- Isolate the servers that handle financial transactions and reporting. This covers the finance, production and sales systems: any system involved in generating the corporate numbers, or whose tampering could result in fraud or incorrect financial reporting.
- Keep all systems up to date with the latest service packs and hotfixes.
- Be prepared to demonstrate that anti-virus software is in place and up to date.
- Be prepared to show logs of the nightly backups of data covered by Sarbanes-Oxley.
- Create written change-control policies covering changes to the operating system and to the software running on it. Keep documentation of every change to these systems, especially the reason for the change and the approvals obtained.
- Harden these systems as if they were internet-facing. This includes applying ALL service packs and hotfixes to both operating systems and applications; document these updates and be prepared to demonstrate patch levels. Review the registry and Group Policy security settings and apply them. This includes disabling null sessions and removing any information that can be obtained by anonymous users, such as anonymous enumeration of accounts and shares.
- Change the NTFS permissions on all directories to remove the default Everyone: Full Control entry, and be prepared to demonstrate that non-administrators are prevented from accessing these file systems.
- If remote access to these systems is a factor, secure and audit those connections, and be prepared to show that you audit them.
- Ensure that logging is enabled and that the logs are large enough to be useful; a log that wraps before it is reviewed is no evidence at all. Create a formal policy for the review of all logs affecting the systems you have isolated, and be prepared to show your Sarbanes-Oxley auditors that the logs are reviewed. Try to produce a deliverable from these reviews that can be handed to the auditors. Centralized logging goes a long way toward demonstrating to Sarbanes-Oxley auditors that you can actually retrieve useful data from the various server logs.
- Have a defined password policy and enforce it for all applications. Suggestions for this policy include changing passwords every 60-90 days, enforcing complex passwords and using a strict account lockout policy. Use Windows Group Policy where possible to ensure that all servers adhere to the password policy.
- Conduct an audit of all user accounts. Verify that users with administrative rights actually need them and prepare a report giving the reason for each such account. Get rid of generic accounts and ensure that accounts exist only for users and services currently employed. Be prepared to show information such as the last logon date for a random sample of users. Create an ongoing policy of periodic account review and be prepared to demonstrate that the policy exists.
- Expect to provide screen prints or reports as proof of the processes or controls under Sarbanes-Oxley. Keep this in mind as you change processes or tighten your servers in anticipation of a Sarbanes-Oxley audit.
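Several of the items above (the null-session and anonymous-enumeration hardening, the Everyone: Full Control sweep, log sizing, the password policy and the account review) produce exactly the kind of evidence the auditors will ask to see. The following PowerShell script is an added example, not part of the original checklist and not any vendor's tool, that gathers that evidence from one Windows server into a timestamped JSON report, the "deliverable" the log-review item asks for. It runs on Windows PowerShell 5.1 or later from an elevated prompt. The scan roots C:\Finance and D:\Reports, the report folder C:\SoxEvidence, the 256 MB log floor and the expected registry values are assumptions to adjust to your own baseline; it only reports unless you pass -RemoveEveryoneFullControl.

```powershell
<#
  Get-SoxEvidence.ps1 - added example, not part of the original checklist.
  Collects point-in-time evidence for several list items above from the local
  Windows server into a timestamped JSON report. Run elevated. Report-only unless
  -RemoveEveryoneFullControl is given. Paths, the 256 MB log floor and the expected
  registry values are assumptions; adjust them to your own baseline.
#>
param(
    [string[]]$ScanRoots = @('C:\Finance', 'D:\Reports'),   # assumed data roots
    [string]$ReportDir = 'C:\SoxEvidence',                   # assumed output folder
    [switch]$RemoveEveryoneFullControl
)
# 1. Null-session / anonymous-enumeration restrictions (the registry values behind the
#    "Network access: ..." security options that Group Policy sets)
function Get-AnonymousAccessSettings {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $checks = @(
        @{ Path = $lsa; Name = 'RestrictAnonymous';         Expected = 1 },
        @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Expected = 1 },
        @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Expected = 0 },
        @{ Path = $srv; Name = 'RestrictNullSessAccess';    Expected = 1 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Setting = $c.Name; Expected = $c.Expected; Actual = $actual
                           Compliant = ($actual -eq $c.Expected) }   # absent value = not proven
    }
    foreach ($n in 'NullSessionPipes', 'NullSessionShares') {    # both lists should be empty
        $v = (Get-ItemProperty -Path $srv -Name $n -ErrorAction SilentlyContinue).$n
        [pscustomobject]@{ Setting = $n; Expected = '(empty)'; Actual = ($v -join ';'); Compliant = (-not $v) }
    }
}
# 2. Directories that still grant Everyone (S-1-1-0) Full Control
function Find-EveryoneFullControl {
    param([string[]]$Roots, [switch]$Remove)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($root in ($Roots | Where-Object { Test-Path -Path $_ })) {
        $dirs = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -Path $dir.FullName
            $bad = $acl.Access | Where-Object {    # compare by SID so localized account names do not matter
                ($_.AccessControlType -eq 'Allow') -and (($_.FileSystemRights -band $full) -eq $full) -and
                ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0')
            }
            foreach ($ace in $bad) {
                $action = 'Reported'
                if ($Remove -and -not $ace.IsInherited) {   # inherited ACEs must be fixed at their source
                    [void]$acl.RemoveAccessRule($ace)
                    Set-Acl -Path $dir.FullName -AclObject $acl
                    $action = 'Removed'
                }
                [pscustomobject]@{ Path = $dir.FullName; Inherited = $ace.IsInherited; Action = $action }
            }
        }
    }
}
# 3. Event log coverage: enabled, big enough to outlast the review interval, and how far back it reaches
function Get-EventLogStatus {
    param([int]$MinimumMB = 256)   # assumed floor
    foreach ($name in 'Security', 'System', 'Application') {
        $log = Get-WinEvent -ListLog $name
        $oldest = Get-WinEvent -LogName $name -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
        [pscustomobject]@{ Log = $name; Enabled = $log.IsEnabled; MaxMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
                           Records = $log.RecordCount; OldestEntry = $oldest.TimeCreated; Mode = "$($log.LogMode)"
                           Compliant = ($log.IsEnabled -and ($log.MaximumSizeInBytes -ge ($MinimumMB * 1MB))) }
    }
}
# 4. Password and lockout policy actually in force on this host (local or domain-supplied)
function Get-EffectivePasswordPolicy {
    $policy = [ordered]@{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(.*)$') { $policy[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $maxAge = $policy['Maximum password age (days)'] -as [int]   # 'Unlimited' becomes $null and fails
    $policy['Checks'] = [ordered]@{ MaxAgeWithin60to90 = ($maxAge -ge 60 -and $maxAge -le 90)
                                    LockoutEnabled     = ($policy['Lockout threshold'] -ne 'Never') }
    $policy
}
# 5. Account review: who holds admin rights, plus last logon per local account
#    (on a domain member use Get-ADUser -Filter * -Properties LastLogonDate,Enabled instead)
function Get-AccountReview {
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
    $users = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet,
        @{ n = 'DaysSinceLogon'; e = { if ($_.LastLogon) { (New-TimeSpan -Start $_.LastLogon).Days } else { 'never' } } }
    [pscustomobject]@{ Administrators = @($admins); Users = @($users) }
}
# Assemble the deliverable: one JSON document per host per run
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$report = [ordered]@{
    Host = $env:COMPUTERNAME; GeneratedAt = (Get-Date).ToString('s'); RunBy = "$env:USERDOMAIN\$env:USERNAME"
    AnonymousAccess     = @(Get-AnonymousAccessSettings)
    EveryoneFullControl = @(Find-EveryoneFullControl -Roots $ScanRoots -Remove:$RemoveEveryoneFullControl)
    EventLogs           = @(Get-EventLogStatus)
    PasswordPolicy      = Get-EffectivePasswordPolicy
    Accounts            = Get-AccountReview
}
$out = Join-Path $ReportDir ('sox-evidence-{0}-{1:yyyyMMdd-HHmm}.json' -f $env:COMPUTERNAME, (Get-Date))
$report | ConvertTo-Json -Depth 5 | Set-Content -Path $out -Encoding UTF8
"Evidence written to $out"
```

Two design choices are deliberate. The registry values and log sizes are reported but not changed here: those controls belong in Group Policy (the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" and "Network access: Restrict anonymous access to Named Pipes and Shares" security options, and the Event Log policy or wevtutil sl for log sizes), so that the script is evidence of the control rather than the control itself, and a drifted value shows up as Compliant = False. The NTFS scan matches Everyone by its SID and only removes explicit entries; an inherited Everyone: Full Control entry is listed with Inherited = True so you can fix it at the parent it came from instead of breaking inheritance on every subdirectory. Run the script on a schedule and keep every JSON file; the set of dated reports, plus a sign-off from whoever reviewed them, is the periodic-review evidence the checklist calls for.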