Security Manager's Journal: Shrinking staff, and a time crunch
Our manager handles the quarterly SOX report himself after more layoffs
Computerworld - Today is the last day of the quarter in my company's financial calendar, and that means it's SOX time. I'm wrapping up four quarterly Sarbanes-Oxley Act controls that have to be completed by the end of the day -- reviewing security settings on our financial servers, reviewing the activities of system administrators on those servers, checking for inactive accounts that haven't been logged into in over 90 days, and checking the vulnerability report. SOX activities are remarkably time-consuming.
We're looking good so far. I've gone over the report on security settings (which, fortunately, applies in our case only to Linux systems, all of which have similar configurations -- I don't have to do this for Windows). The report includes installed packages, running processes, file permissions, account settings and other information related to configuration items and system behaviors that might indicate vulnerability or compromise. I've also gone over the system administrator activity logs (which really means looking at every command in the history files). That's a fairly time-consuming (and tedious) activity. The inactive account review is the easiest of the four SOX activities to perform, because our termination process is working reliably and there are no system accounts still lingering after employees departed. And the vulnerability report isn't too bad either, because the system configurations haven't changed since last quarter, or the quarters before that. That's mainly true of the system settings as well.
You might be wondering two things: Why am I performing these SOX activities on the last day of the quarter, and why is the security manager performing these reviews at all instead of delegating them to technical security staff?
Well, actually I'm just wrapping up the documentation and approvals today -- the work has been done for a while now. Our SOX process requires a lot of documentation, entered in a very specific way into our ticketing system. The actual review work seems to be somewhat less effort than the documentation of the work in the ticketing system (and notifying the auditors and others who need to keep track of the documentation). At this point, I just need to enter the right approvals and close the tickets. It would be good to have gotten this done sooner, but with a million other things to do, many of which are equally (or more) important, the deadline is the real driver. Maybe I'll share my to-do list with you next time, so you can see what other things I'm working on.
As for delegating, that's no longer an option. I recently wrote about my company's financial struggles, our budget cuts, and my looming suspicion that I was about to get laid off. As it turned out, I didn't lose my job -- but I have only one staff member left on my team. That's left me as the most technically experienced resource available to do security work, and although I'm mentoring my one remaining staff member, that's an investment that won't pay off for a while. And as for getting contractors -- that's out of the question. No budget. So, it's either do it myself, or it won't get done.
It's not all bad. I enjoy getting my hands on the technology instead of dealing only with management activities. But every day, things will get left undone because there is always more than two people can manage.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.