Dealing with the security compliance issue
February 2012, Security Services & Risk Management

In these IT cost-conscious times, most budgets are under continual review, and usually in a downwards direction. At the same time, and just to make life interesting, the volume of regulatory and compliance requirements is heading in the opposite direction. This makes the task of the hard-pressed IT security manager all the more difficult, especially given the disparate operating systems and networking environments we all have to deal with on a regular basis.

And while dealing with heterogeneous networking and IT environments is now an integral part of the modern IT security function, one unfortunate fact of life is that meeting a rising tide of security compliance requirements can prove to be an expensive option.

Michael Hamelin, chief security architect at Tufin Technologies

It is all about the audit process, right?

Perhaps not. Most audit processes in the world of IT security rarely go far beyond their green-pen ‘tick and check’ limitations, mainly because customised security audits are labour-intensive. In an ideal world, IT audit testing procedures would be both automated (to save money on the labour involved) and highly flexible, covering most aspects of testing – including targeted, external, internal, blind and double-blind testing.

External testing, in case you were wondering, targets a company’s externally visible servers or devices including domain name servers, e-mail servers, Web servers and firewalls, with the objective being to discover if an outside attacker can get in and how far they can get in once they have gained access.

Blind testing, meanwhile, simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that is performing the test beforehand.

Double-blind testing takes the blind testing process a step further, with only one or two people within the organisation being aware that a test is being conducted. Blind and double-blind testing – desirable though they may be – can prove to be an expensive option, largely owing to the relatively high cost of the human labour that is required.

IT-based testing – sometimes called automated testing – is considerably cheaper, as the costs tend to be fixed, meaning that no matter how much the facility is used there are usually no appreciable extra costs.

Human labour costs, on the other hand, have both a fixed and a marginal element, with the marginal element rising the more you use the facility.

Small wonder then, that hard-pressed IT security professionals are constrained by the fixed and marginal cost issues. Unfortunately for us all, the cost of compliance – and I’m talking here about the best practice rules imposed by the likes of PCI DSS, Sarbanes-Oxley and Basel II – is rising and, because of the need for flexible reporting, can easily get out of hand if more human labour than is planned is actually required.

The situation is made more complex by the fact that the internal and external audit functions in many organisations are becoming a lot more technical. This is not as positive as it might first sound, as there is a trend for anyone newly arrived in the field of IT to become more technically involved than they need to be. After all, just because you drive your car does not mean you always have to know what goes on under the hood.

And this is where firewall and allied security system automation can assist, because when it comes down to basics, every audit process can be distilled into a specified set of questions. Yes, the list may be a long one, and involve multiple branching choices, but compiling such a list is feasible in most instances.

The good news

Wherever there is an audit list, an automated audit process can be developed using that age-old work analysis process, the flowchart. It is our belief that most IT compliance processes can be automated, provided the processes are broken down into their constituent parts.

Through the use of automated audits – which, by the way, are superior from a regulatory point of view to manual audits, as they are continuous rather than representing the state of an organisation’s IT security at a single point in time – it is possible to meet the compliance needs of a given set of standards. The one caveat is that an automated audit only answers the questions that have been encoded in its checklist, so the checklist itself has to be reviewed whenever the standard or the corporate policy changes.

Companies, we have observed, need an automated audit process that can be configured to meet the specific requirements of both corporate and regulatory standards. In addition, in order to hold individuals accountable for their actions, companies also need to maintain an accurate audit trail of all security policy and operating system changes.

Common-sense audit rules mean that it is preferable that the audit trail comes from an objective third party, or from an automatic logging solution that the people making the changes cannot alter. Furthermore, companies also need to enforce and demonstrate a separation of duties designed to ensure that all changes are approved and monitored properly. A good automated security audit suite provides IT staff with a series of automatic audit reports that test current firewall configurations against their organisation’s corporate security policy, as well as against a configurable checklist of standards.

That same audit software also needs to supply a list of audit violations, as well as information on how to resolve or mitigate the infraction. Good audit software should also allow that reports be scheduled for automatic, periodic execution and then emailed to all relevant security officers.

But the technology advantages should not stop there, as the software should also provide periodic audits with continuous change tracking and a comprehensive audit trail that provides full accountability, as well as demonstrating the implementation of a separation of duties. Change reports should also be generated at any time to show the configuration changes that were made both to the rule base – and to the firewall operating system.

With these features, a good automated security audit package effectively turns the automated systems-assisted audit process into the reporting process it is meant to be, with transparency and accountability being the order of the day.

But wait – there is more

Automated audit software brings more advantages to the reporting table. Good software should also be able to write the security rules once within an organisation and then continually enforce them without direct reference to the IT support staff.

A further requirement that IT security professionals need to ask about, along with the usual return-on-investment calculations, is whether the software supports a Web graphical user interface, as this option makes life easier from an audit perspective, since it allows a dashboard drill-down approach to monitoring the audit software.

Armed with auditing software like this, IT security professionals can both audit and verify that their security software is doing what it should do and, arguably equally important, obtain the information that IT management needs to prove compliance (and on a cost-effective basis).

The final advantage that good security audit software brings to the table is the ability to generate ‘what if’ reports on demand: the effect of a proposed rule change can be evaluated against the policy before it is committed. Skilful use and interpretation of these reports allows IT security managers to build an effective risk analysis process – and without breaking the bank.
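As an added illustration (example code written for this page, not code from the article, from Tufin or from any product it describes), the pieces the article asks for can be sketched in a few dozen lines of Python: a checklist of audit questions run over a firewall rule base, a violation list with remediation advice, a change report between two rule-base snapshots, and a ‘what if’ evaluation of a proposed rule before it is committed. The one-line rule format, the check identifiers FW-01 to FW-03, the 10.0.0.0/8 ‘internal’ range and the sample rule bases are all constructed for the example and are not any vendor's format or policy.

```python
"""Added example (not code from the article or from Tufin): a checklist-driven
firewall rule-base audit with remediation hints, a change report between two
rule-base snapshots, and a 'what if' check for a proposed rule.

Everything here is constructed for illustration: the one-line rule format,
the check identifiers FW-01..FW-03, the 10.0.0.0/8 'internal' range and the
sample rule bases are assumptions, not any vendor's format or policy.
"""
from dataclasses import dataclass
import ipaddress


# Hypothetical rule line: "<action> <proto> <src> <dst> <dport> [# comment]"
@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    dport: str
    comment: str = ""


def parse_rule(line: str) -> Rule:
    body, _, comment = line.partition("#")
    parts = body.split()
    if len(parts) != 5:
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(*parts, comment=comment.strip())


def parse_rulebase(text: str) -> list[Rule]:
    # Blank lines and full-line comments are not rules.
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
CLEARTEXT_ADMIN_PORTS = {"21", "23"}             # ftp, telnet


def is_any(addr: str) -> bool:
    return addr.lower() == "any"


def reaches_internal(addr: str) -> bool:
    if is_any(addr):
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).overlaps(INTERNAL)
    except ValueError:
        # Names or objects we cannot resolve: flag rather than silently pass.
        return True


# The checklist is the article's "specified set of questions".
# Each predicate returns True when the rule VIOLATES the check.
CHECKLIST = [
    ("FW-01", "no permit rules with any source, any destination and any service",
     lambda r: r.action == "allow" and is_any(r.src) and is_any(r.dst) and is_any(r.dport)),
    ("FW-02", "no cleartext admin protocols (ftp/telnet) permitted into internal ranges",
     lambda r: r.action == "allow" and r.dport in CLEARTEXT_ADMIN_PORTS and reaches_internal(r.dst)),
    ("FW-03", "every permit rule carries a justification (change reference) comment",
     lambda r: r.action == "allow" and not r.comment),
]
REMEDIATION = {
    "FW-01": "narrow source, destination and service into explicit rules",
    "FW-02": "replace with ssh/sftp (22) or remove the rule",
    "FW-03": "add the change-ticket reference to the rule comment",
}


def audit(rules: list[Rule]) -> list[tuple[int, str, str, str]]:
    """Violations as (rule index, check id, description, how to fix)."""
    return [(i, cid, desc, REMEDIATION[cid])
            for i, r in enumerate(rules)
            for cid, desc, violates in CHECKLIST if violates(r)]


def change_report(old: list[Rule], new: list[Rule]) -> dict[str, list[Rule]]:
    """Rule-base diff between two snapshots (order preserved, duplicates ignored)."""
    old_set, new_set = set(old), set(new)
    return {"added": [r for r in new if r not in old_set],
            "removed": [r for r in old if r not in new_set]}


def what_if(rules: list[Rule], proposed: str) -> list[tuple[int, str, str, str]]:
    """Audit a proposed rule against the checklist before it is committed."""
    candidate = rules + [parse_rule(proposed)]
    return [v for v in audit(candidate) if v[0] == len(rules)]


# Constructed sample snapshots (not a real firewall export).
RULEBASE_V1 = """\
allow tcp 192.0.2.0/24 10.1.2.10 443   # CHG-1001 web front end
allow tcp any          10.1.2.20 23    # legacy console
deny  ip  any          any       any
"""
RULEBASE_V2 = RULEBASE_V1 + "allow ip any any any\n"   # the 'temporary' rule audits exist to catch

if __name__ == "__main__":
    v1, v2 = parse_rulebase(RULEBASE_V1), parse_rulebase(RULEBASE_V2)
    for idx, cid, desc, fix in audit(v2):
        print(f"rule {idx}: {cid} {desc} -> {fix}")
    print("changed:", change_report(v1, v2))
    print("what if:", what_if(v1, "allow tcp any 10.1.2.30 21"))
```

Running it reports the legacy telnet rule against FW-02 in both snapshots, and the added any/any/any permit against FW-01 and FW-03 in the second; the change report lists that rule as the only difference, and the ‘what if’ call rejects a proposed cleartext ftp rule before anyone has to back it out. In a real deployment the checklist entries would be generated from the corporate policy and the relevant standard, and the snapshots would come from the tamper-evident change log the article describes rather than from strings in the script.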

For more information visit www.tufin.com



Copyright © Technews Publishing (Pty) Ltd. All rights reserved.