Security Manager's Journal: Shrinking staff, and a time crunch
Our manager handles the quarterly SOX report himself after more layoffs
Computerworld - Today is the last day of the quarter in my company's financial calendar, and that means it's SOX time. I'm wrapping up four quarterly Sarbanes-Oxley Act controls that have to be completed by the end of the day -- reviewing security settings on our financial servers, reviewing the activities of system administrators on those servers, checking for inactive accounts that haven't been logged into in over 90 days, and checking the vulnerability report. SOX activities are remarkably time-consuming.
We're looking good so far. I've gone over the report on security settings (which, fortunately, applies in our case only to Linux systems, all of which have similar configurations -- I don't have to do this for Windows). The report includes installed packages, running processes, file permissions, account settings and other information related to configuration items and system behaviors that might indicate vulnerability or compromise. I've also gone over the system administrator activity logs (which really means looking at every command in the history files). That's a fairly time-consuming (and tedious) activity. The inactive account review is the easiest of the four SOX activities to perform, because our term process is working reliably and there are no system accounts still lingering after employees departed. And the vulnerability report isn't too bad either, because the system configurations haven't changed since last quarter, or the quarters before that. That's mainly true of the system settings as well.
You might be wondering two things: Why am I performing these SOX activities on the last day of the quarter, and why is the security manager performing these reviews at all instead of delegating them to technical security staff?
Well, actually I'm just wrapping up the documentation and approvals today -- the work has been done for a while now. Our SOX process requires a lot of documentation, entered in a very specific way into our ticketing system. The actual review work seems to be somewhat less effort than the documentation of the work in the ticketing system (and notifying the auditors and others who need to keep track of the documentation). At this point, I just need to enter the right approvals and close the tickets. It would be good to have gotten this done sooner, but with a million other things to do, many of which are equally (or more) important, the deadline is the real driver. Maybe I'll share my to-do list with you next time, so you can see what other things I'm working on.
As for delegating, that's no longer an option. I recently wrote about my company's financial struggles, our budget cuts, and my looming suspicion that I was about to get laid off. As it turned out, I didn't lose my job -- but I have only one staff member left on my team. That's left me as the most technically experienced resource available to do security work, and although I'm mentoring my one remaining staff member, that's an investment that won't pay off for a while. And as for getting contractors -- that's out of the question. No budget. So, it's either do it myself, or it won't get done.
It's not all bad. I enjoy getting my hands on the technology instead of dealing only with management activities. But every day, things will get left undone because there is always more than two people can manage.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.