When checking system access, make sure you look at every layer that affects the user’s access, not just the one that is easiest to pull a report from. For example, the user might need one or more of the following:
- Application ID
- Application role or group
- Membership in a local server group, Active Directory (AD) group, or UNIX group
- Access to the application’s share and/or folder on the server
- Database ID
- Database role, including access permissions (read/write)
- Other permissions (from home-grown application code or an enterprise identity management system)
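One way to make the layered check concrete is to reconcile what a user actually holds at each layer against what their job role should require, and report both gaps and excess. The script below is an added example, not code from the original post; the "AP clerk" profile, the user's holdings, the share path and the role names are all constructed for illustration. Real data would come from an AD/LDAP query, the share's ACL, the application's role table and the database's role catalog.

```python
"""Added example: reconcile one user's access across the layers listed above.
All profiles and holdings below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class AccessLayers:
    """One snapshot of the layers the checklist names."""
    app_ids: set = field(default_factory=set)      # application login IDs
    app_roles: set = field(default_factory=set)    # roles/groups inside the application
    os_groups: set = field(default_factory=set)    # local, AD, or UNIX groups
    share_paths: set = field(default_factory=set)  # shares/folders on the server
    db_ids: set = field(default_factory=set)       # database logins
    db_roles: dict = field(default_factory=dict)   # db role -> "r" or "rw"


# Hypothetical "what this job should have" profile (constructed).
REQUIRED = {
    "AP clerk": AccessLayers(
        app_ids={"FINAPP"},
        app_roles={"AP_ENTRY"},
        os_groups={"FIN-Users"},
        share_paths={r"\\finsrv\finapp$"},
        db_ids={"finapp_db"},
        db_roles={"ap_entry": "rw", "gl_reporting": "r"},
    )
}

# Hypothetical user as found in the systems (constructed). Note the extra
# approval role (segregation-of-duties problem), the missing share, the
# db_owner role, and read/write where read-only was expected.
SAMPLE_USER = AccessLayers(
    app_ids={"FINAPP"},
    app_roles={"AP_ENTRY", "AP_APPROVE"},
    os_groups={"FIN-Users"},
    share_paths=set(),
    db_ids={"finapp_db"},
    db_roles={"ap_entry": "rw", "gl_reporting": "rw", "db_owner": "rw"},
)


def diff_layer(name, actual, expected):
    """Report items the user lacks (missing) and items beyond the profile (excess)."""
    findings = []
    for item in sorted(expected - actual):
        findings.append(f"missing {name}: {item}")
    for item in sorted(actual - expected):
        findings.append(f"excess {name}: {item}")
    return findings


def reconcile(actual, expected):
    """Compare every layer; an empty list means the user matches the profile."""
    findings = []
    for layer in ("app_ids", "app_roles", "os_groups", "share_paths", "db_ids"):
        findings += diff_layer(layer, getattr(actual, layer), getattr(expected, layer))
    # Database roles carry a permission level, so check names first, then levels.
    findings += diff_layer("db_roles", set(actual.db_roles), set(expected.db_roles))
    for role, perm in actual.db_roles.items():
        want = expected.db_roles.get(role)
        if want is not None and perm != want:
            findings.append(f"db_roles {role}: has {perm}, expected {want}")
    return findings


def demo():
    """Run the reconciliation for the constructed user against the AP clerk profile."""
    return reconcile(SAMPLE_USER, REQUIRED["AP clerk"])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of listing excess as well as missing items is that an access review usually finds more "leftover" rights (a role kept from a previous job, a database role granted for a one-time fix) than outright gaps, and those leftovers are what an auditor cares about.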
Filed under Audit, How to..., Security, Technology
Here’s my list of IT/security basics that I think IT auditors ought to know. If you can’t understand and audit these items, you do not know enough about technology to avoid having the wool pulled over your irises (no matter how good an auditor you are). The list is in no particular order.
If you’re a CISA or CISSP and you don’t know the following, I think you have some work to do.
Filed under Audit, How to..., Security, Technology
Okay, so you’re not up to a wastebasket audit? Too demeaning, too sneaky, too many sticky candy wrappers? How about a simple server share audit?
Many companies have shared drives, and then they have “over-shared” drives: those locations where anyone who needs a space to store files they share with a couple of departments can drop them. Or perhaps your company just doesn’t lock down its shares according to the least privilege principle.
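A simple share audit has two halves: who can get at the files (permissions) and what is in them (content). The script below is an added example and not code from the original post. It walks a directory tree, flags files that anyone can write to, and flags files whose content matches a crude SSN pattern, noting whether those files are readable by everyone. The sample share it builds in a temporary directory (an HR folder with a payroll file, a scratch folder with a world-writable note) is constructed for the demo. It reads POSIX mode bits; on a Windows file server you would read the NTFS ACL and the share permissions instead, but the two questions are the same.

```python
"""Added example: a minimal server share audit (permissions plus content).
The sample share is constructed in a temp directory for illustration."""
import os
import re
import shutil
import stat
import tempfile

# Crude U.S. SSN pattern: good enough to find obvious PII, expect false positives.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def audit_share(root, max_bytes=1_000_000):
    """Return sorted (relative_path, issue, detail) tuples for the tree under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:  # "other" write bit: anyone can modify or replace it
                findings.append((rel, "world-writable", f"mode {oct(stat.S_IMODE(mode))}"))
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable to us; skip rather than crash the whole walk
            if SSN_RE.search(text):
                exposure = "readable by everyone" if mode & stat.S_IROTH else "restricted to owner/group"
                findings.append((rel, "possible-ssn", exposure))
    return sorted(findings)


def _write(path, text, mode):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)  # set explicitly so the umask does not change the demo


def build_sample_share():
    """Create a constructed share: one PII file, one world-writable file, one clean file."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    os.makedirs(os.path.join(root, "HR"))
    os.makedirs(os.path.join(root, "Scratch"))
    _write(os.path.join(root, "HR", "payroll.csv"),
           "name,ssn\nA. Person,123-45-6789\n", 0o644)
    _write(os.path.join(root, "HR", "handbook.txt"),
           "Welcome to the company.\n", 0o640)
    _write(os.path.join(root, "Scratch", "todo.txt"),
           "pick up milk\n", 0o666)
    return root


def demo():
    """Build the sample share, audit it, clean up, and return the findings."""
    root = build_sample_share()
    try:
        return audit_share(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, issue, detail in demo():
        print(f"{issue:15} {rel}  ({detail})")
```

Run it against a real share mounted on the auditing host and treat every "possible-ssn" hit that is readable by everyone as a least-privilege finding first and a data-classification finding second; the world-writable hits are where someone can plant or alter files that other departments trust.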
Filed under Audit, How to...
No, I’m not suggesting that you don’t answer your phone. Just be careful what you do or say when you are called or contacted.
What am I talking about? A principle I refer to as the CONTACT principle, which will keep your private information private:
Filed under Security, Security Scope