Case Study: Configuration Compliance Manager automates checks for SarbOx and internal control compliance and tips off admins to trouble.
Manual audits to check Idaho Power's servers for Sarbanes-Oxley Act and internal control compliance were eating up too much time. One option was to test a small percentage of representative servers, but Idaho Power wanted more complete information and in August 2006 started evaluating compliance tools. The result was the February rollout of nCircle Network Security's Configuration Compliance Manager (CCM).
Idaho Power deployed a central management server and five scan engines. Collection is agentless (nothing is installed on the monitored servers): the engines use WMI (Windows Management Instrumentation) and other remote techniques to gather configuration information from more than 400 Windows 2000 Server and Windows Server 2003 systems, as well as approximately 50 SUSE Linux servers. (CCM also can collect configuration information about network infrastructure and applications.)
Idaho Power is an electric generation and distribution company in southern Idaho and eastern Oregon, serving an estimated population of 943,000 in approximately 80 cities. The organization has about 2,000 employees.
The nCircle CCM product lets Idaho Power track configuration changes and regulatory compliance inside its heavily segmented and strictly separated environment by running the scan engines in virtual machines, so that only a couple of firewall rule changes were needed to let the central management server communicate with the engines. The engines monitor registry settings, log files and user accounts, among other things, and the results feed reports for senior managers, system administrators and auditors.
Alex Tatistcheff, information security manager for Idaho Power, led the nCircle CCM evaluation and implementation, with the goal of automating what had been a largely manual audit process.
"Our biggest pain came when auditors would try to audit against our server standards, which tell how a server should be configured as far as registry settings, password policy, event log settings, what should be logged, various user privileges, whether the guest and administrator accounts are renamed," said Tatistcheff. "An auditor would have to sit down with a server engineer, pick three different servers out of a group and just do print screens and say 'Show me this' and 'Show me that.' It would take quite a while. And they'd only get a very small subset of the servers. So what we needed was a tool that would automatically check preferably all of the settings in our baseline, and also do that for Windows and Linux servers."
SarbOx compliance is Idaho Power's main concern, but not its only one. The company is in the process of meeting other, energy-related regulations, including the CIP (Critical Infrastructure Protection) standard from the NERC (North American Electric Reliability Corporation). "I don't expect these to translate very directly into server settings," said Tatistcheff.
nCircle's CCM provides Idaho Power with data collection and reporting capabilities. Tatistcheff now provides company managers and auditors with reports that show exactly what is happening on the servers.
For example, a high-level report with charts that show how many servers passed and how many failed in particular groups goes to the CIO and the business managers. A more detailed report for server administrators provides data on which tests and policies failed so that the admins can address the issues.
Auditor reports have made short work of compliance reporting, according to Tatistcheff, who also sends the detailed reports to the Idaho Power service desk. The service desk creates tickets based on the reports and then works with server administrators to remediate problems.
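The baseline items Tatistcheff lists (renamed built-in accounts, event log settings, privileged group membership) and the two report levels just described can be reproduced with plain Windows tooling. The script below is an added example written for this page; it is not nCircle CCM code and not Idaho Power's actual baseline. It collects agentlessly over WMI/DCOM with Get-WmiObject (Windows PowerShell 5.1; the same queries run through Get-CimInstance on PowerShell 7), compares against assumed expected values, and rolls the results up into a per-server summary and a failed-check detail list. The hostnames, the 80 MB Security log minimum and the CORP\ group names are assumptions.

```powershell
# Added example (this editor's code, not nCircle CCM or Idaho Power's actual
# baseline): agentless collection over WMI/DCOM of several of the baseline items
# named in the article, evaluated against assumed expected values, then rolled
# up into the two report levels the article describes. Windows PowerShell 5.1
# (Get-WmiObject); on PowerShell 7 the same queries run through Get-CimInstance.
# Needs a caller with local Administrators rights on each target and TCP 135
# plus the DCOM ports open from the scan host to the target.

function New-CheckResult {
    param([string]$Computer, [string]$Check, $Expected, $Actual, [bool]$Pass)
    New-Object PSObject -Property @{
        Computer = $Computer; Check = $Check
        Expected = $Expected; Actual = $Actual; Pass = $Pass
    }
}

function Test-ServerBaseline {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        # Assumed baseline values: replace with the organisation's server standard.
        [int]$MinSecurityLogKB = 81920,                 # 80 MB
        [string[]]$AllowedAdminGroups = @('CORP\Domain Admins', 'CORP\Server Admins')
    )
    $results = @()
    try {
        $wmi = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }

        # NetBIOS name: local accounts and groups are keyed on it, not the FQDN.
        $netbios = (Get-WmiObject @wmi -Class Win32_ComputerSystem).Name

        # Built-in Administrator (RID 500) and Guest (RID 501) are identified by
        # SID, so renaming them does not hide them from the check.
        $local = Get-WmiObject @wmi -Class Win32_UserAccount -Filter "LocalAccount=True"
        $admin = $local | Where-Object { $_.SID -like '*-500' }
        $guest = $local | Where-Object { $_.SID -like '*-501' }
        $results += New-CheckResult $ComputerName 'Built-in Administrator renamed' `
            'not "Administrator"' $admin.Name ($null -ne $admin -and $admin.Name -ne 'Administrator')
        $results += New-CheckResult $ComputerName 'Guest renamed' `
            'not "Guest"' $guest.Name ($null -ne $guest -and $guest.Name -ne 'Guest')
        $results += New-CheckResult $ComputerName 'Guest disabled' `
            $true $guest.Disabled ($null -ne $guest -and [bool]$guest.Disabled)

        # Event log settings: maximum size of the Security log (MaxFileSize is bytes).
        $secLog = Get-WmiObject @wmi -Class Win32_NTEventlogFile -Filter "LogFileName='Security'"
        $sizeKB = [int]($secLog.MaxFileSize / 1KB)
        $results += New-CheckResult $ComputerName 'Security log max size (KB)' `
            ">= $MinSecurityLogKB" $sizeKB ($sizeKB -ge $MinSecurityLogKB)

        # Local Administrators membership via the Win32_GroupUser association.
        $q = "ASSOCIATORS OF {Win32_Group.Domain='$netbios',Name='Administrators'} " +
             "WHERE AssocClass=Win32_GroupUser Role=GroupComponent"
        $members = @(Get-WmiObject @wmi -Query $q | ForEach-Object { "$($_.Domain)\$($_.Name)" })
        $allowed = $AllowedAdminGroups + "$netbios\$($admin.Name)"   # the (renamed) local admin
        $extra = @($members | Where-Object { $allowed -notcontains $_ })
        $results += New-CheckResult $ComputerName 'Administrators membership' `
            ($allowed -join '; ') ($members -join '; ') ($extra.Count -eq 0)
    }
    catch {
        # An unreachable server is a failed check, not a silent gap in coverage.
        $results += New-CheckResult $ComputerName 'WMI collection' 'reachable' $_.Exception.Message $false
    }
    $results
}

# Summary per server for managers; the detailed failures go to administrators.
function Get-ComplianceSummary {
    param([object[]]$Results)
    $Results | Group-Object Computer | ForEach-Object {
        $failed = @($_.Group | Where-Object { -not $_.Pass })
        New-Object PSObject -Property @{
            Computer = $_.Name; Checks = $_.Count; Failed = $failed.Count
            Compliant = ($failed.Count -eq 0)
        }
    }
}

# Usage (assumed hostnames):
$all = 'SRV01', 'SRV02' | ForEach-Object { Test-ServerBaseline -ComputerName $_ }
Get-ComplianceSummary $all | Format-Table Computer, Checks, Failed, Compliant -AutoSize
$all | Where-Object { -not $_.Pass } | Format-Table Computer, Check, Expected, Actual -AutoSize
```

Two points worth noting. The built-in accounts are located by RID (the -500 and -501 SID suffixes) rather than by name, because a renamed account is exactly the case the baseline wants to confirm, and a name-based lookup would report it as missing. Password policy, which Tatistcheff also lists, is not exposed through a simple WMI class; it would be collected from a `secedit /export /cfg <file>` dump on the target, which is why it is left out of this WMI-only example.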
As part of the deployment process, Tatistcheff gave nCircle Idaho Power's standard configuration baseline. "They took that and wrote most of the tests we would need," he said. "Some of those were based on their existing tests. That probably got us 70 percent of the way toward the final policy, at least for Windows. They did the same thing for Linux. We took what they did and tweaked it a little further by adding some tests here and there and making some modifications."
With the nCircle CCM in place, Tatistcheff has seen a big drop in the amount of staff time needed to monitor server configuration compliance. He now wants to explore using the product to further monitor configuration change management. "When the administrators group membership changes, we get a notification," he said. "I'd like to go further into the change management part of CCM."
Check out eWEEK.com's Compliance Center for the latest news, commentary and analysis on regulatory compliance.