URGENT help or features needed for sox compliance

[Pamela Bradford]

We are looking for a way of securing a file against modification during
transfer.
A user logs in to our application to generate a payroll data export file
(.csv format) the file is generated and encrypted in our system and sent via
email to the requester. The requester then decrypts the file then logs into
another application and uploads the file. The problem is that between
decrypting and uploading the file the data can be manipulated.

Sarbanes oxley auditors are failing us on this deficiency.
We would like our system to automatically add the following options to the
file prior to email transfer.

1. Render the csv or text file read only (currently available in both Word
and Excel)
2. Option to Disable the application window scroll bar (so the file cannot
be read onscreen beyond the first page)
3. Encrypt the csv file with PGP encryption key of the requester (already in
place) 4. Create and save a hash value of the file in both the message field
of the transfer email message and in a table within our database.
The other application will be tasked with retrieving the Each quarter the
other application will be required to provide the hash values of all files
uploaded from our application. the hash values should match if not there was

I am asking for help and guidance in knowing how to accomplish step 2. As
well as feedback
3. Upon decripting Limit online MS office application options to upload
file, or close window in order to force the reciever. No save, modify, or
delete option.
3.
--
Pamela J Bradford
FEPS Business Analyst
ACS Inc.

----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://www.microsoft.com/office/com...5bc814f&dg=microsoft.public.excel.programming

 

[Dave Peterson]

CSV and TXT files are plain old text. They can be opened in any text
editor--notepad to the millions of free text editors available on the web (as
well as MSWord and excel).

I don't think you'll find a solution to #1 or #2. I don't know anything about
PGP.

And I would think that the second #3 would depend on macros. Macros don't have
to be enabled (and wouldn't travel with .csv or .txt files, anyway) by the
user. So you wouldn't have assurances that the end user used the limiting
macros.

Maybe using excel and text files isn't the way to go.

Maybe using some other (home grown) program that encrypts the data and only
allows what you want allowed would be better.

 

[Dave F]

Excel is not a secure application. If your auditors say you need to prevent
your data from being manipulated, then I'd agree with Dave Peterson that
neither .txt files nor .xls files are the way to do it.

 

[Les]

Your primary problem is to ensure that the recipient does not change the file
prior to uploading it.

The PGP encryption is sufficient to ensure that the file is not intercepted
and changed when the it is sent to the user.

Prior to emailing the file, the sending application should calculate and
store securely a unique hash of the file contents. There is no requirement to
include this value in the file, either internally or as part of the email
message.

The upload application should use the same algorithm as the sending
application to re-calculate the hash of the file. This hash can be verified
against the stored value prior to any upload.

I am using the term hash, however any kind of algorithm can be used as long
as it is duplicated at both ends. Your concern should be that the calculation
remain secure from the users.

Lastly, your upload application can be set to prevent scrolling etc.
However, as pointed out in other posts this would not prevent the recipient
from viewing the contents of the unencrypted file.