Overview:
Increasing importance of compliance
Understand the changes that occur in your environment
Review the challenges of auditing security events
Technical aspects of the audit
In the world of information technology, change is constant. If your IT organization is like most, keeping track of the changes that take place in your environment is a pressure you have to live with, and that pressure is growing. The complexity and scale of IT environments keep increasing, and so does the impact of administrative errors and accidental data leaks. Today's society expects organizations to be accountable for such events, so organizations now have a legal responsibility to protect the information they manage.
As a result, auditing the changes that occur in your environment has become critical. Why? Because auditing provides a way to understand and manage change in today's large, highly distributed IT environments. This article covers the common challenges facing most organizations, the outlook for compliance and regulation in your IT organization, some basics of auditing in Windows®, and how to use Windows Server® 2008 features and Microsoft® System Center Operations Manager 2007 Audit Collection Services (ACS) to build a comprehensive audit strategy.
Audit challenges
A glance at the headlines shows that data leaks have become a common problem. Many of these incidents involve litigation, financial losses, and public relations problems for the organization responsible. Being able to explain the changes that took place, or to identify the problem quickly, is key to reducing the impact of a data leakage event.
For example, assume that your organization is responsible for managing personally identifiable information (PII) for a given customer base. Although there are several ways to protect the information held in the systems you manage, security incidents can still occur. With proper auditing, the organization can know precisely which systems were affected and which data may have been lost. Without auditing, the impact of data loss can be much larger, mainly because there is no way to estimate the extent of the damage.
So why haven't IT organizations done this? The reason is that most organizations do not fully understand the technical aspects of auditing. Senior management usually understands concepts such as backup and restore, but it is hard to convey the inherent complexity of auditing the changes that occur in an environment. As a result, auditing issues usually surface only after a major incident. For example, even if basic auditing is enabled, the information is simply not collected if a system was never configured to audit a particular change because of a lack of planning.
In addition, auditing security events has some inherent problems that IT professionals must deal with. One difficulty is the distribution of systems in today's large computing environments, which poses a serious challenge for collection and aggregation because changes can occur on any one system, or any group of systems, at any given time. Then there is another challenge: correlation. Sometimes the relationships between events on a single system, and across multiple systems, must be correlated to reveal the true meaning of what happened.
Another issue to note is that auditing usually crosses traditional organizational boundaries. Different organizations or team structures exist for different reasons and may not be well connected. Many organizations have a directory services team, a messaging infrastructure team, and a desktop team, but a single security team may be responsible for all of these areas. Also, an organization's dedicated security staff may not be present at every location. A branch office, for example, usually relies on a single person or a small team for all tasks, including security event log management.
Finally, the sheer volume of events is a challenge. Audited security events produce far more event log data than any other type of event logging. The number of events collected makes it very difficult to retain and review the logs effectively. Moreover, current and proposed regulations require this information to be retained, which does nothing to reduce this burden on today's computing infrastructure.
In the past, auditing access to information may have come down to a desire to know and a best effort at security. Now that organizations and their senior managers are legally accountable for information leaks or a lack of proper protection, it is especially important for IT administrators to be familiar with the various regulations that may apply to their environment. For global companies the challenge is even greater, because each country has its own rules on information and its protection. Figure 1 lists some existing examples of regulatory compliance, together with what they expect of IT organizations.
Figure 1 Regulations and what they mean to IT pros

| Regulation | Expectation |
| --- | --- |
| Sarbanes-Oxley Act (SOX) of 2002 | Section 404 recognizes the role of information systems and requires publicly listed companies to review their internal controls over financial reporting annually. |
| Health Insurance Portability and Accountability Act (HIPAA) | Addresses the security and privacy of health data; the "Security Rule" covers administrative, physical, and technical safeguards for that data. |
| Electronic Discovery (eDiscovery) | Defines criteria for document retention and access, including determining the scope of access and who has accessed documents. |
| Federal Information Security Management Act of 2002 (FISMA) | Requires a comprehensive information security framework for United States government systems, coordinated with various law enforcement agencies, and establishes a mechanism for controlling and recognizing the INFOSEC capabilities of commercial products and software. Section 3544 covers the responsibilities of the organization, including IT controls. |
| Federal Information Processing Standards (FIPS) Publication 200 | Specifies the minimum security requirements for federal information and information systems and points to the recommended practices found in NIST Special Publication (SP) 800-53. Section AU-2 of NIST SP 800-53 (Auditable Events) specifies that the information system must be able to compile audit records from multiple components into a system-wide, time-correlated audit trail, that auditable events can be managed at the level of individual components, and that the organization periodically reviews the auditable events. |
Given all these legal pressures, what do IT professionals need to do? IT managers and technicians need to build clear and concise scenarios and present them to people inside and outside the organization. This includes developing the right audit strategy, which requires assessment and investment up front. The key concept here is that auditing must be designed in advance rather than as an afterthought, which is how it is so often done.
Such IT challenges can usually be addressed through a combination of people, processes, and technology. For auditing, the process is the critical piece. The first step, therefore, should be to master the basics so that you can respond to the organization's needs and its compliance requirements. Let's start by introducing some of the basics of auditing in Windows, and then delve into the changes in Windows Server 2008 and Windows Vista®.