December 6th ,

2005

A Sarbanes-Oxley (SOX)
Compliance Driven Risk
Assessment Model

Team:
Mahesh Babu
Chetak Sirsat
Sarbanes-Oxley Act of 2002

"To protect investors by improving

the accuracy and reliability of
corporate disclosures made
pursuant to the security laws,
and for other purposes."
 Sarbanes-Oxley Act of 2002

• Government’s Response to Enron,

WorldCom
• Intended to restore investor trust in US
corporations
• Changes how companies manage:
– Auditors
– Financial Reporting
– Executive Responsibility
– Internal Controls
 SOX Section 302, 404

• Corporations required to:

– assess internal controls around
financial reporting system
– Report effectiveness of controls to SEC
– Assessment must be reviewed and
judged by an outside auditing firm
 Information Security and SOX

• Financial reporting systems heavily dependent on well

controlled IT environment (ITGI, 2004).
• Internal controls include information security controls
• ITGI identified security controls required by SOX in the
following areas:
– Security Policy
– Security Standards
– Access and Authentication
– Network Security
– Monitoring
– Segregation of Duties
– Physical Security
• Companies required to assess and report the
effectiveness of these controls to be compliant
 Risk Assessment

• Important step in an effective

information security strategy
• Used to:
– evaluate risk associated with security
related threats
– Identify controls to minimize risk
• Can be modified to assess SOX
security controls
NIST Risk Assessment Methodology
 Why need a SOX driven Risk
Assessment?
• Companies required by SOX to assess and report the
effectiveness of security controls to be compliant
• Current methods are proprietary
• Risk assessment is important to company’s information
security strategy
• Current risk assessment methods do not consider SOX
compliance.
 Proposed Solution

• Leverage NIST methodology as framework. The following modifications

will be made
– The scope of the assessment would be the IT infrastructure associated
with the financial reporting process.
– The asset identification process would involve analyzing:
• User Authentication
• User provisioning/de-provisioning
• Segregation of Duties
• Audit Logging/Reporting
– The threat identification step will be modified to identify non
compliance with SOX regulations as a threat.
– Threats associated with the financial reporting process itself will be
identified along with the threats associated with the IT infrastructure.
– The financial reporting process will also be assessed for
vulnerabilities.
– The control analysis step will be modified to test for specific
security controls associated with the financial reporting process
of the organization.
– A control checklist will be developed to test the level of
compliance of the organization’s financial reporting process.
– The impact of non compliance will be factored in during the
impact analysis step.
– Compliance specifications and deadlines will be factored in
when formulating and prioritizing control recommendations. If a
recommended control would address a threat related to non
compliance, it would receive a higher priority than a control
that would not address non compliance.
 Step 1: Scope Identification

1. Break down IT infrastructure into (no more than 5)

categories.
2. identify the categories that are involved with the
organization’s financial reporting process.
3. Assign a value (CIA-SOX score) for the impact to
CIA and SOX compliance if each category is
compromised.
4. Rank categories based on CIA-SOX score
5. Categories with highest rank will fall into
scope.
 Step 2: Asset Identification

1. Build Asset Classification Model.

Example:
 Step 2: Asset Identification

Application Assessment Interview

– For each category, analyze:
• User Authentication
• User provisioning/de-provisioning
• Segregation of Duties
• Audit Logging/Reporting
– Produce Application Definition Document
 Step 3: Threat Identification

• Threat Definition
– Source, Motivation, Action, Resource,
Capability
• Threat Categorization
• Threat Evaluation
• SOX compliance related threats
identified based on previous audit
findings and the results of the
application assessment from Step 1.
 Step 4: Vulnerability Identification

• This step involves identifying three kinds of

vulnerabilities:
– Technical vulnerabilities
– Non-technical vulnerabilities
– SOX compliance related vulnerabilities
• To identify SOX compliance vulnerabilities:
– Complete the vulnerability checklist
– Complete the application assessment questionnaire
 Step 5: Control Analysis

• The following contain the basic standards that

will be used to systematically evaluate
compliance and noncompliance to those
standards (NIST 800-30, 17.)
– The vulnerability checklist
– Appendices A, B and C of IT Control
Objectives for Sarbanes-Oxley by ITGI
– the application assessment questionnaire in
appendix B (also used in the previous step)
 Step 6: Impact Analysis

• The adverse impact of a threat was examined

along five (5) axes:
– Confidentiality: A loss in confidentiality is the
unauthorized disclosure of information.
– Integrity: A loss of integrity is the unauthorized
modification or destruction of information.
– Availability: A loss of availability is the disruption of
access to or use of information or an information
system.
– Reputation: A loss in reputation is the loss in the
esteem and respect that the public and peer
institutions have.
– Compliance: Noncompliance would have severe
legal and financial implications.
 Step 7, 8, 9: Likelihood
Determination, Risk Determination
and Documentation
The concluding steps of the risk
assessment will identically follow the
NIST 800-30 risk assessment
methodology with the one following
exception:
– Compliance specifications and
deadlines will be factored in when
formulating and prioritizing control
recommendations.
 Benefits

• Findings can be used when evaluating current level of

SOX compliance.
• It would reduce the costs associated with performing
separate risk assessments as part of the organization’s
information security strategy.
• It would bring information security related risks into the
focus of the organization’s leadership because of its
association with SOX compliance.
• It would lay the groundwork for developing a generalized
compliance driven risk assessment model that could
incorporate any set of regulations or specifications.
• It could be the first step in developing a risk management
program for organizations that have to be SOX compliant.