Top 10 Risk and Security Audit Findings
IT security has become increasingly important and is today an inevitable part of our daily lives. Because of the importance and emphasis being placed on IT security today, we have decided to write a guide for IT security auditors. In the course of our professional work, we have identified 10 common risk and security audit findings that enterprises should avoid, and we share that knowledge with you in this series of articles.
Our guide reviews 10 security areas together with best practices for each. This first article covers data classification and change management.
Data Classification
Typical Security Issue:
Inability to find or produce an inventory of assets and associated classifications.
What It Means:
One would be surprised how many companies out there do not even know what assets they have. If your company does not know what it owns, then it probably does not even know how to protect it. And, if your organization does not know what it has, then it probably is unaware of the risks it is facing.
How to Avoid the Problem:
Traditional classification mechanisms and controls often fail, and classification is a recurring problem for enterprises, especially large ones. It is reasonable for an auditor to recognize that an enterprise has no idea where its sensitive data is held or how it is protected, but it is not reasonable to expect an enterprise-wide classification and labeling scheme to be implemented overnight.
Minimum Action Needed:
Create an ad hoc list of critical systems and publish a reasonable classification policy.
Recommendation:
Conduct an inventory and classification project, and automate as much of the process as possible. Inventory and classification work best through a formal asset management process that uses automated mechanisms to identify sensitive data and applies mandatory controls and content-aware mechanisms to prevent data leakage.
Change Management
Typical Security Issue:
Evidence of change management on material systems cannot be found.
What It Means:
It is likely that no one in your company is responsible for controlling mission-critical changes, which means the company probably does not know what problems might result from those changes.
How to Avoid the Problem:
Unauthorized changes by privileged users represent a far greater risk than external threats such as attacks by external hackers or malicious code. Change management is an area that can easily introduce unwanted risk into your information system and therefore deserves closer attention. The U.S. Sarbanes-Oxley Act plays a major role in driving the implementation of such controls within the corporate governance model.
Minimum Action Needed:
To mitigate change management risks, maintain separate development, testing, and production environments, and implement a robust, well-documented change request process.
Recommendation:
Implement enterprise-wide change management processes and best practices.
Advanced Recommendation:
Some companies with complex information systems implement a full change management database (CMDb), which enables configuration auditing and automated change recognition: the recorded configuration of each item is compared against what is actually deployed, and every difference must be traceable to an approved change request. Pay attention to segregation of duties, so that the person who requests a change is not the one who approves it.
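The following is an added illustration, not code from the article, of the kind of automated check an auditor can run against a CMDb: it recognizes configuration items that differ from the recorded baseline, reports those with no approved change request as the "no evidence of change management" finding above, and flags self-approved requests as segregation-of-duties violations. All item names, hashes and change records are constructed sample data, and the record layout is an assumption.

```python
# Constructed CMDb baseline: configuration item -> hash recorded at last approved change.
BASELINE = {
    "web01:/etc/nginx/nginx.conf": "a1b2",
    "db01:/etc/postgresql/pg_hba.conf": "c3d4",
    "app01:/opt/app/config.yml": "e5f6",
}

# Constructed snapshot collected from the systems, using the same hash scheme.
OBSERVED = {
    "web01:/etc/nginx/nginx.conf": "a1b2",       # unchanged
    "db01:/etc/postgresql/pg_hba.conf": "ffff",  # changed, covered by CR-102
    "app01:/opt/app/config.yml": "9999",         # changed, no approved request
}

# Constructed approved change requests (assumed layout): item covered,
# who requested the change and who approved it.
CHANGE_REQUESTS = [
    {"id": "CR-101", "item": "web01:/etc/nginx/nginx.conf",
     "requester": "alice", "approver": "bob"},
    {"id": "CR-102", "item": "db01:/etc/postgresql/pg_hba.conf",
     "requester": "carol", "approver": "carol"},  # self-approved
]


def detect_changes(baseline, observed):
    """Automated change recognition: items whose observed hash differs from
    the CMDb record (items missing from the baseline count as changed)."""
    return sorted(item for item, h in observed.items() if baseline.get(item) != h)


def audit(baseline, observed, change_requests):
    """Return audit findings: changed items with no approved change request,
    and change requests where requester and approver are the same person."""
    findings = {"unauthorized": [], "sod_violation": []}
    covered = {cr["item"]: cr for cr in change_requests}
    for item in detect_changes(baseline, observed):
        cr = covered.get(item)
        if cr is None:
            findings["unauthorized"].append(item)      # no change-management evidence
        elif cr["requester"] == cr["approver"]:
            findings["sod_violation"].append(cr["id"])  # segregation of duties broken
    return findings


if __name__ == "__main__":
    for kind, items in audit(BASELINE, OBSERVED, CHANGE_REQUESTS).items():
        print(f"{kind}: {items}")
```

A real CMDb holds many more attributes per item, but the reconciliation logic an auditor needs is the same: every observed difference must map to an approved request with distinct requester and approver.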
To be continued...
Copyright © 2009 Maxi-Pedia http://www.Maxi-Pedia.com