"Ibm Information Management Trends Nov 2009"
SAS Institute Inc. 2009 SysTrust Report Period from November 1, 2008 through September 30, 2009 Ernst & Young LLP Suite 500 4130 ParkLake Avenue Raleigh, NC 27612 Tel: +1 919 981 2800 Fax: +1 919 981 2997 www.ey.com Report of Independent Accountants The Board of Directors SAS Institute Inc. We have examined management’s assertion that SAS Institute Inc. (SAS), during the period November 1, 2008 through September 30, 2009, maintained effective controls to provide reasonable assurance that: • the ASP Network Environment (certain Information Technology General Controls related to the firewall, routers, hubs, bridges, and switches) was protected against unauthorized access (both physical and logical); and • the ASP Network Environment (certain Information Technology General Controls related to the firewall, routers, hubs, bridges, and switches) was available for operation and use, as committed and agreed based on the AICPA/CICA Trust Services Security and Availability Criteria. This assertion is the responsibility of SAS’ management. Our responsibility is to express an opinion based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of SAS’ relevant security and availability controls, (2) testing and evaluating the operating effectiveness of the controls and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or a deterioration in the degree of effectiveness of the controls. 1 A member firm of Ernst & Young Global Limited In our opinion, SAS’ management’s assertion referred to above is fairly stated, in all material respects, based on the AICPA/CICA Trust Services Security and Availability Criteria. The SysTrust Seal on SAS’ Web site constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance. December 1, 2009 2 A member firm of Ernst & Young Global Limited Report by Management on the Controls Over the ASP Network Environment (certain Information Technology General Controls) Based on the AICPA/CICA Trust Services Principles and Criteria for Security and Availability For the Period November 1, 2008 through September 30, 2009 SAS Institute, Inc. maintained effective controls over the security and availability of the ASP Network environment to provide reasonable assurance that: • the ASP Network environment (certain Information Technology General Controls related to the firewall, routers, hubs, bridges, and switches) was protected against unauthorized access (both physical or logical) and • the ASP Network environment (certain Information Technology General Controls related to the firewall, routers, hubs, bridges, and switches) was available for operation and use as committed and agreed during the period November 1, 2008 through September, 30, 2009, based on the AICPA/CICA Trust Services TM Security and Availability Criteria established by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Our attached System Description of the ASP Network environment (certain Information Technology General Controls) summarizes certain aspects of the Systems covered by our assertion. Mr. Donald Parker Chief Financial Officer SAS Institute, Inc. Ms. Suzanne Gordon Chief Information Officer SAS Institute, Inc. Dr. James Goodnight Chief Executive Officer SAS Institute, Inc. December 1, 2009 SAS Institute Inc. ASP Network Environment System Description System Description of the SAS Institute Inc. Controls Over the ASP Network Environment Based on the AICPA/CICA Trust Services Principles and Criteria for Security and Availability A. Overview of Operations SAS Institute Inc. (SAS or the Company) Information Technology Services (ITS) is dedicated to providing secure computing and network services for the Application Service Provider (ASP) environment. The SAS ASP Service Offering is part of SAS’ growing business model. SAS ASP Services offer the use of selected SAS products on a subscription basis, with data acquisition, storage, analysis, and results transmission all housed at SAS. The ASP model supports different sectors of the SAS software product lines, and therefore the available product and/or solutions have the option to move to the subscription service model. The ASP IT Infrastructure environment supports multiple applications, each of which provides application specific services. The purpose of this report is to identify and document the controls within the ASP IT Infrastructure environment, which supports the multiple applications residing within the ASP environment. Specifically, this report pertains to the controls regarding the data center physical security and environmental safeguards, logical access, and change management to the network devices. This report does not cover the operating systems, software, or transaction processing of the applications being supported by the ASP Network environment. B. Control Environment 1. SAS’ Organizational Structure The ASP environment, specifically the infrastructure environment, is supported by the Information Systems Division (ISD) on behalf of business units that are organizationally separate from ISD. The organizational chart in Figure 1 shows the relationships among the principal groups that manage and/or benefit from the ASP environment. ITS is the ISD department committed to maintaining a scalable, high performance computing infrastructure with a focus on availability and security. ITS’ primary role is to design and implement a robust ASP Infrastructure, through the use of SAS’ IT management product offerings like IT Resource Management and IT Service Level Management. 2 SAS Institute Inc. ASP Network Environment System Description ITS researches and deploys current computing hardware and software when it makes good business sense for the ASP environment. ITS focuses on IT Security and Continuity of Business to help protect the ASP environment’s assets and the productivity of ASP solutions. ITS works with each Application team within the ASP environment and the IT Governance Council (ITG) to align it’s activities with SAS’ business priorities and continue to provide superior services and support. Figure 1 – SAS Organization as Related to the ASP environment 2. Management Control The organization has a formal management information and reporting system that enables management to monitor key control and performance measurements. Adherence to the goals of management is monitored through use of the ISD scorecard, which has been implemented to quantitatively measure the trends for the goals and objectives. The scorecard is reviewed by ISD executives and discussed during ISD Department Head meetings. 