Security Manager's Journal: Shrinking staff, and a time crunch
Our manager handles the quarterly SOX report himself after more layoffs
Computerworld - Today is the last day of the quarter in my company's financial calendar, and that means it's SOX time. I'm wrapping up four quarterly Sarbanes-Oxley Act controls that have to be completed by the end of the day -- reviewing security settings on our financial servers, reviewing the activities of system administrators on those servers, checking for inactive accounts that haven't been logged into in over 90 days, and checking the vulnerability report. SOX activities are remarkably time-consuming.
We're looking good so far. I've gone over the report on security settings (which, fortunately, applies in our case only to Linux systems, all of which have similar configurations -- I don't have to do this for Windows). The report includes installed packages, running processes, file permissions, account settings and other information related to configuration items and system behaviors that might indicate vulnerability or compromise. I've also gone over the system administrator activity logs (which really means looking at every command in the history files). That's a fairly time-consuming (and tedious) activity. The inactive account review is the easiest of the four SOX activities to perform, because our term process is working reliably and there are no system accounts still lingering after employees departed. And the vulnerability report isn't too bad either, because the system configurations haven't changed since last quarter, or the quarters before that. That's mainly true of the system settings as well.
You might be wondering two things: Why am I performing these SOX activities on the last day of the quarter, and why is the security manager performing these reviews at all instead of delegating them to technical security staff?
Well, actually I'm just wrapping up the documentation and approvals today -- the work has been done for a while now. Our SOX process requires a lot of documentation, entered in a very specific way into our ticketing system. The actual review work seems to be somewhat less effort than the documentation of the work in the ticketing system (and notifying the auditors and others who need to keep track of the documentation). At this point, I just need to enter the right approvals and close the tickets. It would be good to have gotten this done sooner, but with a million other things to do, many of which are equally (or more) important, the deadline is the real driver. Maybe I'll share my to-do list with you next time, so you can see what other things I'm working on.
As for delegating, that's no longer an option. I recently wrote about my company's financial struggles, our budget cuts, and my looming suspicion that I was about to get laid off. As it turned out, I didn't lose my job -- but I have only one staff member left on my team. That's left me as the most technically experienced resource available to do security work, and although I'm mentoring my one remaining staff member, that's an investment that won't pay off for a while. And as for getting contractors -- that's out of the question. No budget. So, it's either do it myself, or it won't get done.
It's not all bad. I enjoy getting my hands on the technology instead of dealing only with management activities. But every day, things will get left undone because there is always more than two people can manage.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.