Security Basics mailing list archives
Where is the head and tail?
From: "Harshal Mehta" <mehtaharshal () gmail com>
Date: Tue, 27 Feb 2007 11:13:39 +0530
Hi Wali,
> How should I start? Well, I can start to outline Change Management procedures that would be followed. Segregation of duties between various levels of developers, quality assurance, app admin etc. That's generic.
I suggest you should understand the basic working of the application. It's not required to have a full understanding of the accounting or finance. You should just have a fair knowledge of the flow of the information. Then you can start with the listing of the security procedures like:

Change Management - How changes are made, who all are authorized to make the changes, who reviews the changes, is there a fall back procedure for the changes made, whether records are maintained for the changes made and so on.

Backup Management - How regularly backup is taken, who is responsible for backup, type of backup, where the backup is stored.

Privilege Management - What privilege levels are defined, are they required for the daily operations, privilege access matrix.
> Then what? I am a novice when it comes to accounting and finance. Should I define workflows within dept. of accounting? Should I sit with accountants and other users and get deep into various things they do and then look deeply inside each module of this finance application in order to study General Ledgers, Journal Vouchers, Accounts receivables/payables etc. That would take months!!
Then you can start with the real application audit like checking for:

- Administrative privileges
- Logging
- Database vulnerabilities

A detailed understanding of the subject is not required, but you should have knowledge of the critical information and the threats to it. Then you can design a checklist which will help you in auditing the application. I think this would help.......

Harshal Mehta
Information Security Analyst
ISO 27001 IA, CEH, cVa, ITIL
NII Consulting
Mobile: +91 9819066601
Website: www.niiconsulting.com
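The privilege-management items in the reply above (a privilege access matrix, privileges needed for daily operations, segregation of duties, checking administrative privileges) can be turned into a mechanical check once the finance application's user/role export is in hand. The script below is an added example and is not code from the original thread or from NII Consulting; the access matrix, the segregation-of-duties rules, the user export and every privilege name in it are constructed for illustration and would be replaced by the values agreed with the application owner during the audit.

```python
"""Privilege access matrix and segregation-of-duties audit (illustrative example).

Assumed data model (constructed for this example):
  - ACCESS_MATRIX: the approved matrix, role -> privileges required for daily operations
  - SOD_RULES:     pairs of privileges no single person may hold together
  - USER_GRANTS:   the application's user export, user -> assigned roles and direct grants
"""
from dataclasses import dataclass

# Approved privilege access matrix (constructed sample, not from the original post).
ACCESS_MATRIX = {
    "ap_clerk":      {"AP.invoice.create", "AP.invoice.view"},
    "ap_manager":    {"AP.invoice.view", "AP.invoice.approve", "AP.payment.release"},
    "gl_accountant": {"GL.journal.create", "GL.journal.view"},
    "gl_controller": {"GL.journal.view", "GL.journal.post"},
    "app_admin":     {"SYS.user.manage", "SYS.role.manage", "SYS.audit.view"},
}

# Segregation-of-duties rules: the person who enters a transaction must not be the
# one who approves or posts it, and the application administrator must not be
# able to move money. Constructed sample rules.
SOD_RULES = [
    ("AP.invoice.create", "AP.invoice.approve"),
    ("GL.journal.create", "GL.journal.post"),
    ("SYS.role.manage", "AP.payment.release"),
]

# Constructed user export: roles assigned plus privileges granted directly,
# outside the matrix (direct grants are where most audit findings hide).
USER_GRANTS = {
    "asha":   {"roles": {"ap_clerk"}, "direct": set()},
    "bob":    {"roles": {"ap_clerk", "ap_manager"}, "direct": set()},
    "chitra": {"roles": {"gl_accountant"}, "direct": {"GL.journal.post"}},
    "dev1":   {"roles": {"app_admin"}, "direct": {"AP.payment.release"}},
    "eve":    {"roles": {"gl_controller"}, "direct": set()},
    "ghost":  {"roles": {"legacy_admin"}, "direct": {"SYS.user.manage"}},
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "unknown_role" | "excess_privilege" | "sod_conflict"
    detail: str


def effective_privileges(entry, matrix):
    """Privileges a user actually holds: union of role privileges plus direct grants."""
    privs = set(entry.get("direct", set()))
    for role in entry.get("roles", set()):
        privs |= matrix.get(role, set())
    return privs


def audit(grants, matrix, rules):
    """Compare the user export against the approved matrix and the SoD rules."""
    findings = []
    for user, entry in sorted(grants.items()):
        roles = set(entry.get("roles", set()))
        # Roles that exist in the application but not in the approved matrix.
        for role in sorted(roles - set(matrix)):
            findings.append(Finding(user, "unknown_role", role))
        # Everything the user's approved roles entitle them to.
        allowed = set().union(*(matrix[r] for r in roles if r in matrix))
        held = effective_privileges(entry, matrix)
        # Privileges held beyond what the matrix grants for the user's roles.
        for priv in sorted(held - allowed):
            findings.append(Finding(user, "excess_privilege", priv))
        # Conflicting pairs held by one person, whichever roles or grants supply them.
        for a, b in rules:
            if a in held and b in held:
                findings.append(Finding(user, "sod_conflict", f"{a} + {b}"))
    return findings


if __name__ == "__main__":
    for f in audit(USER_GRANTS, ACCESS_MATRIX, SOD_RULES):
        print(f"{f.user:8} {f.kind:17} {f.detail}")
```

Run against the constructed export it flags bob (a clerk who was also given the manager role and can now both enter and approve invoices), chitra (a direct grant that lets her post her own journal vouchers), dev1 (an application administrator who can release payments) and ghost (a role nobody approved), while asha and eve come back clean. In a real engagement the matrix and rules are what you agree with the accountants and the application owner; the export comes from the application's user administration screen or its database, and the script is just the checklist item "privilege access matrix" made repeatable.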
Current thread:
- Re: Security Simplification, (continued)
- Re: Security Simplification Paul daSilva (Feb 22)
- Re: Security Simplification Matt Moore (Feb 22)
- Re: Security Simplification Isaac Perez Moncho (Feb 23)
- RE: Security Simplification Nhon Yeung (Feb 22)
- Re: Security Simplification Christian Kopacsi (Feb 22)
- Re: Security Simplification simonis (Feb 22)
- Re: Re: Security Simplification aaarugrat (Feb 23)
- Re: Security Simplification Henry Troup (Feb 23)
- RE: Security Simplification Herb Steck (Feb 23)
- Where is the head and tail? WALI (Feb 26)
- Where is the head and tail? Harshal Mehta (Feb 28)
- Re: Where is the head and tail? crazy frog crazy frog (Feb 28)
- RE: Security Simplification Herb Steck (Feb 23)