Microsoft's Web site does cover compliance

23.06.2005
By Oliver Rist

Recently, a fellow IT geek was complaining about Microsoft's lack of information regarding the compliance bogeyman. His face flushed, he practically spit the last drops of his beer across the table at me, snapping "Where is Microsoft's Sarb-Ox [Sarbanes-Oxley] compliance guide? You can't find anything on their site."

I calmed him down with another Bass and pointed out a few things:

First, Microsoft spokespeople have told me that Redmond doesn't as yet "do" compliance directly. And even if the company did, it considers compliance work a natural fit for its army of partners.

That said, however, you can find within Microsoft's Web vault the information you need to weather a Sarb-Ox audit. You just can't find it by searching for "compliance." (I'll get to those documents in a moment.)

Like most compliance regulations, Sarb-Ox is fairly vague in the specifics of what it demands from IT security personnel. Vague enough that if you're paying a reasonable amount of attention to IT security and matching that up against your business process, you've probably already passed the Sarb-Ox requirements, at least from an IT standpoint.

But like I said, the trick, really, is in matching security against your business process. An example might be a medical office. Let's say the IT guru does the strong-password thing, the secure-firewall thing, and the strict-permissions-on-electronic-health-records thing. But after all that, he doesn't tell the company's phone operators not to give medical details to strangers over the phone. Pow! He's still going to fail his HIPAA (Health Insurance Portability and Accountability Act) audit.

What makes Sarb-Ox and similar regulations so scary (and yet tantalizingly lucrative) to consultant folks like me isn't the IT security part. Frankly, that's pretty easy. It's the analysis and documentation that makes things difficult -- especially for consultants who might have several dozen customers with completely different types of businesses. We can't just lock down the PCs, servers, and firewalls and expect to have done our compliance-consulting gig. We need to spend varying amounts of time with each client, making sure we understand what they're doing, and even more important, how they're doing it. Then we backtrack to how the network and IT infrastructure fit in, and only then can we make sure we've really locked everything down and do our final documentation for the vultur--, er, auditors.

Let me point out to my froth-launching buddy that he actually is in a better position than he thinks; he just needs to buckle down and do his homework. He's in-house IT. He's only got one business process to worry about. So drink a little less beer, schedule some meetings with frontline business managers and supervisors, and start mapping out who's doing what and when.

For its part, Microsoft has quite a bit of Windows-specific security documentation available even for non-TechNet subscribers. A great document that was just recently made available is "The Services and Service Accounts Security Planning Guide." Available for open download from Microsoft's Web site, this large document lets IT administrators understand the details of Windows service permissions under Windows Server 2003 and Windows XP. The doc shows you how to identify services that are unnecessary, as well as those running under accounts (LocalSystem in particular) with far more privilege than the service actually needs -- and then shows you how to lock those down. This is not only a great help against the Sarb-Ox storm, but is also a real help when planning large deployments of new applications.
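The first step the guide asks for, an inventory of which services run, how they start and under which account, is easy to script. The following is an added example and not code from the Microsoft guide or from the original column; it assumes a Windows host with PowerShell 5.1 or later and CIM access, and the allow-list of reviewed services is a constructed placeholder you would replace with your own documented exceptions.

```powershell
# Added example (not from the Microsoft guide): inventory Windows services by
# logon account and start mode, and flag the ones most worth reviewing.
# Assumes PowerShell 5.1+ with access to the Win32_Service CIM class.

# Constructed allow-list: services this organisation has already reviewed and
# documented as legitimately needing LocalSystem. Replace with your own.
$ReviewedSystemServices = @('EventLog', 'Schedule', 'Winmgmt')

# Win32_Service reports LocalSystem as 'LocalSystem'; the second spelling is
# kept in case a service was registered with the explicit account name.
$privilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

$services = Get-CimInstance -ClassName Win32_Service

$report = foreach ($svc in $services) {
    $runsAsSystem = $privilegedAccounts -contains $svc.StartName
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State        # Running / Stopped
        StartMode   = $svc.StartMode    # Auto / Manual / Disabled / Boot / System
        Account     = $svc.StartName
        # Highest priority: auto-start, running as LocalSystem, not yet reviewed.
        # Next: enabled but not running, which is a candidate for disabling.
        Finding     = if ($runsAsSystem -and $svc.StartMode -eq 'Auto' -and
                          $ReviewedSystemServices -notcontains $svc.Name) {
                          'Review: auto-start as LocalSystem'
                      } elseif ($svc.State -eq 'Stopped' -and $svc.StartMode -ne 'Disabled') {
                          'Candidate to disable: enabled but not running'
                      } else {
                          ''
                      }
    }
}

# Only rows with a finding; the empty-string Finding is falsy and drops out.
$report | Where-Object Finding | Sort-Object Finding, Name |
    Format-Table Name, StartMode, Account, Finding -AutoSize

# Lock-down steps of the kind the guide describes, shown here for reference
# with placeholder names. Run them only after you have confirmed the finding.
#   Set-Service -Name 'SomeUnneededService' -StartupType Disabled
#   sc.exe config SomeService obj= 'DOMAIN\svc-someservice' password= '...'
```

The point of keeping the allow-list in the script is the documentation angle the column keeps coming back to: every LocalSystem service that is not on the list is either a change to make or an exception to write down, and the auditor gets the list either way.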

Another great document Microsoft published earlier this month is "The Security Monitoring and Attack Detection Planning Guide." This is a hands-on document, so you'll need some IT experience to make the most of it. Within that framework, though, it's a great support document for IT staffers looking to lock down their Windows-based infrastructure using tools already inherent in the platform. It's chock-full of best practices, methods for detecting and stopping security violations, and ways to find potentially dangerous applications on your network and what to do about them.
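The kind of detection the guide builds on the platform's own tooling is the Security event log, and the classic case is spotting password guessing from repeated failed logons. The script below is an added example, not code from the Microsoft guide or from the original column. It assumes a host running PowerShell 5.1 or later with logon-failure auditing enabled, uses event ID 4625 (the failed-logon record on current Windows versions), and the time window and threshold are assumptions to tune for your environment.

```powershell
# Added example (not from the Microsoft guide): group failed logons from the
# built-in Security log by source address and account, and report the pairs
# that cross a threshold. Save as Find-LogonFailures.ps1 and run with -Hours
# and -Threshold as needed. Assumes PowerShell 5.1+ and audit logon failures on.

param(
    [int]$Hours     = 24,   # assumed look-back window
    [int]$Threshold = 10    # assumed failures per source/account pair to flag
)

$since = (Get-Date).AddHours(-$Hours)

# FilterHashtable pushes the filter into the event log API instead of
# pulling every Security event into PowerShell and filtering there.
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $failures) {
    # The EventData section carries named Data elements; map name -> value.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $d['TargetUserName']
        Source    = $d['IpAddress']
        # SubStatus tells the two common cases apart:
        #   0xC000006A wrong password, 0xC0000064 user name does not exist
        SubStatus = $d['SubStatus']
        LogonType = $d['LogonType']   # 3 = network, 10 = remote interactive (RDP)
    }
}

$rows | Group-Object Source, Account |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Source';  e = { $_.Group[0].Source } },
        @{ n = 'Account'; e = { $_.Group[0].Account } },
        @{ n = 'First';   e = { ($_.Group.Time | Sort-Object)[0] } },
        @{ n = 'Last';    e = { ($_.Group.Time | Sort-Object)[-1] } } |
    Format-Table -AutoSize
```

A run of 0xC0000064 results against many different account names from one source is account enumeration rather than a forgotten password, which is why the sub-status is carried through rather than just the count.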

OK, none of these documents has the word "compliance" in the title, but they"re certainly enough to get IT administrators on the right track fast, as long as they know their network as well as their business. Now that"s getting to the bottom of it all.