SOX And PCI Compliance

Network security, internal controls, data integrity — these are obvious and essential goals for companies. Yet in the past few years, the demands associated with these basic goals have taken on a whole new level of importance – and stringency – due largely to the following two compliance standards:

The Sarbanes-Oxley Act (SOX) — Enacted in 2002, Section 404 of this law requires IT organizations of publicly-traded companies to focus on the establishment of internal controls over the creation of financial reports

The Payment Card Industry Data Security Standard (PCI DSS) — Mandated in 2004, this standard evolved from the 2001 Visa Cardholder Information Security Program (CISP). It is now considered the security compliance standard for all major US credit cards.

• SOX / PCI Consulting Services Data Sheet [PDF]
• SOXS / PCI Compliance FAQs [PDF]
• Professional Services Consulting Services Data Sheet [PDF]

Whether your organization is

• Working toward compliance with any or all of the above standards programs
• Concerned about maintaining compliance in the face of your next audit
• Focusing on remediation for non-compliant features

Xinuos offers the following pre-packaged services to assist you in realizing your compliance goals:

• Secure centralized user account administration
• Secure log consolidation, rotation and integration into MySQL database
• Host-based intrusion detector for Xinuos operating systems
• Automatic updating of security supplements and other important software, distribution to Xinuos systems on a network, and logging of changes

Xinuos can also assist with consultation services tailored to your specific needs.

Secure, Centralized User Account Administration

• Xinuos will provide customized Account Management tools specifically suited to your needs, allowing central administration and consolidation of user accounts, passwords, password-aging, discretionary access control, access control lists (DAC ACLs), user home directories and other data.
• Xinuos will provide secure transport/tunnel technology through IPsec, customized for the Xinuos operating systems you are running, to seamlessly encrypt all IP packets within your Xinuos-based network.
• Xinuos will provide detailed configuration assistance through customized written documentation and, if desired, onsite assistance, demonstration, and training.

Secure Log Consolidation and Rotation

• Xinuos will provide a customized package that couples to an external, independent MySQL 4 or 5 database. The logging subsystem will consolidate syslog output onto a central server in real time, with built-in reporting and archiving capabilities.
• Xinuos will supply technology to consolidate other external, independent logging subsystems, such as process accounting or webserver logs, into a database repository such as MySQL
• Xinuos will customize the solution to meet your specific requirements
• Configuration assistance through written documentation or onsite assistance/training can be provided.

Host-Based Intrusion Detector for Xinuos Systems

• Xinuos will customize or port a file integrity monitor for your SOX or PCI needs.
• File integrity monitoring as specified under item #11 of the latest official PCI standard.
• Configuration assistance through written documentation can be provided, including sample rulesets and templates.

Automatic Updating Of Security Supplements And Other Important Software

• Xinuos will customize Xinuos's tools to automatically detect and install security patches on the server.
• The solution can be used in standalone mode or as a patch/supplement distribution service to remote clients on your network.
• Customizable to monitor the system security, operating system and/or third party software maintenance and updates.
• Configuration assistance through written documentation can be provided

NOTE: Any of the constituent features of the above packages can be offered separately or in combination to suit your needs. Please contact Xinuos Professional Services for more information.

Contact Consulting Services Directly

eMail	consulting@sco.com
US Toll Free:	800.366.UNIX (800.366.8649)
EMEIA Tel:	+44 8700 994 992 (UK)
UK Toll:	+44 (0) 1707226 014

What Is The Sarbanes-Oxley Act?

The Sarbanes-Oxley Act was signed into law on 30 July 2002. The Act is designed to oversee the financial reporting landscape for finance professionals. Its purpose is to review legislative audit requirements and to protect investors by improving the accuracy and reliability of corporate disclosures. The act covers issues such as establishing a public company accounting oversight board, auditor independence, corporate responsibility and enhanced financial disclosure. It also significantly tightens accountability standards for directors and officers, auditors, securities analysts and legal counsel. The law is named after Senator Paul Sarbanes and Representative Michael G. Oxley.

The Sarbanes-Oxley Act affects corporate governance in publicly owned companies in the areas of ethics, reporting and auditing. The Act was created to protect the interests of investors and further the public interest in the preparation of informative, truthful, and independent audit reports. Section 404 of the Sarbanes-Oxley mandates that companies document, control, and secure business processes that directly and materially contributes to reported financial results.

The Sarbanes-Oxley legislation has created a greater need for businesses to have controls of both manual and automated processes used to generate financial reports.

Appropriate controls must be in place so that secure and well-managed access to business information wherever it resides is protected, trusted, and ensured. Information technology controls are needed to assure the reliability of automated systems used in the collection and reporting of financial information.

What Is The PCI DSS?

In 2004, the credit card associations Visa USA, Mastercard International, American Express and Discover aligned their individual policy protection programs to create the Payment Card Industry Data Security Standard (PCI DSS). This alignment in standards provided an industry-wide framework that complemented each association’s individual security policies— MasterCard’s Site Data Protection program (SDP), Visa’s Cardholder Information Security Program (CISP), American Express Data Security Operating Policy (DSOP), Discover Information Security and Compliance (DISC).

The Payment Card Industry Data Security Standards are a multi-faceted approach to the protection of cardholder data. The requirements provide a list of mandates designed to increase the overall level of security in the Payment Services Industry. The objective of these requirements is to encourage companies to enact measures that protect cardholder information.

While all of the requirements are strict, there are four major categories of requirements that often cause turmoil in the compliance project. They are Auditing and Logging, Standard Configurations (Application and Host Integrity), Access Controls, and Encryption.

*Lengths of consulting engagements are averages, and may vary from the actual length of your professional services engagements.