Policy, Standards, Regulations & Compliance
Back to list
Advise on Internal Control Policies
Sep 19 2007 06:46PM
mr nasty ix netcom com
RE: Advise on Internal Control Policies
Sep 19 2007 10:16PM
Jason Bevis FOUNDSTONE COM
It appears you are trying to solve a problem with software that really
should be solved with policy, procedures, and standards. You can throw
as many packages as you want at the problem, but if you don't get basic
rules in place you will have the same problem.
Without in-depth knowledge about the environment these suggestions may
not be valid, but hopefully they can provide some assistance.
1st: Determine exactly what needs to be protected or resolved from an
audit standpoint. (Do you know all of your vulnerabilities and what
should be protected 1st?)
2nd: Identify the roles and responsibilities for each individual and
list any gaps (Your org appears to have some money, so maybe increased
head count will help solve the overlap of responsibility.)
3rd: Create written policies that are realistic to implement in the next
6 months to year. Most auditors / assessors are simply looking for
documents. Once documents are written they typically assess against the
documents or some framework.
4th: Implement the policy and controls.
In some cases if management doesn't want to listen you may have to bring
in an outside service to relay the message. This is all high level, but
if you don't separate the functions of the staff and their access you
will continually have audit issues.
Removing development access from a production operating system doesn't
require any additional tools. Using an application to try to control
that access other then locking them out of production entirely may not
work. Many applications such as webMethods have command line prompts
that could allow them to gain system access anyway if you have not
created and implemented appropriate hardening standards.
Stick to the basics! Don't throw products at the problem.
Hope this helps!
[ reply ]
Copyright 2010, SecurityFocus