3 SAS Institute Inc. ASP Network Environment System Description 3. Controls Related to Personnel SAS has a formal hiring process designed to help ensure that new employees are qualified and able to complete their job responsibilities. Each job candidate is interviewed by SAS personnel within the employing department to determine if background and experience is appropriate for the job function. Additionally, background checks are performed and references are checked prior to hiring new personnel. Employees who are involved in supporting the ASP environment are trained in their respective areas of expertise. Network and system engineers are encouraged to achieve certifications from vendors and independent certification organizations. The Global Information Security (GIS) group has Certified Information Systems Security Professionals (CISSP), and individuals with SysAdmin/Audit/Network/Security (SANS) certifications. SAS ASP employees are also required to attend annual training on ASP Policies & Proceudres. 4. Internal Audit There is an internal audit group in the General Administration Office, reporting to the Chief Administration Officer. They are responsible for governance with respect to financial operations at the corporate level. The GIS group provides some audit functions to meet the needs of some ASP customers. C. Risk Assessment The GIS group is responsible for providing Risk Assessment services, specifically focused around security threats, for SAS. Additionally, the GIS team evaluates known vulnerabilities and risk, which would adversely affect the availability and security of the ASP environment. The International Business Machines’ (IBM) X-Force Internet Risk Assessment service is used daily to measure the potential impact of current threats on SAS. An individual from GIS reviews and assesses the daily reports provided by IBM, and distributes information to parties responsible for managing potentially affected resources, including the ASP Systems Support Managers, and the ASP Hosting Manager. The GIS team follows-up on all threats that are considered critical and makes sure the risk has been mitigated within a reasonable period of time. All correspondence associated with the Risk Assessment process is logged in an Exchange Public Folder. 4 SAS Institute Inc. ASP Network Environment System Description D. Monitoring ISD has implemented a program, “P3,” to measure and align activities and completion of objectives throughout the year. Each department has identified objectives within the ISD Scorecard and they are reviewed in a variety of ways, including: • Existing and planned projects are integrated into the objectives, • During the weekly ISD Department Heads’ meeting, a casual review of leading projects and outlier situations are discussed, • Measurements from these objectives are developed into the ISD Scorecard, using SAS Strategic Performance Management (SPM), and • During one-on-one meetings with the CIO, goal attainment and barriers to success are discussed. The organization has implemented the program to monitor and review compliance with objectives set by the organization. E. Information and Communication 1. Policies and Procedures All information regarding the ASP operation is documented on-line, and is available via the internal SAS Intranet. Critical documentation for networks is also stored offline in the event of an incident that causes on-line access to be unavailable. 2. Information Systems The Company’s ASP applications reside in a common ASP network environment, which is the scope of this report. The ASP network environment includes the physical environment supporting the hardware on which the applications reside as well as access to the physical environment. Additionally, the scope of the report includes controls the Company has implemented to restrict logical access to the network environment. Finally, this report focuses on controls related to changes made to devices within the network environment. 5 SAS Institute Inc. ASP Network Environment System Description 3. Physical Security The ASP IT Infrastructure environment (the Environment) is physically located in the SAS data center on the SAS campus in Cary, NC. Like all buildings on the SAS campus, physical access is restricted to employees or third parties that have been issued badges by the SAS Security Department. Receptionists at the front door of each building are responsible for challenging anyone attempting to gain access to a building without displaying a SAS badge. Visitors or anyone without a SAS badge, are required to sign in, obtain a visitor badge, and be escorted by a badge holder. SAS provides an unencumbered working environment for employees and contractors. Permitting physical access to a building doesn’t mean that all resources inside the building are also accessible. Additional physical security is enforced to specific areas wthin the building including the ASP environment. Once inside, badge holders must use their badges to gain physical access to the data center. Only employees and contractors that have responsibilities inside the data center have badges that permit access. Once inside the data center, access to the ASP environment is limited to IT support roles, and can only be authorized by the Data Center Operations (DCO) Manager and ASP Hosting Manager. Only escorted third parties may gain entry to the ASP environment and they are required to sign in and out each time they enter and exit the area. In order for unescorted third parties to gain entry to the ASP environment, they must be sponsored by someone that has badge access to the environment, or management of the IT support organization for which badge access has been granted. The sponsor must communicate their approval to the Data Center Operations staff, which will permit the use of a service badge by the third party. The service badge is signed in and out by the third party each time it is used, and it must be returned at the end of each business day. Unescorted third parties may escort other third parties, and they must sign in and out of the ASP area each time they enter and exit. The Data Center Operations group provides continuous coverage for all ASP systems and networks. Availability of ASP systems and networks is considered critical, which mandates constant monitoring of those resources. The Performance Enhancement Resource Center (PERC) provides the primary monitoring facility for ASP resources. 