Procedures, Roles, and Responsibilities
This is an area that is all too often totally overlooked in security audits. Auditors often focus on the physical and technical aspects of security and forget to ensure that proper procedures are in place, have been written down, and are being followed. Yet it can be the key piece in the jigsaw puzzle that, if missing, creates the biggest threat to security.
It is important that policies are in place to ensure that auditing and tracing are used effectively. Some systems will be required to log more than others (for legal or operational reasons), but the minimum auditing that should be carried out should log which login attempts have failed and which IP address they come from.
Are procedures in place to ensure that audit logs of system activity are regularly reviewed for signs of malicious intent (such as repeated failed logins)? Who carries out these procedures, and how often? Are they effective?
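A review of this kind can be partly automated. The following sketch is an added example, not part of the original text: it scans a log for failed logins and reports any source IP with repeated failures inside a sliding time window. The log line format, the threshold of five, and the five-minute window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN_FAILED user=alice ip=203.0.113.7
2024-05-01T10:00:09 LOGIN_OK user=bob ip=198.51.100.20
2024-05-01T10:00:15 LOGIN_FAILED user=admin ip=203.0.113.7
2024-05-01T10:00:31 LOGIN_FAILED user=root ip=203.0.113.7
2024-05-01T10:00:40 LOGIN_FAILED user=bob ip=198.51.100.20
2024-05-01T10:00:52 LOGIN_FAILED user=alice ip=203.0.113.7
2024-05-01T10:01:10 LOGIN_FAILED user=alice ip=203.0.113.7
2024-05-01T11:30:00 LOGIN_FAILED user=bob ip=198.51.100.20
this line is malformed and must not break the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN_FAILED user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def repeated_failures(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"count": n, "users": [...]}} for each source IP with at
    least `threshold` failed logins inside any sliding `window`.
    Assumes the log lines are in chronological order."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # successful logins and malformed lines
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue              # unparseable timestamp: skip, do not crash
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            best = flagged.get(m["ip"], {"count": 0})
            if len(q) > best["count"]:  # keep the worst burst seen per IP
                flagged[m["ip"]] = {"count": len(q),
                                    "users": sorted({u for _, u in q})}
    return flagged

if __name__ == "__main__":
    for ip, info in repeated_failures(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} failures, users tried: {info['users']}")
```

Listing the usernames tried from each flagged address helps the reviewer distinguish one user mistyping a password from one address guessing at many accounts.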
Is there a policy that ensures that passwords are not easily guessed? For example, is it mandatory that passwords be eight characters long and consist of a mixture of numbers and letters? Does the system force users to change passwords regularly?
The most effective virus-scanning software in the world is not going to be able to cope with a virus that is so new that no "antidote" has yet been written. Are procedures in place for what should be done if a virus outbreak is discovered? Should all mail servers be taken down in such an eventuality? Perhaps all Web servers, too? Many of the most lethal recent viruses use VBScript to write themselves onto Web pages as well as into emails, so this may be a consideration.
In such an eventuality, who should be informed of the outbreak? Who is responsible for making decisions about how serious the outbreak is?
It is also important for the auditor to check that these procedures are not simply written down in a document and forgotten about, but that they are well known to those who need to follow them and that they are carried out effectively when required.
Amazon.com went to great lengths to create procedures aimed at protecting the credit card information of its customers because the site recognized how disastrous it would be to the Amazon business if such information were stolen. Also, the company wanted to put its customers' minds at rest about handing over credit card information across the Web. Originally, the procedures developed ensured that the credit card information was held on the Web server for the minimum amount of time possible and was immediately transferred to disk and then copied onto a standalone internal PC with a direct modem link to the credit card processing company (but no link to the Internet). Only the last four digits of the credit card number remained stored on the Web server, useless to any hacker, or even to any Amazon employee with access to the Web server. This simple system gives Amazon a competitive advantage because customers feel safe trading with Amazon. Now their systems are more sophisticated but are just as secure.
Amazon also has policies to ensure that it employs only the best people and that everyone is very clear about their responsibilities. Employing good people who have clearly defined roles with clear divisions of responsibility can play a major part in the effectiveness of security within an organization.