Security Manager's Journal: Shrinking staff, and a time crunch
Our manager handles the quarterly SOX report himself after more layoffs
Computerworld - Today is the last day of the quarter in my company's financial calendar, and that means it's SOX time. I'm wrapping up four quarterly Sarbanes-Oxley Act controls that have to be completed by the end of the day -- reviewing security settings on our financial servers, reviewing the activities of system administrators on those servers, checking for inactive accounts that haven't been logged into in over 90 days, and checking the vulnerability report. SOX activities are remarkably time-consuming.
We're looking good so far. I've gone over the report on security settings (which, fortunately, applies in our case only to Linux systems, all of which have similar configurations -- I don't have to do this for Windows). The report includes installed packages, running processes, file permissions, account settings and other information related to configuration items and system behaviors that might indicate vulnerability or compromise. I've also gone over the system administrator activity logs (which really means looking at every command in the history files). That's a fairly time-consuming (and tedious) activity. The inactive account review is the easiest of the four SOX activities to perform, because our term process is working reliably and there are no system accounts still lingering after employees departed. And the vulnerability report isn't too bad either, because the system configurations haven't changed since last quarter, or the quarters before that. That's mainly true of the system settings as well.
You might be wondering two things: Why am I performing these SOX activities on the last day of the quarter, and why is the security manager performing these reviews at all instead of delegating them to technical security staff?
Well, actually I'm just wrapping up the documentation and approvals today -- the work has been done for a while now. Our SOX process requires a lot of documentation, entered in a very specific way into our ticketing system. The actual review work seems to be somewhat less effort than the documentation of the work in the ticketing system (and notifying the auditors and others who need to keep track of the documentation). At this point, I just need to enter the right approvals and close the tickets. It would be good to have gotten this done sooner, but with a million other things to do, many of which are equally (or more) important, the deadline is the real driver. Maybe I'll share my to-do list with you next time, so you can see what other things I'm working on.
As for delegating, that's no longer an option. I recently wrote about my company's financial struggles, our budget cuts, and my looming suspicion that I was about to get laid off. As it turned out, I didn't lose my job -- but I have only one staff member left on my team. That's left me as the most technically experienced resource available to do security work, and although I'm mentoring my one remaining staff member, that's an investment that won't pay off for a while. And as for getting contractors -- that's out of the question. No budget. So, it's either do it myself, or it won't get done.
It's not all bad. I enjoy getting my hands on the technology instead of dealing only with management activities. But every day, things will get left undone because there is always more than two people can manage.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
To join in the discussions about security, go to blogs.computerworld.com/security.
More by J.F. Rice
- Security Manager's Journal: Trapped: Building access controls go kablooey
- Security Manager's Journal: We manage our threats, but what about our vendors?
- Security Manager's Journal: With Heartbleed, suddenly the world is paying attention to security
- Security Manager's Journal: A rush to XP's end of life
- Security Manager's Journal: Security flaw shakes faith in Apple mobile devices
- Security Manager's Journal: Cyberattacks just got personal
- Security Manager's Journal: Target breach unleashes fresh scams
- Security Manager's Journal: Giving thanks for SIEM
- Security Manager's Journal: Hashing out secure applications
- Security Manager's Journal: Why the shutdown is like the cloud
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!