Security Basics mailing list archives

Re: A question about Access controls


From: Faheem SIDDIQUI <fahimdxb () gmail com>
Date: Sat, 11 Nov 2006 21:07:01 +0400

Thanks for the detailed reply, Kern.

Appreciate it! Though the feeling that has hit home is... lotsa paperwork in the coming month and a management whip to get some time outta the busy Applications programmers' schedule.


Kern wrote:
1. System utilities be controlled, monitored and challenged by someone.

  - Sounds like you need to disable access to all cmd.exe utilities
except for ping, unless you have admin privileges

2. Periodic review of access privileges.

  - Paperwork: Acceptable Use Policies (AUP), user security
training, and account expiration policies

3. Response and investigative procedures be put in place and

  - More paperwork

4. A report listing user profiles and access controls be generated from
system on regular basis.

  - I would re-task a programmer for a week to write you a little code for this.

and NO, this is not the same as the DMCA; processes NEED to be
documented. When (if) the crap hits the fan you need to be able to
show someone (in this case a security auditor) what you do on a daily
basis. If you cannot empirically document the process, you are doomed
in case of a failure.

From the looks of the list you made, it seems as if the network is
technically secure, now it needs to be administratively secured.

Good luck.


On 11/4/06, Faheem SIDDIQUI <fahimdxb () gmail com> wrote:
Hi All

The job at hand is to target the points raised in last year's IT
Auditing report and be able to help the client come clear (at least 80-90%)
this year, ending Dec 2006.

Having taken care of some of the other issues, the main ones still
pending happen to belong to the Access Controls.

The points raised by E & Y guys were:
1. System utilities be controlled, monitored and challenged by someone.
2. Periodic review of access privileges.
3. Response and investigative procedures be put in place and
4. A report listing user profiles and access controls be generated from
system on regular basis.

The setup has two Network Administrators managing about 25 Windows 2003
servers (Windows AD/NAS/SAN/Mail Exchange/Websense etc.) and about a
dozen programming and development team members. All are overworked as
usual, with little to no segregation of duties, not even on paper.

How to satisfy auditors this year?
Any/all ideas would be appreciated.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
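Point 4 of the audit asks for a regularly generated report of user profiles and access controls, and Kern's suggestion is to have a programmer write a small tool for it. The following is an added example written for this page, not code from either poster: a PowerShell (2.0 or later) script that enumerates every user account in the domain through System.DirectoryServices, so it needs no extra modules on a Windows 2003 Active Directory, and writes an access-review CSV flagging disabled accounts, non-expiring passwords, stale logons and membership in privileged groups. The output path, the 90-day staleness threshold and the set of groups treated as privileged are assumptions.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+, a domain-joined host, and
# lastLogonTimestamp being replicated (Windows 2003 forest functional level or higher).
$OutFile          = "C:\Reports\ad-access-review-$(Get-Date -Format yyyyMMdd).csv"   # assumed path
$StaleDays        = 90                                                               # assumed threshold
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
# userAccountControl bit flags, as documented in the AD schema
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Convert-FileTime($value) {
    # lastLogonTimestamp is a 64-bit FILETIME; 0 or a missing value means "never logged on"
    if ($null -eq $value -or [int64]$value -eq 0) { return $null }
    [DateTime]::FromFileTime([int64]$value)
}
function Get-Prop($props, $name) {
    # SearchResult properties are collections; return the first value, or $null if absent
    if ($props[$name].Count -gt 0) { $props[$name][0] } else { $null }
}

# Search the default naming context for every user object, paging so large domains work
$root     = New-Object System.DirectoryServices.DirectoryEntry
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 1000
foreach ($a in 'sAMAccountName','displayName','userAccountControl','memberOf','lastLogonTimestamp') {
    [void]$searcher.PropertiesToLoad.Add($a)
}

$report = foreach ($r in $searcher.FindAll()) {
    $p         = $r.Properties
    $uac       = [int](Get-Prop $p 'useraccountcontrol')
    $lastLogon = Convert-FileTime (Get-Prop $p 'lastlogontimestamp')
    # memberOf holds group distinguished names; keep just the CN for the report
    $groups    = @($p['memberof']) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
    New-Object PSObject -Property @{
        Account              = [string](Get-Prop $p 'samaccountname')
        DisplayName          = [string](Get-Prop $p 'displayname')
        Enabled              = -not ($uac -band $ADS_UF_ACCOUNTDISABLE)
        PasswordNeverExpires = [bool]($uac -band $ADS_UF_DONT_EXPIRE_PASSWD)
        LastLogon            = $lastLogon
        Stale                = ($null -eq $lastLogon) -or ($lastLogon -lt (Get-Date).AddDays(-$StaleDays))
        Privileged           = @($groups | Where-Object { $PrivilegedGroups -contains $_ }).Count -gt 0
        Groups               = $groups -join ';'
    }
}

# Privileged accounts first so reviewers see them at the top of the sheet
$report | Sort-Object @{Expression='Privileged'; Descending=$true}, Account |
    Select-Object Account, DisplayName, Enabled, Privileged, PasswordNeverExpires, Stale, LastLogon, Groups |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Scheduling this as a task and filing the dated CSV each run gives the auditor both the report (point 4) and evidence that the periodic review (point 2) actually happens.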