Why is DR not getting attention?

November 7th, 2009

It is because,

a. Senior management of companies does not believe it needs to invest in something that *may* happen

b. DR is expensive - if you are not a storage company, your DR costs can skyrocket to the extent of being listed on your 10-K!

But think about it: what is not expensive? Automation is expensive, regulation is expensive, business process transformation is expensive. At least DR enables you to do the best at something you are good at - do it once, do it the best!

Bare minimum risks that your ITGC SOX controls should cover!

September 21st, 2009

What are the bare minimum risks that your ITGC SOX controls should cover? Although there are ITGI/COBIT documents to guide you, one can easily get lost in the maze, so I thought I would put together this checklist for anybody to apply and get some comfort.

a. New accounts or modifications to account privileges are approved - OS, DB, application, network, logical security (VPN, Active Directory, NIS, LDAP and other authentication sources), physical security.

b. Terminations are performed timely - applicable to same processes as above

c. Transfers are handled as combination of b. and a. above - applicable to same processes as a.

d. Controls around change management specifically address database object level changes, data fixes and data migrations, and UATs are recorded for all application level changes

e. Shared privileged account management - passwords are changed when team members with access to shared privileged accounts leave the company - applicable to all areas listed in a.

f. Storage backup is tested for recovery (especially for databases)

g. Password configuration complies with enterprise standards for areas listed in a.

Optional:

a.  Account reviews in each area listed in a.
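As an added example (not from the original post), here is a Python check for items b. and e. of the checklist above, run over constructed HR termination and account exports; the record fields, system names, employee ids and the two-day disable SLA are assumptions, not anything the post specifies.

```python
from datetime import date, timedelta

# Constructed sample HR export: terminated employee id -> termination date.
TERMINATIONS = {
    "e101": date(2009, 9, 1),
    "e102": date(2009, 9, 10),
    "e103": date(2009, 9, 15),
}

# Constructed account export (as you might pull from AD/LDAP, DB and app user lists).
# disabled_on is None while the account is still enabled.
ACCOUNTS = [
    {"system": "AD",  "account": "jsmith", "owner": "e101", "disabled_on": date(2009, 9, 2)},
    {"system": "DB",  "account": "jsmith", "owner": "e101", "disabled_on": None},
    {"system": "AD",  "account": "mlee",   "owner": "e102", "disabled_on": date(2009, 9, 18)},
    {"system": "App", "account": "mlee",   "owner": "e102", "disabled_on": date(2009, 9, 11)},
    {"system": "AD",  "account": "rkhan",  "owner": "e103", "disabled_on": date(2009, 9, 16)},
]

# Constructed shared privileged accounts: who holds the password and when it was last rotated.
SHARED_ACCOUNTS = [
    {"system": "DB", "account": "sysadmin",   "holders": {"e101", "e104"}, "password_changed": date(2009, 8, 1)},
    {"system": "AD", "account": "svc_backup", "holders": {"e103"},         "password_changed": date(2009, 9, 16)},
]

SLA = timedelta(days=2)  # hypothetical: accounts must be disabled within 2 days of termination


def late_terminations(accounts=ACCOUNTS, terms=TERMINATIONS, as_of=date(2009, 9, 21)):
    """Item b.: accounts of terminated staff that are still enabled or were disabled after the SLA."""
    findings = []
    for acct in accounts:
        term = terms.get(acct["owner"])
        if term is None:
            continue  # owner not terminated, nothing to check
        closed = acct["disabled_on"]
        if closed is None:
            findings.append((acct["system"], acct["account"], "still enabled", (as_of - term).days))
        elif closed - term > SLA:
            findings.append((acct["system"], acct["account"], "disabled late", (closed - term).days))
    return findings


def stale_shared_passwords(shared=SHARED_ACCOUNTS, terms=TERMINATIONS):
    """Item e.: shared privileged accounts whose password was not rotated after a holder left."""
    findings = []
    for acct in shared:
        left = [terms[h] for h in acct["holders"] if h in terms]
        if left and acct["password_changed"] <= max(left):
            findings.append((acct["system"], acct["account"], max(left).isoformat()))
    return findings
```

Each finding is an audit exception to raise with the system owner; an empty list for both functions is the evidence an auditor would expect to see for these two controls.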

IT Forensics tools today

August 15th, 2009

IT forensics tools today can be categorized into data gathering and data analysis.

The data gathering tools run a monitor on the subject machine and gather the necessary information - typically an mdf or pst file in a Windows environment.

The data analysis tools are evolving and would depend on the legal objective - if the objective is a simple source code search or keyword search, it is quite easy. However, if you are looking for photographs, audio or video, it is complex - luckily, most legal needs today are ‘text’ based lookups.

One of the key areas where the tools offer an extra hand is that they record the system name and date, which are very important to prove in a court of law.

Would Virtualization not save you money on Information security?

August 12th, 2009

That would depend on how you deploy it.

With the right set of policies and deployment standards, the cost can be zeroed right from the initial days of deployment. You need to strike a balance between risk and benefit - benefit as in an agile environment, risk as in exposure to security threats.

For example, one of the policies could be:

No sharing of virtualized zones between business applications - say, ERP and HR applications.

With this, you reduce the security exposure and leverage the existing set of controls (assuming existing controls are strong). However, here is where you strike a balance between risk and benefit: you lose a bit of the agility of virtualization, but it is well worth it.

Another policy could be:

All changes to the virtualized zones/clusters align with the existing change processes, with appropriate approvals, including access changes. Again, this assumes there is a strong change process and that security related changes are well addressed.

This would help increase awareness and reduce the ‘knee jerk’ reaction of making changes to virtualized zones.

Another policy could be:

Migration to production (regardless of OS, database, application, interface, network connectivity or storage changes) complies with a security checklist - this checklist ensures hardening of the base operating system, physical and logical access to the console, admin access to each zone and so on for each associated layer.

Another policy could be:

Logs of changes are maintained in the system (global zone and virtual zone) and are audited periodically.

This is to ensure that potential exposures are detected and addressed.

Overall, in a typical public company, almost all of the above controls would exist (existence is one thing, execution is another), except for the last one, the audit of logs.

Here is the interesting conversation by Christofer Hoff that started me writing this post: http://rationalsecurity.typepad.com/blog/2008/05/virtualizing-se.html

He has raised several key points, one of which is SOD - I agree with his concerns on SOD; with strong policies and procedures it can be addressed and is not impossible.