Sarbanes-Oxley IT Compliance Using Open Source Tools 2nd Ed.

A Toolkit for IT Professionals

Christian B. Lahti, Roderick Peterson

Publisher: Syngress, 2007, 445 pages

ISBN: 978-1-59749-216-4

Keywords: Finance, Open Source

Last modified: April 5, 2021, 3:18 p.m.

The Sarbanes-Oxley Act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002), signed into law on 30 July 2002 by President Bush, is considered the most significant change to federal securities laws in the United States since the New Deal. It came in the wake of a series of corporate financial scandals, including those affecting Enron, Arthur Andersen, and WorldCom. The law is named after Senator Paul Sarbanes and Representative Michael G. Oxley. It was approved by the House by a vote of 423-3 and by the Senate 99-0.

This book illustrates the many Open Source cost-saving opportunities that public companies can explore in their IT enterprise to meet the mandatory compliance requirements of the Sarbanes-Oxley Act. It also demonstrates, by example and technical reference, both the Open Source infrastructure components that can be made compliant and the Open Source tools that can aid in the journey to compliance. Although many books and reference materials have been written on the financial and business side of SOX compliance, very little material directly addresses the information technology considerations, and even less addresses how Open Source fits into that discussion.

Each chapter begins with the IT business and executive considerations of Open Source and SOX compliance. The remainder of each chapter examines the specific Open Source applications and tools that relate to the chapter's subject matter, and finally a bootable "live" CD provides fully configured, running demonstrations of those Open Source tools as a technical reference for implementing the concepts presented in the book.

  • Only book that shows companies how to use Open Source tools to achieve SOX compliance, which dramatically lowers the cost of using proprietary, commercial applications.
  • Only SOX book with a bootable-Linux CD containing countless applications, forms, and checklists to assist companies in achieving SOX compliance.
  • Only SOX compliance book specifically detailing steps to achieve SOX compliance for IT Professionals.

