「I would like to detect program enrollment/change, that is, when programs and config files in the production environment change.」
「An audit concerning internal control pointed out "program enrollment/change", but I don't know what I should do.」
「It was pointed out that DB modules are also subject to audit, but I don't know how I should detect them.」
It seems that customers who are considering program enrollment/change control have worries such as these.
"Program enrollment/change", which is one of the IT general control objectives, was not pointed out in the first or second year of J-SOX; however, since the third year, the number of companies for which external audit points it out has been increasing.
Under J-SOX, control activities are carried out to prevent improper manipulation of financial statements.
Financial statements are easily falsified through a program enrollment. For example, preparing a program whose calculation formulas have been altered to flatter the financial statements, and replacing the original program with it, easily falsifies them.
Apart from the angle of financial statement falsification, it is also possible that a business system's program is changed without permission.
To avoid these risks, corporate systems are required to control program enrollment/change.
「WEEDS ITGC-Trace」 detects when a program is "registered", "changed" or "deleted", stores this as a registration/change log, and audits that these operations were permitted, in order to prove that this control activity is functioning properly.
The points of program enrollment/change are:
① Acquiring registration/change records of all files on the server where the application is placed.
② Acquiring change records of database programs (stored procedures and PL/SQL).
③ Auditing only the registrations/changes of application programs from the acquired change logs (audit trail).
The above functions are indispensable for program enrollment/change.
WEEDS ITGC-Trace encompasses these points.
Because it is application programs that are audited, it may seem enough to simply acquire the registration/change logs of the relevant programs. However, when falsifying, programs and setting files may be placed in another area unrelated to the application. If only the relevant application is logged, logs may be missing in follow-up work, and a sufficient audit is impossible. Therefore acquiring all registration/change logs is needed.
Database programs that are saved and run in the database, such as stored procedures and PL/SQL, are also subject to audit under J-SOX.
Database programs are often used in financial accounting systems and sales management systems. It is critical to detect database program registrations/changes and to acquire logs.
"Acquiring logs" is described in Point ①. In normal auditing, however, auditing all file registrations/changes on a server places a greater burden on audit work.
Therefore, a mechanism that easily extracts and audits the registrations/changes of the relevant application is indispensable.
Some files on an application server are updated by batch. They should be excluded from normal auditing, even though they are recorded in the registration/update log.
Setting up the audit function in ③ makes a precise audit possible and keeps the cost of audit work low.
The reason for acquiring all registration/change logs as in ① is so that a detailed survey can be conducted should the need arise.
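The three points above can be sketched as snapshot, diff and scoped audit view. This is an added example, not WEEDS ITGC-Trace's own code: the function names, glob patterns and approval set are hypothetical, and the approval set stands in for whatever release workflow records permitted changes.

```python
import hashlib
import os
from fnmatch import fnmatch


def snapshot(root):
    """Record every file under root as {relative path: (sha256, permission bits)}."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (digest, os.stat(full).st_mode & 0o7777)
    return state


def diff(old, new):
    """Full change log: one (action, path) entry per registered/changed/deleted file."""
    log = [("registered", p) for p in new if p not in old]
    log += [("changed", p) for p in new if p in old and new[p] != old[p]]
    log += [("deleted", p) for p in old if p not in new]
    return sorted(log, key=lambda e: e[1])


def audit_view(log, app_globs, batch_globs, approved):
    """Keep application files, drop batch-updated ones, flag unapproved changes."""
    findings = []
    for action, path in log:
        in_app = any(fnmatch(path, g) for g in app_globs)
        is_batch = any(fnmatch(path, g) for g in batch_globs)
        if in_app and not is_batch:
            status = "approved" if (action, path) in approved else "UNAPPROVED"
            findings.append((action, path, status))
    return findings


def outside_scope(log, app_globs):
    """Entries the audit view hides; kept so a detailed survey is still possible."""
    return [e for e in log if not any(fnmatch(e[1], g) for g in app_globs)]


# Constructed sample policy (hypothetical paths and approvals, not from the product).
APP_GLOBS = ["app/*"]
BATCH_GLOBS = ["app/data/*"]
APPROVED = {("changed", "app/bin/calc.py")}
```

Run `snapshot` once per agent execution, keep the previous result, and store the complete `diff` output; `audit_view` is only a filter over that stored log.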
<Original problem>
「On IT general control, people initially conducted change management of program modules.
Checking the difference between request documents and program modules regularly takes a great deal of operational cost, because the checking is done by manpower.
In addition, the result of the audit is confirmed again and again to prove the validity of the audit.」
<After introducing WEEDS ITGC-Trace>
「Installing WEEDS ITGC-Trace enables change management of program modules, which until now was done by manpower, to be acquired automatically.
There is a workflow for registering information on released programs. It is possible to prove the validity of releases, for example by checking for unpermitted programs in the audit report. This realizes checks by an outsider.
Change management of program modules is systemized in its operational aspect. It considerably reduces operational cost compared to auditing by manpower.」
<Original problem>
「In J-SOX, not only change management of program modules but also that of database programs is in scope. This causes problems of how to check and how to operate the audit.
Although it is called change management of database programs, deciding how we should audit it is impossible without assigning a person in charge who is well versed in databases.
And it is unrealistic to have the person in charge audit the altered information, so a mechanism that audits effectively was sought.」
<After introducing WEEDS ITGC-Trace>
「With WEEDS ITGC-Trace, acquiring change management of database programs is possible by using WEEDS-Trace concurrently. Because of this, a mechanism was built that audits the change history of program modules + database programs together.
It can be used in different ways depending on the audit report, and it realizes an audit that includes detailed change contents, such as the number of change histories of database programs and the database programs themselves. Change management can be exploited effectively.」
There seem to be 3 program enrollment/change audit methods. Let us compare these 3 ways.
① Visual check
Advantage: No cost is incurred for tools.
Disadvantage: It takes man-hours and labor cost, and the risk of audit omissions will not disappear.
② Self-developed tool
Advantage: Because it is self-developed, the tool is suited to the business.
Disadvantage: It incurs development cost, and its functions must always be updated to follow the latest audit direction.
③ Packaged product
Advantage: Completeness and objectivity from an audit standpoint are high, and the operational burden is reduced.
Disadvantage: A package cost is incurred.
| Audit method comparison | Completeness | Objectivity | Man-hours | Labor cost | Development cost | Purchase cost |
|---|---|---|---|---|---|---|
| ① Visual check | Low | Low | High | High | Without | Without |
| ② Self-developed tool | Low | Low | Moderate | Moderate | With | Without |
| ③ Packaged product | High | High | Low | Low | Without | With |
As the comparison table above shows, using ③, a packaged product, seems to be the best way for change management of programs.
If using a packaged product, 「WEEDS ITGC-Trace」, which covers points ① to ③, is appropriate.
| Category | Item | Details |
|---|---|---|
| Introduced effect | | Internal control (IT general control) compliance, supervisory authority audit compliance, personal information protection law compliance, internal system audit compliance, P-Mark, ISMS compliance, detection of improper manipulation of programs. |
| Agent Module | Supported OS | Windows 2000 or later, AIX 4.3.3 or later, RedHat Linux 3 or later, Sun Solaris 7 or later, HP-UX 11i or later, Miracle Linux, Cent OS ※ Other UNIX-like OSes can be supported promptly, depending on porting. |
| | Setting changes at the time of introduction | None |
| | Running method | Executable format (not resident) |
| | Load on server | At the recommended operation setting, once/day at night. Uses CPU for 10 minutes. Memory utilization is the size of the maximum file path. |
| Log | Items logged | Changed file (registration, update, deletion), file path, file name, authority ※ Logging database program changes requires installing WEEDS DB-Trace. |
| | Database program operations covered | CREATE PROCEDURE, ALTER PROCEDURE, CREATE FUNCTION, ALTER FUNCTION, CREATE TRIGGER, ALTER TRIGGER, CREATE VIEW, CREATE OR REPLACE VIEW, CREATE PACKAGE (Oracle only), CREATE PACKAGE BODY (Oracle only) |
| | Transfer | Transferred when the agent is executed (normally once/day) |
| | Log volume | 5kb per altered file |
| Licence system | | Per server OS |
| Price | | Open (volume discount available) |