Auditing and Logging 129



  • Does anyone know what auditing and post-implementation review is necessary when granting developers production access on an emergency basis?


  • I don’t have anything specific, but the focus should be on a monitoring control that could identify whether or not the developers made any changes to financial systems that would constitute fraud or a safeguarding-of-assets issue.
    Ideally, a log of all actions performed by a developer whilst in production, which is reviewed by a business lead and an IT lead (who would understand how to read the log) and signed off by the business/IT leads, would be a strong monitoring control. The issue is that if you have all access to prod, you often have all access to any logs that are operating, unless they’re written to a file on the OS to which the developer does not have access.
    I’d focus on a monitoring or strong review control after the fact.
    Chris



  • “Does anyone know what auditing and post-implementation review is necessary when granting developers production access on an emergency basis?”
    I agree with the above poster.

    1. User ID level transaction logging, signed off by the business owner of the application. (Instead of logging ALL activity, however, we had the business identify key activities and only turned on auditing for those functions.)
    2. Emergency access must be for a fixed period of time – automated termination of access rights is nice if possible but not 100 percent required.
    3. Frequency and quantity of emergency access requests should be tracked and reviewed periodically. Thresholds should be set and remediation should be done in a timely manner. (In other words, if it’s happening a lot, the business needs to hire more resources to ensure it doesn’t happen, etc.)
    4. We have an Emergency Access Agreement that they must sign stating the importance of security … telling them that if they abuse their rights they can be held liable and fired, etc.
    5. All Emergency Access requests must be documented and approved by the proper level of management.
      Don’t forget these policies are only for access to production for SOX in-scope applications.
      Manual controls and record keeping are FINE. Just make sure you don’t ignore the manual controls for convenience’s sake.
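Points 2, 3 and 5 above (fixed access windows, request frequency thresholds, and documented approval) lend themselves to a periodic review script run over the emergency-access register. The following is an added example and not code from either poster; the record layout, the constructed sample grants, the 30-day window and the threshold of 2 are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class EmergencyGrant:
    user: str                        # developer account given production access
    system: str                      # SOX in-scope application
    granted_at: datetime
    expires_at: datetime             # fixed period agreed at approval time
    revoked_at: Optional[datetime]   # None until access is actually removed
    approved_by: Optional[str]       # approving manager; None if undocumented

# Constructed sample register entries (hypothetical users and systems).
GRANTS = [
    EmergencyGrant("dev_alice", "GL", datetime(2024, 3, 1, 9), datetime(2024, 3, 1, 17),
                   datetime(2024, 3, 1, 16), "mgr_bob"),
    EmergencyGrant("dev_alice", "GL", datetime(2024, 3, 8, 9), datetime(2024, 3, 8, 17),
                   None, "mgr_bob"),                      # never revoked
    EmergencyGrant("dev_alice", "AP", datetime(2024, 3, 15, 9), datetime(2024, 3, 15, 17),
                   datetime(2024, 3, 15, 12), "mgr_bob"),
    EmergencyGrant("dev_carol", "AP", datetime(2024, 3, 20, 9), datetime(2024, 3, 20, 17),
                   datetime(2024, 3, 20, 17), None),      # no documented approval
]

def overdue_grants(grants, now):
    """Grants whose fixed window has passed but whose access was never revoked."""
    return [g for g in grants if g.revoked_at is None and g.expires_at < now]

def unapproved_grants(grants):
    """Grants lacking a recorded approver (point 5)."""
    return [g for g in grants if not g.approved_by]

def users_over_threshold(grants, window_start, window_end, threshold):
    """Per-user request counts inside the review window that exceed the threshold (point 3)."""
    counts = {}
    for g in grants:
        if window_start <= g.granted_at <= window_end:
            counts[g.user] = counts.get(g.user, 0) + 1
    return {u: n for u, n in counts.items() if n > threshold}

def review_report(grants, now, window_days, threshold):
    """Assemble the findings a business/IT reviewer would sign off on."""
    start = now - timedelta(days=window_days)
    return {
        "overdue": [(g.user, g.system) for g in overdue_grants(grants, now)],
        "unapproved": [(g.user, g.system) for g in unapproved_grants(grants)],
        "over_threshold": users_over_threshold(grants, start, now, threshold),
    }

REVIEW_DATE = datetime(2024, 3, 31)
REPORT = review_report(GRANTS, REVIEW_DATE, window_days=30, threshold=2)
```

Each finding in the report maps back to one of the numbered controls, so the reviewer can close it against the register rather than re-reading the raw access log.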
