Controlling SIDADM access per SOX audit compliance

Hello....
We are going through our first SAP ERP implementation and had a few questions about the SIDADM user and audit. We are running the SAP system on a Windows server with an Oracle database. The SIDADM user is currently shared by the Basis team to maintain the SAP servers. The Basis team logs into the server using the SIDADM account to start/stop the SAP system, run command-line utilities (e.g. sappfpar or tp) when needed, and create/execute batch scripts for backups/exports/etc. However, since the password for this user is shared by the whole team, we are concerned about SOX audit compliance.
1. How do other customers in Windows environments control the SIDADM account to satisfy audit requirements? Auditors don't normally allow shared accounts on SAP servers. When someone logs directly into the SAP server as SIDADM, we can't trace who logged on and made changes to the system.
2. If the SIDADM password is not shared by the Basis team, how does the Basis team maintain the SAP servers (e.g. start/stop an instance)?
3. Can the SAP systems be maintained by individual users without using SIDADM? If so, how?
We are looking for recommendations on how to control the super users in the SAP environment (SIDADM, DB users, etc.) to satisfy SOX audit requirements.
Thanks for all your help. Any recommendations will be appreciated.
Janet

For info:
SOX (the Sarbanes-Oxley Act, in particular Section 404) is a high-level auditable requirement.
Basis activities are lower down and are subject to some slack in the actual implementation of the interpretation.
The SAP administration (Basis) area comes under its own audit(s), in particular variations, all of which are usually underneath SOX or another higher-level requirement.
Regards
Ashley

Similar Messages

  • Reporting & Audit Compliance Solutions for Cisco Secure ACS

    The Cisco Secure ACS Access Control Server is probably the world's best-selling remote access security solution, and it's quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take, and what valuable data remains locked inside the ACS database and logs?
    extraxi offers a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
    We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more, so why not take a look at our industry-leading solutions and evaluate the benefits for your organization...
    Featured Products:
    * aaa-reports! enterprise edition - Automated Reporting
    The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
    With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
    For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
    * csvsync - Automated ACS Database & Log File Collection
    csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
    Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
    For more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forum


  • Change control reviews to be SOX compliant

    Hi all,
    please can anyone provide me with info on how to perform change control reviews to be SOX compliant on a weekly basis (Auditing Information Systems and Management Internal Control)
    email: [email protected]
    Thank you,
    sam

    Hello,
    Users who have experienced blank options dialog boxes had the extension Ghostery installed. If you have it installed as well can you try disabling it to see if that allows you to access the options? Alternatively you can run in [[Troubleshoot Firefox issues using Safe Mode|Firefox Safe Mode]] to see if that lets you change your options.
    * https://getsatisfaction.com/ghostery/topics/problem-with-firefox-32-firefox-option-is-not-displayed-when-ghostery-is-active-in-firefox-32
    * [[Troubleshoot extensions, themes and hardware acceleration issues to solve common Firefox problems]]

  • Print "Confidential" mark on all docs (required for SOX audit)

    Hi All.
    Problem: In order to comply with the Sarbanes-Oxley Act I need to implement the possibility of printing a "Confidential" mark on any user-chosen document (on every page).
    This was partially implemented by setting a footer in the SAP printer driver. But this isn't usable all the time (especially with ALV lists).
    There are 3 SAP notes:
    895029 - Let MIC report output watermark
    371854 - SAP Query: Printing in the SAP List Viewer (ALV)
    756650 - Footer in the print dialog
    But the first one is about the standard header. The second one looks like what I need, but it also does not cover all documents. The third is for future releases.
    I found that there is special Sarbanes-Oxley compliance software for SAP ERP, and I wonder whether it also covers the print issue:
    680615 - Installing SAP CM SOA Release 1.0
    The best solution would be to have a checkbox which the user can check while printing confidential documents.
    I do not believe that nobody has faced the same problem while preparing for a SOX audit. Is there a standard solution?
    Thanks to all.
    Message was edited by:
            Andrei Balashchanka

    If anyone is interested, here is SAP's reply to my problem:
    "Setting a footline for printing in the ALV lists is not possible. However, as a workaround you are able to design the areas above and below the ALV output with various elements. In your business case (if I understood your business requirements correctly) you need to output a text/a mark at the top/at the bottom of every printed page -> in order to implement this you would have to implement handling for either the TOP_OF_PAGE or the END_OF_PAGE events, as in ALV the page headers and footers are events.
    If ALV determines that there is a page break when generating the printout, the END_OF_PAGE or TOP_OF_PAGE event is triggered. ALV checks whether a design object is defined for this event and inserts it at the correct position, e.g. when you use the event print_end_of_page to output text with the WRITE statement during print output, the text is inserted at the end of each page. During print output, the ALV Grid Control goes to the list output of the classic ALV. In the print preview (classic ALV), the text for this event is not displayed. Demo program BCALV_GRID_01 in development class SLIS illustrates how print_end_of_page is used. To allow output at the end of each page, you must reserve several lines for these pages. To do this, use field reservelns of a structure of type lvc_s_prnt and pass this structure with method set_table_for_first_display.
    For an overview see also the documentation for the events of class CL_GUI_ALV_GRID."
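    As an added example (not SAP's code and not part of the original post), the following ABAP report wires the print_end_of_page event of CL_GUI_ALV_GRID to a handler that writes a CONFIDENTIAL line at the foot of every printed page and reserves room for it through reservelns in lvc_s_prnt, which is the mechanism SAP's reply describes. The report name, a screen 100 carrying a custom container control named ALV_CONTAINER (with PBO module STATUS_0100 and PAI module USER_COMMAND_0100 in its flow logic), and the use of SFLIGHT as sample data are assumptions; the screen must exist in the repository for the report to run.

```abap
*&--------------------------------------------------------------------*
*& Added example, not SAP's code: footer mark on every printed ALV page.
*& Assumptions: report name, screen 100 with custom container control
*& 'ALV_CONTAINER' (PBO STATUS_0100, PAI USER_COMMAND_0100), and table
*& SFLIGHT as sample data.
*&--------------------------------------------------------------------*
REPORT zconf_alv_print.

CLASS lcl_print_handler DEFINITION.
  PUBLIC SECTION.
    " Raised by the grid at every page break during print output
    METHODS on_print_end_of_page
      FOR EVENT print_end_of_page OF cl_gui_alv_grid.
ENDCLASS.

CLASS lcl_print_handler IMPLEMENTATION.
  METHOD on_print_end_of_page.
    " While printing, the grid hands over to classic list output, so
    " WRITE statements here land at the foot of the current page.
    " The text is not shown in the grid's own print preview.
    WRITE: / sy-uline(80),
           / 'CONFIDENTIAL - internal use only'.
  ENDMETHOD.
ENDCLASS.

DATA: gt_data  TYPE STANDARD TABLE OF sflight,
      go_cont  TYPE REF TO cl_gui_custom_container,
      go_grid  TYPE REF TO cl_gui_alv_grid,
      go_hdlr  TYPE REF TO lcl_print_handler,
      gs_print TYPE lvc_s_prnt.

START-OF-SELECTION.
  SELECT * FROM sflight INTO TABLE gt_data UP TO 200 ROWS.
  CALL SCREEN 100.

MODULE status_0100 OUTPUT.
  IF go_grid IS INITIAL.
    CREATE OBJECT go_cont
      EXPORTING
        container_name = 'ALV_CONTAINER'.   " assumed control name
    CREATE OBJECT go_grid
      EXPORTING
        i_parent = go_cont.

    " Register the print handler before the first display
    CREATE OBJECT go_hdlr.
    SET HANDLER go_hdlr->on_print_end_of_page FOR go_grid.

    " Reserve lines at the end of each page; without this ALV has no
    " room for the footer and the event output is lost
    gs_print-reservelns = 2.

    CALL METHOD go_grid->set_table_for_first_display
      EXPORTING
        i_structure_name = 'SFLIGHT'
        is_print         = gs_print
      CHANGING
        it_outtab        = gt_data.
  ENDIF.
ENDMODULE.

MODULE user_command_0100 INPUT.
  " Any function code (BACK/EXIT) leaves the screen; printing is
  " started from the grid's own toolbar, not through a function code
  LEAVE PROGRAM.
ENDMODULE.
```

    The handler runs only for the classic-list printout, so verify the mark on an actual spool request rather than in the grid's print preview; with reservelns set to 2 the footer takes one rule line and one text line, so raise it if you add more text.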

  • SOX Auditing on BPC 7.0

    We are in the process of rolling out BPC 7.0 and have run into some SOX auditing issues. The team leveraging the software is not large enough to segment roles in order to fulfill the segregation of duties requirement. Because of this, it looks like we are going to have to use IT resources, to push changes into production, in order to mitigate the finance team being able to make changes and having the ability to move them to production.
    All of this can be subverted if we can find a way to implement a robust logging mechanism. From what I have heard, BPC does not have the ability to track changes to logic files.
    Does anyone know of a way to track logic changes?
    How are other companies meeting SOX logging and segregation of duties requirements?
    Are there any third-party tools that can handle SOX compliance for us?

    Hi EWillie,
    you had better post your message in this forum:
    SAP Planning and Consolidation, version for SAP NetWeaver
    The GRC forum unfortunately does not deal with BPC.
    Best,
    Frank

  • Can you limit the amount of data accessed per user on an AirPort Extreme?


    Your question was whether the AirPort Extreme is able to establish data limits per user.
    If you add another router that has this type of capability or install software on another router, then you will be able to establish data limits for each user. The AirPort Extreme will have no control over this.

  • How can i use the ACL file to control the access from the other website?

    Hello all~
    My Sun ONE is 6.1 SP3 on Windows 2003 SE, and I am trying to use the ACL file to control access.
    My ACL file is below:
    version 3.0;
    acl "path=my_path_on_HD";
    deny absolute (all)
    (user = "anyone") and
    (dns = "*.my_site.com");
    deny absolute (all)
    (user = "anyone") and
    (dns = "*.other_site.net");
    Once I add the "deny", everyone, including my own site, is declined access to the path specified in the ACL file. But if I remove the "deny", everyone, including other people's websites, can access the file.
    Can anybody tell me how to make it work?

    I think you've misunderstood what the dns attribute is for. The dns attribute returns the hostname of the client accessing your website, not the hostname of the website that linked to your website.
    For example, when someone using the Comcast ISP goes to a malicious website at example.com that loads images from your website at www.amigoo.net, the dns attribute will be something like "c-1-2-3-4.ca.comcast.net", not "example.com". ACLs are used for authentication and authorization of clients (not the websites those clients chose to visit), and they don't provide the functionality you're looking for.
    If I understand correctly, you want to prevent websites other than amigoo.net from linking to files in your d:/webserver/imat/pics_upload directory. You can achieve this by adding the following lines to your obj.conf configuration file:
    <Object ppath="d:/webserver/imat/pics_upload/*">
    <Client referer="*~*amigoo.net">
    PathCheck fn="deny-existence"
    </Client>
    </Object>

  • As a stockholder, I would like see the development of iTV with Retina display and integrating Siri control, internet access, and iTunes apps. This new product would be a large screen, thin wall mounted television, much like a oversided iPad.

    Do you think this product is possible?

    In general theory, one now has the Edit button for their posts until someone/anyone replies to it. I've had Edit available for weeks, as opposed to the old forum's ~30 mins.
    That, however, is in theory. I've posted, and immediately seen something that needed editing, only to find NO replies, yet the Edit button is no longer available, only seconds later. Still, in that same thread, I'd have the Edit button on older posts, to which there had also been no replies even after several days/weeks. Found one that had to be over a month old, and Edit was still there.
    Do not know the why/how of this behavior. At first, I thought that maybe there WAS a reply that "ate" my Edit button, but had not refreshed on my screen. Refresh still showed no replies, just no Edit either. In those cases, I just reply and mention the [Edit].
    Also, it seems that the buttons get very scrambled at times, and Refresh does not always clear that up. I end up clicking where I "think" the right button should be and hope for the best. Seems that when the buttons do bunch up they can appear at random around the page, often three atop one another, and maybe one way the heck out in left field.
    While I'm on a roll, it would be nice to be able to switch between Flattened and Threaded views on the fly. Each has a use, and having to go to Options and then come back down to the thread is a very slow process. Jive is probably incapable of this, but I can dream.
    Hunt

  • Best authentication method for controlling DEVICE access to wlan

    Hello,
    I have a similar question to this thread ( https://supportforums.cisco.com/message/3927713 ), but I'm interested in device control on top of user control. Just like that thread, we are using WPA2-AES Enterprise with PEAP-MSCHAPv2, which allows users to log on with their domain credentials. We wanted something simple for our users, so MSCHAPv2 with "single sign-on" was optimal for us.
    Problem is, we have a new requirement and we need to implement it yesterday. We would like to allow only mobile devices and computers of our choice.
    Since we are using MSCHAPv2, which allows every domain user to connect using any device as long as their domain credentials are valid, is there a simple way to control this?
    I guess we could go with MAC filtering, but we have about a thousand laptops. Not a big problem, we could do a regular MAC address inventory using SCCM. It's just that it looks like a brute-force tactic for a simple problem. Would a Cisco ACS 4.1 RADIUS server tolerate a MAC address table with a thousand entries well? What if it goes to two thousand? Would this be easy to implement? I'm a bit new to this, is there some documentation I could follow?
    How do people usually do this in an elegant way? How do you manage and control WLAN access for thousands of devices? I guess they go with TLS with certificates?
    Thank you very much !
    Konnan

    Konnan,
    Just saw your PM:)
    Would it be possible to configure Access policies even if our Radius servers aren't joined to the domain ?
    > I really don't know... typically all my installs have the RADIUS server joined to the domain. I don't know what limitations you would have with the setup you currently are using.
    Still wondering if it would be a good path for us, because of the computer authentication issue, where it happens only at logon in Windows if I read correctly, and our users don't have the habit of logging off frequently, and we use only manual connection mode when the user already has his session open. I guess MAR will have to be set to a stupidly high value... if it even works.
    > Well, you need to sit down with everyone who is involved and really think out what works best for you. Machine authentication works well, but then people wonder what happens if someone logs in that isn't authorized, and because the computer is a domain computer it automatically gets on the network. Well, you're not going to get everything you want:) So PEAP has an issue because IT wants to limit the user to only being able to access using a company-owned device... well, then ISE is your fix. You can add a certificate that ISE can see, and if that device has that or a registry value and the user is allowed to access the network, the authentication is allowed, or else it will not be. EAP-TLS... well, more work, since you need a PKI infrastructure and both the RADIUS server and the clients need a cert...
    No matter what, you need to decide what works best and don't overcomplicate it by adding MAC filtering, etc.
    I'm wondering if EAP-TLS wouldn't be better for the long term, maybe with MAC address restriction in the short term...
    > See above
    I'm also wondering if we could stay with PEAP-MSCHAPv2 but use an NPS RADIUS server from Microsoft, which allows complex policies, instead of the Cisco ACS RADIUS server...
    > You need to know how to set up and configure the policies... either one will work, but if you're on ACS 4.x, I would look at upgrading to 5.4. ISE is replacing ACS as far as the RADIUS portion, but TACACS isn't yet available on ISE.
    There's also Cisco ISE, which seems to be equivalent to Microsoft NPS... a bit more costly OTOH.
    > ISE allows you to profile devices so you know what device is accessing your network. Again, ISE is replacing ACS as far as RADIUS, but TACACS will soon be out and available for ISE. If you really want to create crazy profiles, then ISE is the way to go. You can specify that this user group is allowed wireless, but it has to be a domain computer. The user isn't allowed access if it's not a domain computer. The same user group is allowed access with company iPads (certificate installed), but does not have access with personal iPads, tablets or smartphones.
    Hope this helps.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Problems controlling Microsoft Access with ActiveX

    I have done quite a bit of searching on this topic, and have found several answers that are close, but do not address my actual problem.
    I would like to use ActiveX to control Microsoft Access, specifically to create new database files without having to copy a blank file I have stored somewhere. I also can't stand it when I can't get something to work, so this is now a personal thing too.
    Anyway, when I run a simple VI to open the creatable reference Access._Application, I get the error: "Error 3005 occurred at Automation Open: Object specified is not creatable in Access.vi". I have tried a lot of the common answers to this problem, like browsing for the library in the ActiveX window, and trying to register it with regsvr32, but the file is msacc.olb, which cannot be registered with regsvr32.exe. I have attached the original VI and I have tried this on 3 different PCs, all with slightly different installs of Office, but all with Access 2007. If anyone can help me figure this out, I would greatly appreciate it.
    Thanks 
    Eric
    "When I see an adult on a bicycle, I do not despair for the future of the human race."
    -H.G. Wells
    Attachments:
    Access.vi ‏6 KB

    Your VI gave the same error on my machine. Then I deleted the Access._Application reference, right-clicked on the reference input and selected Create Control. Then I changed the ActiveX class by browsing to my computer's version of the reference ("Access._Application.12"). The same VI ran without error.
    The class still shows as Access._Application, which indicates that there may be an incompatibility which is not visible.
    When an ActiveX node fails to run after being copied from another machine, it is recommended to replace each node that generates the error and reselect the properties and methods.
    Michael Munroe, ABCDEF
    Certified LabVIEW Developer, MCP
    Find and fix bad VI Properties with Property Inspector

  • Error when re-starting an SQL Server Instance from VBA - [SQL-DMO]Service Control Error: Access is denied.

    Our application needs to use the Named Pipes and TCP/IP protocols. To save our users the hassle of having to enable them manually, our application has always done it for them and then stopped and restarted SQL Server. However, since the advent of Vista and Windows 7, the restart stopped working. We solved the problem by detecting the failure to restart and giving users sufficient instructions to do it themselves. Since this only occurs during installation on the server, this approach has not been too much of a hassle. However, we would like to tidy this up if possible. This is the VBA code that is causing the problem:
        obj_SQLServerInstance2.Start _
            g_SQL_UseWindowsAuthentication, _
            SQLServerInstance, _
            UserName, _
            Password
    This still works when run under XP, but fails under Windows 7 with the Error:
    [SQL-DMO]Service Control Error: Access is denied.
    Does anyone know how to resolve the problem?

    This still works when run under XP, but fails under Windows 7 with the Error:
    [SQL-DMO]Service Control Error: Access is denied.
    Hello Brian,
    Under Windows 7 you have to run the VBA script with admin permissions; a normal user doesn't have permission to start/stop services.
    Olaf Helper

  • Exam 1Z0-007 and questions from Controlling User Access

    Hi,
    I am preparing for exam 1Z0-007 and going to give this exam in two weeks. I like to confirm if "Controlling User Access" topic is part of this exam 1Z0-007? I have checked on Oracle website and this topic is not a part if this exam anymore unless they add it later.
    Has anyone recently given this exam and were there any questions related to "Controlling User Access" or user Privileges?
    Thanks

    I recommend people are very, very, very careful in answering this question, as it could be very easy to breach one's certification candidate agreement.
    Rgds - bigdelboy.
    Edited by: bigdelboy on 27-Dec-2009 04:26
    It is certainly true the topic you mentioned is in ISBN: 007-219537-1, printed in 2001.
    It is also apparent, unless bigdelboy's eyeball is deceiving him, that the topic does not appear in [http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=41&p_org_id=28&lang=US&p_exam_id=1Z0_007] which is authoritative.
    I have not followed these things that closely until recently; however, this will not be the only example of an Oracle Press/Sybex book being left behind because of errata/topic updates etc. These often occur when the exams are updated for new releases, e.g. from 10gR1 to 10gR2, or when the exam moves from beta to production (sometimes these books are prepared and even published while the exam is in beta). In your case I suspect the change quite probably occurred when the exam moved from 9iR1 to 9iR2, or to better accommodate the WDP programme. The exam may also be influenced by the content of Oracle training courses that are being taught, and from time to time these will be changed for a variety of reasons.
    How you handle it is up to you ..... you may:
    - Ignore these topics. IMHO you are always entitled to complain if the questions asked did not significantly match the published topics and you feel this caused you to fail. (I assume the remedy would be a retake voucher.) You can hit a comment button on the question and also a comment button at the end of the exam. This is a sort of negative approach.
    - Go over these topics. If you're serious about Oracle you really need to understand this anyway. See it as an opportunity. A few hours' revision ought to see you able to answer 50% of the topics. This is a positive approach. And this is how certification study ought to be .... sometimes it's good to investigate a non-examined topic that is interesting.

  • Controll user access with internal attribute date

    Hi all.
    I've created an internal attribute called Date-of-validity of type Date.
    The objective is to control user access based on the date configured in this attribute and permit access only when the date has not been reached.
    How do I control it, making the ACS look at the date in an automated way?
    Thanks in advance
    Antero Vasconcelos

    It is possible to define an internal user whose password is taken from an external store.
    In internal user definition select "Password Type" to be the LDAP database and then define the rest of the user definition, including identity groups, as desired

  • EA6500 Parental Control or Access Restrictions question

    I have been looking into this router. I would like to know if I can enable parental controls or access restrictions to block a MAC or IP address from 03:00 AM - 06:00 AM?
    Instead of Midnight to 6:00 am.
    My E4200 works just fine, Just would like to know if the EA6500 Can do that ?
    Thanks
    Chris

    Yes, you can block a device on the network from accessing the internet from 3 AM to 6 AM.
    Screen snippet I just took from my EA6500:
    As for blocking it by IP address or MAC address directly, no you can't, you have to select it from the device list, but from what I've seen, you have to do that on the E4200 as well, so that's nothing different.
    There have been people experiencing issues with their device lists on the EA6500, but I've rarely had any since a few firmware updates ago, and usually refreshing the page or clicking the in-page refresh button fixes those when they do happen to occur. (In my case.)
    And in response to the second post, although it's only a part of the wireless settings and unrelated to parental controls, the EA6500 does have MAC filtering:

  • SAP Security Planning and implementation with SOX/SOD compliance

    hello
    Hi guys, i am a security guy
    could you tell me ,"SAP Security Planning and implementation with SOX/SOD compliance" 
    what does it mean.
    <removed_by_moderator>
    thanks
    Ramesh
    Edited by: Julius Bussche on Feb 2, 2008 1:26 PM

    Forgive me for saying, but it means:
    Implementing security which complies with Sarbanes Oxley requirements and takes into account Segregation of Duties.
    SOX and SOD are different things, from a security perspective SOX is generally technical security based and SOD is business process based (although bus proc has big SOX component).
    There is a plethora of information via yahoo/google etc.
    Edited by: Julius Bussche on Feb 2, 2008 1:28 PM
