ITIL :: View topic - The CMDB and SOX Fields?
Forum: ITIL Forum Index -> Configuration Management
OhioScott (Itiler)
Joined: Oct 29, 2007; Posts: 26
Posted: Tue Apr 15, 2008 4:24 am; Post subject: The CMDB and SOX Fields?

Does anyone have information or can point me to information concerning what potential attributes within a CMDB might be considered classified due to a SOX relationship?

I worked with a company that identified IP and DNS as items that needed to be secured attributes (not viewed by the general public) for servers that supported items deemed financially significant under SOX but did not afford the same level of security for non-SOX CIs.

I've not been able to locate any information about this in SOX publications nor have I seen any recommendations for this online from any sources. Could someone enlighten me as to what items should be or shouldn't be secured from an attribute perspective in a CMDB?

Thanks!
asrilrm (Senior Itiler)
Joined: Oct 07, 2007; Posts: 441; Location: Jakarta, INA
Posted: Tue Apr 15, 2008 10:10 am

Hi,

Sorry if I sound naive but isn't CMDB used internally, not to be published openly?
UKVIKING (Senior Itiler)
Joined: Sep 16, 2006; Posts: 3303; Location: London, UK
Posted: Tue Apr 15, 2008 6:08 pm

To follow up on Asrilrm,

DNS:

If you hide the DNS entries for your web site, how are your customers supposed to find your web site?

IP address: Since your company purchases a Class A, B, or C licence of IP address range from an ISP or whoever, that information itself is public information; how can you hide it?
............
Now that the obvious questions have been asked,

1 - You can configure your cmdb any way you like. Hide fields etc

However, as the IP address and domain name (FQDN) of every device on your intra/internet needs to be seen by your monitoring and other tools that are used to manage IT networks, how can you determine that the IP address is a piece of information that needs to be secured?

What I suspect you mean is that the combination of the IP address, domain name and the function of the device gives someone an idea whether or not the said device can be exploited

If you are smart, you would have used RFC1918 address space for your internal networks along with firewalls, VLANs and other network tricks to secure your network from the outside

To hide your IP addresses/DNS records from your own internal staff who need this information is quite ridiculous.

Where in SOX or CoBIT does it say that you must hide all IP addresses?

This sounds like something a non-IT or non-network person would say, especially one who has no clue about the internet.

If the company 'security' policy is like that, then in addition to the IP address and DNS being locked away, the following should be as well:

MAC Addresses
Phone numbers
Building name, floor and room where the equipment is
the street address
city, county, country
postal code
Latitude and Longitude

Now seriously, ITIL says you need to have a CMDB. It is up to you to determine what information is in it, who has read, read/write or no access to the information, as well as controls and oversight on the information within the CMDB.
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
UrgentJensen (Senior Itiler)
Joined: Feb 23, 2005; Posts: 458; Location: London
Posted: Tue Apr 15, 2008 7:05 pm

Hi All,

I've got a problem with this from the purely SOX perspective, forget IT for a moment.

Two key points around SOX controls:

They exist to protect financial data and financial reporting.

Although the goal is always as above, they are generic and should be applied to any given organisation as and where they are appropriate, and more than this, precise control description is not prescribed but will be designed in relation to your organisation.

Therefore firstly, there is no generic 'right' answer to Scott's question, it depends on your business processes and architecture.

Secondly, DNS/IP is neither financial data nor an access control list (which is a more reasonable security control around financial integrity). It's possible that hiding DNS/IP could actually cause failure of a control: say, for example, if you published financial data online/by FTP for upload into a ledger over at HQ somewhere else. What if they can't get to the data? It can risk the financial integrity, so would be ridiculous. Just a sketchy example, but hopefully you see where I'm coming from.

You can over-do config if you're not careful. Keep it simple.

UJ
_________________
Did I just say that out loud?

(Beige badge)
Mark-OLoughlin (Senior Itiler)
Joined: Oct 12, 2007; Posts: 306; Location: Ireland
Posted: Tue Apr 15, 2008 7:42 pm

Hi,

Also have a look at COBIT, which focuses on controls and can be helpful in achieving SOX. As UJ stated, it is about control around financial data, but also bear in mind that the information under control is not just financial specific. You still have to have control over the IT elements as well.

Following on from the DNS example, you need to ensure that the correct people have access to that data and that anyone else does not. Say the DNS entry allowed you to exploit a DNS server that did not have specific security patches on it, and it then allowed you to relay from the DNS box to a financial database and get access to data: big issues and a potential SOX issue.

One key thing is that you provide data to the relevant people. Therefore you need to understand and identify who the "relevant" people are and set up your systems with this in mind. In the DNS issue you need to look at security around certain fields based on roles and user assignments to roles.

There is a lot more to SOX and COBIT and this just comments on the specifics of this post.
_________________
Mark O'Loughlin
ITSM / ITIL Consultant
OhioScott (Itiler)
Joined: Oct 29, 2007; Posts: 26
Posted: Wed Apr 16, 2008 12:41 am

Thanks for your responses. I neglected to mention that the data would be available to various users based upon their individual roles (Service Desk, NOC, etc.) but not available to all IT support areas. And again, this was only for those CIs designated as SOX significant.

I think what I'm taking away from your responses is: assess the company's exposure in order to understand potential weaknesses, these then form the basis for security requirements that may or may not be associated with data within the CMDB.

Is that a fair assessment of the responses?
UKVIKING (Senior Itiler)
Joined: Sep 16, 2006; Posts: 3303; Location: London, UK
Posted: Wed Apr 16, 2008 1:50 am

Basically yes.

The other thing that you need to take away from this is that the IP address and the DNS name in your own internal DNS servers are used by tools such as your monitoring tools.

Ask yourself the question,

Does (insert person/role/group) need the information to do its function?

If the answer is yes or maybe or I don't know, then hiding the IP address or DNS is not a good idea.

For example, the Exchange servers send email to people within your company. Should the domain name/IP address that is used by users when they create their email account be 'internally available' or not?

The tool that you use may give people the ability to see the information, but change management should be used to change the information.
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
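The advice in this thread comes down to two controls: attribute-level read access on SOX-significant CIs decided by role (Mark's point about securing certain fields based on roles and user assignments to roles) and writes that go only through an approved change (John's point just above about tools showing the information while change management changes it). The following Python sketch is added here as an illustration; it is not code from any poster or from any CMDB product. It assumes a flat role model, a per-CI "sox_significant" flag, and a set of approved change ids; every CI, role, grant, address and change id in it is constructed.

```python
# Attribute-level, role-based access to CMDB fields (constructed example).
# Restricted attributes (ip_address, fqdn) are hidden on SOX-significant CIs
# unless the role has a read grant; non-SOX CIs stay fully readable; every
# write needs both a write grant and an approved change record.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Attributes hidden on SOX-significant CIs unless the role is granted them.
RESTRICTED_ATTRS: FrozenSet[str] = frozenset({"ip_address", "fqdn"})

# Role -> restricted attributes the role may read (constructed roles/grants).
READ_GRANTS: Dict[str, FrozenSet[str]] = {
    "service_desk": frozenset({"fqdn"}),
    "noc": RESTRICTED_ATTRS,
    "config_manager": RESTRICTED_ATTRS,
    "app_support": frozenset(),
}

# Role -> attributes the role may change, only under an approved change.
WRITE_GRANTS: Dict[str, FrozenSet[str]] = {
    "config_manager": frozenset({"ip_address", "fqdn", "owner", "function"}),
    "noc": frozenset({"ip_address"}),
}


class AccessDenied(Exception):
    """Raised when a role lacks the grant or the change approval for an operation."""


@dataclass
class CI:
    name: str
    sox_significant: bool
    attrs: Dict[str, str]
    # (change_id, role, attribute, old_value, new_value) for every applied write.
    audit: List[Tuple[str, str, str, str, str]] = field(default_factory=list)


class Cmdb:
    def __init__(self, cis: List[CI], approved_changes: Set[str]) -> None:
        self.cis = {ci.name: ci for ci in cis}
        self.approved_changes = set(approved_changes)

    def _restricted(self, ci: CI, attr: str) -> bool:
        # Restriction applies only to SOX-significant CIs, as in the original poster's setup.
        return ci.sox_significant and attr in RESTRICTED_ATTRS

    def can_read(self, role: str, ci: CI, attr: str) -> bool:
        if not self._restricted(ci, attr):
            return True
        return attr in READ_GRANTS.get(role, frozenset())

    def view(self, role: str, ci_name: str) -> Dict[str, str]:
        """Return only the attributes the role may see; hidden fields are omitted."""
        ci = self.cis[ci_name]
        return {a: v for a, v in ci.attrs.items() if self.can_read(role, ci, a)}

    def update(self, role: str, ci_name: str, attr: str, value: str, change_id: str) -> None:
        """Apply a write only with a write grant and an approved change record."""
        ci = self.cis[ci_name]
        if attr not in WRITE_GRANTS.get(role, frozenset()):
            raise AccessDenied(f"role {role!r} may not change {attr!r}")
        if change_id not in self.approved_changes:
            raise AccessDenied(f"change {change_id!r} is not approved")
        old = ci.attrs.get(attr, "")
        ci.attrs[attr] = value
        ci.audit.append((change_id, role, attr, old, value))


def build_sample_cmdb() -> Cmdb:
    """Two constructed CIs: a SOX-significant ledger database and an ordinary wiki."""
    ledger = CI("ledger-db", True, {
        "ip_address": "10.20.30.40",  # RFC 1918 space, constructed value
        "fqdn": "ledger-db.corp.example",
        "owner": "finance-it",
        "function": "general ledger database",
    })
    wiki = CI("intranet-wiki", False, {
        "ip_address": "10.20.31.7",
        "fqdn": "wiki.corp.example",
        "owner": "comms",
        "function": "internal wiki",
    })
    return Cmdb([ledger, wiki], approved_changes={"CHG-0001"})


if __name__ == "__main__":
    cmdb = build_sample_cmdb()
    for role in ("app_support", "service_desk", "noc"):
        print(role, cmdb.view(role, "ledger-db"))
    cmdb.update("noc", "ledger-db", "ip_address", "10.20.30.41", "CHG-0001")
    print(cmdb.cis["ledger-db"].audit)
```

Hidden attributes are omitted from the view rather than returned as a placeholder, so a consumer (monitoring tool, report) cannot tell a restricted field from an absent one; the audit tuple on each CI is what an auditor would ask for to show that every change to a SOX-significant CI was tied to an approved change.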
UrgentJensen (Senior Itiler)
Joined: Feb 23, 2005; Posts: 458; Location: London
Posted: Wed Apr 16, 2008 6:39 pm

Scott,

Also.... do you have access to your IT Risk Register?

It should all be acknowledged in there, including SOX controls, because they are an aspect of overall IT risk and not a separate entity (despite the separate processes for audit, blah blah).

For example, we have a Risk Category called Data Security, and against that are a series of controls including SOX, but to emphasise the point that it's not only SOX. Therefore your CIs would be better off being linked to the holistic register entry and then SOX.

Cheers,

UJ
_________________
Did I just say that out loud?

(Beige badge)
OhioScott (Itiler)
Joined: Oct 29, 2007; Posts: 26
Posted: Thu May 01, 2008 5:45 am

Our risk register is not that detailed. The organization is not very mature in that respect.

I appreciate all the responses. They've given me much to think about.