Security Basics mailing list archives

A question about Access controls


From: Faheem SIDDIQUI <fahimdxb () gmail com>
Date: Sat, 04 Nov 2006 22:53:13 +0400

Hi All

The job at hand is to target the points raised in last year's IT Auditing report and be able to help the client come clear (at least 80-90%) this year ending Dec 2006.

Having taken care of some of the other issues, the main ones still pending happen to belong to the Access Controls.

The points raised by E & Y guys were:
1. System utilities be controlled, monitored and challenged by someone.
2. Periodic review of access privileges.
3. Response and investigative procedures be put in place and
4. A report listing user profiles and access controls be generated from the system on a regular basis.

The setup has two Network Administrators managing about 25 Windows 2003 servers (Windows AD/NAS/SAN/Mail Exchange/Websense etc.) and about a dozen programming and development team members. All are overworked as usual, with little to no segregation of duties, not even on paper.

How to satisfy auditors this year?
Any/all ideas would be appreciated.
