Today is the last day of the quarter in my company's financial calendar, and that means it's SOX time. I'm wrapping up four quarterly Sarbanes-Oxley Act controls that have to be completed by the end of the day -- reviewing security settings on our financial servers, reviewing the activities of system administrators on those servers, checking for inactive accounts that haven't been logged into in over 90 days, and checking the vulnerability report. SOX activities are remarkably time-consuming.
We're looking good so far. I've gone over the report on security settings (which, fortunately, applies in our case only to Linux systems, all of which have similar configurations -- I don't have to do this for Windows). The report includes installed packages, running processes, file permissions, account settings and other information related to configuration items and system behaviors that might indicate vulnerability or compromise. I've also gone over the system administrator activity logs (which really means looking at every command in the history files). That's a fairly time-consuming (and tedious) activity. The inactive account review is the easiest of the four SOX activities to perform, because our term process is working reliably and there are no system accounts still lingering after employees departed. And the vulnerability report isn't too bad either, because the system configurations haven't changed since last quarter, or the quarters before that. That's mainly true of the system settings as well.
You might be wondering two things: Why am I performing these SOX activities on the last day of the quarter, and why is the security manager performing these reviews at all instead of delegating them to technical security staff?
Well, actually I'm just wrapping up the documentation and approvals today -- the work has been done for a while now. Our SOX process requires a lot of documentation, entered in a very specific way into our ticketing system. The actual review work seems to be somewhat less effort than the documentation of the work in the ticketing system (and notifying the auditors and others who need to keep track of the documentation). At this point, I just need to enter the right approvals and close the tickets. It would be good to have gotten this done sooner, but with a million other things to do, many of which are equally (or more) important, the deadline is the real driver. Maybe I'll share my to-do list with you next time, so you can see what other things I'm working on.
As for delegating, that's no longer an option. I recently wrote about my company's financial struggles, our budget cuts, and my looming suspicion that I was about to get laid off. As it turned out, I didn't lose my job -- but I have only one staff member left on my team. That's left me as the most technically experienced resource available to do security work, and although I'm mentoring my one remaining staff member, that's an investment that won't pay off for a while. And as for getting contractors -- that's out of the question. No budget. So, it's either do it myself, or it won't get done.
It's not all bad. I enjoy getting my hands on the technology instead of dealing only with management activities. But every day, things will get left undone because there is always more than two people can manage.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.