CASE: SHORT-TERM SOX ASSESSMENT
The OxygeN software system is part of the main identity and access management system for Global Philips. It has been determined that the system has to meet SOx requirements. After T-Systems became the global IT partner of Philips in 2010, OxygeN is the last such system still located in a former Philips data center in Eindhoven and still using the network managed by T-Systems. All other SOx-compliant systems are operated from data centers in Germany or England. OxygeN is due to be replaced and will therefore remain in its current location until it is decommissioned. SOx regulations require a regular security assessment. Because the last security assessment of the OxygeN system dates from 2007, when Philips was still running most of its systems itself, a new security assessment had to be made promptly, and in any event before the end of the current audit cycle.

Approach

Carrying out a reliable and robust security assessment within the given time frame was the central goal of the approach. To achieve that goal, Aranea proposed to limit the focus of the assessment and to re-use the basis of the previous one. This was done by making two of the CobiT control objectives the focal point of the assessment and by re-using the extensive list of threats that had been used for the 2007 assessment.

Execution

Based on the above approach, a stepwise methodology was used to conduct the security assessment. The steps were: get to know the environment and surroundings; identify threats; analyze risks; identify recommended corrective actions; and document the results.

To get to know the environment and surroundings, two series of short interviews were conducted. To identify the threats, the 2007 list was reviewed: for each threat it was determined whether it was still applicable given the changed scope of the assessment. The list was also cross-checked against the requirements of the CobiT DS5.10 ('Network security') and DS5.11 ('Exchange of sensitive data') control objectives, so that every requirement of the two control objectives in scope was covered by at least one threat on the list.

To analyze the risks, each threat was examined individually to determine which security measures are in place to prevent the corresponding vulnerabilities from being exploited, and which measures are taken to contain any damage should exploitation succeed. In the next step, recommendations for additional measures or corrective actions to further mitigate the risk were made, depending on how far each vulnerability was already mitigated. The results were captured in a written report and in a presentation to the customer.

Result

The Security Assessment Report enabled Philips to meet the SOx requirements. It provided Philips and T-Systems with a more detailed view of the risks regarding the OxygeN system, and it supplied the system's stakeholders with an assessment of the adequacy of the management, operational, and technical controls used to protect the confidentiality, integrity, and availability of the system and of the data it stores, transmits, and processes.


