|
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE]
Determining Whether to Fine Tune or Buy
Once architectural and design decisions have been made, the technical policies, controls and configurations must be set and monitored on existing systems, or implemented on new ones.
Here's some good news: For most companies, the lion's share of tools needed to support control objectives for regulatory compliance are already in house. Before investing a single penny in new technology, assess the ability of what you already have.
If there is pressure to purchase a specific technology or vendor solution for compliance work, don't circumvent normal purchasing procedures. Assess every new addition to the compliance architecture with the same comprehensive, strategic approach used throughout the rest of the organization.
"Recycle Existing Technology" (at right) lists tools that most companies own and specifies how the tools can be used as part of the compliance process. As you read the table, think about which of these your company already has in place and whether they are being used in your compliance efforts. If they aren't, can they be? What controls in your company would they support?
While many existing tools can be re-used as part of the compliance...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
process, they may need some tweaking to provide sufficient assurance. A good example of this is the level of data integrity associated with a piece of data. Simple Network Management Protocol (SNMP) is used to exchange management information between network devices. SNMP traps send audit and alert information to centralized network management systems. One problem is that versions 1 and 2 of SNMP don't provide a method for authentication, and the data is not protected in transit. If the SNMP data is being used to manage or report on critical network devices, an upgrade to SNMPv3 with security enhancements is in order.
Firewalls and perimeter devices are another example of tools that could need tweaking to meet compliance objectives. If a company decides a prudent compliance decision is to restrict access to a certain server or database, the firewall or gateway in front of that device could have a new rule, narrowing access to only an approved set of IP addresses or users. Or a content filtering gateway may be configured to block data, such as personal health information, that has been classified as not-for-export during the compliance work.
Something that often catches people off guard is the need to increase storage when there's an increase in logging. To keep log files to a reasonable size, assess in advance what information really has to be logged for compliance. Do all alerts need to be recorded, even if they are duplicates that could be aggregated? If not, trim the log file to only critical information and create a robust backup plan that supports search and retrieval requirements. Many auditors have time limits for presentation of data; if you can't find the correct supporting data in time, it makes little sense to store it in the first place.
|
 |
|
