Sarbanes-Oxley and Its Impact on IT Organizations
How Identity and Access Management Systems Can Play an Important Role in Sarbanes-Oxley Compliance
CA White Paper, June 2006

Table of Contents
Background
Sarbanes-Oxley: Section 404
The COSO Framework
COBIT Control Objectives
Conclusion
COBIT Compliance: The CA Solution
Appendix

Background

Among the most critical laws impacting public corporations passed in years is the Sarbanes-Oxley Act of 2002 (referred to as SOA throughout this paper), enacted on July 30, 2002 and signed into law by President George W. Bush. SOA was created by Congress in the wake of the major corporate accounting scandals that occurred in 2001 and 2002, notably Enron and Tyco, in an effort to restore investor confidence and to improve corporate governance and financial transparency.

There are many elements to SOA, including sections that were intended to enhance and tighten financial disclosures, improve "whistle-blower" processes, and the well-known requirement for the corporation's financial statements to be certified by the CEO and CFO. Very importantly, SOA also creates and expands on existing criminal penalties for misrepresentations. No longer will "I didn't know" provide any legal protection for management.

The primary focus of this white paper is on the impact of SOA requirements on an organization's IT systems, practices and controls. Specific IT areas that have relevance to SOA compliance activities include data center operations, system software maintenance, application development and maintenance, business continuity and application software integrity. One further critical area of IT control where the relevance of SOA is particularly high is in the control over application access through the use of identity and access management (IAM) processes and technologies. Given this broad area of potential impact on IT, it is clear that IT organizations often will have an important role to play in meeting the requirements of SOA.

IAM solutions, such as those available from CA, help to secure and administer access to enterprise information assets and business applications, including financial systems. IAM systems, in support of business processes, manage the digital identities of users who access assets so that access decisions can be made using the best available information about the user. Essentially, IAM systems bring together people, processes and technologies, enabling organizations to manage the lifecycle of relationships with internal and external users, from identity creation to access termination.
With regard to IT controls and the IAM processes needed for SOA compliance, there is limited specificity within the SOA legislation or the final rules adopted by the Securities and Exchange Commission (SEC) on June 5, 2003. Therefore, much of SOA compliance regarding IT controls has been left to interpretation by each company's management.

This paper provides a review of the IT control environment that compliance with SOA will require; the primary focus is on IAM for large companies. This paper also describes how specific functionality contained in the IAM solution from CA can be used by organizations to meet some of the requirements of SOA, and do so in a cost-effective and leverageable manner.

While the widespread use of IAM solutions for SOA-related compliance projects remains in the early stages, two points are clear:

- SOA will typically require the use of separate IT control frameworks to define what are sufficient IT controls, unlike other regulations with specific IT control requirements, such as HIPAA. Two control frameworks are described in this paper; and
- SOA will require close collaboration among Security and IT enterprise architects, whose focus is on general use of IAM across an enterprise, and finance, audit and regulatory compliance professionals and external accounting auditors, who must define, plan, execute and test for SOA compliance.

A key point of this paper is that there are important areas of overlap and that these groups should work closely together.

Sarbanes-Oxley: Section 404

There are many elements to the SOA legislation, but Section 404: Management Assessment of Internal Controls is the part that addresses the internal control over financial reporting, where IAM's related IT controls need to be carefully considered. Section 404 is creating a challenge for management and is one area where budget for addressing control issues is typically being directed. Compliance with Section 404 is also a challenge for the organization's external auditors, who now for the first time must sign off on management's assertions regarding the sufficiency of internal controls over financial reporting. This means that IAM-related IT controls are one area where the external auditors will be focusing close attention during their audit-related activities.

Assuming your company must comply with SOA, the internal control report must address, among other requirements, management's assessment of the effectiveness of the company's internal control over financial reporting. It must also include a statement as to whether or not the company's internal control over financial reporting is effective. As will be discussed below, many of the relevant internal controls can often be best addressed using IAM solutions.

If, for example, management could not adequately control who had access to financial systems, or did not know who had gained access and when, through a well-defined and documented, highly controlled and auditable IAM process, this could constitute a material weakness in the internal control over financial reporting.

There are many policies, procedures and technologies that might be part of internal controls over financial reporting that management must assess. What is it about the requirements published by the SEC that suggests that IAM solutions can contribute directly to SOA processes?

The COSO Framework

As was mentioned previously, the SOA legislation itself does not provide specific guidelines as to what is or is not an effective internal control. However, to provide some guidance to companies required to comply with SOA, the SEC identified the internal control framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as one framework that meets its criteria.
As seen in Figure 1 below, the COSO framework has three dimensions: the nature of the control objectives (e.g., operations, financial reporting, compliance); the organizational breadth of the company (e.g., enterprise level, business unit level, activity/process level); and the five components of effective internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring).

Using the COSO framework, the assessment of controls for financial reporting must address all five internal control components at the appropriate entity levels (e.g., enterprise level, business unit level) and the activity/process levels that relate to financial reporting. Certain IT processes, including what COSO defines as "Access Security Controls", clearly part of the IAM domain, must also be assessed under COSO.

In COSO, the access security control (the "AM" of IAM) processes that should be evaluated for sufficiency include critical activities such as: how individuals establish digital identities, how access rights are granted and monitored, how individuals are authenticated, and how passwords or other authentication mechanisms are used and managed.

Only evaluating the IAM controls of the financial systems that directly generate the financial reports is often not enough. Access to the other systems that are integrated with and directly feed the financial system typically also needs to be assessed. This broader view of access control is necessary due to the increased exposure and interdependency of IT systems in typical large organizations.

In the past, IAM controls were fairly simple from a design perspective, consisting of access control lists or simple password approaches. The business world in which organizations must compete today is vastly different than it was just a few short years ago. IT has evolved from providing relatively closed, centralized systems with few users to providing open, decentralized, Web-based systems that are used by many more customers, partners and employees. This evolution, not surprisingly, has placed a strain on existing IAM policies, procedures and technologies.

As the need for access to information from applications and databases by an ever-increasing set of internal users, external users and other IT systems (e.g., via Web services) has increased, the simple IAM process designs, practices and controls of the past are no longer able to meet what management should consider adequate as part of its SOA-mandated assessment of internal controls over financial reporting.

Senior management must provide reasonable assurances that the identified risks associated with IAM processes, which continue to increase with time, have been addressed through these new control designs. Furthermore, management must regularly validate the operational effectiveness of these new IAM-related controls over time.

[Figure 1. COSO Framework (source: COSO Internal Controls Integrated Framework). The cube's three axes are the five components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring), the control objectives (Operations, Financial Reporting, Compliance) and the organizational levels.]

COBIT Control Objectives

Despite the summary-level guidance discussed above, there is little in the COSO framework related to specific IT controls that are required to meet the goals of what COSO refers to as Control Activities. Given this, management should either look to industry "best practices", which are often subjective, or look to another controls-oriented framework from an authoritative source.

To answer this problem, many companies have begun to look to the Control Objectives for Information and related Technology (COBIT) framework published by the IT Governance Institute. The IT Governance Institute is affiliated with the Information Systems Audit and Control Association (ISACA). The focus of COBIT is to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors. Now in its 3rd edition, COBIT contains a broad set of IT control objectives that provide statements of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. Among these IT controls are many that are directly related to IAM processes and systems.

COBIT draws upon other business control frameworks for key definitions and principles, including COSO. As a result, COBIT provides an additional useful level of detail under the broad umbrella of the COSO framework. The COBIT control objectives are organized into four areas: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.

One of the key activities within the Delivery and Support area of COBIT that is highly relevant to SOA requirements in particular is an activity entitled "Ensure Systems Security". As is stated in COBIT, the purpose of this activity is to provide controls that safeguard information against unauthorized use, disclosure or modification, damage or loss through logical access controls that ensure access to systems, data and programs is restricted to authorized users.

Within Ensure Systems Security there are 22 discrete control objectives that COBIT has identified (see the list below). These objectives range from firewalls, virus protection and incident response, to user management, authentication and authorization control objectives. Of these 22 controls, over half relate directly to IAM systems and the IT control processes that they support.

Ensure System Security COBIT controls (source: COBIT 3rd Edition; * marks controls directly related to identity and access management systems):
- Manage Security Measures
- Identification, Authentication and Access*
- Security of Online Access to Data*
- User Account Management*
- Management Review of User Accounts*
- User Control of User Accounts*
- Security Surveillance*
- Data Classification
- Central Identification and Access Rights Management*
- Violation and Security Activity Reports*
- Incident Handling
- Re-accreditation
- Counterpart Trust*
- Transaction Authorization*
- Non-repudiation*
- Trusted Path
- Protection of Security Functions
- Cryptographic Key Management*
- Malicious Software Protection, Detection and Correction
- Firewall Architectures and Connections with Public Networks
- Protection of Electronic Value

It is reasonable to suggest that management will need to assess controls at this level of granularity before they feel that they can assert that controls regarding access to critical financial information have, in fact, been properly designed and are operating in an effective manner. As noted earlier, the organization's external auditor must attest to (i.e., sign off on) management's assertions about internal control over financial reporting. Therefore, it is also reasonable to anticipate that this level of granularity will be what the external auditors will expect to evaluate and test as part of an audit, especially in an IT control area as critical as how user identities are managed and how related access controls are provided for financial-related systems.

Conclusion

Many organizations are wrestling with the level of effort that will be required for SOA compliance. Armed with the information in this report, you should be in a good position to help address the IT control challenges your company faces and understand how IAM solutions, like those available from CA, can provide the foundation for the proper IT control environment in line with COBIT and COSO.

Fortunately, in addition to assisting with SOA requirements, there is a compelling business case for the implementation of IAM solutions that includes lower administrative costs, accelerated revenue growth, greater IT agility, improved application and data security, and enhanced end-user satisfaction and productivity. In the near term, however, the clear value in implementing an enterprise IAM system is in helping organizations to quickly and efficiently comply with recently enacted laws and regulations, such as SOA.

COBIT Compliance: The CA Solution

The control objectives within COBIT provide a sufficient level of detail to address the Control Activities component of COSO. IAM solutions, such as those from CA, should be evaluated at this level of detail if they are being considered as a part of a SOA compliance program.

The relevance to COBIT is best understood by mapping the functionality of the company's IAM solution to the relevant control objectives found in the COBIT framework. The Appendix to this white paper provides a table of the specific control objectives for each of the IAM controls noted in the above list and describes briefly how our IAM solution addresses the requirements.
It is important to note that determining the specific COBIT control objectives that might be adopted for SOA is a decision to be made by each company based on its specific business, existing systems and SOA interpretation. However, the COBIT list and the Appendix at the end of this paper do provide a baseline from which to begin this determination process.

CA provides an integrated IAM solution that is comprehensive in scope for legacy, web and service-oriented architectures. The CA IAM solution includes all the key technologies for a comprehensive, robust IAM solution. These include identity administration, resource provisioning, access management, and auditing/monitoring. These solutions constitute the most comprehensive IAM solution in the industry because they provide:
- Full integration across components
- Very broad platform support, from Web to mainframe
- Broad functional capabilities
- Extremely high scalability to even the largest customer environments

The CA IAM solution can be graphically represented as follows:

[Figure 2. The CA Identity and Access Management Solution. The diagram shows Identity Administration, Provisioning, Access Management and Auditing/Monitoring sharing common roles, policies, reporting and workflow; fed by the Help Desk, HR System and Directory; serving Customers, Partners, Employees and Contractors over the Internet and Intranet; and covering an enterprise infrastructure of physical assets (mobile phones, badges, PDAs, telephones), platforms (systems, system services, mainframes, system files), applications (SCM, ERP, SAP, custom), event logs and the supply chain.]

The solutions in the CA IAM suite include:

Identity Management and Provisioning

CA Identity Manager. CA Identity Manager's advanced user management and provisioning capabilities support the rapid development, deployment and management of sophisticated user and entitlement management software systems, enabling the efficient and secure delivery of essential web applications.

Access Management

eTrust SiteMinder. The eTrust SiteMinder advanced security policy and management capabilities, proven reliability and scalability support rapid development, deployment and management of sophisticated web security software systems, enabling the delivery of essential information and applications to employees, partners, customers and other users across the enterprise.

eTrust TransactionMinder. Similar to eTrust SiteMinder in architecture, eTrust TransactionMinder provides a secure and centralized, policy-based authentication and authorization management capability for Web services. eTrust TransactionMinder integrates with standard Web services frameworks and provides fine-grained access control for XML documents across multi-step business transactions.

eTrust Access Control. Delivers a consistently strong access policy across distributed platforms and operating systems. This solution provides policy-based control of who can access specific systems, applications and files; what they can do within them; and when they are allowed access. It also provides capabilities for management of root privileges for greater administrative security.

eTrust CA-ACF2 Security and eTrust CA-Top Secret Security. eTrust CA-ACF2 Security and eTrust CA-Top Secret Security enable controlled sharing of your mainframe computers and data, while preventing accidental or deliberate destruction, modification, disclosure and/or misuse of computer resources. They allow you to control who uses these resources, and provide you with the facts you need to monitor your security policy effectively. Unauthorized attempts to access resources are automatically denied and logged. Any authorized use of sensitive resources may also be logged for subsequent review.

eTrust Cleanup for CA-ACF2 Security and eTrust Cleanup for CA-Top Secret Security (eTrust Cleanup). eTrust Cleanup provides automated, continuous and unattended security file cleanup by monitoring security system activity to identify security definitions that are used and unused. It identifies access unused beyond a specified threshold and generates commands to remove that access.

Auditing/Monitoring

eTrust Security Command Center. eTrust Security Command Center is essential to proactively managing the complexities of an organization's security environment. Its technology enables security administrators to visualize, in near-real time, threats to financial systems or other systems, to identify vulnerabilities to financial systems, and to provide a Chief Security Officer or compliance officer with an integrated view of IT assets (for example, accounting or payroll).

eTrust Audit. eTrust Audit collects enterprise-wide security and system audit information and stores it in a central database for easy access and reporting. It consolidates data from UNIX and Windows NT servers as well as other eTrust products. Administrators use eTrust Audit for monitoring, alerting, and reporting information about user activity across platforms.

eTrust Vulnerability Manager. eTrust Vulnerability Manager offers automated services and technologies that combine vulnerability assessment, patch remediation and configuration remediation in an easily deployable appliance with a web-based user interface.

Appendix

COBIT IAM Related Controls and How CA IAM Addresses Them

Each entry below gives the COBIT control activity, the COBIT control objective, and the relevant CA functionality.

Control activity: Identification, Authentication and Access
COBIT control objective: The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources to access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons.
Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes).
Relevant functionality: CA Identity Manager provides identity creation and management services through delegated user administration, user self-service, integrated workflow, and a structured administrative model to enable role-based access control, thus providing an effective mechanism for managing users' access to protected resources.
eTrust SiteMinder provides control over what type of authentication method is used to protect a resource and how that authentication method is deployed and managed. By centrally managing all authentication systems and using the eTrust SiteMinder advanced authentication policy management capabilities, companies can deploy mixed authentication methods based on resource value and business needs, thus providing the right level of protection for a given resource.
eTrust Access Control provides strong access management for host-based resources, protecting servers from unauthorized access to files, databases, and system repositories. It also provides strong login controls (the mechanism and location used to log in) and password controls (policies for the format, length, and re-use of user passwords). eTrust Access Control also provides granular assignment of superuser (root or Administrator) access rights to each individual, so that the security risks inherent in excessive administrator entitlements are eliminated.

Control activity: Security of Online Access to Data
COBIT control objective: In an online IT environment, IT management should implement procedures in line with the security policy that provides access security control based upon the individual's demonstrated need to view, add, change or delete data.
Relevant functionality: CA's eTrust IAM solution provides security and access management based on policies that are built around the user and his/her role with the organization and his/her corresponding need to interact with protected resources. eTrust Access Control also controls access to all files and databases residing on host systems.

Control activity: User Account Management
COBIT control objective: Management should establish procedures to ensure timely action relating to requesting, establishing, issuing, suspending and closing of user accounts. A formal approval procedure outlining the data or system owner granting the access privileges should be included. The security of third-party access should be defined contractually and address administration and non-disclosure requirements. Outsourcing arrangements should address the risks, security controls and procedures for information systems and networks in the contract between the parties.
Relevant functionality: CA Identity Manager is designed specifically to address the challenges of user management (requesting, establishing, issuing, suspending and closing of user accounts). Once a user has a digital identity, whether it is a company officer, a business partner, an employee, or a casually interested customer, access to corporate resources can be managed while safeguarding proprietary resources. CA Identity Manager provides an integrated workflow capability that is used to manage user access requests through a formal and efficient approval process. CA Identity Manager also provides a flexible, role-based, delegated user administration capability that is used to more efficiently manage changes, suspensions and terminations to user access.
Using eTrust SiteMinder, security policies can be defined and enforced centrally to make sure that third-party access to applications is sufficiently controlled.
Federated IAM environments (including the integration with outsourcers) are expanding to provide a trusted environment, including third parties. CA's solutions support these federated models through SAML and through initiatives such as the Liberty Alliance and others.

Control activity: Management Review of User Accounts
COBIT control objective: Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be made to help reduce the risk of errors, fraud, misuse or unauthorized alteration.
Relevant functionality: Significant auditing and reporting capabilities enable the review of user access privileges and how they have used those privileges in the past. As an example, eTrust SiteMinder audits all user and site activity, including all authentications and authorizations, as well as administrative activity. In addition, CA Identity Manager provides data and reports regarding the current entitlement level of a user or groups of users. Cumulatively, these reports can be used to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.
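As an added example (this is not code from the paper or from any CA product), the following Python script performs the periodic review that the User Account Management and Management Review of User Accounts objectives above describe, together with the dormant-access cleanup that the eTrust Cleanup description earlier in the paper attributes to that product. It reconciles the entitlements an access-control system holds against an HR feed and an owner-approved role matrix, flags accounts with no active employee behind them, entitlements outside the person's role, and entitlements unused beyond a threshold, and generates revoke commands for an administrator to review. The users, roles, entitlements, dates and the `revoke` command syntax are all constructed assumptions.

```python
"""Periodic user-access review (added example; not CA's code).

Reconciles the sources a reviewer pulls together:
  * an HR feed        - who is an active employee and in which role
  * a role matrix     - which entitlements each role is approved for
  * recorded access   - the entitlements the access-control system holds
  * last-use evidence - most recent use of each entitlement in audit logs
and emits findings plus revoke commands for an administrator to review.
All names, roles, entitlements, dates and the command syntax are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2006, 6, 1)   # constructed review date
DORMANT_DAYS = 90                # constructed "unused beyond threshold" limit

# Constructed HR feed: user -> employment status and approved business role.
HR_FEED = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob": {"status": "active", "role": "auditor"},
    "carol": {"status": "terminated", "role": "controller"},
}

# Constructed role matrix: the owner-approved entitlements for each role.
ROLE_MATRIX = {
    "ap_clerk": {"gl:read", "ap:post"},
    "controller": {"gl:read", "gl:post", "gl:close"},
    "auditor": {"gl:read"},
}

# Constructed export of what the access-control system actually holds.
RECORDED_ACCESS = [
    ("alice", "gl:read"), ("alice", "ap:post"), ("alice", "gl:close"),
    ("bob", "gl:read"), ("carol", "gl:post"), ("dave", "gl:read"),
]

# Constructed last-use dates taken from audit logs (absent = never used).
LAST_USED = {
    ("alice", "gl:read"): date(2006, 5, 20),
    ("alice", "ap:post"): date(2006, 1, 10),
    ("bob", "gl:read"): date(2006, 5, 30),
}


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str


def review_access(hr, role_matrix, recorded, last_used, today,
                  dormant_days=DORMANT_DAYS):
    """Return one Finding per recorded entitlement that fails the review.

    Checks, in order: the account belongs to an active employee (timely
    closing of accounts), the entitlement is approved for that employee's
    role (comparison of resources with recorded accountability), and the
    entitlement has been used within the dormancy threshold.
    """
    findings = []
    for user, entitlement in recorded:
        person = hr.get(user)
        if person is None or person["status"] != "active":
            findings.append(Finding(user, entitlement,
                                    "no active employee behind this account"))
            continue
        if entitlement not in role_matrix.get(person["role"], set()):
            findings.append(Finding(user, entitlement,
                                    f"not approved for role {person['role']}"))
            continue
        used = last_used.get((user, entitlement))
        if used is None or (today - used).days > dormant_days:
            findings.append(Finding(user, entitlement,
                                    f"unused for more than {dormant_days} days"))
    return findings


def revoke_commands(findings):
    """Render findings as commands for an administrator to review first.

    The 'revoke' syntax is hypothetical; a real deployment would emit the
    native commands of its own access-control system.
    """
    return [f"revoke --user {f.user} --entitlement {f.entitlement}  # {f.reason}"
            for f in findings]


def run_review(today=REVIEW_DATE):
    """Run the review over the constructed data and return the findings."""
    return review_access(HR_FEED, ROLE_MATRIX, RECORDED_ACCESS, LAST_USED, today)


if __name__ == "__main__":
    for command in revoke_commands(run_review()):
        print(command)
```

The script treats an entitlement with no recorded use as dormant; a production review would also compare the grant date, so that recently granted but not-yet-used access is not revoked, and would route the generated commands through the formal approval workflow rather than executing them unattended.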
Control activity: User Control of User Accounts
COBIT control objective: Users should systematically control the activity of their proper account(s). Also, information mechanisms should be in place to allow them to oversee normal activity as well as to be alerted to unusual activity in a timely manner.
Relevant functionality: Through user self-service and detailed reporting, users can be aware of the systems and data they have access to and whether their identities and authentication have been compromised. Also, administrators can be alerted to any unusual behavior concerning protected resources.

Control activity: Security Surveillance
COBIT control objective: IT security administration should ensure that security activity is logged and any indication of imminent security violation is reported immediately to all who may be concerned, internally and externally, and is acted upon in a timely manner.
Relevant functionality: The company's IAM solution provides in-depth auditing and reporting capabilities to support granular information collection and analysis on access and user entitlements. Activity, intrusion and audit information are provided to enable the tracking of imminent and past security violations. As an example, eTrust SiteMinder tracks user sessions so administrators can monitor the resources being accessed, how often users attempt access to particular resources and how many users are accessing certain applications.
eTrust Access Control provides extensive and configurable logging capability, so that all access events and administrator actions can be audited and tracked.
eTrust Security Command Center can also provide an automated vulnerability analysis of the network, so that un-remediated vulnerabilities can be isolated and corrected.

Control activity: Central Identification and Access Rights Management
COBIT control objective: Controls are in place to ensure that the identification and access rights of users, as well as the identity of system and data ownership, are established and managed in a unique and central manner to obtain consistency and efficiency of global access control.
Relevant functionality: Centralized controls and processes can be established to manage the creation and management of identities and the creation and management of fine-grained access management using role-based access control (RBAC). Centralized identity management and access control provides both greater efficiency and greater security.
eTrust Access Control provides centralized role-based management of all user access policies for host-based resources. It also prevents excessive superuser entitlements by providing granular assignment of specific superuser rights to each administrator.

Control activity: Violation and Security Activity Reports
COBIT control objective: IT security administration should ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. The logical access to the computer resources accountability information (security and other logs) should be granted based on the principle of least privilege, or need-to-know.
Relevant functionality: The company's IAM solution provides both preventive and detective methods of control through fine-grained policy deployment, authentication and authorization functionality, and detailed auditing and reporting functionality. Access to the accountability information can be controlled, and access to protected resources can be granted, based on the role of the person. Roles and the application entitlements that come with them can be granted based on whatever principle meets the organization's requirements.

Control activity: Counterparty Trust
COBIT control objective: Organizational policy should ensure that control practices are implemented to verify the authenticity of the counterparty providing electronic instructions and transactions. This can be implemented through trusted exchange of passwords, tokens or cryptographic keys.
Relevant functionality: eTrust SiteMinder provides for the management of many authentication technologies including passwords, tokens, X.509 certificates, custom forms and biometrics, as well as combinations of authentication methods. Thus, eTrust SiteMinder can be used to match the appropriate authentication mechanism to the resource's importance to the organization, providing just the type of authentication needed to meet the organization's requirements.

Control activity: Transaction Authorization
COBIT control objective: Organizational policy should ensure that, where appropriate, controls are implemented to provide authenticity of transactions and establish the validity of a user's claimed identity to the system. This requires use of cryptographic techniques for signing and verifying transactions.
Relevant functionality: eTrust TransactionMinder secures Web services transactions to ensure that the requestor is properly authorized.
In addition, the eTrust IAM solutions support strong encryption of the data and control information that they process.

Non-Repudiation
COBIT Control Objective: Organizational policy should ensure that, where appropriate, either party cannot deny transactions and controls are implemented to provide non-repudiation of origin or receipt, proof of submission and receipt of transactions. This can be implemented through digital signatures, time stamping and trusted third parties, with appropriate policies that take into account relevant regulatory requirements.
Relevant Functionality: eTrust SiteMinder supports a wide range of authentication approaches to ensure that repudiation is not a problem. eTrust SiteMinder authentication policies give security administrators unique management capabilities to mix and match authentication methods and brand/customize the authentication form. Both eTrust TransactionMinder and eTrust SiteMinder ensure transaction non-repudiation by recording every transaction so that a complete audit trail, including the authentication information that was provided, is available in situations where repudiation could be an issue.

Copyright 2006 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document AS IS without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
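The Transaction Authorization and Non-Repudiation rows above rest on the same mechanism: a digital signature over the transaction, a time stamp, and an audit trail of what was verified. The following Go program is an added example, not code from CA or from this paper; the SignedTransaction record format, the choice of Ed25519, the key registry and the names Sign and Verify are assumptions, since the paper does not specify any of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// SignedTransaction is a constructed record format (an assumption for this example):
// the signature covers signer, time stamp and payload, so none can change afterwards.
type SignedTransaction struct {
	Signer    string
	Timestamp time.Time
	Payload   []byte
	Signature []byte
}

// canonical returns the exact bytes that are signed and later verified.
func canonical(signer string, ts time.Time, payload []byte) []byte {
	return []byte(signer + "|" + ts.UTC().Format(time.RFC3339Nano) + "|" + string(payload))
}

// Sign binds the transaction to the requestor's private key and to a time stamp.
func Sign(signer string, priv ed25519.PrivateKey, payload []byte, now time.Time) SignedTransaction {
	ts := now.UTC()
	return SignedTransaction{Signer: signer, Timestamp: ts, Payload: payload,
		Signature: ed25519.Sign(priv, canonical(signer, ts, payload))}
}

// Verify checks the signature against the public key registered for the claimed
// signer and, on success, returns the audit-trail line that should be recorded.
func Verify(tx SignedTransaction, registry map[string]ed25519.PublicKey) (string, error) {
	pub, ok := registry[tx.Signer]
	if !ok {
		return "", errors.New("no registered key for signer " + tx.Signer)
	}
	if !ed25519.Verify(pub, canonical(tx.Signer, tx.Timestamp, tx.Payload), tx.Signature) {
		return "", errors.New("signature does not verify: altered or not from " + tx.Signer)
	}
	return fmt.Sprintf("%s signer=%s sig=%x payload=%q", tx.Timestamp.Format(time.RFC3339Nano),
		tx.Signer, tx.Signature, tx.Payload), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	tx := Sign("alice", priv, []byte("transfer 100 to acct 42"), time.Now())
	fmt.Println(Verify(tx, map[string]ed25519.PublicKey{"alice": pub}))
}
```

Because the time stamp is inside the signed bytes, backdating a recorded transaction fails verification just as changing its payload does.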
Cryptographic Key Management
COBIT Control Objective: Management should define and implement procedures and protocols to be used for generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure. If a key is compromised, management should ensure this information is propagated to any interested party through the use of Certified Revocation Lists or similar mechanisms.
Relevant Functionality: eTrust SiteMinder supports integration with hardware security modules (HSMs) for greater security in encryption key storage and use. In addition, eTrust SiteMinder supports Certificate Revocation List (CRL) processing. Typically, this requires finding the CRL in a directory and searching it to ensure the current certificate has not been revoked. Furthermore, eTrust SiteMinder supports the use of OCSP for real-time certificate validation.

Malicious Software Prevention, Detection and Correction
COBIT Control Objective: Management should define and implement procedures to ensure that critical systems are not vulnerable to malicious software such as viruses and other attacks.
Relevant Functionality: eTrust Integrated Threat Management provides comprehensive antivirus and anti-spyware capabilities. Anti-spam is also available through the CA Secure Content Manager. eTrust Access Control also provides self-integrity checking, so that Trojan horse access control components cannot be introduced into an environment.
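The Cryptographic Key Management row above describes CRL processing as finding the CRL and searching it for the current certificate. The Go program below is an added example, not CA's code: it checks a serial number against a CRL, and before trusting the list it verifies the CRL's signature against the issuer and rejects a list that is past its NextUpdate time. The issuing CA, its name, the serial numbers and the validity periods are a constructed in-memory fixture so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckRevocation is the CRL processing described above: confirm the CRL is signed by
// the issuer and still current, then search it for the certificate's serial number.
func CheckRevocation(serial *big.Int, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) { // a stale CRL proves nothing; a fresh copy must be fetched
		return fmt.Errorf("CRL expired at %s", crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return fmt.Errorf("serial %s revoked at %s", serial, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// BuildTestCRL constructs an in-memory issuing CA and a CRL listing the given serials (made-up fixture, not a real CA).
func BuildTestCRL(revokedSerials ...*big.Int) (*x509.Certificate, []byte, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture key; failures surface from CreateRevocationList below
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	issuer, _ := x509.ParseCertificate(der) // the parsed form carries the SubjectKeyId that CreateRevocationList needs
	var revoked []pkix.RevokedCertificate
	for _, s := range revokedSerials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour), RevokedCertificates: revoked}, issuer, key)
	return issuer, crlDER, err
}
```

A certificate is only accepted when the CRL passes both the signature and freshness checks and its serial is absent from the list; a CRL from any other signer is rejected outright.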