Table of Contents

  • Chapter 1 Overview — The Goals of This Book
    • IT Manager Bob — The Nightmare
      • What This Book Is
      • What This Book Is Not
        • Disclaimer
      • Conventions Used in this Book
        • The Transparency Test
        • Lessons Learned
        • Tips and Notes
        • VM Spotlight
        • Case Study
    • Why Open Source?
      • Open Source Licensing: A Brief Look
        • GNU General Public License
        • GNU Library or "Lesser" General Public License
        • The New Berkeley Software Distribution License
      • Open and Closed Source in Contrast
      • The Business Case for Open Source
        • Free != No Cost
        • Does It Really Save Money?
        • Platform-agnostic Architecture
        • Open Source and Windows
        • Mixed Platforms
        • Migration: a Work in Progress
          • VM Spotlight: CentOS GNU/Linux Distribution
      • A Word on Linux Distributions in General
        • Linux Distributions and References
      • CentOS in Detail
      • Case Study: NuStuff Electronics, an Introduction
        • IT Infrastructure
          • Server Room (General, Sales, Support, and Executive)
          • Server Room (Engineering and Design)
          • Desktops (Sales, Support, Executive, Finance, and HR)
          • Desktops (Engineering and Design)
          • Network Topology
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 2 Introduction to the Companion DVD
    • The DVD Redux
      • Installing the ITSox2 Toolkit VM
        • Host System Requirements
        • Installing the VMware Player
          • Windows Installation
          • Linux Installation
        • Installing the ITSox2 Toolkit VM
        • Launching the ITSox2 Toolkit VM
        • Uninstalling the ITSox2 Toolkit VM
      • Exploring the CentOS Linux Desktop
        • Selecting your Window Manager
        • Adding Packages and Staying Current
        • Other System Setup Opportunities
    • VM Spotlight – eGroupware
      • eGroupware Applications
        • SiteManager
        • Home
        • Preferences
        • Administration
        • FelaMiMail Email Client
        • Calendar
        • AddressBook
        • InfoLog
        • ProjectManager
        • Wiki
        • General Wiki Concepts
        • Bookmarks
        • Resources
        • TimeSheet
        • Tracker
        • NewsAdmin
        • KnowledgeBase
        • WorkFlow
        • Other Applications
    • Case Study: NuStuff Electronics, Setting the Stage
      • The Portal
        • Main and Headers
        • Launch Pad
        • Reference
      • The Cast of Characters
        • Employee Listing
        • SOX Auditor Listing
        • IT SOX Consultant Listing
        • Group Listing
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 3 SOX and Compliance Regulations
    • What is PCAOB
    • PCAOB Audit Approach
    • SOX Overview
      • What Will SOX Accomplish?
        • Section 302
        • Section 404
      • SOX Not Just a Dark Cloud
      • Good News/Bad News
        • Good News
        • Bad News
    • Sustainability Is the Key
    • Enough Already
      • Other US Regulations/Acts In Brief
      • Compliance Around The Globe
    • VM Spotlight: Desktop Tools
      • OpenOffice
        • Write
        • Calc
        • Impress
        • Base
        • Draw
      • Firefox
      • Evince
    • Case Study: Workflow Concepts
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 4 What’s In a Framework?
    • PCAOB Endorses COBIT?
      • The Six COBIT Components
      • Entity Level Controls versus Control Objectives
      • What Are the Four COBIT Domains?
        • Planning and Organization
        • Acquisition and Implementation
        • Delivery and Support
        • Monitoring
    • Are the Developers of COBIT Controls Crazy? Is this Practical?
      • What Controls Should I Use?
        • Server Room (General, Sales, Support and Executive)
        • Desktops (Sales, Support and Executive)
        • Network Topology
        • Planning and Organization
        • Acquire and Implement
        • Delivery & Support
        • Monitor & Evaluate
    • The Top Contenders
      • ITILv2
      • There Is No Panacea
    • VM Spotlight: Project Plan
    • Case Study: Framework Selection
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 5 The Cost of Compliance
    • SOX and IT
      • Section 404
      • Why Comply?
    • Compliance Issues
      • The Human Factor
      • Walk the Talk
      • Who Are You and What Do You Need
    • What’s In A Framework?
    • Assessing Your Infrastructure
      • Open Source to Support Proprietary Systems
    • VM Spotlight: Fedora Directory Server
      • LDAP Overview
      • Fedora Directory Server in Detail
      • The Fedora Directory Server Console
        • Managing Fedora Directory Server
        • Configuring Fedora Directory Server
        • Viewing and Updating the Directory
      • Managing Users and Groups
    • Case Study: Costs
    • Old Habits Are Hard To Break
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 6 What’s First?
    • The Work Starts Here
    • What Work?
    • Planning and Organization
      • 8. Ensure Compliance with External Requirements
      • 9. Assess Risks
      • 11. Manage Quality
    • Working The List
    • Policy Definition and Management
      • NuStuff Corporate Policy Documents
      • Administrative Access Control Policy
      • Change Management Policy
      • Data Backup and Restore Policy
      • Firewall and Intrusion Detection Policy
      • Malicious Software Policy
      • Network Device Configuration Backup Policy
      • Network Security Monitoring and Controls Policy
      • Oracle New User Account Creation and Maintenance Policy
      • Oracle New User Password Policy
      • Password Control Policy
      • Physical Building Access and Badging Policy
      • Server Room Access Policy
      • Server Room Environmental Policy
      • System Security Policy
      • Generic Template
    • Spotlight: KnowledgeTree Document Management
      • KnowledgeTree Web Interface
        • The Dashboard View
        • DMS Administration View
          • Users and Groups
          • Security Management
          • Document Storage
          • Document Metadata and Workflow Configuration
          • Miscellaneous
        • DMS Administration View
          • Folder Details and Actions
          • Document Information and Actions
          • Other Actions
        • A Document Class Example
    • Case Study: NuStuff Electronics
      • Defining your own policies
      • Policy Approval Workflow
        • Workflow Roles
        • Workflow Activities
      • Defining your own policy approval workflows
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 7 What’s Second
    • Definition of Information Requirements
    • Evaluating Open Source In-House Expertise
      • Deployment and Support Proficiency
      • Addressing Deficiencies
    • Automation is the Name of the Game
      1. Identify Automated Solutions
      2. Acquire and Maintain Application Software
      3. Acquire and Maintain Technology Infrastructure
      4. Develop and Maintain Procedures
      5. Install and Accredit Systems
      6. Manage Changes
    • Working The List
      • Project Management is Key
    • VM Spotlight – Webmin
      • Webmin Users
        • Adding Users
        • Applying Security Rights
