Axel Buecker
Ann-Louise Blair
Franc Cervan
Dr. Werner Filip
Scott Henley
Carsten Lorenz
Frank Muehlenbrock
Rudy Tan
ibm.com/redbooks
International Technical Support Organization
February 2008
SG24-7531-00
Note: Before using this information and the product it supports, read the information in
“Notices” on page vii.
This edition applies to Version 8.0 of IBM Tivoli Compliance Insight Manager (product number
5724-567).
© Copyright International Business Machines Corporation 2008. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Contents
Notices  vii
Trademarks  viii
Preface  ix
The team that wrote this book  ix
Become a published author  xii
Comments welcome  xii
Project scope  214
Key assumptions  215
IBM responsibilities  215
Customer responsibilities  217
Deliverables  218
Completion criteria  219
Estimated schedule  219
Charges  219
Additional terms and conditions  219
Glossary  221
Index  237
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation
and/or its affiliates.
Snapshot, and the Network Appliance logo are trademarks or registered trademarks of Network Appliance,
Inc. in the U.S. and other countries.
ITIL is a registered trademark, and a registered community trademark of the Office of Government
Commerce, and is registered in the U.S. Patent and Trademark Office.
Java, Solaris, Sun, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United
States, other countries, or both.
Active Directory, Excel, Internet Explorer, Microsoft, Windows, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Pentium, Pentium 4, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered
trademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
We discuss the business context of security audit and compliance software for
organizations, and we show a typical deployment within a business scenario.
Figure 1 From left, Werner, Axel, Ann-Louise, Franc, Scott, Rudy, Carsten, and Frank
Besides working on this IBM Redbooks publication, this great team also
developed the Compliance Management Design Guide with IBM Tivoli
Compliance Insight Manager, SG24-7530.
Thanks to the following people for their contributions to this project:
Wade Wallace
International Technical Support Organization, Austin Center
Nick Briers, Koos Lodewijkx, Dimple Ahluwalia, Jose Amado, Bart Bruijnesteijn,
Philip Jackson, Sujit Mohanty, Erica Wazewski
IBM
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you will develop a network of contacts in IBM development labs, and
increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
Finally, we describe the skills, resources, and everything else you need to
consider and provide in order to make a Tivoli Compliance Insight Manager
services project successful.
1. The Sarbanes-Oxley Act was established in 2002, as a result of corporate scandals (for example,
Enron and WorldCom) about incorrect financial reporting, and aims to protect stakeholders from
huge losses and to prevent future shocks to confidence in the financial system in the USA. Since
July 2006, the law applies to all companies listed on the US stock exchanges, including
international or foreign companies. To learn more, go to http://www.soxlaw.com/.
2. Basel II is an accord issued by the Basel Committee on Banking Supervision that summarizes
recommendations about banking laws and regulations with the intent to harmonize banking
regulation worldwide. This second accord introduces matters concerning Operational Risk, which
again includes risks in the area of technology, processes, and people. To learn more, go to
http://www.bis.org/publ/bcbsca.htm.
Technical security controls are the easiest to monitor, because computer systems save
audit trails and configuration files, which can be checked for the fulfillment of
requirements. Security controls on the organizational and the process level
(especially when process steps are not performed with the help of technology)
are harder to check and to control, because they are less persistent, and their audit trails
are not created automatically and can be manipulated more easily.
Note: Customers are responsible for ensuring their own compliance with
various laws and regulations such as those mentioned above. It is the
customers’ sole responsibility to obtain the advice of competent legal counsel
regarding the identification and interpretation of any relevant laws that may
affect the customer’s business and any actions the customer may need to
take to comply with such laws. IBM does not provide legal, accounting, or
auditing advice, or represent that its products or services ensure that the
customer is in compliance with any law.
The trend to use compliance management beyond its initial purpose is reflected
in some of the regulations. For example, in Basel II, the excellence of risk
management for IT systems, which is part of the operational risk complex, has an
impact on the competitive advantage of banks. The level of excellence
determines how much money a bank can use to provide credit to their customers
and how much it has to keep in reserve to cover risks, which again affects the
interest rates a bank can offer its customers. So today, even the external
3. For more information about HIPAA, go to http://www.hhs.gov/ocr/hipaa/.
4. For more information about PCI, go to https://www.pcisecuritystandards.org/.
If you have ever been audited (or audited someone), you probably know that
there is a difference between being:
In compliance: All your systems and processes are operated and delivered
according to the security policies and standards (and you have evidence
for compliance).
In control: You know what is in compliance and what is not, you know why,
and you have a plan of action (and you have evidence for control).
Now, what is more important? Being in control is, because you could be in
compliance by accident. Further, if you are compliant but not in control,
chances are high that you will not stay compliant for very long.
If you are in control, you will end up being compliant eventually. Or at least you
will have it on record why you are not compliant.
And if you are not compliant and not in control, gaining control should be your
primary goal.
This is the reason why regulations shift more and more from compliance to
control objectives.
Most organizations do not stop after they have met the basic principles set out in
their policies, as they want to understand how efficiently this level of compliance
was achieved or even exceeded. Customers also want to identify indicators
about how stable and consistent the current compliance achievement is and
whether the state of compliance can be maintained.
The key dimensions listed above can be derived by considering the following
secondary factors:
Business environment of the organization
Is corporate espionage or other business crime an issue? Does the company
use outsourcing services? How dependent is the business on its IT systems?
Regulatory and legal obligations
In which industry is the business operating? In which countries is the
business operating? Which laws and regulatory requirements exist in each
country for this industry that influence information security? What level of
scrutiny is executed by the regulators?
Organizational complexity
The size and setup of the organization influence the speed of the reaction to
deviations from the desired security level. Furthermore, they have a
significant impact on the requirements on an IT security compliance
management solution, such as the administration approach.
Technological complexity
Obviously, the existing IT environment defines the scope of the operating
system, middleware, and business applications that need to be supported by
any IT security compliance management solution. Also, the level of
standardization, centralization, and consolidation has a significant influence
on the IT security compliance management solution.
Shifting the focus from the resulting status to evoking proactive behavior puts the
focus closer to the root cause.
1.5 Conclusion
As a result of the influencing factors discussed above, a security compliance
management solution must provide a flexible yet comprehensive framework that
can be configured and customized to the specific organization in question and
takes a holistic approach on collecting and controlling the information security
compliance of an organization. Such business requirements for compliance
management set the boundaries for functional and non-functional requirements
of a technical compliance management solution.
Tivoli Compliance Insight Manager has the ability to archive normalized log data
for forensic review and to provide consolidated viewing and reporting through a
central dashboard. It also provides specific forensic capabilities for searching
and retrieving the original log data.
Tivoli Compliance Insight Manager uses the Generic Event Model (GEM) and the
W7 language to consolidate, normalize, and analyze vast amounts of user and
system activity. These models are discussed in further detail in “The W7 model”
on page 35. Tivoli Compliance Insight Manager is able to deliver alerts and
reports on who touched what information and how those actions may violate
external regulations or internal security policies. By revealing who touched what
within the organization and comparing that activity to an established internal
policy or external regulation defining appropriate use, security specialists can
successfully implement the first layer of defense for information protection,
thereby accelerating compliance efforts.
Figure 2-1 on page 15 illustrates the high level Tivoli Compliance Insight
Manager product architecture.
The sections that follow outline the major functional capabilities of each of these
servers.
Centralized forensics
The Enterprise Server also provides forensic search capabilities. The Enterprise
Server allows you to search the archived logs for evidence without using the
GEM and W7 tools. Sometimes you may want to look for the raw traces without
going through the report preparation process.
Note: The GEM and W7 tools are used by Tivoli Compliance Insight Manager
for mapping and loading the data. They are described in detail in 2.3.2,
“Mapping and loading” on page 33.
The security status of the audited systems can be viewed through the
Web-based reporting application called iView. iView is described in 2.2.6, “iView
Web portal” on page 20.
Another main component of the Tivoli Compliance Insight Manager system is the
Management Console, which is used to manage and configure the system. Each
Standard Server has its own configuration database managed by the
Management Console. The Management Console is described further in 2.2.5,
“Management Console” on page 19.
2.2.4 Actuators
Depending on the platform, Actuator software is installed on audited systems as
a service or daemon. Each Actuator consists of an Agent and numerous
Actuator scripts. The Agent is responsible for maintaining a secure link with the
Agents running on the Tivoli Compliance Insight Manager Server and other
audited systems. The Actuator scripts are invoked by the Agent (at the request of
the Tivoli Compliance Insight Manager Server) to collect the log for a particular
event source. There is a different script for every supported event type. The
Actuator is depicted in Figure 2-3 on page 19.
The Actuator software can be installed locally on the target system or remotely.
You can use the Management Console to perform numerous tasks related to the
configuration and management of the Tivoli Compliance Insight Manager
servers:
Activate the Agents and have them collect audit trails from different platforms.
Define the security policy and attention rules.
Define users and their access rights.
Start the preparations of the reports.
All the actions on the Management Console are performed by the Tivoli
Compliance Insight Manager server. You can think of the Management Console
as being the user interface for the Tivoli Compliance Insight Manager server.
After the reports have been prepared by the server, a Tivoli Compliance Insight
Manager user may generate the specific reports using the iView component.
Depot
Collected logs are stored in the log Depot, which is a compressed, online, and
file system based log repository.
Reporting database
Data that has been mapped into the W7 format is stored in an instance of an
embedded database. These reporting databases are also known as GEM
databases. They are periodically emptied and then filled with more recent data.
Typically, this refresh cycle is done on a daily scheduled basis, meaning that data
from the previous period is present and available for analysis and reporting. Data
from a Depot can be mapped and manually loaded into the reporting database
for processing.
Aggregation database
The aggregation process takes a large number of individual events and
reduces them to a more manageable set of information. In addition, the
aggregation process creates statistical data that can be used to provide
management level trending data, charts, and reports. It takes multiple events that
have a relationship and consolidates them into a single event. The aggregation
process involves two key operations:
A statistical database of events, exceptions, failures, and attentions is
created. The events are used to generate management charts, reports, and
trending information. For example, users can report on policy exception
trends over a selected time period.
Consolidation database
The consolidation database consolidates all the aggregation databases in a
Tivoli Compliance Insight Manager cluster. This provides an overall view of all
servers in the cluster for trending and statistical purposes.
Configuration Database
The Configuration Database for each Standard Server is managed through the
Management Console. Each Configuration Database includes information such
as the Actuator configuration, collect schedules, location of audit log data,
available GEM databases, the list of audited machines, and so on.
Figure 2-5 on page 23 encapsulates the key components and processes in the
Tivoli Compliance Insight Manager environment. Each of the components and
the role that they play in the Tivoli Compliance Insight Manager environment will
be discussed in further detail throughout the remainder of the chapter.
Event data is retrieved from the audited systems through a process called
collect. It is then stored on the Standard Server in the Depot.
For analysis, the data is taken from the Depot and normalized into a data model
called General Event Model (GEM). This process is called mapping.
Subsequently, the mapped data is loaded into a reporting database called a
GEM database.
In order to check and investigate the information security status, the Tivoli
Compliance Insight Manager system offers a large number of reports. These are
produced on request by a Web-based application called iView. It can be used to
view GEM databases as well as the aggregation database.
Figure 2-6 shows the key processes performed by a Tivoli Compliance Insight
Manager server. A Tivoli Compliance Insight Manager Enterprise Server also
performs two extra processes, namely indexing and consolidation.
The reliable, verifiable collection of original log data is a key part of the process
required for compliance. Through Tivoli Compliance Insight Manager, you can
automate the collection process from your audited machines. Security audit data
is collected in its native form, transferred securely from the target, and stored in
the server’s Depot in the form of a chunk. The term chunk is used to refer to a set
of compressed logs and is the unit of collection in Tivoli Compliance Insight
Manager.
Tivoli Compliance Insight Manager provides a set of tools to verify that the
collection process is operating and to detect if collection failures have occurred.
Tivoli Compliance Insight Manager alerts selected administrators if a collection
failure occurs so that immediate action can be taken to prevent possible loss of
log data.
The Agent listens continuously on a reserved port for collect requests issued by
the Tivoli Compliance Insight Manager server. When a request is received, the
Agent invokes the appropriate script to gather the logs. After the Actuator has
collected the security audit log for a particular event source, the Agent
compresses and transfers the logs to the centralized Depot. The Agent maintains
an encrypted channel for all communication between the target machine and the
Tivoli Compliance Insight Manager server. That is, it provides a secure and
guaranteed transmission service.
Note:
1. The audited system often acts as the target system for event sources.
2. With regard to audit configurations, the audited system and the target
system can both be described as the audited system, that is, a system on which the
audited instance of the event source is hosted.
3. The Tivoli Compliance Insight Manager server can act as a Point of
Presence in some configurations. If this is the case, no Actuator needs to
be installed, because it is already included in the server installation.
Otherwise, an Actuator corresponding to the operating system running on
the Point of Presence needs to be installed.
For the examples throughout the remainder of this chapter, in the event that the
audited systems also act as the target systems for the Tivoli Compliance Insight
Manager server to access the audit trail, the term audited system will be used.
Note that:
1. The collection schedule is automatically triggered based on configured
settings. Alternatively, a manual collect command is given to the Tivoli
Compliance Insight Manager server through the Management Console.
2. The Tivoli Compliance Insight Manager server issues an audit trail
collect command to the Actuator. This command activates the Actuator on
the audited machine.
3. The appropriate Actuator script reads the security log and collects only those
new records since the last collection.
4. The Actuator formats the collected records into chunk format and compresses
the chunks. A chunk can contain many different log types from the audited
machine.
5. The Agent reads the chunk log data.
6. The Agent securely sends the chunk data in encrypted form to the Agent on
the Tivoli Compliance Insight Manager server.
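The collection steps above rest on two details a practitioner cares about: step 3 collects only the records written since the last cycle, and step 4 packages them into a compressed chunk. The following is an added illustration of that incremental, verifiable collection; it is not the product's Actuator or chunk format, and the collector class, the log lines and the `host1/secure` source name are constructed for the example. It also shows two edge cases the text does not spell out: a log that was rotated (shrank) between cycles, and a record that is still being written when the collect runs.

```python
import gzip
import hashlib
import io
import os
import tempfile


# Hypothetical collector (not the product's Actuator): remembers how far into
# each event source it has already read, so a collect cycle packages only the
# records written since the previous cycle.
class IncrementalCollector:
    def __init__(self):
        self.offsets = {}  # event source path -> byte offset already collected

    def collect(self, source_path, source_name):
        offset = self.offsets.get(source_path, 0)
        if os.path.getsize(source_path) < offset:
            # The log shrank: it was rotated or truncated since the last cycle.
            # Restart from the beginning rather than silently skipping the new file.
            offset = 0
        with open(source_path, "rb") as f:
            f.seek(offset)
            data = f.read()
        # Ship only complete records; a trailing line without a newline is still
        # being written and is held back for the next cycle.
        last_nl = data.rfind(b"\n")
        if last_nl == -1:
            return None
        data = data[: last_nl + 1]
        self.offsets[source_path] = offset + len(data)
        records = data.decode("utf-8", "replace").splitlines()
        return build_chunk(source_name, records)


def build_chunk(source_name, records):
    """Compress the records and attach a digest the server can verify on receipt."""
    payload = "\n".join(records).encode("utf-8")
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        gz.write(payload)
    return {
        "source": source_name,
        "record_count": len(records),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "data": buf.getvalue(),
    }


def verify_chunk(chunk):
    """Server-side check: the decompressed payload must match the digest."""
    payload = gzip.decompress(chunk["data"])
    return hashlib.sha256(payload).hexdigest() == chunk["sha256"]


def demo():
    """Three collect cycles over a constructed log; returns the per-cycle record
    counts and whether every chunk verified."""
    path = os.path.join(tempfile.mkdtemp(), "secure.log")
    collector = IncrementalCollector()
    with open(path, "w") as f:  # constructed sample records
        f.write("Jan 10 08:01:02 host1 sshd[411]: Accepted password for alice\n")
        f.write("Jan 10 08:02:10 host1 sshd[412]: Failed password for root\n")
        f.write("Jan 10 08:03:00 host1 sudo: alice : COMMAND=/bin/ls")  # not finished
    first = collector.collect(path, "host1/secure")
    with open(path, "a") as f:
        f.write("\n")  # the writer completes the pending record
    second = collector.collect(path, "host1/secure")
    with open(path, "w") as f:  # log rotated: a new, shorter file
        f.write("Jan 11 00:00:05 host1 sshd[500]: Accepted publickey for bob\n")
    third = collector.collect(path, "host1/secure")
    chunks = (first, second, third)
    counts = tuple(c["record_count"] for c in chunks)
    return counts + (all(verify_chunk(c) for c in chunks),)


if __name__ == "__main__":
    print(demo())  # (2, 1, 1, True)
```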
Agentless collection
Tivoli Compliance Insight Manager supports agentless collection on Windows,
Novell, and UNIX® platforms. When using agentless remote collection, the
picture is slightly different from agent-based collection, but the steps remain the
same. This Point of Presence establishes the secure connection to the Tivoli
Compliance Insight Manager server, sending all agentless collected data
securely to the Depot.
Note: In the case of Windows, the agentless data collection requires one Point
of Presence per domain.
Note that:
1. The collection schedule is automatically triggered based on site specific
settings. Alternatively, a manual collect command is given to the Tivoli
Compliance Insight Manager server through the Management Console.
2. The Tivoli Compliance Insight Manager server issues a collect log
command to the Actuator. This command activates the Actuator on the target
machine.
3. The Actuator reads the security log from the remote server(s) using a
NetBIOS connection, collecting only those new events since the last
collection cycle.
4. The log data is processed and sent to the Depot on the Tivoli Compliance
Insight Manager server.
Tivoli Compliance Insight Manager uses a PuTTY client to establish the SSH
connection, which needs to be appropriately configured. The UNIX server also
needs to be running an SSH daemon, set up with the appropriate privileges, as
per the Tivoli Compliance Insight Manager documentation.
Tivoli offers a toolkit that shows how to configure an event source to collect
arbitrary log data. This method allows the collection of log data that meets the
following criteria:
File based
Record oriented
Text
You can refer to the IBM Tivoli Compliance Insight Manager User Reference
Guide Version 8.0, SC23-6545 for further information about how to customize
ubiquitous collect event sources for forensic search and analysis.
Similar to the ubiquitous log collection, the W7LogSDK gives you the ability to
collect custom log files. Furthermore, the W7LogSDK allows you to map and load
the data. This toolkit is described in 2.4, “The W7LogSDK” on page 46.
When a chunk is placed in the Depot, it is indexed using the specific indexer that
has been configured for that event source. Indexers do not normalize the data,
only split it into fields. The fields, or terms, are indexed using a proprietary
technique so the data can be easily searched using the forensic investigation
user interface.
You can build your own indexers using the Generic Scanning Language (GSL)
Toolkit to include collected arbitrary log data in forensic investigations or in cases
where the default indexer does not provide the analysis required.
A simple query language is available that supports Boolean operators (AND, OR)
and allows the grouping of terms through parentheses.
The forensic tools operate over all of the Standard Servers associated with the
Enterprise Server. They access the Depots through normal Windows file share
protocols.
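To make the indexing and query-language description above concrete, here is an added example (not the product's proprietary indexer or forensic user interface): records are split into terms without normalization, an inverted index maps each term to the records containing it, and a small recursive-descent parser evaluates queries with AND, OR and parentheses (AND binds tighter than OR). The four sample records and the term splitter are constructed for the example.

```python
import re

# Constructed sample records, as they might sit in a chunk (not real data).
SAMPLE_RECORDS = [
    "2008-01-14 09:12:03 host1 sshd[411]: Accepted password for alice from 10.0.0.5",
    "2008-01-14 09:15:44 host1 sshd[412]: Failed password for root from 10.0.0.9",
    "2008-01-14 09:16:01 host2 sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "2008-01-14 09:20:17 host2 sshd[77]: Accepted publickey for bob from 10.0.0.5",
]

# A term is an alphanumeric run, optionally joined by . / : - so that IP
# addresses, times and paths stay whole. Illustrative splitter only.
TERM_RE = re.compile(r"[A-Za-z0-9_]+(?:[./:-][A-Za-z0-9_]+)*")
# Query tokens: parentheses, the upper-case operators, or a term.
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z0-9_]+(?:[./:-][A-Za-z0-9_]+)*")


def build_index(records):
    """Inverted index: lower-cased term -> set of record ids containing it."""
    index = {}
    for rid, rec in enumerate(records):
        for term in TERM_RE.findall(rec):
            index.setdefault(term.lower(), set()).add(rid)
    return index


class QueryParser:
    """Grammar: expr := and_expr (OR and_expr)* ;
    and_expr := atom (AND atom)* ; atom := term | '(' expr ')'."""

    def __init__(self, index):
        self.index = index

    def search(self, query):
        self.tokens = TOKEN_RE.findall(query)
        self.pos = 0
        result = self._or_expr()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token: " + self.tokens[self.pos])
        return sorted(result)

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _or_expr(self):
        result = self._and_expr()
        while self._peek() == "OR":
            self.pos += 1
            result = result | self._and_expr()
        return result

    def _and_expr(self):
        result = self._atom()
        while self._peek() == "AND":
            self.pos += 1
            result = result & self._atom()
        return result

    def _atom(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("query ended unexpectedly")
        self.pos += 1
        if tok == "(":
            inner = self._or_expr()
            if self._peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.pos += 1
            return inner
        if tok in ("AND", "OR", ")"):
            raise ValueError("unexpected token: " + tok)
        # Unknown terms simply match nothing rather than failing the query.
        return set(self.index.get(tok.lower(), ()))


def forensic_search(query, records=SAMPLE_RECORDS):
    """Return the ids of the records matching the Boolean query."""
    return QueryParser(build_index(records)).search(query)


if __name__ == "__main__":
    print(forensic_search("(root OR bob) AND 10.0.0.5"))  # [3]
```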
The Tivoli Compliance Insight Manager mapping process for each and every
platform is coded using the Generic Scanning Language (GSL) and the Generic
Mapping Language (GML) in files that reside on the Tivoli Compliance Insight
Manager server. The chunks are sorted based on their timestamps and are
processed sequentially by the appropriate mappers. These mappers determine
the field translation values. That is, the mapper interprets the original log data
and translates the chunk data into the GEM database model.
For more information about GSL/GML, refer to the IBM Tivoli Compliance Insight
Manager User Reference Guide Version 8.0, SC23-6545.
Determine attributes
Security log data consists of records. Each record usually describes one event
that happened on the audited system. Central to GEM is the classification of
these events according to their W7 attributes. This is the process of normalizing
the data. W7 is an English Language format that describes: Who did What,
When, Where, From Where, Where To, and on What. The use of W7 formatted
information enables security specialists and non-technical personnel, including
auditors, to interpret audit information without the need for detailed knowledge of
each source. Most operating systems, infrastructure applications, and almost
every security device produce log data that is not readily understandable;
therefore, mapping to the W7 format translates that data into powerful audit
information.
The process of adding meta information from the currently active policy to the
GEM records using the W7 classification scheme for the assets is often referred
to as grouping (or filtering).
The process of comparing each GEM event with the defined policies allows the
severity of each event to be evaluated. The policies applied to the event data
throughout this process determines the contents of the policy exception and
attention reports. When high severity events such as policy violations are
detected, an automatic e-mail alert can be sent to predefined recipients.
Note: Because mapping precedes and serves loading, the combination of the
two is also called load (in short form).
In the remainder of this section, we describe the key concepts related to mapping
and loading in more detail.
The W7 model
A security log consists of event records. Each record usually describes a single
event that occurred on the audited system. Tivoli Compliance Insight Manager
normalizes the collected event data into an English-based language called W7
so that it can easily be interpreted. All Tivoli Compliance Insight Manager
security events have seven basic attributes:
Who: Which user or application initiated the event?
What: What kind of action does the event represent?
When: When did the event occur?
Where: On which machine did the event happen?
OnWhat: What object (file, database, or printer) was involved?
WhereFrom: From which machine did the event originate?
WhereTo: Which machine is the target or destination of the event?
Benefit of using W7
The disparate platforms and systems generating the logs will often use different
terminology for the same action. For example, one operating system may use the
term logging on, while another operating system uses login. Similarly, one
system may request a user ID while another system asks for a user name.
Unless you are an expert in all of the different systems used by your
organization, it is very difficult to search through the logged data manually to find
all instances of a given action or user.
Mapping the raw event data into a standard set of seven distinctive attributes
enables a consistent method for monitoring, analyzing, and reporting,
irrespective of the original format of the event. When translating log records into
W7 format, the seven W's of the event are determined from the structure and
content of the original log record. Log record formats are very different for every
Groups
In order to apply logic and draw conclusions from the normalized data, the events
have to be classified. Knowing that an event happened on Monday at 8.30 AM is
one thing, but in order to draw conclusions, it is more interesting to know whether
it happened during or outside a specific time period, for example, office hours.
Similarly, a user ID has certain access rights, detailing what a user is allowed to
initiate. These user access rights are usually dependent on their role, for
example, based on whether he or she is an administrator, regular user, or guest.
Therefore, all W7 attributes are classified into W7 groups. There are five types of
groups:
1. Who groups for classification of users and processes
2. What groups for classification of event types
3. When groups for classification of time periods
4. Where groups for classification of machines and devices
5. onWhat groups for classification of objects
The Where, Where from, and Where to attributes are all classified using the
same Where groups.
The Tivoli Compliance Insight Manager administrator can review and update this
information in the Grouping editor on the Tivoli Compliance Insight Manager
Management Console.
Figure 2-12 The relationship between the GEM event and the W7 model
The result of the grouping for a particular record can be viewed in the Event
detail report in iView, as shown in Figure 2-13 on page 39.
The column called Field shows the GEM field values of a GEM event. The
column Group shows, for each GEM field value, which W7 groups are linked to the
value to the left of it. For example, the GEM field value
Administrator(MSTESTCE\ADMINISTRATOR) is linked to at least two W7
groups: Administrators and IT.
Policy management
Whether or not an event deserves special treatment is determined by comparing
the W7 groups it is classified into against a set of rules defined by the Tivoli
Compliance Insight Manager administrator. As previously mentioned, there are
two kinds of rules:
Policy rules These describe acceptable use, that is, allowed behavior.
Attention rules These identify events deserving special attention.
By refining policy rules, you can ensure that existing policies are effective and
can even establish new policies that reflect the actual behavior of users, as
opposed to theoretical activities contained in policy manuals and non-automated
tracking systems.
Attention rules are used to highlight instances of events that are critical to the
organization. One typical application for these rules is to monitor change
management activities even if the events are allowed by your policy rules.
Events that match an attention rule trigger actions. For example, by looking
for a specific instance of a data attribute in any of the W7 dimensions for certain
events, you can set an alert to notify someone of a change to a server’s
configuration.
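The grouping and rule evaluation described in the two sections above, as an added example that is not the product's own Grouping editor or policy engine. The group definitions are constructed: the mapping of Administrator(MSTESTCE\ADMINISTRATOR) to the Administrators and IT groups follows the Event detail example in the text, while every other group, the office-hours window (assumed to be Monday to Friday, 08:00 to 18:00 local time), the policy rules, the attention rules, and the five sample events are assumptions. The Where, Where from, and Where to dimensions share one Where group table, as the text states. The evaluation shows an event that the policy allows but that still raises attention (an audit log cleared during office hours), and one that is both a policy exception and an attention match.

```python
"""Classify W7 events into W7 groups and test them against policy and
attention rules.  Added example with constructed data; not product code."""
from datetime import datetime

# Constructed group definitions.  Who/What/Where/OnWhat groups are lookups;
# When groups are computed from the timestamp.
WHO_GROUPS = {
    "MSTESTCE\\ADMINISTRATOR": {"Administrators", "IT"},   # from the Event detail example
    "MSTESTCE\\JDOE": {"Users"},                           # assumed
    "System": {"System processes"},                        # assumed
}
WHAT_GROUPS = {  # keyed by (whatverb, whatnoun); all assumed
    ("Logon", "User"): {"Logon events"},
    ("Remove", "Group"): {"Group administration"},
    ("Clear", "Auditlog"): {"Audit management"},
}
WHERE_GROUPS = {  # one table for Where, Where from and Where to; assumed
    "DC01": {"Domain controllers", "Servers"},
    "WS17": {"Workstations"},
}
ONWHAT_GROUPS = {  # keyed by (onwhattype, onwhatpath); assumed
    ("GROUP", "."): {"Security groups"},
    ("AUDITLOG", "."): {"Audit logs"},
}

def when_groups(ts):
    """When groups: office hours assumed Monday to Friday, 08:00 to 18:00 local."""
    if ts.weekday() < 5 and 8 <= ts.hour < 18:
        return {"Office hours"}
    return {"Outside office hours"}

def classify(ev):
    """Return the W7 groups of one event, one set per dimension."""
    unknown_machine = {"Unknown machines"}
    return {
        "who": WHO_GROUPS.get(ev["who"], {"Unknown users"}),
        "what": WHAT_GROUPS.get((ev["verb"], ev["noun"]), {"Other events"}),
        "when": when_groups(ev["when"]),
        "where": WHERE_GROUPS.get(ev["where"], unknown_machine),
        "wherefrom": WHERE_GROUPS.get(ev["wherefrom"], unknown_machine),
        "whereto": WHERE_GROUPS.get(ev["whereto"], unknown_machine),
        "onwhat": ONWHAT_GROUPS.get((ev["onwhattype"], ev["onwhatpath"]), {"Other objects"}),
    }

# A rule names one group per dimension it cares about; other dimensions match anything.
POLICY_RULES = [
    {"name": "Admins manage domain controllers in office hours",
     "who": "Administrators", "where": "Domain controllers", "when": "Office hours"},
    {"name": "Users log on to workstations",
     "who": "Users", "what": "Logon events", "where": "Workstations"},
]
ATTENTION_RULES = [
    {"name": "Audit log cleared", "what": "Audit management"},
    {"name": "Group removed outside office hours",
     "what": "Group administration", "when": "Outside office hours"},
]

def rule_matches(rule, groups):
    return all(g in groups[dim] for dim, g in rule.items() if dim != "name")

def evaluate(ev):
    """An event covered by no policy rule is a policy exception; attention
    rules fire whether or not the policy allows the event."""
    groups = classify(ev)
    allowed = [r["name"] for r in POLICY_RULES if rule_matches(r, groups)]
    attention = [r["name"] for r in ATTENTION_RULES if rule_matches(r, groups)]
    return {"exception": not allowed, "attention": attention}

def _ev(id_, who, verb, noun, when, where, frm, onwhattype, onwhatpath):
    return {"id": id_, "who": who, "verb": verb, "noun": noun, "when": when,
            "where": where, "wherefrom": frm, "whereto": where,
            "onwhattype": onwhattype, "onwhatpath": onwhatpath}

# Constructed sample events (11 Feb 2008 is a Monday, 10 Feb 2008 a Sunday).
SAMPLE_EVENTS = [
    _ev(1, "MSTESTCE\\ADMINISTRATOR", "Remove", "Group", datetime(2008, 2, 11, 9, 15), "DC01", "WS17", "GROUP", "."),
    _ev(2, "MSTESTCE\\ADMINISTRATOR", "Remove", "Group", datetime(2008, 2, 10, 2, 0), "DC01", "WS17", "GROUP", "."),
    _ev(3, "MSTESTCE\\ADMINISTRATOR", "Clear", "Auditlog", datetime(2008, 2, 11, 10, 0), "DC01", "DC01", "AUDITLOG", "."),
    _ev(4, "MSTESTCE\\JDOE", "Logon", "User", datetime(2008, 2, 11, 8, 5), "WS17", "WS17", "ACCOUNT", "."),
    _ev(5, "MSTESTCE\\JDOE", "Remove", "Group", datetime(2008, 2, 11, 11, 30), "DC01", "WS17", "GROUP", "."),
]

def evaluate_all(events=SAMPLE_EVENTS):
    return {ev["id"]: evaluate(ev) for ev in events}

if __name__ == "__main__":
    for id_, result in evaluate_all().items():
        print(id_, "EXCEPTION" if result["exception"] else "allowed", result["attention"])
```

Event 3 is the case the text singles out: the policy rule allows administrators to do anything on domain controllers during office hours, so clearing the audit log is not an exception, yet the attention rule on the Audit management What group still flags it. Event 5 shows the inverse: a regular user removing a group is an exception even though no attention rule fires.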
Tivoli Compliance Insight Manager can send alerts through the following
protocols:
SMTP Alerts are sent as e-mails.
SNMP Alerts are sent as SNMP traps.
Custom alerts Alerts are sent through a mechanism invoked with a
user-provided program or script.
For more information about alerts, refer to “Managing Alerts” in IBM Tivoli
Compliance Insight Manager User Guide Version 8.0, SC23-6544.
Only those IT security policy rules that interact with the security functions on a
platform may be considered to become Tivoli Compliance Insight Manager
security policy rules.
The following requirements must be met in order to use Tivoli Compliance Insight
Manager to report on a particular policy:
1. The security functions on the target must contain audit functions to monitor
the actions relating to the rule.
2. Tivoli Compliance Insight Manager must support the platform and collect the
information that the target provides.
Figure: a corporate IT security policy rule is committed as a Tivoli Compliance Insight Manager (TCIM) security policy rule.
The Policy Generator is an automated tool for creating policies from loaded event
data in a database and, based upon the in-built knowledge of various platforms,
builds the most applicable policy from that data. This policy can then be loaded
and modified if desired using the Policy Editor in the Management Console.
Both standard and custom reports let you examine exceptions and events that
require special attention, and since the data presented in these reports is in the
W7 format, no specialized knowledge is required to interpret the output. Reports
are clear, concise, and integrate all security data for your review. Tivoli
Compliance Insight Manager provides a dashboard with graphical and statistical
overviews of logged activities, with drill-down capabilities to identify and examine
Regulations underscore the need to understand who is touching the most crucial
corporate data, and whether this behavior complies with security policy. You can
use Tivoli Compliance Insight Manager to monitor all security events and audit
them against your security policy.
These management modules are described in more detail in the IBM Tivoli
Compliance Insight Manager User Guide Version 8.0, SC23-6544.
Report distribution
Tivoli Compliance Insight Manager Version 8.0 provides the functionality for the
automated distribution of reports in full or as excerpts to a predefined group of
Tivoli Compliance Insight Manager users. This report distribution functionality is
available through the Web interface of iView. More information about the report
distribution functionality can be found in “Distributing Reports” in the IBM Tivoli
Compliance Insight Manager User Guide Version 8.0, SC23-6544.
Note: The capability to collect W7Log event data is fully integrated into the
Tivoli Compliance Insight Manager 8.0 Windows Actuator.
Note: The W7Log Actuator will read ALL the log files from the designated
directory on the Actuator system and combine them into a chunk file to be
stored in the Depot. It then REMOVES all the log files from the directory.
Table 2-1 on page 48 through Table 2-8 on page 52 show the detailed syntax for
each of these expected values, as well as giving some examples.
Fields: When
YYYY-MM-ddTHH:mm:ss±hh:mm
where:
YYYY: The year in the Gregorian calendar
MM: The month number (1-12)
dd: The day number (1-31)
T: Literal separator between date and time
HH: The hour (0-23)
mm: The minute (0-59)
ss: The second (0-59) since local midnight
The second hour and minute specifications indicate the
difference between the local time and Coordinated Universal
Time (UTC).
Defined as: Platform dependent logon ID and logon name of the user who
initiated the event. The name of the system process or
application can be specified here instead of the name of the
actual user.
Fields: whorealname
whologonname
Defined as: Type of the event, specified as a triplet of values. The “verb” is
an action type (for example, logon, create, and so on); the “noun” is a
refinement of the action type (for example, user, file, and so on,
correspondingly); and “success” is Success if the action was executed
successfully, or Failure otherwise.
Fields: whatverb
whatnoun
whatsuccess
Examples: whatverb: Remove, whatnoun: Group, whatsuccess: Failure
whatverb: Clear, whatnoun: Auditlog, whatsuccess: Success
Remarks: The following values are used for the whatsuccess field:
Success: The operation succeeded.
Failure: The operation or attack failed.
Warning: The attack succeeded, or an undesirable situation is
detected.
Info: If none of the above values are applicable.
Defined as: Platform (type and name) where the event was registered (for
example, “SUN Solaris”, “GATEWAY”, and so on).
Fields: wheretype
wherename
Defined as: Platform (type and name) of the event's origin platform (for
example, “Internet”, “192.168.103.104”, and so on).
Fields: wherefromtype
wherefromname
For action events, that is, events of types that are commonly
associated with a single user account, the From Where
dimension identifies the workstation from where the user who
initiated the action logged on. If the Who implies that the action
was not associated with a particular user account (for
example, if it is equal to System), then the From Where is
equal to the Where.
Defined as: Platform (type and name) of the event's target platform (for
example, “Microsoft Windows”, “WORKSTATION”, and so on).
Fields: wheretotype
wheretoname
For action events, that is, events of types that are commonly
associated with a single user account, the Where To
dimension identifies the namespace where the On What
resides (such as a Domain). If there is no particular On What,
then the Where To is equal to the Where.
Defined as: Triplet indicating what object (for example, file, database,
printer, and so on) was the object of the event.
Fields: onwhattype
onwhatpath
onwhatname
Examples: onwhattype: FILE, onwhatpath: -/etc, onwhatname: passwd
onwhattype: PRINTER, onwhatpath: printer01.domain.com, onwhatname: HP LaserJet First Floor
onwhattype: DATABASE, onwhatpath: ORADBINSTANCE, onwhatname: OracleSchema1
Remarks: The identity of the object is split into an object path and an
object name. If no object path is present (for example, the
name is a relative name), then a single period is used for it.
The root directory or object of a file or object hierarchy is
referred to as a single dash -.
Defined as: Any additional information that must be captured in the event
Fields: info
If the value of a field includes a comma or a new line, the whole field must be
surrounded with double quotes. When the field is in quotes, any quote literals
must be escaped by two quotes (""). Text that comes after quotes that have been
closed, but come before the next comma, will be ignored.
Empty fields are returned as strings of length zero: "". The following line has
three empty fields and three non-empty fields in it. There is an empty field on
each end, and one in the middle. One token is returned as a space:
,second,, ,fifth,
Blank lines are always ignored. No other lines will be ignored, even if they start
with a "#" sign.
Example 2-1 illustrates valid contents for a W7LogSDK CSV file. It specifies
some imaginary events.
The XML log file must contain XML log records defined by the above schema,
each of which describes one event that happened on the audited system. Refer
to the event attributes listed in 2.4.2, “Event attributes” on page 47.
The record fields cannot contain XML special characters, so corresponding XML
entities must be used instead:
&lt; The less than sign (<)
&gt; The greater than sign (>)
&amp; The ampersand (&)
&apos; The single quote ( ' )
&quot; The double quote ( " )
Example 2-2 shows a valid XML file that has been formatted using the
W7LogSDK XML schema.
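A parser for the CSV form and an escaper for the XML form, as an added example that is not the W7LogSDK, its validators, or the book's Example 2-1 and Example 2-2. The quoting rules, the When field layout, the whatsuccess values, and the five XML entities are taken from the text above. The column order in W7_COLUMNS, the MAX_FIELD_LEN limit, and the sample record are assumptions or constructed placeholders: the page lists the fields per dimension but does not reproduce the CSV layout or the per-field size limits that the validators do not check.

```python
"""Parse W7Log CSV text by the quoting rules above, decode the When field
and escape fields for the XML form.  Added example, not the W7LogSDK."""
import re
from datetime import datetime, timedelta, timezone

# Assumed column order, one column per field listed in 2.4.2; the book's
# Example 2-1 is not reproduced on this page, so this is a placeholder.
W7_COLUMNS = ["when", "whorealname", "whologonname", "whatverb", "whatnoun",
              "whatsuccess", "wheretype", "wherename", "wherefromtype",
              "wherefromname", "wheretotype", "wheretoname", "onwhattype",
              "onwhatpath", "onwhatname", "info"]
VALID_SUCCESS = {"Success", "Failure", "Warning", "Info"}
MAX_FIELD_LEN = 255  # placeholder: the field size limits are not on this page
WHEN_RE = re.compile(r"^(\d{4})-(\d{1,2})-(\d{1,2})T(\d{1,2}):(\d{1,2}):(\d{1,2})"
                     r"([+-])(\d{2}):(\d{2})$")
XML_ENTITIES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                ("'", "&apos;"), ('"', "&quot;")]

def parse_w7_csv(text):
    """Split CSV text into records (lists of strings): a field holding a comma
    or newline is quoted, "" inside quotes is a literal quote, text between a
    closing quote and the next comma is ignored, blank lines are skipped and
    a leading '#' does NOT make a line a comment."""
    text = text.replace("\r\n", "\n")
    records, fields, buf = [], [], []
    i, n, nonblank = 0, len(text), False

    def end_field():
        fields.append("".join(buf))
        buf.clear()

    while i < n:
        ch = text[i]
        if ch == "\n":                       # end of record, or a blank line
            if nonblank:
                end_field()
                records.append(list(fields))
                fields.clear()
            nonblank, i = False, i + 1
            continue
        nonblank = True
        if ch == '"':                        # quoted field
            i += 1
            while i < n and not (text[i] == '"' and text[i + 1:i + 2] != '"'):
                if text[i] == '"':           # "" -> literal quote
                    i += 1
                buf.append(text[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted field")
            i += 1                           # step over the closing quote
            while i < n and text[i] not in ",\n":   # junk after closing quote
                i += 1
        elif ch == ",":
            end_field()
            i += 1
        else:
            buf.append(ch)
            i += 1
    if nonblank:                             # last record without a newline
        end_field()
        records.append(list(fields))
    return records

def parse_when(value):
    """Decode YYYY-MM-ddTHH:mm:ss±hh:mm into a timezone-aware datetime."""
    m = WHEN_RE.match(value)
    if not m:
        raise ValueError(f"bad When field: {value!r}")
    y, mo, d, h, mi, s = (int(x) for x in m.group(1, 2, 3, 4, 5, 6))
    sign = 1 if m.group(7) == "+" else -1
    offset = sign * timedelta(hours=int(m.group(8)), minutes=int(m.group(9)))
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone(offset))

def escape_xml_field(value):
    """Replace the five XML special characters with entities (& first)."""
    for raw, ent in XML_ENTITIES:
        value = value.replace(raw, ent)
    return value

def records_to_events(records):
    """Name the columns and add the field-size check the validators skip."""
    events = []
    for num, rec in enumerate(records, 1):
        if len(rec) != len(W7_COLUMNS):
            raise ValueError(f"record {num}: {len(rec)} fields, expected {len(W7_COLUMNS)}")
        ev = dict(zip(W7_COLUMNS, rec))
        if ev["whatsuccess"] not in VALID_SUCCESS:
            raise ValueError(f"record {num}: bad whatsuccess {ev['whatsuccess']!r}")
        oversized = [k for k, v in ev.items() if len(v) > MAX_FIELD_LEN]
        if oversized:
            raise ValueError(f"record {num}: oversized fields {oversized}")
        ev["when"] = parse_when(ev["when"])
        events.append(ev)
    return events

# Constructed sample, not the book's Example 2-1: a quoted field containing
# a comma, a quoted field with escaped quotes, and a trailing blank line.
SAMPLE_CSV = (
    "2008-02-13T08:30:00-05:00,Administrator,MSTESTCE\\ADMINISTRATOR,Remove,Group,Failure,"
    "Microsoft Windows,DC01,Microsoft Windows,WS17,Microsoft Windows,MSTESTCE,"
    "GROUP,.,\"Sales, EMEA\",\"removed by \"\"jdoe\"\"\"\n"
    "\n"
)

def load_sample():
    return records_to_events(parse_w7_csv(SAMPLE_CSV))
```

The tokenizer is written by hand rather than with the csv module because two of the rules above differ from common CSV dialects: text between a closing quote and the next comma is silently dropped, and a line starting with "#" is data, not a comment. Keeping the When value timezone-aware matters when events from machines in different zones are compared against the same When group.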
2.4.5 Validators
W7LogSDK Format Verification tools are available that allow software
developers to test the validity of the generated logs.
Note: The validators do not check the size of each record field; the person
responsible for producing each log must ensure that the size requirements for
each field are satisfied.
These validators are available on the installation CDs. You can refer to the IBM
Tivoli Compliance Insight Manager Installation Guide Version 8.0, GI11-8176 for
further details on installing and using these validators.
2.5 Conclusion
Tivoli Compliance Insight Manager gathers audit information from across the
organization and compares activity to the acceptable use policies defined by both
your organization and by your regulators. The core of Tivoli Compliance Insight
Manager is based on a secure, reliable, and robust log collection engine that
supports effective, complete log collection and fast, efficient query and retrieval.
By focusing on security from the inside, it uses the W7 methodology (Who, did
What, on What, When, Where, Where from, and Where to) to consolidate,
normalize, analyze, and report on vast amounts of user behavior and system
activity. As a result, organizations can quickly and easily reveal who touched
what within the organization (with alerts and proactive reports) and compare that
activity to an established internal policy or external regulations. Numerous
organizations rely on the policy-based approach of Tivoli Compliance Insight
Manager to simplify monitoring the activities of privileged users, such as
administrators and outsourcers, improving security auditing, compliance
Depending on the target environment, you might possibly need additional skills
on applications that are installed in the environment.
A SIEM solution will need to provide log data capturing capabilities. Aggregated
information will need to be securely stored. Archived data will need to reside in a
database format that will allow for accurate and expedient reporting and viewing
capabilities.
There are two types of installs that can be considered for a basic solution
definition: turnkey and partial install.
Turnkey install: This includes help with identifying and documenting reporting
requirements. During this installation method, the majority (if not all) of the
licensed event sources will be installed. Also, the product will be configured
and baseline policies will be built. Specified reports will be created and
documenting the information for future reference is part of this installation
type. Last, but not least, hands-on training as well as technical project
management will be provided.
Partial install: This offers a similar service as the turnkey install, but only
includes the installation of a couple of event sources of each type that are
licensed by the customer.
It is important to work with the project team of the organization you are engaging
with to understand their expectations. Once you have gathered this information,
document the tasks, deliverables, and associated costs in a Statement of Work.
The Statement of Work acts as your contractual agreement with the organization
for the duration of the project. Therefore, a detailed and well-defined Statement
of Work is absolutely mandatory and results in advantages to both you and the
client organization.
The benefits of using the executive assessment in your sales process include:
Earning additional service fees
More effectively qualifying prospective client organizations
Shortening the sales cycle
Streamlining the development process
Closing a much higher ratio of potential engagements
This toolset helps you to ask the right people the right questions so that you get
the information that you need to propose the appropriate solution. The
assessment then helps you create a compelling business case. This business
case then will better persuade your prospective client to buy the required
hardware, software, and services from you in the shortest possible time.
Over the duration of the executive assessment, you determine who will be
involved in the project, what they want to accomplish, when they plan to
deploy, whether the project plays a mission-critical role in their business, and
how the project will be funded. Armed with this information, a competitive analysis, and a prototype
solution, you will be able to justify their investment, build perceived value, present
your recommendations in a way that is almost irresistible, and successfully close
the contract.
You can set up Tivoli Compliance Insight Manager on a notebook computer that
meets the minimum hardware requirements using a VMware image. In this
VMware image, you should demonstrate to the customer all of the capabilities of
Tivoli Compliance Insight Manager.
The tasks that we list are our suggested tasks, and we list them in the order that
we think you should run them. You might complete the tasks in a different order
or might omit or add tasks depending on the environment in which you implement
the solution. The overall success of the tasks and the required time can be
influenced by the amount of skill and experience that you or your team have on
the solution.
For the detailed task breakdown, see 3.4, “Defining solution tasks” on page 69.
This section will help you put the SOW together. An example of a possible
Statement of Work can be found in Appendix A, “Statement of Work” on
page 211.
What is the business objective of the customer for installing Tivoli Compliance
Insight Manager?
This will drive the installation and determine what direction the customer
wants to take in evaluating, testing, or implementing the software.
Your estimates for timing will depend largely on the following factors:
Number of Tivoli Compliance Insight Manager event sources that need to be
deployed.
An event source for Tivoli Compliance Insight Manager can be a database, an
application, an operating system, a network device, and so on, which records
its events in logs and to which the Tivoli Compliance Insight Manager has
access in order to collect a selection of security-relevant logs for event
monitoring and reporting. Therefore, you need to determine the size
estimates separately for each adapter.
Number of Tivoli Compliance Insight Manager group policy rules that need to
be defined.
Policy rules define allowed behavior. Most events that happen in
organizations are normal events, created by normal working activities. Group
policy rules represent this behavior. Any action that these rules do not cover
is automatically a policy exception. A policy rule needs to be defined for
every platform.
Technical details
This section lists the technical details that you need to consider when
implementing Tivoli Compliance Insight Manager:
Assess if auditing is enabled.
If so, then ask how much data is being collected per platform. If not, then
standard audit settings should be implemented. After this step, details on the
data volume should be gathered to identify hardware sizing.
Is the auditing subsystem on the target servers fine-tuned?
This will help to avoid generating an excessive amount of log data.
Are there any special considerations for auditing on the target machines?
Think about Group Policy Objects (GPOs), third-party products, change
control for modifying audit settings, separate partitions for audit logs,
requirements to delete audit logs on the target platform, and requirements for
agentless log collection. These are just a few examples. Do brainstorming
with the customer representatives to evaluate as much as possible.
Find out how much data needs to be online in the log repository.
This is important in determining the hardware requirements.
The following is a guideline to determine minimum requirements:
The server needs to be partitioned in a RAID 5 configuration (preferred, but
not required).
The amount of data that is to be kept in the log repository determines the
required hard disk space.
Tip: The repository size can be calculated using the following formula (this is
an approximate size):
For further details on how to size the disk space, refer to the IBM Tivoli
Compliance Insight Manager Installation Guide Version 8.0, GI11-8176.
On what operating system will Tivoli Compliance Insight Manager run?
The Tivoli Compliance Insight Manager runs on the following operating
systems:
– Windows 2000 Server
– Windows 2000 Advanced Server
– Windows 2003 Standard Edition
– Windows 2003 Enterprise Edition
The Tivoli Compliance Insight Manager server should be a newly installed
system.
This system should be dedicated to Tivoli Compliance Insight Manager and
should not host or run any other applications.
The Tivoli Compliance Insight Manager system should have a static IP
address.
Reporting
By getting this information from the customer, it is easier to understand what the
reports should look like. Knowing in advance whether the customer needs to
generate reports by platform, by business unit, by location, or by another type of
group will help the service provider and the project team with the product
configuration.
Be sure to explain to the customer that they can monitor/report on their event
sources using a combination of different reporting databases. For example, they
can include their Solaris machines in a UNIX GEM database (AIX®, Solaris,
Linux®, and so on) and then include the Solaris event source in another GEM for
their business unit (Solaris, Win, RACF®, and so on).
Platform specifics
This section describes some of the platforms supported by Tivoli Compliance
Insight Manager. We cannot discuss all the specifics of all supported platforms,
so this section focuses only on the special considerations needed for a
successful implementation on Windows, HP-UX, Solaris, and iSeries® systems.
For a complete list of supported platforms, refer to the IBM Tivoli Compliance
Insight Manager Installation Guide Version 8.0, GI11-8176.
Windows
For Wintel platforms, you need to consider whether the organization’s
environment uses Active Directory® or NT domains. Also, evaluate whether the
Tivoli Compliance Insight Manager server service and the agent services run
under one central domain account.
For agent and agentless collections, it is important to know whether the customer
plans to create the domain users and groups manually. If so, you must ensure
that the required user permissions are set. A summary of the user permissions
required for agent and agentless collection follows:
Agent collects
– On the target machine, it will create a local group called CeAUsers.
– The global domain group g_CeAUsers will be part of the local CeAUsers
group.
– The global domain group g_CeAUsers will be part of the local
administrators group.
On the target machine, the local group CeAUsers will acquire the following
rights:
– Act as part of the OS.
– Log on as a service.
For a Wintel installation, it is important to know whether the Windows agents will
be installed manually or remotely. For remote installations, NetBIOS has to be
enabled. NetBIOS is also important for pushing out audit settings.
On which kind of server systems will the Tivoli Compliance Insight Manager
agents be installed? Domain controllers, file servers, print servers, or simple
member servers all have different tasks to perform and applications installed.
This will influence the amount of data gathered.
HP-UX
Before a successful Tivoli Compliance Insight Manager installation can be
carried out, the organization needs to ensure that the HP-UX systems are trusted
systems; otherwise, the native operating system auditing cannot be enabled.
Solaris
If the organization is using tcsh or csh, then the start-client script will have
problems executing.
Tip: To work around this problem, call the start-client script as follows:
$ sh start-client
If the organization does not already rotate and purge old logs from the target
systems to avoid filling up disk space, we recommend using a cron job to do so.
Some organizations can have very large volumes of data that can fill up their
disks on the target systems.
iSeries
The iSeries systems should have an English language module. The iSeries
should have a CD-ROM drive for the installation. The default priority for Tivoli
Compliance Insight Manager subsystems is 20. If the priority should be different
than this, change it.
Implementation spreadsheet
An implementation spreadsheet can be a Microsoft Excel sheet that you create
and fill out during the pre-implementation phase. It helps the project team
gather information about all systems in scope. It should have the following columns:
In or out of scope of the project
Name of the application
Owner of the application
Platform where the application is running on
Server name
Event source name
Daily log size
Business unit
Server location
Function of server
Domain
IP address of server
Number of network cards attached
Which Tivoli Compliance Insight Manager server assigned to
Tivoli Compliance Insight Manager group
With the information gathered into this list, it is much easier to plan the
implementation of Tivoli Compliance Insight Manager server and its agents on
the target systems.
3.5 Conclusion
In this chapter, we gave you an overview of what it takes to prepare for a
services engagement. We also showed what it takes to define a solution scope
and its components, and how to define the solution tasks.
With this knowledge, we will now continue with Figure 4 on page 79, where we
guide you through our (fictional) scenario of a fitness center company, called Gym
and Health Corporation (GaH). Then we go to Chapter 5, “Deployment design”
on page 89, which contains information about the deployment design. Then we
need to show you how to install the Tivoli Compliance Insight Manager in
Chapter 6, “Installing Tivoli Compliance Insight Manager” on page 99. The last
two chapters, Chapter 7, “Event source configuration” on page 121 and
Chapter 8, “Report generation” on page 191, explain how to configure event
sources and do some basic reporting.
Part 2 Customer environment
In this part of the book, we discuss how to deploy Tivoli Compliance Insight
Manager in a particular customer environment.
Note: All names and references for company and business institutions used in
this chapter are fictional. Any match with a real company or institution is
coincidental.
GaH offers a variety of training and service standards to its members and
professional supervision during training.
One reason for GaH being one of the leading U.S. fitness companies is the
availability of fitness and health data of its members whenever a member enters
any of GaH’s fitness centers. Logging on to member data can be done by a chip
card in conjunction with fingerprint authentication. Authentication can be granted
on every piece of training equipment. New training results will be stored
automatically after each training session and will be replicated to each of the
data centers during the night.
GaH also offers a program called gymnastics on demand (gymod). This program
has reduced monthly fees and charges the member on an “as used” basis by
sliding the chip card at the fitness station through the same card reader that is
used to logon to the training information. An application will ask the member to
confirm to be charged from the prepaid amount of money that can be loaded onto
the chip card at any GaH fitness center.
These regional data centers service the IT needs of the region, such as user
administration and help desk support.
Since credit card, personal information, and health data is processed on the
servers, GaH is concerned about the security of this data. That is why GaH
wants (and needs) to adhere to the regulations and security standards outlined in
4.2.2, “The GaH information security compliance initiative” on page 85.
Gym and Health Corporation uses three fully resilient data centers in Ft. Myers
(Florida), Kansas City (Kansas), and Salem (Oregon) for their operations.
GaH knows that they have to be compliant with these rules and regulations. They
have implemented a variety of security measures to ensure information security
compliance. With the expansion plans in place, they need to be in much better
control of information security compliance. For that reason, they decide to
implement Tivoli Compliance Insight Manager, which gives them control over
who in the IT infrastructure does what, when, where, and so on.
GaH also wants to discover who does what. With this information, an internal
project will be set up to raise the quality of internal security standards. GaH
wants to gain as much control over information security compliance as possible by
being compliant with all of the above mentioned rules and regulations. This is a
mandatory requirement if the business expands outside the U.S. Also, with Tivoli
Compliance Insight Manager, they will be able to demonstrate compliance to
rules, regulations, and security policies to internal and external auditors in a
better and more efficient way.
4.5 Conclusion
This chapter gives you an overview of how the Gym and Health Corporation is
currently set up. Future plans have been discussed, and you know what steps
need to be taken to ensure GaH’s future security compliance. Chapter 5,
“Deployment design” on page 89 describes the design of the deployment, which
should be the first step in each deployment project.
Keeping PCI and HIPAA compliance in mind, the CIO and the Information
Security team have identified the three primary business requirements for their
solution:
1. Implement processes to help achieve PCI and HIPAA compliance. Although
GaH currently is considered a “Level four Merchant” for PCI (less than 20,000
transactions per year), their outlook is going to be far beyond this number.
Compliance to PCI for Level four is recommended but not mandatory.
Nevertheless, looking ahead into the future, the CIO of GaH decided to make
this a key project. In particular, they want to monitor and report on user
access to sensitive company assets, that is, the sensitive assets that need to
be protected include the company’s financial data, as well as confidential
customer data that is stored on their servers.
2. Monitor and audit the actions taken by privileged users for internal purposes.
The GaH security representatives recognize the need to monitor privileged
users and their activities on key corporate systems and data to ensure that
confidentiality, integrity, and the availability of systems is properly maintained.
This monitoring and auditing can help prevent costly damages or outages due
to inadvertent mistakes or malicious actions of powerful users.
3. A centralized logging mechanism is needed. In order to meet regulatory
requirements, the IT security team would like to automate rapid, reliable log
file collection and management across their distributed IT environment, which
includes a variety of applications, operating systems, and databases:
a. This logging mechanism needs to be configurable so that it can change as
the corporate requirements and reporting needs evolve.
b. Historical log data should be accessible in order to get a global view of
compliance.
Let us examine every business requirement, and search for reasons and the
functional requirements:
Business requirement 1: In order to meet PCI regulations, GaH needs to
monitor user access to all sensitive company assets. This monitoring is
important for two key reasons. First, there is the threat of employees misusing
the data and breaching privacy. Employees may fraudulently access or
disclose confidential information. The second primary issue is data integrity. It
is essential that the company ensures that their data records are accurate
and complete. Therefore, GaH must be able to detect if someone tampers
with critical data.
GaH has corporate IT security policies outlined to help prevent the misuse of
sensitive assets. To guarantee that these IT security policies are being
adhered to, GaH wants to audit the logs of critical systems and applications.
The core business of GaH is fitness training. Therefore, the number of IT staff
needs to be kept to the absolute minimum. GaH wants to implement a
compliance management solution that enables total monitoring of all system
events, with automatic identification and reporting of potential security
breaches.
Extracting relevant information from the raw logs manually can be difficult
because the format of logs is often quite incomprehensible. This can be
overcome by implementing a compliance management solution that is
capable of processing the log data and transforming it into a standardized
format that is easier to read. GaH wants the ability to easily generate
meaningful reports to display the compliance information.
The key functional requirements for monitoring user access to sensitive
company assets are listed as follows:
a. The corporate IT security policies can be mapped into policies within the
compliance management solution.
b. Use of company assets is continuously monitored, with automatic
detection and reporting of potential security breaches.
c. The compliance management solution should transform the data extracted
from the logs into a readable, easy to comprehend format for the user.
While business and functional requirements are the main parts of the security
design objectives, we also have to consider other non-functional requirements
and constraints. These may include objectives that are necessary to meet
general business requirements, or practical constraints on designing the
compliance solution.
Prioritizing the monitoring and reporting requirements of the target systems and
applications is important because the priorities are one of the primary factors
used to decide which implementation tasks will be done in which phase of the
project. It is rare that a compliance management solution can be created as a
single deliverable satisfying every requirement on all targets. It is far more likely
that it will be delivered in phases and the highest priority requirements should be
included in the earliest phases.
PCI
The Payment Card Industry Data Security Standard outlines best practices for
credit card data that is stored, transmitted, or processed. This standard consists
of security requirements and guidelines that are mandatory for all major credit
card issuers. Each organization that works with one of these card issuers also
has to be compliant to the PCI standard.
GaH has just under 20,000 credit card transactions per year. As outlined
previously, they have many more transactions built into their expansion plans.
Being a “Merchant Level 4” organization, it is not mandatory to be in compliance
with the PCI standard. Levels 1 to 3 must be compliant. Table 5-1 describes the
merchant level definitions.
Table 5-1 Merchant level definitions
Merchant Level 1  Any organization that processes more than 6 million credit card transactions (Visa or MasterCard) per year
Merchant Level 2  Any organization that processes 150,000 to 6 million credit card transactions (Visa or MasterCard) per year
Merchant Level 3  Any organization that processes 20,000 - 150,000 credit card transactions (Visa or MasterCard) per year
Merchant Level 4  Any organization that does not fit into Level 1, 2, or 3.
The PCI requirements can be broken down into six different topics, containing
the twelve requirements, which are discussed in the following sections.
HIPAA
The Health Insurance Portability and Accountability Act is one of the regulations to
which GaH must adhere. There are a lot of predefined HIPAA reports and
policies available out-of-the-box within Tivoli Compliance Insight Manager, so we
will not concentrate on this topic within this book, although GaH must still
implement these policies and reports.
As outlined in 4.1, “Company profile” on page 80, we assume that identity and
access management tools and systems are in place. These, of course, also need
to be monitored, but are not within the scope of this book. We will only
concentrate on GaH’s current IT infrastructure described in 4.2, “Current IT
infrastructure” on page 82.
If it is not possible to generate the required log data, then that report cannot be
produced for that particular system.
Once compromised, the set of sensitive business data also has a high impact,
but it is not so vulnerable because it is protected by ACLs, encryption, and
authentication. In our scenario, this would be the DB2 system containing all
personal, health, and credit card data.
As a result, GaH will address these two systems first with Tivoli Compliance
Insight Manager.
The file and print server on the intranet zone of GaH in this scenario will not hold
any confidential data, so it is considered to be not classified. It needs to be
monitored, but it is not part of the priority 1 phase (most critical servers).
5.5 Conclusion
In this chapter, we have defined the business and functional requirements. Now
that we have defined the design and the subsequent implementation approach,
we are ready to install the Tivoli Compliance Insight Manager
server. This will be described in Chapter 6, “Installing Tivoli Compliance Insight
Manager” on page 99.
The first section discusses planning the installation. Depending on your system
requirements, you can choose one or more of the following installation options:
Tivoli Compliance Insight Manager Enterprise Server
This installs the Enterprise Server, the Web applications, the Management
Console, and the consolidation database.
Tivoli Compliance Insight Manager Standard Server
This installation method installs the Standard Server, the Web applications,
and the Management Console.
Point of Presence
This will install the Actuator component.
Remote Management Console
This will install the Actuator and the Management Console.
The second part will outline the installation of a Tivoli Compliance Insight
Manager server and its components.
In the scenario of this book, you are not required to install an Enterprise Server,
since we are only monitoring a very small number of servers. We will concentrate
on installing a Standard Server that has all the functionality that we need for our
customer Gym and Health Incorporation (GaH).
Figure 6-2 Tivoli Compliance Insight Manager database engine installation directory
Figure 6-4 Tivoli Compliance Insight Manager check setup information page
7. After the installation is complete, you must reboot your system before
continuing with the installation of other Tivoli Compliance Insight Manager
components. You can either choose to have the installation program perform
the reboot, or you perform the reboot yourself. Click Finish to exit the
installation program.
Figure 6-18 Location of the text file containing the command to register to an Enterprise
Server
15. The Setup Complete window shown in Figure 6-19 on page 119 is displayed
when the installation is complete. This window lists the Tivoli Compliance
Insight Manager components that were installed, and whether the installation
succeeded. If the window indicates that the installation did not succeed, run
the setup program again.
Chapter 7, “Event source configuration” on page 121 will guide you through the
configuration of event sources that will be monitored for our scenario.
By default, the Active Directory is configured to log critical and error events only.
Only change this behavior if a detailed investigation is needed, because
extensive logging of events can quickly consume data storage space.
The following types of events that can be written to the event log are defined in
the Active Directory:
1. Knowledge Consistency Checker (KCC)
2. Security Events
3. ExDS Interface Events
4. MAPI Events
5. Replication Events
6. Garbage Collection
7. Internal Configuration
8. Directory Access
9. Internal Processing
10. Performance Counters
11. Initialization/Termination
12. Service Control
13. Name Resolution
14. Backup
15. Field Engineering
16. LDAP Interface Events
17. Setup
18. Global Catalog
19. Inter-Site Messaging
0 (None) Only critical events and error events are logged at this level.
1 (Minimal) Very high-level events are recorded in the event log at this setting.
GaH decided to perform a high level of logging on Security Events and Directory
Access. These settings are applied through the registry settings as follows:
1. Run regedit on the Active Directory target machine.
2. Navigate to the registry subkey
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
Note: The example in this chapter describes the monitoring of a single Active
Directory server only. For bigger Active Directory implementations where a
domain forest has been implemented, the process for monitoring the single
Active Directory server shown in this chapter would need to be repeated for
each member of the forest.
This section describes how to monitor and audit one of these file shares (for
example, C:\Finance). GaH would repeat this process for all of the shared folders
that need to be audited.
To enable and configure auditing of access to the C:\Finance folder, these steps
are performed on the target systems:
1. Open Windows Explorer, right-click the folder, and select Properties, as
shown in Figure 7-5.
3. Select the Auditing tab. Figure 7-7 on page 131 shows the default contents
of this tab.
4. Configure auditing for a new user or group by clicking Add. An input box will
be displayed. You can enter the name of the user group to be monitored and
click OK. In Figure 7-8, the Domain Users group has been added because all
authenticated users of the GaH systems are contained in this group.
6. The new auditing entry will now appear in the Advanced Security Settings
window, as shown in Figure 7-10 on page 133.
7. Click OK to close.
Each of these steps is shown in 7.3.1, “Create the GEM database” on page 134
to 7.3.3, “Add event sources” on page 141.
5. Figure 7-12 shows how the new database will now appear in the Database
View.
GaH wants to group their audited Windows machines into a system group called
“Windows” in the Machine View of the Management Console.
Note: Checking the Show Available Event Source Types box will cause the
Event Source Type panel on the right hand side of the window to appear. This
allows you to browse the supported event sources for the type of machine you
are adding.
4. A local Actuator will be installed on each of the target machines. This option is
selected in Figure 7-17 on page 139. Click Next.
5. The default port that will be used for the Point of Presence is 5992. You can
check the availability of your configured port by clicking on the Test Port
button. In this window, you can elect to perform an Automatic or a Manual
install. For demonstration purposes, this chapter will show a manual Actuator
installation on a single Windows 2003 target system (FSPDC), as shown in
Figure 7-18. When adding the remaining Windows 2003 server machines in
Tivoli Compliance Insight Manager, GaH can use the option of automatically
installing the Windows Actuators on the targets.
7. The Choose Event Source Type window appears. For the FSPDC machine,
which is an Active Directory Domain controller, both Microsoft Active
Directory and Microsoft Windows have been selected (see Figure 7-20). Select
Next.
Note: When adding the Windows 2003 server machines that are not Active
Directory servers, only the Microsoft Windows event source would be
selected.
8. Figure 7-21 on page 141 shows the Completing the Add Machine Wizard
window that appears. Click Finish to complete the Add Machine setup.
For the FSPDC domain controller that has just been added, the wizard runs
twice: once for Microsoft Active Directory and once for Microsoft Windows.
This section illustrates how to complete the Add Event Source Wizard for the
Microsoft Active Directory event source on the FSPDC Windows server. The
wizard for the Microsoft Windows event source on FSPDC is similar and so are
the wizards for each of GaH’s other Windows server event sources.
Set the load schedule time at least 15 minutes after each scheduled
collection time. This delay ensures that Tivoli Compliance Insight Manager
loads the most recently collected data into the database.
6. The Event Source Wizard is now complete and the final window shown in
Figure 7-27 on page 147 is displayed. Click the Finish button.
Note: The default location for this configuration file on the Tivoli
Compliance Insight Manager Standard Server is
<TCIMHomeDir>/ManConsole/<TargetMachineName>-<TCIMServerName>.cfg.
This config file has been copied to the FSPDC server. Enter the complete
path to the file and click Next.
9. The Updates Overview window shown in Figure 7-36 outlines the installed
components. Click Next.
This section describes the process of setting up the W7 rules for GaH’s
Windows event sources.
GaH will import the user information from Active Directory on the FSPDC server
to simplify the creation of their W7 grouping definitions.
9. The new User Information Source is now displayed in the Event Source view
of Management Console, as shown in Figure 7-46.
Figure 7-46 Grouping Active Directory UIS is available in the Management Console
Select Policy → View Automatic Policy and choose the current time in order to
get the most recent grouping definition.
The following process can be used to create a new policy for GaH that includes
grouping and policy rules for the Windows event sources that are being
monitored for phase 1:
1. Duplicate the latest committed policy to create a new working policy.
2. The new working policy can be used for customizing the W7 group definitions.
The Group Definition Set from the UIS can be imported into this policy.
3. Create appropriate W7 policy rules and attention rules for policy building.
4. Load the database using this working policy.
5. Commit the policy when the W7 rules are producing the desired results.
Each of these five steps is described in more detail in this section.
A new policy appears under the Work folder, as shown in Figure 7-48.
2. We can use the Browse button to search for the correct configuration file, as
shown in Figure 7-50.
Figure 7-51 NT folder for the automatic policy contains the config file
5. In Figure 7-53, we configure the group definition set name to be “FSPDC” and
click OK.
Figure 7-54 Locate the new group definition set in the working policy
As an example, the following figures show how GaH describes the Windows
locations of their confidential financial data. Section 7.1, “Auditing” on page 122
explains that the GaH Windows file servers have a number of directories that
contain sensitive corporate data. The financial data is stored within the
C:\Finance directory.
2. Figure 7-56 shows how to create a requirement to specify the new condition.
Right-click the condition and select New Requirement.
4. The new requirement is now complete and can be seen in the Grouping
windows shown in Figure 7-58.
Figure 7-58 W7 group definition for the Windows financial data file share
Showing all of these grouping definitions for GaH is beyond the scope of this IBM
Redbooks publication.
The default committed policy that was used as the basis for the current working
policy contains a number of predefined policy rules and attention rules. GaH
analyzed these existing policy and attention rules to ensure that they were all
appropriate to their IT environment. Where appropriate, these pre-existing rules
were edited.
New rules were also created to customize the rules to meet GaH’s needs. This
section describes the process of creating one of the policy rules GaH has
decided to introduce to the policy. The rule is defined in Table 7-2.
For this policy rule to be useful, GaH has ensured that the W7 Who group called
System effectively describes the permitted “system” users with the appropriate
requirements and conditions defined. Similarly, the W7 Where group called
INSIGHT has been created to represent all of the Windows servers being
monitored in the INSIGHT domain.
2. As you can see in Figure 7-60, an Edit Rule window appears that allows us to
enter the W7 groups that specify the new rule. Click OK.
3. The new rule appears in the Policy Rules list, as shown in Figure 7-61 on
page 175.
4. Once the new policy rules have been defined, the working policy must be
saved. The Save option is under the Policy menu (see Figure 7-62).
After reviewing the predefined attention rules, the security IT staff at GaH
proceeded to identify some more desired attention rules.
For example, the security IT staff are interested in being notified whenever
confidential financial data is deleted. This section outlines the configuration in
Tivoli Compliance Insight Manager to configure an attention rule for these
deletion events.
This What group can now be used in the new Attention rule that is created.
2. Figure 7-65 on page 178 shows the Edit Rule window that appears. The new
Attention Rule has been defined as: Any user performing a deletion (W7 What
= “User Actions - Deletions”) on objects in the financial file shares (W7
onWhat = “Financial Data”).
GaH has opted to assign an ID to this attention rule so that it can be managed
easily. Tivoli Compliance Insight Manager allows these rule IDs to be used to
create alerts for individual attentions. That is, an alert can be configured in the
future to send an e-mail to the GaH IT security administrator when events
matching this attention rule are detected by Tivoli Compliance Insight
Manager. “Alerts” on page 178 describes the creation of an e-mail alert.
3. After we click OK in the Edit Rule window, the new Attention rule appears in
the Attention Rules window, as shown in Figure 7-66.
Alerts
As described in the previous section, GaH wants to configure an alert that sends
an e-mail to the security IT administrator staff when deletions are performed on
objects in the confidential file shares.
3. The Edit Alert window is displayed. GaH configures the alert to send an
e-mail to the recipient admin@GaH.com when events matching the attention
rule with ID DeleteFinancials occur (refer to Figure 7-69 on page 181). Click
OK.
4. The alert is updated with the new configured settings. Click the Protocol
Settings button shown in Figure 7-70 to configure the protocols in use.
Protocol settings apply to all alerts that are sent using the same protocol.
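To show how the pieces configured in this section fit together (the “Financial Data” onWhat group, the System/INSIGHT policy rule, the DeleteFinancials attention rule and its e-mail alert), here is an added Python model of the W7 evaluation run over a few constructed Windows file-server events. This is illustration code, not IBM’s or the product’s own rule engine: the group names, rule ID and recipient come from the chapter, while the event layout, host names, account patterns, the second policy rule and the “uncovered events are policy exceptions” semantics are assumptions.

```python
"""Toy model of the W7 pipeline from this chapter (added example, not IBM code).

Constructed events are normalized into W7 groups (Who, What, Where, onWhat),
checked against policy rules and attention rules, and matched to an alert
by attention-rule ID. Host names, account patterns and the matching logic
are assumptions; group names, rule ID and recipient come from the chapter.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class RawEvent:
    """Constructed collected event (not a real Windows Security log record)."""
    user: str    # account as DOMAIN\name
    host: str    # server where the event was recorded
    action: str  # normalized action verb
    obj: str     # object acted upon (file path, group name, ...)
    when: str


# Which raw field feeds each W7 dimension (WhereFrom/WhereTo omitted).
FIELD_SOURCE = {"Who": "user", "Where": "host", "What": "action", "onWhat": "obj"}

# Group definition sets. Each group lists requirements; a requirement here is a
# single case-insensitive glob condition on the dimension's raw field.
GROUP_DEFINITIONS = {
    "Who": {
        "System": ["NT AUTHORITY\\SYSTEM", "INSIGHT\\svc-*"],  # assumed patterns
        "Domain Users": ["INSIGHT\\*"],
    },
    "Where": {"INSIGHT": ["FSPDC", "FSP*"]},       # INSIGHT domain servers (assumed names)
    "onWhat": {"Financial Data": ["C:\\Finance\\*"]},  # the C:\Finance share from 7.1
    "What": {
        "User Actions - Deletions": ["delete"],
        "User Actions - Reads": ["read"],
    },
}

# Policy rules describe permitted behaviour as W7 group combinations; a
# dimension absent from a rule matches any group. An event covered by no
# policy rule is reported as a policy exception (assumed semantics).
POLICY_RULES = [
    {"Who": "System", "Where": "INSIGHT"},  # the Table 7-2 rule: System users on INSIGHT
    {"Who": "Domain Users", "What": "User Actions - Reads",
     "onWhat": "Financial Data"},           # assumed additional rule
]

# Attention rules fire independently of the policy outcome; the ID links to an alert.
ATTENTION_RULES = [
    {"id": "DeleteFinancials",
     "What": "User Actions - Deletions", "onWhat": "Financial Data"},
]

# Alert configuration: attention-rule ID -> e-mail recipient.
ALERTS = {"DeleteFinancials": "admin@GaH.com"}


def classify(event):
    """Map one raw event to its W7 groups; a value no group claims is '(ungrouped)'."""
    w7 = {}
    for dim, src in FIELD_SOURCE.items():
        value = getattr(event, src).upper()
        matched = [group for group, patterns in GROUP_DEFINITIONS[dim].items()
                   if any(fnmatchcase(value, p.upper()) for p in patterns)]
        w7[dim] = matched or ["(ungrouped)"]
    return w7


def rule_matches(rule, w7):
    """A rule matches when every dimension it names is among the event's groups."""
    return all(rule[dim] in w7[dim] for dim in FIELD_SOURCE if dim in rule)


def evaluate(events):
    """Classify each event and apply policy rules, attention rules and alerts."""
    results = []
    for event in events:
        w7 = classify(event)
        fired = [r["id"] for r in ATTENTION_RULES if rule_matches(r, w7)]
        compliant = any(rule_matches(r, w7) for r in POLICY_RULES)
        results.append({
            "event": event,
            "w7": w7,
            "status": "compliant" if compliant else "policy exception",
            "attention": fired,
            "alerts": [ALERTS[i] for i in fired if i in ALERTS],
        })
    return results


# Constructed sample events for the FSPDC server.
SAMPLE_EVENTS = [
    RawEvent("INSIGHT\\svc-backup", "FSPDC", "read", "C:\\Finance\\ledger.xls", "02:00"),
    RawEvent("INSIGHT\\jsmith", "FSPDC", "read", "C:\\Finance\\budget.xls", "09:12"),
    RawEvent("INSIGHT\\jsmith", "FSPDC", "delete", "C:\\Finance\\Q3.xls", "09:15"),
    RawEvent("INSIGHT\\jsmith", "FSPDC", "delete", "C:\\Public\\notes.txt", "09:20"),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS):
        e = r["event"]
        print(f"{e.when} {e.user} {e.action} {e.obj}: {r['status']}; "
              f"attention={r['attention']} alerts={r['alerts']}")
```

Only the third event both breaks policy and fires DeleteFinancials, so only it would produce the admin@GaH.com alert; the fourth deletion is a policy exception but not a special attention because the object is outside the Financial Data group.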
We can wait for the next scheduled collection and load to occur. Alternatively, we
can temporarily cancel the scheduled load and manually load the database
instead.
8. When we refresh the database view in the Management Console, we see that
the status for that database changes to the value “Loading...” to signify that
the load process has started. When the load is complete, the status will be
“Loaded” and the time and date of the last load will also be updated.
To commit the working policy, we simply right-click the policy (in the work folder of
Management Console Policy Explorer) and select Commit. When the policy has
been committed, it will appear under the Committed folder.
7.6 Conclusion
Event source configuration was the topic of this chapter. We showed how
auditing can be configured and enabled. The next section described how to
configure new Windows event sources. Without an Actuator on a target system, it
is not possible to gather log data from that system, so we dedicated a section in
this chapter to this topic. The last section of this chapter described how to
configure the audit policy for the GaH scenario. Basically, these are the W7
groups and rules. To work with gathered data, it has to be loaded into the
database, which was one of the last steps described in this chapter.
We are now ready to run reports from the log data that was loaded into the
database, which we discuss in Chapter 8, “Report generation” on page 191.
Tivoli Compliance Insight Manager provides both standard and custom reports
and enables analysis of the data in a variety of formats and levels of detail. This
chapter will lead you through the navigation of iView, the reporting application of
Tivoli Compliance Insight Manager, and will also show you how to generate
standard reports that are provided out-of-the-box with Tivoli Compliance Insight
Manager.
In this chapter, we assume that you have already obtained a user name and
password from the Tivoli Compliance Insight Manager administrator. The web
portal usually is accessed through the following URL:
http://webserver/Portal
where webserver is the name (or the IP address) of the system where the Tivoli
Compliance Insight Manager Web applications are installed. Portal is the name
of the virtual directory where the portal is deployed.
After having logged on, you are directed to the Portal Overview page, which
contains a set of links to the available Tivoli Compliance Insight Manager
components. The overview page is divided into two panes. On the left side you
see the “Tivoli Compliance Insight Manager Portal” and on the right side you see
the “Extra Information” pane. Figure 8-1 on page 193 shows you the reporting
portal.
The main pane includes sections about links to the installed components of Web
applications and links to the add-on components of Tivoli Compliance Insight
Manager. The “Extra Information” pane is located in the right part of the overview
page. It consists of the help section, which is common to all Tivoli Compliance
Insight Manager components that are manageable through the Web interface.
The help section gives instructions about using the key features of the
corresponding components.
After clicking iView, the application will switch to the main page of iView. The
iView Navigation Bar is displayed at the top of the page as shown in Figure 8-2.
We explain briefly the eight options you can choose from this menu:
Dashboard
This shows the compliance dashboard. The dashboard window is divided into
three sections:
– The enterprise view, which shows events by top event count by “Who” and
“On What”
– A trend graphic, showing a percentage of policy exceptions
– A database overview with a list of all available databases along with brief
information about a selected database
Trends
This shows all events of aggregated data of all databases for a specific period
of time.
Reports
This shows the initial iView reporting page.
Regulations
Here management modules can be accessed and monitored.
Policy
Here you can set up and check Tivoli Compliance Insight Manager audit
policies.
Groups
This gives access to the group types page of iView. This also includes group
types for the selected database, the number of groups they presently contain,
and the “Grouping Wizard”.
In this section, we show how to change the filter of the displayed data.
Depending on how narrow or wide you select the filter (for example, time frame of
displayed data), the information displayed might look similar to Figure 8-3 on
page 196.
From the enterprise overview, you can view all activities in the enterprise. The
size of each circle indicates the amount of activity (logged events). Blue circles
indicate compliance to the policies, and red circles indicate non-compliance to
the policies. On the axes, we compare people (Who) with information (onWhat).
You can open a similar view for each of the reported databases by clicking them.
Let us look in more detail at the mapped events, especially the policy exceptions
and special attentions.
To view all of the individual policy exception events, go back to the previous
window (this is the database summary page) and click the link for the event list.
Once you click it, it will display all individual policy exceptions, as shown in
Figure 8-7 on page 199.
In the last column entitled “#SpecAtt” is the breakdown of the occurrences of
that group of events. Clicking the values in this column will display a window, as
shown in Figure 8-11 on page 202. For example, if you click the value “4” in the
first row, it will display the special attentions for events classified as
“Administration” (What) on “Sensitive Groups” (On What) by user
“CRMLAB\ADMINISTRATOR” (Who) located at “CRMLAB\DCSRV” (Where).
Each of these categories contains predefined reports to analyze the events that
have been captured.
Clicking the link Events by rule will open another window, as shown in
Figure 8-15. In the last column, called Action, some reports show a tick. This means
that in order to generate such a report, you need to input some additional
parameters. This applies to all reports that have this tick in the last column; all
other reports can be generated by clicking the link Title.
As with all reports that we will demonstrate in this chapter, you can click any of
the links of the reports to get more detailed information about the event.
One of the daily verification reports shows data about logon failures. This is one
of the reports the security management of GaH would like to see. If you click the
link Logon Failure Summary, this report will be generated, as shown in
Figure 8-17 on page 207.
A complete review of all of the predefined reports is beyond the scope of this
book, so we will only briefly talk about how to analyze trends with iView.
To get data from the last four weeks, click Last Month. The drop-down menu that
defaults to All Events lets you select between all events, policy exceptions,
special attention events, and failures. For the latter three, you can also choose to
see a percentage view.
Click Previous to view the previous time period, and click Next to show the next
time period. If there is no data available, the control is unavailable.
Below the bar graph there are fields for each of the W7 group types. Click Go
(not seen in this screen capture; it is located to the right of these seven list boxes)
and iView will show you data for the previously selected groups.
At the bottom of the window there is a table with a description of every bar in the
figure. Again, also click the links in the table in the Day or #Events columns to
see a more detailed explanation of the events.
Executive summary
The service engagement provides a high-level assessment of your customer’s
information security compliance requirements. You should provide an initial
assessment of the customer’s environment and a demonstration of how to
monitor the customer’s resources for compliance. You should also list the
resources that are required to implement the solution.
Business objective
What is the business objective for installing IBM Tivoli Compliance Insight
Manager? This will drive the installation and determine what direction the
customer wants to take in evaluating, testing, or implementing the software.
Reporting requirements
Learn about the reporting requirements of the various groups and audiences that
will be using Tivoli Compliance Insight Manager at the customer organization. If
the customer is unable to provide their reporting requirements, but has a
business or security requirement for monitoring privileged users, then
recommend the top 10 Privileged User Monitoring and Audit (PUMA) reports.
Target platforms
This will help determine the customer’s focus. Some customers are more
interested in monitoring UNIX servers while others concentrate on Windows
servers. Use an implementation pre-planning worksheet, which requires the
customer to provide information about event sources, platforms, versions, log
sizes, and so on.
Tracking of progress
How is progress being tracked during this implementation project? The customer
might want to have weekly status reports. The format of the report should be
agreed upon by everyone involved.
Implementation team
It is important to identify the key players at the customer site and within IBM.
These typically are members of the administration and security teams.
Project scope
The Statement of Work also describes the project scope. This description should
include (but not be limited to) the following items:
IBM will assess the customer’s computing environment to prepare for the
implementation of Tivoli Compliance Insight Manager.
Install and configure Tivoli Compliance Insight Manager Standard Server in a
test environment.
Implement security event collection and loading from target systems.
Assist the customer with the definition and creation of Tivoli Compliance
Insight Manager groups and policies.
Generate the customer required reports (or the top 10 PUMA reports).
Provide (remote) guidance to the customer project team during intermediate
deployment.
Provide product training.
IBM responsibilities
In this part of the Statement of Work, IBM responsibilities should be documented.
It can be divided into six different sections.
Project management
The purpose of project management is to provide technical direction and control
of IBM project personnel and to provide a framework for project planning,
communications, reporting, procedural, and contractual activity. This activity is
composed of the following tasks.
Planning
The contractual responsibilities of both parties with the customer’s project
manager will be reviewed. Also, project communications through the customer’s
project manager will be maintained.
Deliverables
Audit setting recommendations
Tivoli Compliance Insight Manager system requirements
Port and protocol details for the customer’s change management
Tivoli Compliance Insight Manager environment design diagram for the
customer’s production environment based on information gathered and
defined in Phase 1 of the project
Customer responsibilities
The successful completion of the implementation also depends on the
customer’s participation and full commitment. This section therefore should
include customer responsibilities as precisely as possible. A successful
implementation project is predicated upon the following customer responsibilities:
Project manager
Prior to the start of a Statement of Work, a designated person from the customer
must be assigned. This person will be the focal point for all communication
relative to the project. This person’s responsibilities include:
Manage the customer’s personnel and responsibilities for the project.
Serve as the interface between IBM and all customer departments
participating in the project.
Participate in project status meetings.
Obtain and provide information, data, and decisions.
Resolve deviations from the estimated schedule, project plan, or Statement of
Work.
Help resolve project issues and escalate issues within the customer’s
organization as necessary.
Other responsibilities
Within this section of the Statement of Work, you should document that the
customer’s staff is available at the agreed time. Also, the customer needs to
ensure that the staff has the appropriate skills and experience. In addition, it
could be stated that suitable additional or alternative staff will be provided.
Accurate information is key for such projects. It should be agreed that all
information disclosed to IBM will be true, accurate, and not misleading in any
material respect.
It also has to be the customer’s responsibility to make the final selection of the
solution and technical architecture. Given this, all prerequisite hardware and
software to be used during the project should be supplied by the customer.
Facilities
If the project is implemented on the customer’s premises, it should be the
customer’s responsibility to provide the appropriate facilities, such as supplies,
furniture, computer facilities, telephone/fax communications, analog lines and
broadband access through network connectivity capability, and other facilities
while working on the project.
Last but not least, the customer should ensure the appropriate backup, security,
and virus checking procedures are in place for any computer facilities the
customer provides or that may be affected by the services.
Deliverables
The following deliverables will be provided to the customer throughout the
project:
Implementation information
This specifies the installation prerequisites and contains the system
requirements, as well as the ports and protocols needed to install Tivoli
Compliance Insight Manager.
Tivoli Compliance Insight Manager Security Manager installation
This delivered document provides detailed instructions on installing the Tivoli
Compliance Insight Manager Server. It will show installation steps and screen
captures where applicable. By following these instructions, a customer’s
administrator will be able to perform a default installation of Tivoli Compliance
Insight Manager, including the embedded Oracle 10g database component.
Additionally, the document includes instructions for installing the applicable
hot fixes and platform plugs.
System agent installation
This document provides installation steps and screen captures, where
applicable, to install the operating system agents that were planned for the project.
Completion criteria
You need to list the completion criteria here. You have to engage the customer to
get a proper sign off of the project with an appropriate completion criteria, for
example, the customer’s acceptance of the findings and recommendations. Also
take into consideration that our project team or the customer might cancel the
project.
You can include specific issues and resolutions explicitly in the completion
criteria. You have to be aware of these additional specific completion criteria for
the customer.
Estimated schedule
Define an agreed start and end date of the implementation project here. Be sure
to estimate the time frame as accurately as possible. Underestimation will lead to
additional effort.
Charges
Be sure to add this part to the Statement of Work. The project can be charged at
a fixed price or at any other convenient charging method. Payment can be
provided at the end of the project or after each successfully completed phase of
the project.
Glossary
Access management
A discipline that focuses on ensuring that only approved roles are able to create, read, update, or delete data, and only using appropriate and controlled methods. Data governance programs often focus on supporting access management by aligning the requirements and constraints posed by governance, risk management, compliance, security, and privacy efforts.
Actuator
A piece of software that automates the collection of logs from event sources and transmits the logs to the Depot. Each Actuator consists of an Agent and numerous Actuator Scripts. The server where the Actuator is installed is referred to as the Point of Presence.
Actuator scripts
The Actuator Scripts are invoked by the Agent (at the request of the Tivoli Compliance Insight Manager Server) to collect the log for a particular event source. There is a different script for every supported event type.
Agent
The Agent is a component of the Actuator. It listens for collection requests from the Tivoli Compliance Insight Manager Server, invokes the appropriate Actuator Script, compresses the retrieved logs, and maintains an encrypted channel for communication with the Tivoli Compliance Insight Manager Server in order to securely deliver the requested logs.
Alerts
Messages that Tivoli Compliance Insight Manager sends when a serious or potentially harmful security event has occurred. Alerts allow for a fast response to the event by a systems manager or system administrator.
Assurance
Activities designed to reach a measure of confidence. Assurance is different from audit, which is more concerned with compliance to formal standards or requirements.
Audit
An independent examination of an effort to determine its compliance with a set of requirements. An audit may be carried out by internal or external groups.
Audit report
A report that shows infrastructure changes that are made to hardware and software and who is responsible for the changes.
Audit trail
A record that can be interpreted by auditors to establish that an activity has taken place. Often, a chronological record of system activities to enable the reconstruction and examination of the sequence of events or changes in an event. An audit trail of system resource usage may include user login, file access, and triggers that indicate whether any actual or attempted security violations occurred.
Audited system
A system on which events occur and are recorded in logs that provide the audit data for Tivoli Compliance Insight Manager.
CCO
See Chief Compliance Officer.
CERT
See Computer Emergency Response Team.
COBIT
See Control Objectives for Information and related Technology.
Computer Emergency Response Team (CERT)
The CERT/CC is a major reporting center for Internet security problems. Staff members provide technical advice and coordinate responses to security compromises, identify trends in intruder activity, work with other security experts to identify solutions to security problems, and disseminate information to the broad community. The CERT/CC also analyzes product vulnerabilities, publishes technical documents, and presents training courses. The CERT/CC is located at the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) operated by Carnegie Mellon University (CMU).
Configuration Compliance
The comparison of a known state to a compliant state that may include automated actions. After discovery or scanning is performed, devices are said to be either compliant or noncompliant.
Consolidation database
An Enterprise Server database that delivers enterprise-wide trend and summary reports.
Control
A means of managing a risk or ensuring that an objective is achieved. Controls can be preventative, detective, or corrective, and can be fully automated, procedural, or technology-assisted human-initiated activities. They can include actions, devices, procedures, techniques, or other measures.
Control Objectives for Information and related Technology (COBIT)
A set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes, and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.
CSV
See Certified Server Validation.
Data aggregation
The ability to get a more complete picture of information by analyzing several different types of records at once.
Data governance
The exercise of decision-making and authority for data-related matters. The organizational bodies, rules, decision rights, and accountabilities of people and information systems as they perform information-related processes. Data governance determines how an organization makes decisions.
Data mapping
The discipline, process, and organizational group that conducts analysis of data objects used in a business or other context, identifies the relationships among these data objects, and creates models that depict those relationships.
Data privacy
The assurance that a person's or organization's personal and private information is not inappropriately disclosed. Ensuring data privacy requires access management, security, and other data protection efforts.
Delta table
A database table used for saving changed data from subsequent runs of a collector.
Deployment
The process of reconfiguring and reallocating resources in the managed environment. Deployment occurs in response to deployment requests, created manually by administrators or automatically by the system.
Depot
Tivoli Compliance Insight Manager secure storage facility for storing and archiving logs.
Depot server
The component that stores files for distribution. Files are uploaded to a Depot server using a client and stored in a directory that is specified when the Depot server is installed. Depot servers can replicate files to other Depot servers and download files to clients.
GEM
See Generic Event Module.
General Scanning Language (GSL)
A scripting language that enables someone to describe the structure and label the attributes contained in the log files of ubiquitous collect event sources.
Incident
An incident is an adverse network event in an information system or network, or the threat of the occurrence of such an event.
Information Quality Management
An information technology (IT) management discipline, which encompasses the COBIT Information Criteria of efficiency, effectiveness, confidentiality, integrity, availability, compliance, and reliability. The idea is for companies to have the risks of using a program diminished in order to protect private and sensitive information.
Information Systems Audit and Control Association (ISACA)
An international association for the support and improvement of professionals whose jobs involve the auditing of corporate and system controls.
Information Technology Governance
A subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (for example, Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization.
International Compliance
The International Standards Organization (ISO) produces international standards such as ISO 27002.
Internet Engineering Task Force (IETF)
This organization develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standard bodies, and deals in particular with the standards of the TCP/IP and Internet protocol suite.
ISACA
See Information Systems Audit and Control Association.
ISO
The name generally applied to quality system standards published by the International Organization for Standardization. ISO certification is provided, on a fee basis, by third-party assessors or registrars through an on-site, in-depth audit to determine that a company's quality system meets the requirements of the standard.
ISO 27002
See ISO/IEC 17799.
ISO/IEC 17799
An information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.
IT Governance Institute (ITGI)
Exists to assist enterprise leaders in their responsibility to ensure that IT goals align with those of the business, that it delivers value, that its performance is measured, its resources properly allocated, and its risks mitigated. Through original research, symposia, and electronic resources, the ITGI helps ensure that boards and executive management have the tools and information they need for IT to deliver against expectations.
iView
Tivoli Compliance Insight Manager Web user interface for compliance reporting.
JAAS
See Java Authentication and Authorization Service.
Java Authentication and Authorization Service (JAAS)
A set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.
Log chunk
The set of events placed in the Depot by the collect mechanism.
Log collection event
Each instance of collecting an audit trail, or log chunk, from an audited machine is called a log collection event.
Management console
Enables you to load data into the databases, add new audited machines and event sources, configure collection and reporting schedules, and add and configure users.
Metadata
Information about a particular data set that may describe, for example, how, when, and by whom it was received, created, accessed, or modified and how it is formatted. Some metadata, such as file dates and sizes, can easily be seen by users; other metadata can be hidden or embedded and unavailable to computer users who are not technically adept. Metadata is generally not reproduced in full form when a document is printed.
National Institute of Standards and Technology (NIST)
A unit of the US Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.
NIST
See National Institute of Standards and Technology.
Point of Presence
The server where the Actuator is installed is referred to as a Point of Presence (POP).
Policy
A set of one or more compliance queries used to demonstrate the level of adherence to specific security requirements.
Policy bundle
A file containing the information associated with a policy, such as the compliance queries, the collectors, and the associated schedules. A policy bundle permits the policy to be saved and subsequently applied to other servers.
Policy exceptions
Actions or network activity that violate company policy.
Policy Generator
Tivoli Compliance Insight Manager tool that can be used to create policies using existing logs to set a baseline for acceptable network activity.
Policy Rules
A Tivoli Compliance Insight Manager tool that helps a user to automatically generate a set of policy rules or extend an existing policy rule set.
Proxy server
A server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
Pull client
A client that permits communication with the server to be initiated only by the server.
Push client
A client that permits communication with the server to be initiated by either the client or the server.
PuTTY
A free software SSH, Telnet, rlogin, and raw TCP client. It was originally available only for Windows, but is now also available on various UNIX platforms.
Regulatory compliance
Refers to systems or departments at corporations and public agencies that ensure that personnel are aware of and take steps to comply with relevant laws and regulations.
Remote collect
Agentless log collection facilitated by SSH, or by NetBIOS for Windows.
Risk
The product of the level of threat plus the level of vulnerability. It establishes the likelihood of a successful attack.
Risk management
In a broad sense, to assess, minimize, and prevent negative consequences posed by a potential threat. The term risk management has significantly different meanings that can affect data governance programs. At an enterprise level, risk refers to many types of risk (operational, financial, compliance, and so on); managing risk is a key responsibility of Corporate Boards and Executive Teams. Within financial institutions (or in the context of a GRC program), risk management may be a boundary-spanning department that focuses on risk to investments, loans, or mortgages. At a project level, risk management is an effort that should be undertaken as part of project management, focusing on risks to the successful completion of the project. From a compliance, auditing, and controls perspective, risk assessments and risk management are high-effort activities included in the COSO and COBIT frameworks, and are required by Sarbanes-Oxley and other compliance efforts. Data governance programs may be asked to support any of these risk management efforts, and may need input from these efforts to resolve data-related issues.
Role Based Access Control
Assigns users to roles based on their organizational functions and determines authorization based on those roles.
Scoping
Enables you to define limited access for certain users or for certain groups of users.
Secure shell (SSH)
A network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
Sensitive information
As defined by the federal government, any unclassified information that, if compromised, could adversely affect the national interest or conduct of federal initiatives.
Server
A system where audit data is collected and investigated using Tivoli Compliance Insight Manager.
Shell
A UNIX term for the interactive user interface within an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems, the shell is called a command interpreter.
Simple Network Management Protocol (SNMP)
Defined by the Internet Engineering Task Force (IETF). SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention.
SMTP
See Simple Mail Transfer Protocol.
Snapshot
The result of running all of the compliance queries in a policy against a set of clients. A snapshot shows the number of violations and indicates which clients are not adhering to the security requirements being tested by the compliance queries.
SNMP
See Simple Network Management Protocol.
Tivoli Compliance Insight Manager Cluster
The combination of an Enterprise Server, one of the Standard Servers, and a collector in a network deployment.
Tivoli Compliance Insight Manager Server
A generic term referring to the Tivoli Compliance Insight Manager engine that collects and normalizes log data using the W7 methodology. There are two types of Tivoli Compliance Insight Manager servers: Enterprise and Standard.
Tivoli Compliance Insight Manager Suite
Refers to the entire Tivoli Compliance Insight Manager application. This includes the Tivoli Compliance Insight Manager server, Point of Presence, Analysis Engine, Web Portal, iView, Log Manager, and the Compliance Modules.
Related publications
The publications listed in this section are considered particularly suitable for a
more detailed discussion of the topics covered in this book.
Other publications
These publications are also relevant as further information sources:
IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0,
GI11-8176
IBM Tivoli Compliance Insight Manager User Guide Version 8.0, SC23-6544
IBM Tivoli Compliance Insight Manager User Reference Guide Version 8.0,
SC23-6545
Online resources
These Web sites are also relevant as further information sources:
IBM Education Services
http://www.ibm.com
IBM Redbooks
http://www.redbooks.ibm.com
IBM Software support Web site
http://www.ibm.com/software/support
IBM Tivoli Access Manager for Enterprise Single Sign-On
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliComplianceInsightManager.html
IBM Training and certification Web site
http://www-306.ibm.com/software/sw-training/