Security Surveillance Controls



  • I am interested to know people's interpretations of SOX as it relates to security surveillance activities.
    It is OK for organisations to be expected to keep volumes of log information for long periods to ensure that, in the case of a fraud being detected, it is possible to attempt examination to identify the culprit. However, what requirements exist for real-time or near-real-time detection of anomalies? Is it reasonable to expect an organisation to have to review significant amounts of information in order to detect possible fraud or computer misuse in short timeframes, or is it sufficient to be able to just use this information following detection of fraud via another control?
    Thanks



  • I’m inclined to see if there are enough prevention controls first. The more prevention controls you have, the less intensive and prolific your detection controls have to be.



  • I’m inclined to see if there are enough prevention controls first. The more prevention controls you have, the less intensive and prolific your detection controls have to be.
    In some respects this is true. However, it is not realistic to expect that all organisations can put preventative measures in to restrict access to their network apart from physical security. Similarly with operating system access, it is not trivial to prevent all malicious activity with a particular control; however, it is often possible to detect this activity before logs are tampered with.
    This is why I was interested to see what an auditor's perspective is on this, say for a typical organisation with typical Windows- and Unix-based servers yet without a 24x7 security monitoring service in place.



  • Did I read the words "Security Surveillance"? We call it monitoring here 😎
    To meet Sarbanes-Oxley's requirements:

    1. You need to deploy multiple security point solutions (firewalls, IDS etc). But it is not enough.
    2. You need to monitor in order to document that these solutions are doing what they were intended to accomplish.
      So, you must collect, manage and save the relevant logs from your security point solutions. And, you have to monitor security logs.
      Simply storing the logs for later review is not enough - archiving a log for future computer forensics investigations is not the same as monitoring that log.
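    As an added illustration of the distinction drawn above between archiving logs and monitoring them (this is not code from any poster in this thread): a small Python routine that reads Unix sshd authentication lines as they arrive and raises an alert when one source fails repeatedly within a short window, or logs on successfully shortly after such a burst. The sample log lines, the thresholds and the year used for timestamps are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in sshd format; not taken from any real system.
SAMPLE_LOG = """\
Mar 10 09:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:03 srv1 sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:05 srv1 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:06 srv1 sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:00:08 srv1 sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:00:09 srv1 sshd[2106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 09:15:00 srv1 sshd[2200]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 10:30:00 srv1 sshd[2300]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(line, year=2024):
    """Return (timestamp, host, result, user, source) or None for lines we ignore.
    Syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["result"], m["user"], m["src"]

def detect(lines, max_failures=4, window_s=60, followup_s=300):
    """Stream the lines once and return alerts as (timestamp, source, message)."""
    failures = defaultdict(deque)   # source -> timestamps of recent failed logons
    flagged = {}                    # source -> time of its last failure-burst alert
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, host, result, user, src = ev
        if result == "Failed":
            q = failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures:
                alerts.append((ts, src, f"{len(q)} failed logons on {host} within {window_s}s"))
                flagged[src] = ts
                q.clear()   # one alert per burst; a new burst must reach the threshold again
        elif src in flagged and (ts - flagged[src]).total_seconds() <= followup_s:
            alerts.append((ts, src, f"successful logon as {user} on {host} shortly after failure burst"))
    return alerts

if __name__ == "__main__":
    for ts, src, msg in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} ALERT {src}: {msg}")
```

    The same routine can be pointed at a live file with `tail -F`, which is the difference between monitoring the log and merely archiving it.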


  • So, you must collect, manage and save the relevant logs from your security point solutions. And, you have to monitor security logs.
    Simply storing the logs for later review is not enough - archiving a log for future computer forensics investigations is not the same as monitoring that log.

    But for a small IT group (5-10 people) who have many other jobs to do, it may well be too burdensome to try to actively monitor the events on all of the servers that might possibly be security-related. Even with a tool to help gather and filter the events, it might be nearly a full-time job to monitor and evaluate the events. Does this mean that we need to hire someone to just perform this task?



  • A security administrator would be necessary. He could monitor the logs, could give access, permissions and rights, and help you with the so important segregation - separation of duties and responsibilities.

