Compliance, IT Security

Who’s Auditing The Auditor?


http://www.darkreading.com/compliance/167901112/security/news/240150205/an-auditor-s-thoughts-on-access-control.html?cid=nl_DR_daily_2013-03-14_html&elq=d83a4a7b87d04ae88c505db19c3be729

This is all good and wonderful, but hold on, there are a couple of glaring issues.  First of all, who controls the controller?  The writer talks at length about logging the activity of the super user; but remember, the super user has access to all of those logs.  You got it: he can delete logs, he can suspend logging, he can even reach into the access control system and change how the logs are managed.  Unless every log record is shipped, as it is written, to a store that the super user does not administer, the audit trail is only as trustworthy as the person it is meant to audit; and even then it gives you evidence after the fact, not prevention.  Therefore, if a “super user” wants to cause havoc, there’s really very little you can do to stop him.
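To make the "who controls the controller" problem concrete, here is an added example (not code from the original post or from the article it discusses) of the minimum a separate collector needs in order to notice what a super user did to the trail. It assumes a two-party layout: the super user's host emits hash-chained audit records to a collector he does not administer, and the collector later verifies what it holds. The event list, the heartbeat window and all function names are constructed for the example; nothing here prevents tampering, it only makes deletion, alteration and silent suspension of logging visible afterwards.

```python
"""Tamper-evident audit trail verified by a party outside the super user's reach.

Added example, not code from the original post. The chain only means
something because the collector already holds the earlier records: a super
user who controls every copy can simply regenerate a clean chain.
"""
import copy
import hashlib
import json

# Constructed sample of what a sudo/auth log might emit: (seconds, user, action).
# The last two events are the super user turning auditing off and wiping the log.
SAMPLE_EVENTS = [
    (1000, "root", "useradd contractor"),
    (1005, "root", "usermod -aG sudo contractor"),
    (1010, "root", "cat /etc/shadow"),
    (1012, "root", "auditctl -e 0"),
    (1090, "root", "rm -f /var/log/audit/audit.log"),
]

HEARTBEAT_SECONDS = 30   # the collector expects at least one record per window (assumed)


def _body(ts, user, action, prev):
    # Canonical serialisation so producer and verifier hash identical bytes.
    return json.dumps({"ts": ts, "user": user, "action": action, "prev": prev},
                      sort_keys=True).encode()


def chain_records(events, genesis="genesis"):
    """Emit hash-chained records: each one commits to the hash of its predecessor."""
    prev = hashlib.sha256(genesis.encode()).hexdigest()
    chained = []
    for ts, user, action in events:
        digest = hashlib.sha256(_body(ts, user, action, prev)).hexdigest()
        chained.append({"ts": ts, "user": user, "action": action, "prev": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(records, genesis="genesis", heartbeat=HEARTBEAT_SECONDS):
    """Return a list of findings; an empty list means the trail is intact and continuous."""
    findings = []
    prev = hashlib.sha256(genesis.encode()).hexdigest()
    last_ts = None
    for i, rec in enumerate(records):
        if rec["prev"] != prev:
            findings.append(f"record {i}: chain break (records removed or reordered before it)")
        if hashlib.sha256(_body(rec["ts"], rec["user"], rec["action"], rec["prev"])).hexdigest() != rec["hash"]:
            findings.append(f"record {i}: content altered")
        if last_ts is not None and rec["ts"] - last_ts > heartbeat:
            findings.append(f"record {i}: {rec['ts'] - last_ts}s of silence before it (logging suspended?)")
        last_ts = rec["ts"]
        prev = rec["hash"]   # continue from what was stored, so a single bad record is reported once
    return findings


def tamper_edit(records, index, new_action):
    """Simulate a super user rewriting one record in place without re-chaining."""
    edited = copy.deepcopy(records)
    edited[index]["action"] = new_action
    return edited


if __name__ == "__main__":
    full = chain_records(SAMPLE_EVENTS)
    print("intact trail:", verify_chain(full))                      # reports the 78s gap
    print("shadow read deleted:", verify_chain(full[:2] + full[3:]))
    print("record rewritten:", verify_chain(tamper_edit(full, 1, "usermod -aG users contractor")))
```

The silence check is a heuristic: a production collector would have the source emit explicit heartbeats so that "no records" and "logging disabled" are distinguishable. The point the code makes is the one in the paragraph above: once the records are in a second party's hands, the super user can still stop future logging and wipe his own copy, but he can no longer make the past disappear without the collector seeing a break.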

Access control is of extreme importance for preventing mistakes and stopping unauthorized access; but, beyond those two things, it does barely anything to stop a high-level crook with legitimate privileges who is hell-bent on causing havoc.

When you reach that stage, if your organization permits it, you’ll need ‘double keys’ (the two-person rule): access to certain things can only happen when two people are logged on.  For example, two different passwords, known by two different users, both of whom clearly understand that if one learns the other’s password, his (or her) job is over, there is no mercy.

The other grave issue is that, while this is great for large organizations, small organizations don’t have (or can’t afford) this luxury.  Very often the same person wears multiple hats, i.e., there’s only one administrator-cum-super-user, and he or she is the IT god.  So, expecting to exercise any (let alone optimal) control over this person is, in my opinion, purely wishful thinking.

In almost everything else, though, I concur with the writer, and certainly I agree with the idea of roles.  True, it’s not new, but it’s the only one that makes sense.  You’re not allowed to access salary data because your name is Joe, but because your job title is HR Director!
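The two ideas above, roles rather than names and ‘double keys’ for the dangerous operations, fit together in one authorization check. The following is an added example (not the article's or this post's own code) of what that check looks like: every decision is made on the roles a user holds, and actions marked for dual control need a second, separately authenticated account holding an approving role. The users, passwords, roles and action names are constructed for the example.

```python
"""Role-based authorization with a two-person rule on the dangerous actions.

Added example, not code from the original post. Passwords are stored as
salted PBKDF2 hashes so that the example is at least realistic about how
the two independent credentials would be checked.
"""
import hashlib
import hmac
import os

# Permissions hang off roles, never off individual names.
ROLE_PERMISSIONS = {
    "hr_director": {"read_salary", "write_salary"},
    "hr_clerk":    {"read_salary"},
    "sysadmin":    {"manage_accounts", "purge_audit_logs"},
    "security":    {"purge_audit_logs"},
}

# Actions nobody does alone, and the roles that may supply the second key.
DUAL_CONTROL = {
    "purge_audit_logs": {"sysadmin", "security"},
    "write_salary":     {"hr_director"},
}

PBKDF2_ROUNDS = 50_000   # assumed work factor for the example


def _hash_password(password, salt=None):
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Directory:
    """Minimal user store: name -> (salt, password hash, roles)."""

    def __init__(self):
        self._users = {}

    def add_user(self, name, password, roles):
        salt, digest = _hash_password(password)
        self._users[name] = (salt, digest, frozenset(roles))

    def authenticate(self, name, password):
        """Return the user's roles on success, None on a bad name or password."""
        entry = self._users.get(name)
        if entry is None:
            return None
        salt, digest, roles = entry
        _, candidate = _hash_password(password, salt)
        return roles if hmac.compare_digest(candidate, digest) else None


def authorize(directory, action, requester, approver=None):
    """Decide whether `action` may run. requester/approver are (name, password) tuples.

    Returns (allowed, reason). The approver must be a different account than the
    requester, must authenticate on its own, and must hold a role listed in
    DUAL_CONTROL for that action.
    """
    req_name, req_pw = requester
    req_roles = directory.authenticate(req_name, req_pw)
    if req_roles is None:
        return False, "requester authentication failed"
    if not any(action in ROLE_PERMISSIONS.get(r, ()) for r in req_roles):
        return False, f"no role held by {req_name} grants {action}"
    if action not in DUAL_CONTROL:
        return True, "single-person action"
    if approver is None:
        return False, f"{action} requires a second person"
    app_name, app_pw = approver
    if app_name == req_name:
        return False, "approver must be a different account than the requester"
    app_roles = directory.authenticate(app_name, app_pw)
    if app_roles is None:
        return False, "approver authentication failed"
    if not app_roles & DUAL_CONTROL[action]:
        return False, f"{app_name} holds no role that may approve {action}"
    return True, f"dual control satisfied by {req_name} and {app_name}"


def build_demo_directory():
    """Constructed users for the example; passwords are '<name>-pw'."""
    d = Directory()
    d.add_user("joe", "joe-pw", {"hr_director"})
    d.add_user("kim", "kim-pw", {"hr_director"})
    d.add_user("ann", "ann-pw", {"hr_clerk"})
    d.add_user("bob", "bob-pw", {"sysadmin"})
    d.add_user("eve", "eve-pw", {"security"})
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    print(authorize(d, "write_salary", ("joe", "joe-pw")))                     # needs a second person
    print(authorize(d, "write_salary", ("joe", "joe-pw"), ("kim", "kim-pw")))  # allowed
    print(authorize(d, "purge_audit_logs", ("bob", "bob-pw"), ("bob", "bob-pw")))  # same account, refused
```

What the code can enforce is that two different accounts authenticated; it cannot tell whether one person typed both passwords, which is exactly why the paragraph above attaches a no-mercy HR consequence to learning the other person's password. Note also that the action with the most to gain from dual control here is purging the audit logs, the very thing the super user could otherwise do alone.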

Still, the point remains: in smaller companies, how do you deal with higher-ups pulling rank and accessing more than they need and/or should be privy to?  In addition, as for the log review, a good log management system costs upwards of $20,000 for a small company.

Typically, small companies are already stretched when they need to spend more than $2,000 on a firewall, and now here we are, asking them to dish out $20,000 (or more) for a log management system?

For as much as I’m convinced this is even more useful than a firewall, the sad fact remains that the market needs to come down quite a bit before these devices become ubiquitous.  Until that happens, I really don’t see any small/medium company spending that amount of money unless some strong regulation compels them to do so.

Your thoughts?

