Attended a great meeting at AISA yesterday in which Dr Caroline Allison made the excellent point that the correct operation of an IT system is key to the admissibility of audit trails as evidence.
This brought home to me that change management, release management and incident management processes (and the systems and documentation behind them) are key to being able to state that IT systems were running as expected during the period in which the incident in question occurred.
For example, under cross-examination the IT manager could be asked questions he may not have the answers to, such as:
- Was logging working correctly during the period of time that the incident occurred?
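One way to put evidence behind the answer to that question, as an added example that is not part of the original post: a small Python check that reads a (constructed) heartbeat log, confirms that entries exist at both edges of the incident window, and lists any hole between consecutive entries that is longer than the expected interval. The log format, the five-minute interval and the incident window are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): a device writing a
# heartbeat every five minutes, with a 45-minute hole between 09:10 and 09:55.
SAMPLE_LOG = """\
2009-11-03T08:55:00 fw01 heartbeat ok
2009-11-03T09:00:00 fw01 heartbeat ok
2009-11-03T09:05:00 fw01 heartbeat ok
2009-11-03T09:10:00 fw01 heartbeat ok
2009-11-03T09:55:00 fw01 heartbeat ok
2009-11-03T10:00:00 fw01 heartbeat ok
2009-11-03T10:05:00 fw01 heartbeat ok
"""

# Assumed incident window and expected heartbeat interval for this example.
INCIDENT_START = datetime.fromisoformat("2009-11-03T09:00:00")
INCIDENT_END = datetime.fromisoformat("2009-11-03T10:00:00")
EXPECTED_INTERVAL = timedelta(minutes=5)


def parse_timestamps(text):
    """Return the ISO 8601 timestamp that starts each non-empty log line, in file order."""
    return [
        datetime.fromisoformat(line.split(" ", 1)[0])
        for line in text.splitlines()
        if line.strip()
    ]


def find_gaps(stamps, expected_interval):
    """Return (before, after) pairs where consecutive entries are further apart than expected."""
    return [
        (earlier, later)
        for earlier, later in zip(stamps, stamps[1:])
        if later - earlier > expected_interval
    ]


def coverage_report(text, window_start, window_end, expected_interval):
    """Report whether the log provides continuous coverage of the window.

    Continuous means: at least one entry lies at or before window_start and one at or
    after window_end (so the edges are observed, not inferred), and no two consecutive
    entries between those bounding entries are further apart than expected_interval.
    """
    stamps = sorted(parse_timestamps(text))
    before = [s for s in stamps if s <= window_start]
    after = [s for s in stamps if s >= window_end]
    # The nearest entries bounding the window, so a gap at either edge is visible too.
    lo = before[-1] if before else (stamps[0] if stamps else None)
    hi = after[0] if after else (stamps[-1] if stamps else None)
    relevant = [s for s in stamps if lo is not None and lo <= s <= hi]
    gaps = find_gaps(relevant, expected_interval)
    return {
        "entries": len(relevant),
        "covers_start": bool(before),
        "covers_end": bool(after),
        "gaps": [(a.isoformat(), b.isoformat()) for a, b in gaps],
        "continuous": bool(before) and bool(after) and not gaps,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(coverage_report(SAMPLE_LOG, INCIDENT_START, INCIDENT_END, EXPECTED_INTERVAL))
```

The report is deliberately explicit about the two ways coverage can fail (no entry bounding the window, or a hole inside it), since those are exactly the points a cross-examiner would probe; the same check applies to any log source with a known write cadence.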
This also got me thinking about how infosec activities should be embedded in these base (ITIL-like) processes, for example:
- Change management - looking for unapproved changes by comparing, say, Tripwire reports to change records and escalating anything unexplained to the infosec department's CSIRT
- Release management - implementing gates for risk assessment, checks of security requirements, source code analysis, functional security acceptance testing and vulnerability assessment
- Incident management - engaging infosec as part of investigations into unexplained outages and incidents of human error, which may help identify users/developers/testers with excessive access rights
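The change-management reconciliation from the first bullet, as an added example that is not part of the original post: Python that matches file-integrity events against approved change records and separates out the events no record explains, which are the candidates for escalation to the CSIRT. Tripwire itself is not invoked; the integrity events and change records are constructed inline, and the field names (`time`, `host`, `path`, `ticket`, `start`, `end`, `paths`) are assumptions about how the two reports would be flattened for comparison.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). Integrity events are in the
# shape a file-integrity monitor's report might be flattened to; change records are in
# the shape a change-management system might export. Field names are assumptions.
INTEGRITY_EVENTS = [
    {"time": "2009-11-03T22:15:00", "host": "web01", "path": "/etc/ssh/sshd_config"},
    {"time": "2009-11-03T22:20:00", "host": "web01", "path": "/usr/local/bin/backup.sh"},
    {"time": "2009-11-03T23:10:00", "host": "web01", "path": "/etc/ssh/sshd_config"},
    {"time": "2009-11-04T03:40:00", "host": "web01", "path": "/etc/passwd"},
    {"time": "2009-11-04T09:05:00", "host": "web01", "path": "/var/www/app/config.php"},
]

CHANGE_RECORDS = [
    {"ticket": "CHG-1001", "host": "web01",
     "start": "2009-11-03T22:00:00", "end": "2009-11-03T23:00:00",
     "paths": ["/etc/ssh/sshd_config", "/usr/local/bin/backup.sh"]},
    {"ticket": "CHG-1002", "host": "web01",
     "start": "2009-11-04T09:00:00", "end": "2009-11-04T10:00:00",
     "paths": ["/var/www/app/"]},   # trailing slash: the whole directory is authorised
]


def _ts(s):
    return datetime.fromisoformat(s)


def path_authorised(path, allowed):
    """True if `path` equals an allowed path, or lies under an allowed directory (trailing '/')."""
    return any(
        (p.endswith("/") and path.startswith(p)) or path == p
        for p in allowed
    )


def covered_by(event, record, grace_minutes=0):
    """True if the event is on the record's host, inside its window (widened by the
    grace period on either side) and touches a path the record authorises."""
    if event["host"] != record["host"]:
        return False
    grace = timedelta(minutes=grace_minutes)
    t = _ts(event["time"])
    if not (_ts(record["start"]) - grace <= t <= _ts(record["end"]) + grace):
        return False
    return path_authorised(event["path"], record["paths"])


def reconcile(events, records, grace_minutes=0):
    """Attach a ticket to each event that an approved change explains; return the
    unexplained ones separately, as they are the candidates for escalation."""
    approved, unapproved = [], []
    for ev in events:
        ticket = next((r["ticket"] for r in records if covered_by(ev, r, grace_minutes)), None)
        if ticket is None:
            unapproved.append(ev)
        else:
            approved.append({**ev, "ticket": ticket})
    return approved, unapproved


def unapproved_summary(events, records, grace_minutes=0):
    """Sorted 'time host path' lines for the events no change record explains."""
    _, unapproved = reconcile(events, records, grace_minutes)
    return sorted(f'{e["time"]} {e["host"]} {e["path"]}' for e in unapproved)


if __name__ == "__main__":
    for line in unapproved_summary(INTEGRITY_EVENTS, CHANGE_RECORDS):
        print("UNAPPROVED", line)
```

With no grace period the 23:10 edit to `sshd_config` is flagged even though it belongs to the CHG-1001 work, because that change overran its window; `grace_minutes` lets the reviewer decide how much overrun to tolerate rather than silently accepting it. The `/etc/passwd` edit at 03:40 falls inside no window at all and stays unexplained whatever the grace.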
- Matthew Hackling
- Matt runs his own security consultancy called Ronin Security. His focus is information security management and he has a keen interest in infrastructure and web application security. He's a CISSP and the current Branch Executive of the Melbourne chapter of the Australian Information Security Association.