Friday, August 14, 2009

Security is an extension of good systems administration

Attended a great meeting at AISA yesterday in which Dr Caroline Allison made the excellent point that the correct operation of an IT system is key in the admissibility of audit trails as evidence.

This really pointed out to me that change management, release management and incident management processes (and systems and documentation) are key to making sure that you can state that IT systems were running as expected during the period of time in which the incident in question occurred.

For example, under cross-examination the IT manager could be asked all sorts of questions that he may not have the answers to, such as:
- Was logging working correctly during the period of time in which the incident occurred?

This also got me thinking about how infosec activities should be embedded in these base (ITIL-like) processes, for example:
- Change management - looking for unapproved changes by comparing, say, Tripwire reports to change records and escalating to the infosec department's CSIRT
- Release management - implementing gates for risk assessment, checks of security requirements, source code analysis, functional security acceptance testing and vulnerability assessment
- Incident management - engaging infosec as part of investigations into unexplained outages and incidents of human error, which may help identify users/developers/testers with excessive access rights
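The change-management reconciliation described above, as an added example that is not from the original post: a file-integrity report (a constructed, simplified Tripwire-like list, not real Tripwire output) is matched against constructed change records, each with an approved time window and the paths it covers, and anything without a covering record is listed for escalation to the CSIRT.

```python
from datetime import datetime

# Constructed sample: file-integrity findings in a simplified Tripwire-like
# shape (path, change type, detection time). Not real Tripwire output.
INTEGRITY_REPORT = [
    ("/etc/ssh/sshd_config", "Modified", "2009-08-13T02:15:00"),
    ("/usr/local/bin/backup.sh", "Modified", "2009-08-13T02:20:00"),
    ("/etc/passwd", "Modified", "2009-08-13T11:42:00"),
    ("/var/www/html/index.php", "Added", "2009-08-13T14:05:00"),
]

# Constructed change records: approved window plus the files or directory
# prefixes (trailing slash) the change was authorised to touch.
CHANGE_RECORDS = [
    {"id": "CHG-1001", "start": "2009-08-13T02:00:00", "end": "2009-08-13T03:00:00",
     "paths": ["/etc/ssh/sshd_config", "/usr/local/bin/backup.sh"]},
    {"id": "CHG-1002", "start": "2009-08-13T13:00:00", "end": "2009-08-13T15:00:00",
     "paths": ["/var/www/html/"]},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def covering_change(path, when, records):
    """Return the id of an approved change covering this path at this time, else None."""
    t = _ts(when)
    for rec in records:
        if not (_ts(rec["start"]) <= t <= _ts(rec["end"])):
            continue
        for approved in rec["paths"]:
            # Exact file match, or the path falls under an approved directory prefix.
            if path == approved or (approved.endswith("/") and path.startswith(approved)):
                return rec["id"]
    return None

def reconcile(report, records):
    """Split findings into approved (with ticket id) and unapproved (to escalate)."""
    approved, unapproved = [], []
    for path, kind, when in report:
        cid = covering_change(path, when, records)
        if cid:
            approved.append((path, kind, cid))
        else:
            unapproved.append((path, kind, when))
    return approved, unapproved

if __name__ == "__main__":
    ok, escalate = reconcile(INTEGRITY_REPORT, CHANGE_RECORDS)
    for p, k, c in ok:
        print(f"approved  {k:<8} {p}  ({c})")
    for p, k, w in escalate:
        print(f"ESCALATE  {k:<8} {p}  at {w} - no matching change record")
```

A real deployment would read the integrity tool's own report format and pull change windows from the ticketing system; the matching logic stays the same.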