
White Paper

Ensuring Your IT Policies Actually Work with Change and Access Auditing

If policy and auditing don’t match, neither will serve its intended purpose. Here’s how to avoid conflicts and roadblocks.

By Jason Helmick

Table of Contents

Is Auditing Really All that Important?
Why Organizations Fail with Auditing
Who’s to Blame for Failure?
Solving the Problem Through Process
In Closing
Your organization might be reviewing the occasional server log, perhaps even auditing user account changes to Active Directory, but are you helping your company create and implement a formal and rigorous auditing policy? This involves more than selecting what to audit; it means understanding and following a process of defining, monitoring, detecting and responding to your business’s change and access auditing needs.

Many organizations already have formal policies in place covering the development of infrastructure, as well as the mitigation of operational and security risks. Failing to establish well-defined controls that ensure those policies are actually applied still leaves the company at risk. The risk can be as minor as an inability to stay within compliance or as severe as the leakage of confidential data.

In a recent interview with Ilia Sotnikov, Director of Product Management at Netwrix, the question of policies versus controls was raised:

“A lot of organizations, even if they do not have a formal policy around configuration changes, or on computer use, or on sharing information – there is still some sort of informal policy in place, some sort of expectation of who needs what kind of data to do their jobs – there are still expectations on the level of service from IT and the uptime and availability for different services. Even when formal policies are not in place, there is some sort of expectation between the business, the users and IT about how the IT infrastructure is being used, how the data is accessed and how the changes are being tracked.”

Elevating the importance of change and access auditing requires a better understanding of the process and controls, and of what failure means to your organization.
Is Auditing Really All that Important?

During an outage or security breach, listen to the IT pro begin to diagnose the situation. The first question asked is the one that itself answers the importance of auditing: “What’s changed?”

Regardless of the nature of the infrastructure or security failure, that question starts the investigation to discover and resolve the current problem. How the investigation proceeds from this point is determined by the policy, process and controls in place, or lacking, for change and access auditing. If the organization has instituted a solid and well-known process, the investigation can move swiftly to remediation because the IT and security teams have rapid access to the audit information they need. Without this information, IT and security must first go and find it, spending valuable time and resources, and sometimes without a satisfactory resolution for the business.

Being able to quickly answer that one question, “What’s changed?”, helps detect and prevent security breaches and improves the quality and completeness of investigations into both outages and breaches. These are the extreme failures that organizations fear most. By choosing to implement an effective auditing policy, organizations also gain a more subtle benefit: a verifiable change management process, which improves business continuity and allows compliance to be monitored on an ongoing basis.

In response to a security breach scenario, Mr. Sotnikov outlined the importance not only of mitigating a breach, but of change monitoring to prevent the breach in the first place:

“It’s not only detection of the leak itself, we are also talking about detecting the event or the change or the incorrect setting or permission that may lead to a leak in the future.”

Organizations with compliance requirements such as PCI, HIPAA and SOX must ensure that the business remains in compliance on an ongoing basis. This is not only to detect a breach, but also to prevent one from occurring in the future. Change and access auditing, with a formal process of control, can achieve the desired
Why Organizations Fail with Auditing

The typical mistake organizations make is failing to ensure that policies are actually being applied. As Mr. Sotnikov pointed out: “A good policy is not just a web document sitting somewhere on an internal portal.” Audit policies require implementation and monitoring, which means training and guidance. The workforce, especially the IT, security and compliance departments, needs to understand its roles and responsibilities in applying the policies. To be successful, this often requires someone to be directly responsible for the audit policies and dedicated to ensuring their ongoing application.

Many organizations have found it challenging to use their auditing process even after it has been properly implemented. The failure occurs in the selection, or lack of selection, of what to monitor and audit. The business stakeholders, working with IT, compliance and security, should be discussing which components are most important to audit. Some organizations make the mistake of casting an open net, grabbing every server log along with every access and infrastructure change. This overloads the people responsible for monitoring the audit information with an excessive amount of irrelevant data. While it is possible to succeed this way, most organizations quickly overwhelm themselves.

Resolving the lack of scope requires decisions, made from the beginning, to focus on the parts of the data and infrastructure that actually need to be audited and monitored. For many organizations that have experienced this overload, it quickly makes sense in hindsight that auditing access to a web page of product features is not as important as auditing access to the database containing customer records.
Who’s to Blame for Failure?

We have all seen the publicized news reports of security breaches and data loss affecting some of the largest and best protected companies in the world. These are often highly sophisticated attacks, frequently exploiting flaws discovered in a lower layer of the infrastructure, and not necessarily a failure of auditing policy and controls. They should be treated for what they are: unique.

However, many smaller companies, which don’t consider themselves targets of these types of attacks, make the mistake of believing they needn’t be concerned. This casual approach reduces the organization’s ability to know what is happening with its data. A formalized approach reduces the possibility of the organization slipping out of compliance, or of a user mistake causing the leak of confidential data. IT enjoys the benefit of fewer operational outages due to failed change management.

Often, IT is blamed for the outages and security breaches, but that answer is much too simplistic. The solution begins with the business stakeholders understanding the cost to reputation and the possible legal action resulting from data loss or leakage. Combine this with the benefit of increased operational continuity, and auditing quickly rises in importance. But the stakeholders can’t solve this problem alone.