      • Fedora-DS Administrator, a Webmin Module
        • Managing Users
        • Managing Groups
        • Managing Hosts
      • Webmin Audit Trail
    • Case Study: Automation and Workflow
      • NuStuff Electronics Example Implementation: Intrusion Detection System
        • Availability and Security
        • Sustainability and Accountability
      • Infrastructure Change Request Workflow
        • Workflow Roles
        • Workflow Activities
      • Implementation Planning
        • NuStuff Electronics Snort IDS
          • Test Procedure
          • Production Procedure
          • Rollback Procedure
      • Implementation
      • Documentation
      • Other Change Management Workflow Examples
        • Firewall Change Request
          • Workflow Roles and Activities
        • Oracle Change Request
          • Workflow Roles and Activities
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 8 Are We There Yet?
    • All About Service
    • Delivery & Support
      1. Define and Manage Service Levels
      2. Manage Third-Party Services
      3. Manage Performance and Capacity
      4. Ensure Continuous Service
      5. Ensure Systems Security
      6. Identify and Allocate Costs
      7. Educate and Train Users
      8. Assist and Advise Customers
      9. Manage the Configuration
      10. Manage Problems and Incidents
      11. Manage Data
      12. Manage Facilities
      13. Manage Operations
    • Working The List
    • Service Level Agreements
      • What is a Service Level Agreement?
        • Template: Internal Service Level Agreement
        • Signoff and Approval
    • Managing The Infrastructure
      • Performance, Capacity and Continuity
        • Service and System Virtualization
          • Xen Virtual Machine
          • VMWare Server
        • High Availability and Load Balancing
        • Fault Tolerance
        • Uninterruptible Power
        • Security Considerations
      • Configuration Management and Control
        • Applying Changes
        • Rollback to Previously Known Good Configuration
      • Managing Systems and Applications
        • Identity Management
          • Password & Shadow Text File System
          • Network Information Systems (NIS)
          • Lightweight Directory Access Protocol
          • Kerberos
        • Systems and Network Devices
        • Databases and File Shares
        • Backup and Data Retention
        • Security Considerations
    • VM Spotlight – Subversion
      • Getting Data into your Repository
      • Using Apache to Expose Your Repository
      • Using the ViewVC Web Interface
    • Case Study: NuStuff Electronics Segregation of Duties
      • Operations Workflows
        • Account Activation Request
          • Workflow Roles
          • Workflow Activities
        • Account Termination Request
          • Workflow Roles
          • Workflow Activities
        • Oracle Account Activation Request
          • Workflow Roles
          • Workflow Activities
        • Oracle Account Termination Request
          • Workflow Roles
          • Workflow Activities
        • Data Access Request
          • Workflow Roles
          • Workflow Activities
        • Data Restoration Request
          • Workflow Roles
          • Workflow Activities
        • Report a Virus or Spyware
          • Workflow Roles
          • Workflow Activities
        • VPN Access Request
          • Workflow Roles
          • Workflow Activities
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 9 Finally, We’ve Arrived
    • Never Truly Over
    • Monitoring In Theory
      • PDCA – Deming
        1. Monitor the Processes
        2. Assess Internal Control Adequacy
        3. Obtain Independent Assurance
        4. Provide for Independent Audit
    • Working The List
    • Monitoring In Practice
      • System Monitoring
      • Configuration Monitoring
        • Syslog
        • Tripwire and AIDE
        • Kiwi Cat Tools
      • Compliance Monitoring
        • Annual Oracle Admin Review
        • Bi-Annual IT Policy Review
        • Monthly Data Restoration Test
        • Monthly Offsite Backup
        • Monthly Oracle Active User Review
        • Quarterly AV Inventory Review
        • Quarterly Environmentals Review
        • Quarterly File Permissions Review
        • Quarterly Infrastructure Change Review
        • Additional Workflows
    • VM Spotlight – Zabbix Monitoring System
      • Zabbix Architecture
      • Zabbix Example Linux Template
      • Zabbix Web Front End
        • Administration
        • Configuration
        • Monitoring
        • In Conclusion
    • Case Study: NuStuff – Oops, Still Not Right
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 10 Putting It All Together
    • Analysis Paralysis
    • Organization – Repositioning
    • Policies, Processes and SLAs
      • SOX Process Flow
    • Control Matrices, Test Plan & Components
      • Control Matrix
      • Gap and Remediation
      • Test Plan
        • What Makes a Good Test Plan
    • Return On Investment (ROI)
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Appendix A COBIT Control Objectives
    • Planning & Organization
    • Acquisition & Implementation
    • Delivery & Support
    • Monitoring
  • Appendix B ITIL Framework Summary
    • The Five ITIL Volumes
      • Service Strategy
      • Service Design
      • Service Transition
      • Service Operation
      • Continual Service Improvement
    • Service Support
    • Service Delivery
  • Appendix C GNU General Public Licenses
    • GPL Version III
      • GNU General Public License
      • Preamble
      • Terms And Conditions
        1. Definitions
        2. Source Code
        3. Basic Permissions
        4. Protecting Users’ Legal Rights From Anti-Circumvention Law
        5. Conveying Verbatim Copies
        6. Conveying Modified Source Versions
        7. Conveying Non-Source Forms
        8. Additional Terms
        9. Termination
        10. Acceptance Not Required for Having Copies
        11. Automatic Licensing of Downstream Recipients
        12. Patents
        13. No Surrender of Others’ Freedom
        14. Use with the GNU Affero General Public License
        15. Revised Versions of this License
        16. Disclaimer of Warranty
        17. Limitation of Liability
        18. Interpretation of Sections 15 and 16
    • GPL Version II
      • GNU General Public License
      • Preamble
      • Terms And Conditions For Copying, Distribution And Modification
        • 0
        • 1
        • 2
        • 3
        • 4
        • 5
        • 6
        • 7
        • 8
        • 9
        • 10
      • No Warranty
        • 11
        • 12

Reviews

Sarbanes-Oxley IT Compliance Using Open Source Tools

Reviewed by Roland Buresund

OK ***** (5 out of 10)

Last modified: June 9, 2008, 1:30 a.m.

More OSS primer than serious SOX book.

Granted, SOX (and in parts COBIT) is the red thread in this book, but it is more about describing great OSS programs and how they incidentally may help you fulfill SOX. It will most definitely not teach you anything useful about SOX or the traps and possible failures an implementation may bring.

It is nicely written, and some stories have been used to make it accessible, but it won't get more than a passing grade, as you must be a convert (to SOX and OSS) before you even try this one.