6 SAS Institute Inc. ASP Network Environment System Description 4. Logical Access Logical access to system resources (for example, programs, data, tables, and parameters) is restricted to properly authorized individuals. Access controls for the ASP environment are baselined at the host and network level. Host access is restricted to employees that are designated to support the host operating system and host-based services, and employees that are designated to support the ASP application. Authorization for host and host- based services access is granted by the ASP Hosting Manager and the GIS group. Application support access authorization is granted by the ASP Application manager that is responsible for the application. Network access to the ASP environment from the SAS network is limited to application support personnel, network on-call personnel, and data center personnel. Logical access to network devices is limited to network on-call personnel. Each authorized person uses their own account and password to gain access to network devices. The naming conventions for the accounts and the complexity rules for their passwords are the same for network on-call personnel as for all other accounts at SAS. Those conventions and rules have been accepted by SAS as sufficient for protecting the assets of SAS, including those in the ASP environment, and are described below. Access to network devices in the ASP environment are managed by Terminal Access Controller Access Control System (TACACS), which provides logging of all access attempts, and command level logging. This provides assurance that all access to network devices is accounted for, down to the commands that are executed. 5. Password Requirements for SAS Accounts in Windows Active Directory Logical access to the ASP network devices requires the use of a unique user ID and password. Minimum length, password complexity requirements, maximum password age, account lockout duration, account lockout, minimum password age, and password history are enforced by Windows Active Directory. The ASP environment perimeter has a dedicated firewall installed that is designed to provide a barrier to traffic coming from the Internet and traffic coming from the SAS network. All firewall configuration changes are approved by the ASP Hosting Manager, and logged. 7 SAS Institute Inc. ASP Network Environment System Description An Intrusion Detection System (IDS) is in place to monitor incoming IP traffic, and alert on suspicious traffic. The IDS logs are reviewed by the Global Information Security (GIS) group on a regular basis. All change controlled modifications to ASP systems at the host, host services level, and network devices are approved by the ASP Hosting and GIS Manager prior to implementation. Once a change is approved, they are logged in the Production Environment Resource Center (PERC) and Management of Infrastructure Delivery, Availability, and Service (MIDAS) ASP Change Management application system. The Maintenance modifications to ASP systems at the host, host services, and on network devices (except routers and firewalls) do not require prior approval, but can only be performed by personnel that are authorized to by the ASP Hosting and GIS Manager. Maintenance modifications to ASP routers and firewalls require prior approval. Routers and firewalls require approval because they directly affect the access controls, while primitive devices, such as hubs and bridges require changes, such as cable input in hub ports. Changes to the primitive devices are controlled by monitoring of change control documentation and physical access to the devices. All logical access changes are approved by the ASP Hosting Manager, GIS, and the appropriate ASP Systems Support Manager (for systems and systems level applications), and documented in the Management of Infrastructure Delivery, Availability, and Service (MIDAS) ASP Change Management application. 6. Elevated privileges There is only one level of access to the ASP Network devices (All access). Only a limited number of network engineers who need such access in order to perform their ASP responsibilities receive such access. 7. Systems Development and Conversion Methodology All changes are logged and tracked in the Production Environment Resource Center (PERC) and then tracked for approvals in the Management of Infrastructure Delivery, Availability, and Service application (MIDAS). The MIDAS ASP change management application manages all changes in the ASP hosting environment and is used to document all host and host service changes for ASP systems. Changes in state are approved by the ASP Hosting and GIS Manager, or the appropriate ASP Systems Support Manager. The ASP Hosting Manager is responsible for notifying all affected ASP Systems Support Managers of upcoming changes at the host or host services level. The ASP 8 SAS Institute Inc. ASP Network Environment System Description Systems Support Manager is responsible for testing all changes prior to making them available in their respective production application environments. SAS uses a scheduled outage calendar to control when non-emergency changes are made to the ASP environment. Scheduled outages are used to update operating systems and host services to maintain resistance to current, known threats to those platforms. Emergency changes are made to ASP systems and networks following emergency protocols, as documented in the ASP Policies and Procedures manual. The emergency protocol includes daily comparison of firewall settings to document and understand changes made, restricting access to the network environment (physically and logically), and monitoring of access versus change documentation. 8. Computer Operations All systems within the ASP environment operate with the expressed approval of the ASP Hosting Manager, and the appropriate ASP Systems Support Manager. Operational procedures executed by ASP Systems Support staff and DCO include the monitoring of system performance and availability via PERC. Escalation procedures for the ASP environment are included in the ASP Policies and Procedures Manual, and the DCO Operations Manual, and all DCO personnel are required to follow them. 9 Ernst & Young LLP Assurance | Tax | Transactions | Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. For more information, please visit www.ey.com.