:

■ IBM® AIX® 5.x

■ Hewlett-Packard® HP-UX® 10/11

■ Sun™ Solaris™ 2.7 or higher

■ Microsoft® Windows Server™ 2003

■ Microsoft® Windows 2000 Professional/Server/Advanced Server with service pack 1.0 and higher

Installing the regulatory policies

The standard installation method is to use the LiveUpdate feature in the Symantec ESM console. An alternative method is to use files from a Symantec ESM CD or the Internet to install the policies manually.

To install the policies by using LiveUpdate

1 Connect the Symantec ESM Enterprise Console to managers that you want to update.

2 Click the LiveUpdate icon to start the LiveUpdate wizard.

3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next.

4 In the Welcome to LiveUpdate dialog box, click Next.

5 Do one of the following:

■ To install all checked products and components, click Next.

■ To exclude a product from the update, uncheck it, and then click Next.

■ To exclude a product component, expand the product node, uncheck the component that you want to exclude, and then click Next.

6 Click Next.

7 Click Finish.

8 Ensure that all managers that you want to update are checked.

9 Click Next.

10 Click OK.

To obtain files for a manual installation

1 Connect the Symantec ESM Enterprise Console to managers that you want to update.

2 Go to the Security Response Web site at: http://securityresponse.symantec.com

3 Download the executable files for Microsoft Windows:

■ OS400_SOA_Change_Notification_20051115.exe

■ OS400_SOA_Controls_Compliance_20051115.exe

■ OS400_SOA_Resource_Review_20051115.exe

To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder (usually Program Files/Symantec/LiveUpdate).

To install the policies manually

1 On a computer that is running Windows NT/2000/XP/Server 2003 that has network access to the UNIX manager, run the executable that you downloaded from the Symantec Security Response Web site.

2 Click Next to close the Welcome dialog box.

3 In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes.

4 Click Yes to continue installation of the best practice policy.

5 Type the requested manager information.

6 Click Next.

If the manager's modules have not been upgraded to Security Update 18 or later, the install program returns an error message and aborts the installation. Upgrade the manager to SU 18 or later, and then rerun the install program.

7 Click Finish.


Chapter 2: Mappings to Policies

This chapter includes the following topics:

■ Change Notification policy

■ Resource Review policy

■ Controls Compliance policy

Change Notification policy

The modules that are included in this policy are described below, with information about the checks that are enabled in each module. The following details are provided for individual security checks:

■ References to the COSO components of internal control

■ References to the CobiT control objectives

■ Brief rationale for enabling the check

■ Associated templates (if applicable)

■ Associated name lists (if applicable)

■ Keyword lists (if applicable)

■ Word lists (if applicable)

This policy is read-only. To meet your company's security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide.

Note: Default values for specific security checks are based on industry best practices. Control objectives do not identify specific values.


Account Integrity

The Account Integrity module reports profile and privilege information. It also creates and maintains user and group snapshot records to detect account changes between policy runs.

Check | COSO | CobiT | Rationale
Changed user profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
Changed group profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
New user profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
New group profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.

Device Integrity

The Device Integrity module identifies changes in device ownership and ID on an AS/400 network.

Check | COSO | CobiT | Rationale
Changed devices | CE, IC, CA | PO4.9, AI3.6 | Changes should be reviewed to ensure they are authorized.
Deleted devices | CE, IC, CA | PO4.9, AI3.6 | Changes should be reviewed to ensure they are authorized.
Device types to include | N/A | N/A | This policy is set to examine workstation devices by default.
New devices | CE, IC, CA | PO4.9, AI3.6 | Changes should be reviewed to ensure they are authorized.

Network Integrity

The Network Integrity module examines security settings on an AS/400 system. It also reports the vulnerabilities of domains, including global security groups and folder and printer shares.

Check | COSO | CobiT | Rationale
System distribution directory | N/A | N/A | This check must be enabled for proper operation of ESM.
New entries | CA, M | DS5.17 | Changes should be reviewed to ensure they are authorized.
Deleted entries | CA, M | DS5.17 | Changes should be reviewed to ensure they are authorized.

Program Find (Queries)

The Program Find module reviews specified libraries on your system and looks for potential security problems based on the selected options.

Check | COSO | CobiT | Rationale
New adopt owner | RA, M | PO9.3, M2.4 | Changes to adopt owner programs should be examined to ensure they are authorized.

Resource Review policy

The modules that are included in this policy are described below, with information about the checks that are enabled in each module. The following details are provided for individual security checks:

■ References to the COSO components of internal control

■ References to the CobiT control objectives

■ Brief rationale for enabling the check

■ Associated templates (if applicable)

■ Associated name lists (if applicable)

■ Keyword lists (if applicable)

■ Word lists (if applicable)

This policy is read-only. To meet your company's security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide.

Note: Default values for specific security checks are based on industry best practices. Control objectives do not identify specific values.

Account Integrity

The Account Integrity module reports profile and privilege information. It also creates and maintains user and group snapshot records to detect account changes between policy runs.

Check | COSO | CobiT | Rationale
Deleted user profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
Deleted group profile | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Changes should be reviewed to ensure they are authorized.
Attention program not default | CA, IC, M | DS5.2 | A misconfigured attention program could be a vulnerability or an indication of compromise.
Attention program adopts authority | CA, IC, RA, M | PO9.3, DS5.6 | A misconfigured attention program could be a vulnerability or an indication of compromise.
Profiles with specific special authorities | CE, CA, IC, M | PO4.9, PO4.10, DS5.5 | System level privileges should be reviewed frequently to ensure they are authorized.
Profile with user class | CE, CA, IC, M | PO4.9, PO4.10, DS5.5 | System level privileges should be reviewed frequently to ensure they are authorized.
Profile without limited capabilities | CE, CA, IC, M | PO4.9, PO4.10, DS5.5 | Limited capabilities are required to help prevent unauthorized changes to profiles.
Privileged users and groups | CE, CA, IC, M | DS11.30 | System level privileges should be reviewed frequently to ensure they are authorized.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.
Sign on details | CE, CA, IC, M | PO6.8, DS5.7, M2.4 | This check reports on a variety of important profile configuration errors and risks.
Profiles to check | N/A | N/A | By default, ESM examines all profiles.
User profiles by group | CE, CA, IC, M | PO4.9, DS5.7 | The security officer role is highly privileged and should be reviewed to ensure all users with this role are authorized.

Login Parameters

The Login Parameters module examines profile sign-on parameters.

Check | COSO | CobiT | Rationale
Display signon information | CA, IC, M | DS5.6 | Users must be able to see their sign-on information in order to monitor their own account for misuse.
Expired password | CE, CA, IC, M | PO7.8, DS5.17 | Expired passwords are usually an indicator of unused accounts that should be deleted.
Groups with password | CA, IC, M | DS5.15 | Group profiles should not have sign-on passwords.
Inactive profiles | CE, CA, IC, M | PO7.8, DS5.4, DS5.17 | Unused accounts should be deleted.
No password | RA, CA, M | PO9.7, DS5.2, DS5.17 | Profiles without passwords are probably configuration errors.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.
Profiles to check | N/A | N/A | By default, ESM examines all profiles.

Network Integrity

The Network Integrity module examines security settings on an AS/400 system. It also reports the vulnerabilities of domains, including global security groups and folder and printer shares.

Check | COSO | CobiT | Rationale
System distribution directory | N/A | N/A | This check must be enabled for proper operation of ESM.
Remote sign on | RA, CA, IC | PO9.7, DS13.8 | Remote access should be controlled with an explicit logon process.

Password Strength

The Password Strength module reports passwords that do not conform to this policy.

Check | COSO | CobiT | Rationale
Password = username | CA, RA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match the user name are easy to guess and could compromise the integrity of information that is used for financial reporting.
Profiles without password | CA, RA, M | PO9.7, DS5.2, DS5.17 | Profiles without passwords are probably configuration errors.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.

Program Find (Queries)

The Program Find module reviews specified libraries on your system and looks for potential security problems based on the selected options.

Check | COSO | CobiT | Rationale
Libraries | N/A | N/A | By default, ESM examines the QGPL library.
Program adopts owner | RA, M | PO9.3, M2.4 | These programs should be carefully examined to ensure they are not a vehicle for unauthorized access.

SysVal - Security

The SysVal - Security module reports a problem if the agent is not using the specified system security system values.

Check | COSO | CobiT | Rationale
Max sign on attempts | CE, CA, IC, M | PO6.8, DS5.7 | Excessive login failures could indicate attempts to gain unauthorized access.

Controls Compliance policy

The Sarbanes-Oxley Controls Compliance policy monitors the configuration of an operating system or database for compliance with the recommended state of control.

The modules that are included in this policy are described below with the checks that are enabled in the module. The following details are provided for individual security checks:

■ References to the COSO components of internal control

■ References to the CobiT control objectives

■ Brief rationale for enabling the check

■ Associated templates (if applicable)

■ Associated name lists (if applicable)

■ Keyword lists (if applicable)

This policy is read-only. To meet your company's security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide.

Note: Default values for specific security checks are based on industry best practices. Control objectives do not identify specific values.

Account Integrity

The Account Integrity module reports profile and privilege information. It also creates and maintains user and group snapshot records to detect account changes between policy runs.

Check | COSO | CobiT | Rationale
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.

Network Integrity

The Network Integrity module examines security settings on an AS/400 system. It also reports the vulnerabilities of domains, including global security groups and folder and printer shares.

Check | COSO | CobiT | Rationale
Client request access | CA, IC, M | DS5.2 | Agent requests can be used to overwrite data without explicit authorization.
DDM request access | CA, IC, M | DS5.2 | Agent requests can be used to overwrite data without explicit authorization.
System distribution directory | N/A | N/A | This check must be enabled for proper operation of ESM.

OS Patches

This module reports the status of OS patches (PTFs) that affect system security.

Check | COSO | CobiT | Rationale
Template file list | CA, RA, M | PO9.3, DS5.19, M2.4 | The template file contains information on OS/400 patches.

OS Patches (Patch) template file

Symantec uses LiveUpdate every two weeks to update the template files loaded on your system.

Note: Do not edit, move, or change your patch template files.

The Patch module uses the following template files:

Template name | File name | OS
OS Patches | patch.po4 | OS/400

Password Strength

The Password Strength module reports passwords that do not conform to this policy.

Check | COSO | CobiT | Rationale
Days until expiration | CA, RA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. This policy ships with a default setting of 60 days.
Password reuse count | CA, RA, M | PO9.7, DS5.2, DS5.17 | Limiting reuse of previously used passwords reduces the risk of discovery. This policy ships with a default setting of 4 prior passwords.
Restrict repeated characters | CA, RA, M | PO9.7, DS5.2, DS5.17 | Easily guessed passwords do not meet the CobiT/COSO requirement for adequate authentication and access controls. Repeated characters make passwords easy to guess. This policy ships with a default setting of 2 characters.
Numeric character required | CA, RA, M | PO9.7, DS5.2, DS5.17 | Forcing users to select passwords that conform to the minimum character class requirements helps to ensure passwords cannot be easily guessed. This policy ships with a default setting of 1.
Check password length restrictions | CA, RA, M | PO9.7, DS5.2, DS5.17 | Easily guessed passwords do not meet the CobiT/COSO requirement for adequate authentication and access controls. Short passwords are easily guessed. This policy ships with a default setting of 8 characters.
Retrieve OS/400 profile details | N/A | N/A | This check must be enabled for proper operation of ESM.
Profiles to check | CA, RA, M | PO9.7, DS5.2, DS5.17 | By default, ESM examines all profiles.

Program Find (Queries)

The Program Find module reviews specified libraries on your system and looks for potential security problems based on the selected options.

Check | COSO | CobiT | Rationale
Adopt owner profile | RA, M | PO9.3, M2.4 | These programs should be carefully examined to ensure they are not a vehicle for unauthorized access.
Sensitive commands | RA, M | PO9.3, M2.4 | These commands are risky and should be examined to ensure they are needed and authorized.

Startup Files

The Startup Files module examines jobs (services) that automatically start when the computer is turned on.

Check | COSO | CobiT | Rationale
Check if Anonymous FTP is allowed | CA, IC, M | DS5.2, DS13.8 | Anonymous FTP is a frequently exploited vulnerability. The mechanism does not properly authenticate users.
Users can change library content | CA, RA, M | PO9.3, DS5.17, DS5.19 | This check reports a possible system compromise.
Services | CA, IC, M | AI3.7, DS5.17 | The template file contains a list of mandatory and forbidden services.

Services template files

Mandatory, prohibited, and optional services for OS/400 are defined in Services templates.

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your system.

The Startup Files module uses the following default template files.

Template name | File name | OS
Services | basic.so4 | OS/400

SysVal - Control

The SysVal - Control module reports a problem if the agent is not using the specified system values.

Check | COSO | CobiT | Rationale
Autoconfigure devices | CA, IC, M | AI5.12, DS5.2 | Setting autoconfiguration of remote devices to OFF is prudent.
Autoconfigure remote controllers | CA, IC, M | AI5.12, DS5.2 | Setting autoconfiguration of remote controllers to OFF is prudent.
Autoconfigure virtual devices | CA, IC, M | AI5.12, DS5.2 | Virtual devices should be configured deliberately, not automatically.
Force conversion on restore | CA, IC, M | DS5.19 | Forced conversion is not recommended by Symantec and IBM.
Maximum history log size | CA, M | DS5.17 | Symantec recommends 5000 for this setting. Your business context may demand a different setting.
Remote power on and IPL | CA, IC | DS13.8 | Remote IPL should not be permitted.
Remote service attribute | CA, IC | DS13.8 | Remote analysis should not be permitted.
System part of library list | CA, IC, M | DS5.7, DS5.19, DS9.5 | Unauthorized libraries can be an indication of system compromise.
User part of library list | CA, IC, M | DS5.7, DS5.19, DS9.5 | Unauthorized libraries can be an indication of system compromise.

SysVal - Security

The SysVal - Security module reports a problem if the agent is not using the specified system security system values.

Check | COSO | CobiT | Rationale
Allow object restore | CA | AI3.6 | While *NONE is the safest setting, some environments may need to use *ALWPGMADP.
Auditing Control | CA, M | DS5.7, DS5.10 | This check ensures that auditing is properly enabled.
Security auditing level | CA, M | DS5.7, DS5.10 | This check determines which events are to be audited.
Auditing end action | CA, M | DS5.7, DS5.10 | If audit logging fails for any reason, the SYSOP should be notified rather than shutting down the system.
Audit journal cache size | CE, CA, IC, M | PO4.10, AI3.7, DS5.10 | Audit journal entries must not be lost on abnormal termination.
Create default public authority | CA, M | DS5.7, DS5.10 | Public users should not be able to change newly created objects.
Create object auditing | CA, M | DS5.7, DS5.10 | Changes to objects should be audited by default.
Privileged user access | RA, CA | PO9.3, PO9.7, AI3.3 | Permissions, especially high privilege permissions, must be assigned explicitly.
Failed sign-on action | CE, CA, IC, M | PO6.8, DS5.7 | Excessive login failures could indicate attempts to gain unauthorized access.
System security level | CA, M | DS5.2 | This setting establishes requirements for authentication.
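As an added example (not code from the Symantec manual or from ESM), the script below evaluates a constructed OS/400 system value snapshot against the shipped defaults that the Controls Compliance policy states for its Password Strength, SysVal - Control and SysVal - Security checks. The mapping from the manual's check names to IBM i system value names (QPWDEXPITV, QPWDRQDDIF, QALWOBJRST and so on) and the exact pass conditions are assumptions made here; the target values come from the rationale text above.

```python
"""Added example, not part of the Symantec manual: compare an OS/400 system
value snapshot with the defaults the Controls Compliance policy text gives.
The check-name to system-value mapping is an assumption made here."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Check:
    name: str                   # check name as listed in the manual
    sysval: str                 # assumed IBM i system value behind the check
    expects: str                # human-readable target, for the report
    ok: Callable[[str], bool]   # predicate over the raw system value text


def _days_ok(v: str) -> bool:
    # *NOMAX means passwords never expire; the manual's shipped default is 60 days.
    return v != "*NOMAX" and 1 <= int(v) <= 60


def _reuse_ok(v: str) -> bool:
    # QPWDRQDDIF is an index, not a count: 0 = no restriction, 1 = last 32
    # passwords blocked ... 8 = last 4 blocked, so 1-8 all satisfy the
    # manual's "4 prior passwords" default.
    return 1 <= int(v) <= 8


CHECKS: List[Check] = [
    Check("Days until expiration", "QPWDEXPITV", "1-60, not *NOMAX", _days_ok),
    Check("Password reuse count", "QPWDRQDDIF", "1-8", _reuse_ok),
    Check("Restrict repeated characters", "QPWDLMTREP", "1 or 2", lambda v: v in ("1", "2")),
    Check("Numeric character required", "QPWDRQDDGT", "1", lambda v: v == "1"),
    Check("Check password length restrictions", "QPWDMINLEN", ">= 8", lambda v: int(v) >= 8),
    Check("Autoconfigure devices", "QAUTOCFG", "0 (OFF)", lambda v: v == "0"),
    Check("Remote power on and IPL", "QRMTIPL", "0 (not permitted)", lambda v: v == "0"),
    Check("Allow object restore", "QALWOBJRST", "*NONE", lambda v: v == "*NONE"),
    Check("Auditing Control", "QAUDCTL", "not *NONE", lambda v: v != "*NONE"),
    Check("Auditing end action", "QAUDENDACN", "*NOTIFY", lambda v: v == "*NOTIFY"),
    Check("Create default public authority", "QCRTAUT", "*USE or *EXCLUDE",
          lambda v: v in ("*USE", "*EXCLUDE")),
]


@dataclass(frozen=True)
class Finding:
    check: str
    sysval: str
    actual: str
    expects: str


def parse_snapshot(text: str) -> Dict[str, str]:
    """Parse a constructed 'NAME VALUE' listing, one system value per line;
    '#' lines are comments and multi-token values are kept verbatim."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        values[name.upper()] = value.strip().upper()
    return values


def evaluate(values: Dict[str, str]) -> List[Finding]:
    """Return one Finding per check whose value misses the policy target.
    Missing or unparsable values are reported, never silently passed."""
    findings: List[Finding] = []
    for c in CHECKS:
        actual = values.get(c.sysval, "<missing>")
        try:
            passed = actual != "<missing>" and c.ok(actual)
        except ValueError:  # e.g. *NOMAX where a number was expected
            passed = False
        if not passed:
            findings.append(Finding(c.name, c.sysval, actual, c.expects))
    return findings


# Constructed sample, not data from a real system: shipped-style values with
# deliberate deviations from the policy defaults.
SAMPLE_SNAPSHOT = """
QPWDEXPITV    *NOMAX
QPWDRQDDIF    0
QPWDLMTREP    0
QPWDRQDDGT    0
QPWDMINLEN    6
QAUTOCFG      1
QRMTIPL       0
QALWOBJRST    *ALWPGMADP
QAUDCTL       *AUDLVL *OBJAUD
QAUDENDACN    *NOTIFY
QCRTAUT       *CHANGE
"""
```

Running evaluate(parse_snapshot(SAMPLE_SNAPSHOT)) reports eight deviations for the sample (expiry, reuse, repeated characters, numeric requirement, minimum length, device autoconfiguration, object restore and default public authority); the system value QPWDRQDDIF being an index rather than a count is the kind of detail the manual's "4 prior passwords" wording leaves to the operator.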
