Auditing and Reporting Regulatory Compliance using MOM and ECC ECAR

Published: June 14, 2006

by Robert Williams and Mark Walla, Managing Partners, Enterprise Certified Corporation

See other Security MVP Article of the Month columns.

Dealing with the specter of regulatory compliance has become a standard part of IT operations. As regulators make their way through their exhaustive check lists, IT professionals commonly find themselves combing through volumes of log files and other archival data to prove compliance. The CIO of a large system integrator confided about a recent experience in which a young brash examiner ordered a series of random checks on a sample set of servers and users. In order to respond, the IT department had to dedicate several weeks of staff time to pull the needed data from event logs. Fortunately, the audited Microsoft Windows Servers and related applications had produced the log data required to generate a forensic trail, justifying the account creation and deletion for the sampled user accounts. However, the associated cost of manual retrieval brings into question not only the availability of the data, but how it is organized for future reference and mapped to regulatory compliance requirements.

In this article, we examine the management of event log data when responding to regulatory auditors. Specifically, organizations can audit and report IT security–related events when complying to regulations like Sarbanes-Oxley (SOX), FISMA, HIPAA, and GLBA with tools like Microsoft Operations Manager (MOM) and SQL Server Reporting Services combined with third-party applications like Enterprise Certified Corporation’s Enterprise Compliance Auditing and Reporting (ECC ECAR™).

These domestic regulations, together with their international counterparts, all assume that organizations will apply IT security best practices. Before venturing further, IT professionals should familiarize themselves with at least several of the practices defined by the NIST 800 (specifically SP 800-53 and 800-66), ISO 17799, CoBits, and the COSO framework. Applying these standard and associated regulations to the daily environment should provide a foundation to build a sound compliance response mechanism.

The key objective in establishing compliance auditing and reporting is to develop a process that is measurable, sustainable, and repeatable.

Translating Vague Requirements to Specific Events

IT managers are confronted with the responsibility for compliance that often involves guesswork to determine precisely what might be expected. This is particularly true with Sarbanes Oxley 404. Other regulations are much better defined, such as FISMA (Federal Information Security Management Act), which is supported by the NIST SP 800-53 recommendations. NIST breaks down security controls into three safeguard families: management, operational, and technical. The protection of the confidentiality, integrity, and availability of systems and information is the overriding objective. Among these safeguards, the technical and some of the operational recommendations provide a strong framework to organize IT security–related event auditing and reporting for compliance purposes.

Even with the benefit of these specifications, the use of IT events is not trivial. It is possible to map these recommendations to known IT security events to measure current compliance levels and track compliance-related activities providing historic trend analysis. Let’s look at two examples using FISMA:

  • FISMA/NIST Recommendation AC-2 deals with Access Management Controls that manages “information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.” What does these mean in terms of IT security events generated by Windows Server? Out of the more than 175 possible Windows Server security-related events, 15 appear to have a direct relationships to account management, including Event ID 645 (computer account was created) and Event ID 646 (computer account was changed).

  • FISMA/NIST Recommendation AC-3 deals with Access Control that seeks to make sure that the “information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.” This differs from AC-2 in that it assumes the systems were properly created and configured and that AC-3 access to these systems are then properly managed. Again, Windows Servers as local systems and as part of an Active Directory infrastructure create event logs that can help establish the type of requirement are in place. There are 28 Windows IT Security Events that can commonly be associated with AC-3 recommendations such as Event ID 621 (system Access was granted) and Event ID 622 (system Access was removed).

The logical mapping of Windows Server IT Security–related events to each of the regulatory compliance requirements provides a framework for assessment. Unfortunately, this process is not as clean as the examples above and will need to be modified for each regulation. Once you categorize events for each regulation, you will then need to determine which servers, organizational units, and domains are covered by the specific regulation. Then the issue of collecting and managing the event data comes into play. The end is achievable, but will a database structure coherently manage the output and appropriate reports in a meaningful way? This is where MOM and ECC ECAR can streamline the process.

Using MOM and ECC ECAR

The selection and employment of appropriate security controls for an information system is fundamental. A major challenge for IT professionals is to measure SOX compliance with repeatable audits and processes that produce measurable and accurate reports. The Windows Server platform can be configured to generate security events as users access electronic data and perform job-related activities for manual review in log files. However, this process is time-consuming and ad hoc.

What is required is a method to collect events in a central repository (categorized around regulations and best practices), to secure the data for archival integrity, and to offer a consistent reporting facility that can be of equal value to internal review teams and government examiners. Ideally, this framework should also support a knowledge base that identifies the applicable regulatory requirements, related and supportive best practices, and the actions tracked by the individual security event.

The Microsoft Operations Manager monitors Windows Server health and collects event information. Working in conjunction with SQL Server, MOM provides both tactical and archival storage facilities. If an administrator decides to track Security Event ID 621 (system access was granted), for example, MOM will collect the event based on criteria established in an Event Rule. This rule is then associated with a server, groups of systems, or domains. Event Rules are organized around a framework known as Rule Groups, which permit a logical segmentation of compliance events. The MOM Administrative Console is used to create and organize Rule Groups and Event Rules and associate them with Computer Groups (see Figure 1). The collection process will begin as the MOM agent is deployed to the selected servers. The event data is initially stored in a staging database using SQL Server for real-time monitoring of server health. Periodically the event data is directed to another database for long-term archival and reporting purposes. This information can be used to demonstrate compliance during spot checks and external audits using SQL Server Reporting Services to generate Web-based forms for sorting and filtering. Selected data may also be exported to a variety of formats, including paper printout.

