Security Basics mailing list archives
Re: A question about Access controls
From: Faheem SIDDIQUI <fahimdxb () gmail com>
Date: Sat, 11 Nov 2006 21:07:01 +0400
Thanks for the detailed reply Kern. Appreciate it! Though the feeling that has hit home is... lots of paperwork in the coming month, and a management whip to get some time out of the busy application programmers' schedules.
Kern wrote:

1. System utilities be controlled, monitored and challenged by someone. - Sounds like you need to disable access to all cmd.exe utilities except for ping, unless you have admin privileges.
2. Periodic review of access privileges. - Paperwork: Acceptable Use Policies (AUP), user security training, and account expiration policies.
3. Response and investigative procedures be put in place. - More paperwork.
4. A report listing user profiles and access controls be generated from the system on a regular basis. - I would re-task a programmer for a week to write you a little code for this.

And NO, this is not the same as the DMCA; processes NEED to be documented. When (if) the crap hits the fan you need to be able to show someone (in this case a security auditor) what you do on a daily basis. If you cannot empirically document the process you are doomed in case of a failure.

From the looks of the list you made, it seems as if the network is technically secure; now it needs to be administratively secured. Good luck.

On 11/4/06, Faheem SIDDIQUI <fahimdxb () gmail com> wrote:

Hi All,

The job at hand is to target the points raised in last year's IT auditing report and be able to help the client come clear (at least 80-90%) this year ending Dec 2006. Having taken care of some of the other issues, the main ones still pending happen to belong to the Access Controls. The points raised by the E & Y guys were:

1. System utilities be controlled, monitored and challenged by someone.
2. Periodic review of access privileges.
3. Response and investigative procedures be put in place, and
4. A report listing user profiles and access controls be generated from the system on a regular basis.

The setup has two Network Administrators managing about 25 Windows 2003 servers (Windows AD/NAS/SAN/Mail Exchange/Websense etc.) and about a dozen programming and development team members. All are overworked as usual with little to no segregation of duties, not even on paper.

How to satisfy the auditors this year?

Any/all ideas would be appreciated.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
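Audit point 4 (a user/access report generated from the system on a regular basis) is the one Kern suggests handing to a programmer for a week. The script below is an added example of what that programmer might produce; it is not code from either poster. It assumes the user list has first been exported from Active Directory with csvde.exe (shipped with Windows 2003), e.g. `csvde -f users.csv -r "(&(objectCategory=person)(objectClass=user))" -l sAMAccountName,userAccountControl,lastLogonTimestamp,memberOf`, and then reads that export offline. The domain `corp.local`, the accounts, and the group memberships in the sample are constructed; the set of privileged groups is a starting list, not a standard.

```python
"""Periodic access-review report built from an AD user export (added example).

Assumes the CSV shape csvde.exe produces: one row per user, multi-valued
attributes such as memberOf joined with ';'. The sample export is constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# AD timestamps are FILETIME values: 100-ns intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits (documented ADS_USER_FLAG values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_DONT_EXPIRE_PASSWD = 0x10000

# Built-in groups whose members a review should justify one by one (starting list).
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Server Operators", "Backup Operators",
}


def filetime_to_datetime(value):
    """FILETIME string -> aware datetime; 0 or empty means 'never set'."""
    if not value or int(value) == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def group_cn(dn):
    """'CN=Domain Admins,CN=Users,DC=corp,DC=local' -> 'Domain Admins'."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def review_users(export_text, now, stale_days=90):
    """Return one finding per user: account name, group CNs and review flags.

    lastLogonTimestamp replicates lazily (roughly every 9-14 days), so the
    'stale' flag is approximate: good enough for a periodic review, not for
    forensics. It also requires Windows 2003 domain functional level.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"] or 0)
        groups = [group_cn(g) for g in row["memberOf"].split(";") if g]
        last_logon = filetime_to_datetime(row["lastLogonTimestamp"])
        flags = []
        if uac & UAC_ACCOUNTDISABLE:
            flags.append("disabled")
        if uac & UAC_DONT_EXPIRE_PASSWD:
            flags.append("password-never-expires")
        if uac & UAC_PASSWD_NOTREQD:
            flags.append("password-not-required")
        privileged = sorted(PRIVILEGED_GROUPS.intersection(groups))
        if privileged:
            flags.append("privileged:" + "|".join(privileged))
        if last_logon is None:
            flags.append("never-logged-on")
        elif now - last_logon > timedelta(days=stale_days):
            flags.append("stale:%dd" % (now - last_logon).days)
        findings.append({"user": row["sAMAccountName"],
                         "groups": groups, "flags": flags})
    return findings


def flags_by_user(findings):
    """Index findings by account name."""
    return {f["user"]: f["flags"] for f in findings}


# --- constructed sample export for the hypothetical domain corp.local ---
NOW = datetime(2006, 11, 11, tzinfo=timezone.utc)   # date of this thread
_USERS = "CN=Users,DC=corp,DC=local"


def _ft(days_ago):
    return str(datetime_to_filetime(NOW - timedelta(days=days_ago)))


SAMPLE_EXPORT = "\n".join([
    "DN,sAMAccountName,userAccountControl,lastLogonTimestamp,memberOf",
    '"CN=alice,%s",alice,512,%s,"CN=Domain Users,%s"' % (_USERS, _ft(3), _USERS),
    '"CN=bob,%s",bob,66048,%s,"CN=Domain Users,%s;CN=Domain Admins,%s"'
    % (_USERS, _ft(200), _USERS, _USERS),
    '"CN=svc_backup,%s",svc_backup,514,0,"CN=Backup Operators,CN=Builtin,DC=corp,DC=local"'
    % _USERS,
    '"CN=carol,%s",carol,544,%s,"CN=Domain Users,%s"' % (_USERS, _ft(10), _USERS),
]) + "\n"


if __name__ == "__main__":
    # Print the report in a form that can be filed as evidence of the review.
    for f in review_users(SAMPLE_EXPORT, NOW):
        print("%-12s groups=%-32s flags=%s"
              % (f["user"], ",".join(f["groups"]), ",".join(f["flags"]) or "-"))
```

Run it as `python review.py` after pointing `SAMPLE_EXPORT` at the real csvde output; the flags are the items a reviewer signs off on (privileged membership, never-expiring or not-required passwords, accounts that have not logged on within the review window). Dating each run and keeping the output next to the sign-off is what turns the script into the "regular basis" report the auditors asked for.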
Current thread:
- A question about Access controls Faheem SIDDIQUI (Nov 06)
- Re: A question about Access controls Kern (Nov 10)
- Segregation of duties trivia Faheem SIDDIQUI (Nov 14)
- RE: Segregation of duties trivia David Gillett (Nov 15)
- Re: A question about Access controls Faheem SIDDIQUI (Nov 14)