Maintaining and monitoring countermeasures are neither the most interesting nor the most high-profile activities that come with a role in systems and security management. These, unfortunately, are often the tasks that are recognized only when they are not done and something goes wrong. The following check lists provide a starting point for defining procedures related to both maintaining and monitoring countermeasures.
The following list highlights tasks that must be performed to maintain a variety of countermeasures:
- Review countermeasure policies and procedures at least once every 6months; more frequently if there are major changes, such as the introduction of new enterprise applications or organizational restructurings.
- Enforce change control procedures on all security devices. Do not change firewall configurations, content filtering parameters, or upgrade software on these devices without following change management procedures. One exception is updating antivirus and intrusion prevention attack signatures. These are changes to the applications' libraries, not the code itself. Critical patches to the same software might warrant an immediate update with change control in some circumstances as well.
- Review vendor support sites, RSS feeds, and other sources of information on deployed security devices and applications.
- Review user accounts, group, and privilege assignments.
- Participate in release management reviews of new and upgraded applications.
- Test backup and recovery procedures.
- Regularly schedule and conduct vulnerability assessments and penetration tests, perhaps on the same schedule policies and procedures are reviewed.
- Cross-train security and systems management staff and rotate duties
- On an annual basis:
- Review physical security measures
- Review business continuity plans
This list is illustrative, not exhaustive. There are other common tasks as well as organization-specific tasks that could be included.
As with the maintenance tasks, the following list provides examples of the types of activities that should be conducted (sometimes automatically) on a regular basis:
- Review event and error logs on all security devices
- Monitor quarantine areas used by content filtering devices
- Review statistics on spam filtered, malware detected, and other content filtering events
- Review performance monitoring statistics on CPU, disk storage, and network traffic of security devices to ensure adequate performance
- Review OS logs for system-level events, such as changes to a registry or OS directory
- Review access control logs and user accounts
- Check configurations of client devices to ensure anti-malware, anti-spyware, and personal firewalls are in use and properly configured (ideally, this would be done automatically with a client management tool)
These maintenance and monitoring tasks are performed to keep security devices functioning properly and to detect any significant security events. Organizations should also conduct audits to ensure policies are adequate and effectively implemented.
Auditing IT operations is becoming more commonplace with the advent of laws such as the Sarbanes-Oxley Act and other government regulations. An IT audit examines the controls related to general operations and specific applications to ensure policies are enforced and the basic principles of data integrity, confidentiality, and availability are enforced. Audits can examine several functions:
- Data center operations, ranging from backup and recovery operations to staff training to physical access controls to data center facilities
- Application development methodologies and practices—Audits might examine how projects are planned, how risks are analyzed, how software is developed to ensure quality and security, and how change control and release management are implemented
- Network operations—Including the deployment and configuration of security devices, the use of VPNs, and the architecture of trusted DMZs and untrusted network zones
- Business continuity planning and preparedness
Auditing is a complex topic. For small organizations with limited IT resources and little custom software development, an audit can be relatively quick and superficial. For large, and even some small and midsized companies that are highly dependent on IT operations, auditing and review of controls can be much more involved. It is recommended that organizations leverage well-developed and well-documented best practices for audit procedures.
Information Systems Audit and Control Association (ISACA) has developed an extensive framework for IT governance known as COBIT. For details, see the ISACA Web site at /https://www.isaca.org/.
There may be times—regardless of well-formulated policies and procedures, carefully deployed countermeasures, comprehensive maintenance and monitoring, and audit verified controls—that a security breach can occur. At those times, you should exercise a predefined plan for incident response.
This was first published in January 2007