IT Controls - Detect vs. Prevent

  • I’m an ITIL implementer and my experience has been on the ‘prevent’ side of the SOX equation… specifically around Change Management.
    My present client realizes they have deficiencies regarding changes and access to the production environment but would rather implement detection strategies at this time, which is new to me.
    My recommendations so far have been to 1) limit the number of production IDs for both change implementation and incident resolution, 2) initiate regular audits of the system accesses to equate accesses to production to specific change or incident tickets. But these seem pretty basic to me.
    I have to think there is more to detection. What am I missing?

  • Hi - The two approaches mentioned are good 🙂 Some additional ideas to explore might include:

    1. If you use Windows Server technologies, the IT security staff or ADMINS can turn on audits for certain processes. It has to be done carefully or performance may be degraded. This gives you a great electronic audit trail from a post-detection standpoint (e.g., when someone logs on using their current or emergency accounts). A few links are noted below that you can copy/paste.
      http:// Security Audit
    2. Corporate Policies are a good technique for controlling human behavior when it comes to security. Not all folks will abide, but most will if they are easy to understand and make sense. As one idea, a policy might be authored for the Change Control process, with the detailed guidelines in a procedure showing the step-by-step process. As a control point, any exceptions to the standard approach must be documented in writing. Also, any folks violating standards should write up an explanation. Sometimes it’s not a willful violation, as they may simply be trying to get the job done, but even this can provide input for improvements.
    3. Interviewing some of the principals associated with the change management process might be valuable occasionally to get a sense from them that things are working as they should.
    4. While expensive, long term you might look at improved change management or change control software if you feel this is needed. It should be efficient and have an ROI beyond just SOX alone.
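The reconciliation the original poster describes (tying every production access back to a change or incident ticket) and the audit trail mentioned in point 1 above come together in a simple detective check. The script below is an added example, not code from either poster: it takes constructed sample logon records (the shape you might export from Windows Security logon events) and a constructed ticket list, and flags any production logon that no ticket assigned to that account covers within a grace window. All account names, hosts, ticket ids and timestamps are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample data (not real systems or people).
# Logon records: timestamp, host, account, event id (4624 = successful logon on Windows).
LOGONS = [
    "2024-03-04T09:12:00,prod-db01,svc_deploy,4624",
    "2024-03-04T14:40:00,prod-app02,jdoe_admin,4624",
    "2024-03-05T02:15:00,prod-app02,jdoe_admin,4624",
    "2024-03-05T11:00:00,prod-db01,emergency_id,4624",
]
# Tickets: id, kind, assignee, approved start, approved end.
TICKETS = [
    ("CHG-1001", "change", "svc_deploy", "2024-03-04T09:00:00", "2024-03-04T10:00:00"),
    ("INC-2042", "incident", "jdoe_admin", "2024-03-04T14:00:00", "2024-03-04T16:00:00"),
]


@dataclass
class Logon:
    when: datetime
    host: str
    account: str
    event_id: str


@dataclass
class Ticket:
    ticket_id: str
    kind: str          # "change" or "incident"
    assignee: str
    start: datetime
    end: datetime


def parse_logons(lines: List[str]) -> List[Logon]:
    """Parse comma-separated logon export lines into Logon records."""
    out = []
    for line in lines:
        ts, host, account, event_id = line.strip().split(",")
        out.append(Logon(datetime.fromisoformat(ts), host, account, event_id))
    return out


def parse_tickets(rows) -> List[Ticket]:
    """Turn ticket tuples into Ticket records with parsed time windows."""
    return [Ticket(i, k, a, datetime.fromisoformat(s), datetime.fromisoformat(e))
            for i, k, a, s, e in rows]


def match_ticket(logon: Logon, tickets: List[Ticket], grace: timedelta) -> Optional[Ticket]:
    """Return the first ticket assigned to the logon account whose window,
    widened by the grace period, contains the logon time."""
    for t in tickets:
        if t.assignee == logon.account and t.start - grace <= logon.when <= t.end + grace:
            return t
    return None


def reconcile(logon_lines, ticket_rows, grace_minutes: int = 15) -> Tuple[list, list]:
    """Split production logons into (matched, unmatched).
    matched: list of (Logon, ticket_id); unmatched: list of Logon with no justifying ticket."""
    grace = timedelta(minutes=grace_minutes)
    tickets = parse_tickets(ticket_rows)
    matched, unmatched = [], []
    for logon in parse_logons(logon_lines):
        ticket = match_ticket(logon, tickets, grace)
        if ticket is not None:
            matched.append((logon, ticket.ticket_id))
        else:
            unmatched.append(logon)
    return matched, unmatched


def unmatched_accounts(logon_lines, ticket_rows, grace_minutes: int = 15) -> List[str]:
    """Accounts with at least one unjustified production logon, for the audit report."""
    _, unmatched = reconcile(logon_lines, ticket_rows, grace_minutes)
    return sorted({l.account for l in unmatched})


if __name__ == "__main__":
    matched, unmatched = reconcile(LOGONS, TICKETS)
    for logon, ticket_id in matched:
        print(f"OK       {logon.when} {logon.host} {logon.account} -> {ticket_id}")
    for logon in unmatched:
        print(f"REVIEW   {logon.when} {logon.host} {logon.account} -> no ticket")
```

Run periodically against the real logon export and ticket list, the "REVIEW" rows are the items the reviewer (someone outside IT operations, per the segregation-of-duties point) works through; the grace window absorbs normal clock and start-time slack without hiding an off-hours logon like the 02:15 entry.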

  • As usual, excellent points by Harry.
    One important point that I would consider in a detection strategy is, well, Segregation of duties.

    1. People capable of enabling or disabling logs should be the ones to review them, and such a person should be outside IT operations (not anyone whose activities are logged).
    2. What needs to be logged? (This is certainly something that we should be looking at.)
