Jim Kaplan's AuditNet Resource List
Computer Security Policies – How do you know if yours is working?

Have you been part of a Computer Security Policy implementation team? Are you tasked with auditing (determining) the successful implementation of such a policy project? How do you measure success, and how confident are you that it can be sustained?

For those of you involved in such a strategic company initiative there is now a tool to help accelerate implementation: a tool which shows graphically how well the security controls established on individual systems (or groups of systems) compare with the policy's Security Standards. With a visual representation of the discrepancies, all parties can readily recognize which areas are strong and which are weak.

But how, you might ask, will this help judge whether the Security Policy is working successfully? Let me first pose the following two assertions: first, a successful Security Policy should include the ability of System Owners to define the access control standards for the production environment in which their applications operate; and second, System Owners should be able to readily review meaningful security reports showing who has access to their production resources. I contend that when User Management has these two capabilities they are able to take "ownership of security", a critical success factor for an effective Computer Security Policy.

If we step back a decade, we saw the rapid deployment of applications on departmental LAN systems, often to the chagrin of mainframe IT. At the time, naysayers pointed to the inability of Users to control the integrity of their systems. Slowly but surely, however, the concept of User Ownership began spelling out the roles of User Management. To take charge of their systems, the concept required User champions to promote extensive user education; to appoint system administrators; to adopt production control disciplines; and to install utilities to monitor system integrity.

However, even today, one key "ownership" discipline has generally eluded User Management control, namely Ownership of Security. Sure, User departments have system administrators to implement application-level security features. These skilled individuals ensure adequate segregation of duties among user functions by applying their applications' built-in security controls. And, as and when required by System Owners (or by Internal or External Auditors), these administrators are able to provide access profile reports, audit trails of profile changes, and so on. But does this give User Management sufficient assurance over the security of their applications' databases and reports? Are they confident that their production data is reasonably protected from unnecessary access by a slew of technical support personnel? In other words, are System Owners able to readily review who, at the operating system level, has access to their system's production environment?

I would contend that true User Ownership should nowadays include Ownership of Security, with the attendant capability to readily review all access rights to the production environment of their applications. This becomes even more imperative where User Management is tasked with responsibility for maintaining the confidentiality and privacy of customer, patient or credit card data.

Yet ensuring appropriate access rights for user staff only addresses half of the security protection equation. Bearing in mind that significant computer crime is still perpetrated by internal IT employees, User Management should also be able to review, and challenge, unsubstantiated access rights held by technical support personnel. With such "access reporting" capabilities, User Management can review the security of their production environment after major hardware or software upgrades. We all appreciate that operating system security controls are usually relaxed, or even disabled, to accommodate a vendor's upgrade activities, and IT Security administrators sometimes fail to follow up after the vendor (or internal technical support) finishes. Consequently, once an upgrade is complete, User Management should have the ability to verify whether security has been reinstated to its original levels.

In fact, User Management should actively be involved in setting the security standards for access to their production environments. This is not to suggest that User Management should understand the technical roles of all the support technicians administering the operating system and the middleware software. However, with guidance from Internal Computer Audit personnel, System Owners can certainly specify desirable minimum standards for access by support technicians. These standards might include how many technicians should have general access, how frequently, from where (remotely or only locally), with or without delegation authority, and so on. (Because of the technical nature of the material, Internal Audit should still be tasked with reviewing the security-related audit trails of O/S and middleware components.)

Under such a scenario, User Management would be empowered to make significant contributions to the credibility and adoption of an organization's Computer Security Policy. No longer would operating system and middleware security be delegated, by default, to technical support. And with the right security reporting tools, System Owners would be able to request security assessments on a regular or ad hoc basis, with minimal turnaround delay. In fact, one such computer security analysis service, with a turnaround time of 24 hours or less, is already available and in use by a number of companies: companies audited by Deloitte & Touche are able to subscribe to its automated computer security review service, SekChek (available from www.sekchek.com). Besides comprehensive analyses, SekChek provides tangible, graphical reports showing how well production environments have been secured. In turn, these reports can be tailored to compare security measures across multiple locations (departmental, regional and international) against a company's Security Standards benchmark. Over time, these graphical reports can provide visible and objective feedback on the progress of policy implementation. In an organization with the right culture, and an active Security Champion or Privacy Officer, these comparison reports can be very powerful. Used correctly, they can give acknowledgement for effective adoption of "security ownership", as well as motivate those departments lagging behind.

In conclusion, to determine if your organization has an effective Computer Security Policy, you need to establish whether User Management has truly taken "Ownership" of all aspects of the security of their systems, including the security of the production environments. Moreover, there should be evidence that User Management is actively involved in setting Security Policy standards for technical support access to their systems' resources. And finally, User Management should be regularly requesting and receiving, with minimal delay, meaningful security reviews to confirm reasonable protection of their application databases, audit trails and program libraries.
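The minimum access standards and the post-upgrade verification described above can be made concrete as a comparison of a privileged-access snapshot against two references: the System Owner's standard and the pre-upgrade baseline. The following Python script is an added example written for this page; it is not SekChek, not AuditNet's code, and does not reproduce any vendor's report. It assumes a hypothetical record shape in which each system's snapshot is a set of (user, access level, remote login, delegation) records, uses constructed sample data for two systems, and assumes the standard consists of a cap on administrator count, an approved-administrator list, and yes/no rules for remote administrative login and delegation authority.

```python
"""Compare privileged-access snapshots against a System Owner's standard and a
pre-upgrade baseline. Added example; all data below is constructed, not real."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class AccessRight:
    """One account's rights on one production system (hypothetical record shape)."""
    user: str
    level: str          # "admin" (O/S or middleware privilege) or "general"
    remote: bool        # may log in from outside the local site
    can_delegate: bool  # may grant access rights to others


@dataclass(frozen=True)
class Standard:
    """Minimum standard set by the System Owner with Internal Audit guidance."""
    max_admins: int
    approved_admins: frozenset[str]
    remote_admin_allowed: bool
    delegation_allowed: bool


Snapshot = dict[str, set[AccessRight]]


def check_against_standard(snapshot: Snapshot, std: Standard) -> dict[str, list[str]]:
    """Return, per system, the list of findings (an empty list means compliant)."""
    findings: dict[str, list[str]] = {}
    for system, rights in sorted(snapshot.items()):
        issues: list[str] = []
        admins = sorted(r for r in rights if r.level == "admin")
        if len(admins) > std.max_admins:
            issues.append(f"{len(admins)} admin accounts, standard allows {std.max_admins}")
        for r in admins:
            if r.user not in std.approved_admins:
                issues.append(f"admin '{r.user}' is not on the approved list")
            if r.remote and not std.remote_admin_allowed:
                issues.append(f"admin '{r.user}' may log in remotely")
            if r.can_delegate and not std.delegation_allowed:
                issues.append(f"admin '{r.user}' may delegate rights to others")
        findings[system] = issues
    return findings


def drift_from_baseline(baseline: Snapshot, current: Snapshot) -> dict[str, dict[str, list[AccessRight]]]:
    """Rights added or removed since the baseline, per system. A changed right
    (e.g. remote login switched on) shows up as one removal plus one addition."""
    drift: dict[str, dict[str, list[AccessRight]]] = {}
    for system in sorted(set(baseline) | set(current)):
        before = baseline.get(system, set())
        after = current.get(system, set())
        drift[system] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return drift


def compliance_rate(findings: dict[str, list[str]]) -> float:
    """Fraction of systems with no findings: the figure a cross-location chart would plot."""
    if not findings:
        return 1.0
    return sum(1 for issues in findings.values() if not issues) / len(findings)


# Constructed sample data: the pre-upgrade baseline the System Owner signed off.
BASELINE: Snapshot = {
    "payroll-db": {
        AccessRight("ops1", "admin", remote=False, can_delegate=False),
        AccessRight("ops2", "admin", remote=False, can_delegate=False),
        AccessRight("clerk7", "general", remote=True, can_delegate=False),
    },
    "claims-app": {
        AccessRight("ops1", "admin", remote=False, can_delegate=False),
        AccessRight("agent3", "general", remote=True, can_delegate=False),
    },
}

# Constructed post-upgrade snapshot: a vendor account was left behind on payroll-db
# and ops2 was given remote login during the upgrade; claims-app is unchanged.
CURRENT: Snapshot = {
    "payroll-db": {
        AccessRight("ops1", "admin", remote=False, can_delegate=False),
        AccessRight("ops2", "admin", remote=True, can_delegate=False),
        AccessRight("vendorsvc", "admin", remote=True, can_delegate=True),
        AccessRight("clerk7", "general", remote=True, can_delegate=False),
    },
    "claims-app": {
        AccessRight("ops1", "admin", remote=False, can_delegate=False),
        AccessRight("agent3", "general", remote=True, can_delegate=False),
    },
}

STANDARD = Standard(max_admins=2, approved_admins=frozenset({"ops1", "ops2"}),
                    remote_admin_allowed=False, delegation_allowed=False)


def main() -> None:
    findings = check_against_standard(CURRENT, STANDARD)
    for system, issues in findings.items():
        print(f"{system}: {'COMPLIANT' if not issues else 'NON-COMPLIANT'}")
        for issue in issues:
            print(f"  - {issue}")
    for system, change in drift_from_baseline(BASELINE, CURRENT).items():
        for r in change["added"]:
            print(f"{system}: added   {r.user} {r.level} remote={r.remote} delegate={r.can_delegate}")
        for r in change["removed"]:
            print(f"{system}: removed {r.user} {r.level} remote={r.remote} delegate={r.can_delegate}")
    print(f"compliance rate: {compliance_rate(findings):.0%}")


if __name__ == "__main__":
    main()
```

Run it directly to print the per-system findings and the drift since the baseline; on the sample data, payroll-db is flagged for the extra administrator, the unapproved vendor account, remote administrative login and delegation authority, while claims-app is compliant. The check only knows what the snapshot tells it: collecting that snapshot from the real operating system or middleware (accounts, group membership, delegation or sudo-style grants) is the platform-specific part a review service does for you, and is outside this example.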
Copyright © Jim Kaplan
AuditNet® is a registered trademark of Jim Kaplan
Address of this Page is http://www.auditnet.org/