Another valuable function of MOM is its ability to monitor and alert in real time on key events. Working through the Operations Console, Event Views can be created for one or a collection of events that can be associated with the alert, task, state functionality of MOM. This is also important relative to compliance in that it is possible to demonstrate a proactive environment that is set up to mitigate activities of potential harm.

The process of creating Event Rules is a straightforward process. However, the task of understanding the nuances of the regulations and then associating them with more than 175 Windows IT Security Event is daunting. The creation of appropriate reports will also involve the engagement of SQL Server development talent. However, an alternative to internal development is to use the MOM-based ECC Enterprise Compliance Auditing and Reporting packages for Sarbanes Oxley, GLBA, HIPAA, and FISMA. ECAR is designed to assist organizations subject to SOX to collect and report on Microsoft Windows Server platform IT events. The goal is to facilitate a more consistent, comparable, and repeatable approach that is consistent with recommended minimum security controls for information systems as categorized by Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. Through the use of the MOM infrastructure, ECAR promotes a dynamic, extensible catalog of security controls for information systems.

Figure 1

Figure 1. MOM Administrative Console Showing ECC ECAR Rules Groups for FISMA

The availability of information that provides instructions and best practice recommendations is also valuable asset to administrating compliance. MOM provides a knowledge base authoring tool that is used by software vendors to provide appropriate guidance and may be expanded by organizations as needed. As shown in Figure 2, ECC ECAR offers extensive information about the regulation, best practices, and individual security event detail.

Figure 2

Figure 2. MOM Administrative Console Showing ECC ECAR™ Compliance Knowledgebase

Another challenge when collecting thousands of events is to organize the information around reports that are comprehensive, consistent, and reflective of the regulation. The requirement for customization is inherent, because it is not possible to understand in advance what data a government examiner might require. It is possible that comprehensive volumes of information will be requested. It is just as likely that a proof of adherence may only involve a request for a list of all Event ID 621 events for a given server or a particular date. Fortunately, MOM supports the development of SQL Server Reporting Services output. With the more than 75 SQL Server Web-based reports provided by ECC ECAR, this level of customization tied directly to the regulation is provided for Detail Event Reports, Event Summary Table Reports (see Figure 3), and Expanded Event Reports. Graphical comparative and trend analysis report templates are also provided.

Figure 3

Figure 3. SQL Server Reporting Services–based ECC ECAR™ Summary Table Report

Moving Beyond OS Security Events

Many events at the application and network layer also have security related implications. Fortunately, Microsoft products like ISA 2004, SQL Server and Exchange Server product event log information. This is also true for many third party applications that support the Windows OS platforms. Windows Server 2000 and 2003 capture many network events that tie directly to regulatory compliance requirements. As you consider expanding compliance auditing, it is recommended that efforts be undertaken to expand event collection to both key applications and networks as shown in Figure 4: ECC ECAR ISA Administrator Console.

Figure 4

Figure 4: ECC ECAR ISA Administrator Console


The road to regulatory compliance will continue to be a pressure-filled one for IT professionals. Organizations must employ security controls to meet the requirements of laws, directives, policies, and other regulations. The creation of a security control catalog and collection of associated events can be augmented by the use of Microsoft Operations Manager together with SQL Server data management and SQL Server Reporting Services. The road toward compliance can further be streamlined by employing specialized auditing and reporting systems like ECC ECAR. This effort will remain subject to governmental additions, deletions, and modifications.

Corporate assets must be tied together with regulations and standards that have been scoped to an organization. A monitoring system can then independently collect and measure compliance related activity according to each of these compliance requirements. Accurately reflecting the status of controls regarding corporate governance enables external auditors and internal decision makers the ability to monitor the risk posture and react to weaknesses and vulnerabilities. Up to date reporting and comprehensive audit trails provide a basis for sound compliance and confidence of an improving business process enhancing the bottom line performance of an organization. Figure 5 illustrates how ECC ECAR utilizes Microsoft MOM and SQL Reporting services to achieve this end result.

Figure 5

Figure 5: ECC ECAR Event Collection, Auditing and Reporting Process

Failure to comply with regulations may result in very significant administrative sanctions, fines, and even possible imprisonment. However, IT professional should look beyond punitive actions. When properly applied, the information that is organized and gathered around industry best practices should ultimately improve operations. Therefore, the process of engagement involves basic steps that begins with a baseline understanding of the regulation(s) affecting your organization together with the associated best practices. The next critical step involves the identification of the key servers that are deemed covered by the regulation. While home brewed solutions can be development, consider the engagement tools that will help streamline the effort such as MOM, SQL Server, and ECC ECAR. Finally, work with management to establish a consistent, repeatable, and sustainable approach for internal reviews and response to government examiners.

© Copyright 2006 Enterprise Certified Corporation. All Rights Reserved.