The solution is a joint effort: IT, security and compliance working with the stakeholders to define and implement the best policies for the organization. A failure is not a finger-pointing exercise, but a discussion point about something that got missed and now needs to be resolved. It’s this combined teamwork that produces the most effective policies and procedures.
Solving the Problem Through Process

In discussing how to approach a solution with Mr. Sotnikov, it emerged that successful organizations implemented a process involving the stakeholders and the IT, security and compliance teams. Reviewing and repeating the process is key to meeting the organization’s objectives. The process involves six general steps:

1. Define policies and controls
2. Monitor for policy compliance
3. Detect non-compliant activity
4. Inform stakeholders of incidents, response and remediation
5. Perform postmortem analysis
6. Return to monitoring for compliance

A person or group primarily responsible for compliance is best placed to own the cycle and ensure that the process is understood, adopted, implemented and reviewed on a consistent basis. The details of each step will vary depending on the organization, but the basic principles are as follows.

1. Define policies and controls

Initially this is often the most complex part of the process, involving the whole team in making the most important decisions. The decisions made here are not carved in stone and should be reviewed and changed on a continual basis. At the heart of this is an understanding of what to audit and how to accomplish the data collection goals.

What you should audit

As discussed earlier, it is possible to collect data on every aspect of all systems, but this often leads to failure through overload, requiring too many eyes on the data and too many processes and controls. It is better to work together to define a scope of collection, recognizing that some systems are more important than others and some data is more important than other data, and to build the process and controls around this scope. The definition of this scope comes from the business teams, and the focus should start with the most important items and gradually work down to the least, then review and add as experience and resources become available.
As an example, auditing access to a user’s home folder may not be as important as monitoring the database that holds the company’s customer information. Resources should be focused first on the important data.

Many organizations start by getting control over access, such as logons, and over change management of identities and permissions. In a Microsoft environment this is primarily Active Directory, including Group Policy. The next step is often auditing access and permissions to the data stored in products such as SharePoint, SQL Server and Exchange. The scope should grow to include not only the systems containing the data, but the systems and processes that have access to the data.

How you should audit

Collecting the auditing data for the defined scopes is not as easy as flipping a switch. While many products provide some sort of logging, it is usually different for each product and difficult to collect in a comprehensive and useful way for investigations and change management.

To build a comprehensive picture useful to the audit professional, the audit software should answer the following questions:

• What was changed?
• Who changed it?
• When was it changed?
• Where was the change made from?

When formal policies have been applied, it helps to have an expectation of the data that will be available when an auditable event occurs. Making sure that this information is collected, easily accessible and searchable by audit professionals is the key to making the audit process useful.

The importance of this data extends directly to IT in the event of a service outage caused by a change. If all change management is audited, then outages can be investigated quickly.
Not all changes affect only the local system; some changes negatively impact other systems, and without a complete picture of change management these can require extended troubleshooting to resolve. For example, a permission change made by the Storage team could negatively impact the operation of the Exchange server. If the Exchange team has quick access to this change information, a resolution can be implemented rapidly.

2. Monitor for policy compliance

While still in this initial phase of defining the policies and controls, a decision on tooling is required. A hodgepodge of questionably supported tools introduced by IT over time to gather and manage the audit data is doomed to failure. Lack of support, continuity and training, coupled with the auditing limitations of each product, sets the stage for a complicated and unused process.

Organizations that have focused on unified auditing platforms supporting the products and processes in their environment are the most successful. A unified platform simplifies training and usability, helping to ensure that audit processes are followed and monitored. Without this, the rest of the steps toward success become irrelevant.

3. Detect non-compliant activity

Once formal policies are in place, the auditing platform should help IT and security quickly recognize non-compliant activity through alerts and search capabilities. Teams need to react quickly to avoid the risk of data leakage and system outages. Tools that are complicated to use, or that don’t provide unified search and alerting, go unused, causing the entire audit process to fail to achieve the organization’s goals.

4. Inform stakeholders of incidents, response and remediation

Many organizations build a communication process into the auditing process for when a non-compliant event occurs. It begins with notifying the stakeholders of the event, regardless of severity, and of the planned response and remediation.
… remediation to inform stakeholders, as other compliance and legal processes may need to be initiated. Knowledge of these additional requirements is normally outside the scope of IT, and the decisions that stakeholders make regarding compliance may affect the response and remediation strategy.

5. Postmortem analysis

At the end of any non-compliant event, whether detected by the access and change auditing process or because a breach or outage has occurred, there must be a review to improve the overall process. While some organizations use postmortem reviews for finger pointing, realize that mistakes will be made and something will be missed from the audit. The focus needs to be on understanding what event occurred and whether changes need to be made to help prevent future occurrences. This can be as simple as adding a non-audited system to the process or refining an audit scope. An organization that is actively working to implement and monitor change and access auditing efficiently will find the process easier than an organization that hasn’t started.

6. Return to monitoring for compliance

There is a cycle that IT and security professionals need to incorporate into their normal daily management: the continued practice of monitoring for compliance, detecting and responding to non-compliant events, and performing postmortem analysis. There is still the larger cycle of all six steps, which the audit/compliance professional should be driving: bringing the stakeholders back to review the scope of auditing and discuss the monitoring and remediation processes, and bringing IT and security into the room to determine where improvements are
In Closing

Many organizations believe they are doing something to monitor their systems, but often find out that is not the case. Without formal policies and processes, without controls and procedures in place, and without the right tools to collect and alert, data leakage, unnecessary outages and extended outages affecting business continuity should be expected. The business stakeholders, working with IT, security and compliance professionals, can implement a successful policy for access and change auditing.

Jason Helmick is senior technologist at Concentrated Technology.

About Netwrix
Netwrix Corporation provides a market-leading visibility and governance platform for on-premises, hybrid and cloud
IT environments. More than 150,000 IT departments worldwide rely on Netwrix to detect insider threats on premises
and in the cloud, pass compliance audits with less expense and increase productivity of IT security and operations
teams. Founded in 2006, Netwrix has earned more than 90 industry awards and been named to both the Inc. 5000 and
Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information, visit www.netwrix.com