SOX

06/08/2010

Keeping Watch & Monitoring IT

More and more new technology is released into working environments each day, whether it be intentional installations of servers and software, or unintentional releases of viruses and malware.  Given all the possibilities of what might and can occur, vigilance over what is going on is more important than ever.

Historically, keeping watch has been an extremely important duty.  Sentries would be placed at key locations at all hours to look for invaders, storms, fires, and friends approaching a castle.  Depending on what the sentry saw, he would alert different groups of people to respond appropriately to the threat or the opportunity that was presented.

The success in these situations is to cut response times (and downtime), and improve customer satisfaction.  This also helps to cut costs, as preventing major problems and attacks is almost always better than repairing the aftermath of the issue.

Today, the analogy to IT is quite similar, but the methods have changed.  You can’t use a person to track all the events on a network, there are too many systems, and too many transactions per second for this to be viable.  Instead, we need to take a risk based approach by putting sentries on watch at the most important areas.  If we don’t, then the risk of invaders, fire, or other catastrophe increases, as does the risk that we won’t discover the problem until after it is far too late.

Step 1: The first step is to identify everything you want to monitor.  Areas to consider will be specific to your business but may include: firewall and network attacks, changes to systems, changes to logical access/user access, bandwidth usage, hard drive usage, server utilization, backup tape usage, database utilization, printer usage, and/or login times.

Step 2: Identify the areas of your network that you are able to monitor.  If you can track attacks on your network, that is something worth noting.  If your current system cannot track attacks on your network, that is also worth noting.

Step 3: Compare the list of things you want to monitor to the things you can monitor.  You now have to decide what you will be monitoring in the short term (items you want to monitor and can monitor) and make decisions about items you want to monitor in the future (those you want to monitor but cannot monitor now).  Further decisions must be made on how you will monitor these items (the criteria).  Monitoring hard drive space is a good idea, but how often will you check it, and what is the threshold for concern?  90% usage?  91%?

Moving ahead with monitoring of your IT investment will help to streamline and optimize your environment, and provide you with increased return on your investment (ROI).  Depending on the assessment, you may find that you can use existing tools, or conversely that you need a special monitoring tool.  Either way, by evaluating your environment, deciding what needs to be monitored, and posting sentries, you will be safer and better prepared for whatever may come your way.

“Never neglect details. When everyone's mind is dulled or distracted the leader must be doubly vigilant.”-          Colin Powell

By: Samuel BowerCraft

Posted at 02:42 PM in ERM - Enterprise Risk Management, IT, Risk & Internal Controls, SOX | | Comments (0)

|

05/20/2010

Security Zen –Backing Up to Move Forward

Cds2 

The world of information technology is filled with information; emails, files, spreadsheets, reports, databases, pictures, websites, and more.  Everywhere you look there is information that was made by and is used by us, our colleagues, our friends and family.  And just as we protect our prized possessions at home by locking the front door or installing an alarm system, we need to protect the electronic data that is important to us.

Data backup is one of the easiest concepts in the information technology world; let’s make a copy!  You copy the data you have to another place so that should the unthinkable happen, the primary data is altered or corrupted or deleted, you have the copy and can use it, and you can move ahead; brilliant!  However, as easy as this concept is, there are some fundamental steps to take to in order to ensure you have a copy of the information when you need it.

  1. Identify Your Data: If you don’t know what data you have, how can you know what data you should be backing up?  This process takes far less time than recreating everything you lost.
    1. Have business owners make a list of all the data sources they rely on: file folders, application data, databases, etc.
    2. For each source, identify if you need to back it up, i.e. yes, or no.
    3. For each item you need to backup, indicate how frequently it should be backed up.  Daily?  Weekly? Monthly?
  2. Setup Your Backups: With the listing you made in step #1, you can hand the plan to the IT department and they will quickly and efficiently setup the backup system to ensure the right things are backed up.  Since you included IT in step #1 for their areas, they won’t feel left out.

  3. Backup the Data: Backups will now take place magically, but there are still items that need to happen to reduce your stress. 

  4. Confirm Successful Backups: There are two parts to this process, and frequently only the first part is done.
    1. Part one: Check the backup software daily to see if the backup was completed and successful.  This is a good start, and will catch some problems.  However, as we know, sometimes computers don’t tell us everything and we discover issues later, so to be sure of the backups we do…
    2. Part two: Check the backup media.  Backups don’t really help us unless we can restore from the media (tape, CD, server, etc.).  This is why it is STRONGLY encouraged that backups are tested by restoring from the media.  Select a tape and see if you can pull files from it, or the database you use for your general ledger, etc.  If you can’t get files from your backups, then your tapes are good for very little, save perhaps propping up a couch with a missing leg.  This will also help you to check for hardware failures of your backup device.

  5. Store Backups Somewhere Else, Securely: While it is nice to have things where they are easy to access, backup media should not reside in the same building as your datacenter or servers (in general).  What happens when that building catches fire?  You will lose your primary data and the copy in a glorious blaze and despair will set in.  So, keep the tapes somewhere else, properly stored (not in a damp basement or with your dog’s toys) and keep them locked up where they reside.  Backup tapes are good for restoring, but they also contain all your company’s information, so lock them up.

By taking these steps you will dramatically reduce the backup failures you have in your environment, helping you to have more peace of mind as you and your company move ahead.

Written by: Samuel BowerCraft

Continue reading "Security Zen –Backing Up to Move Forward" »

Posted at 11:33 AM in Internal Audit & Controls, IT, Security, SOX | | Comments (0)

|

11/25/2009

GRC: Implications of Lack of Independence and Ethics. What Can We Do?

 Week 4 GRC  

Link to GRC Post:

A recent large company scandal and court decisions relates to the shareholders claims against Washington Mutual Bank (WaMu) (WaMu Fact Sheet. pdf).  This case involves billions of dollars and the court upheld the right to file claims against both WaMu executives and their external auditors Deloitte and Touche (D&T). (Internal Controls WaMu and D&T.pdf). There is speculation that this case may be the downfall of D&T, much like Enron and Arthur Andersen in 2002.  As I read through the various posts from insiders, a common thread appears:  Management and the External Auditors knew of the risks related to WaMu’s lending practices.  Management did not take the recommended action to mitigate those risks, that is, increase reserves.  Management then proceeded to lead shareholders astray by attesting to the effectiveness of internal controls over financial reporting.  So, if this is true, why did these insiders not speak up prior to the collapse?

Continue reading "GRC: Implications of Lack of Independence and Ethics. What Can We Do?" »

Posted at 03:44 PM in ERM - Enterprise Risk Management, Fraud Risk Management, Internal Audit, SOX | | Comments (0)

|

Search

Links


McKonly & Asbury LLP.
News & Updates


The Affordable Housing Gurus


Contractors Center Point


The Lean Accountants


The Risk, Management, and Control Advisors


The Corporate Confidante