2. Check control settings and compare to security policy.

The audit team periodically checks the controlled systems to verify that their settings comply with the security policy and produces a report listing every controlled system and the controls it violates. At set intervals the report also has to include the complete set of security control settings and the full inventory of controlled systems, not only the deviations.

3. Document health check and deviations.

The audit team archives the health check results documenting that the health check was performed according to the security policy.

4. Address deviations.

The audit team informs the system owners and administrators of the health check findings. Usually this takes the form of a list of deviations that specifies a target date for correcting each discrepancy.

5. Correct settings.

The system administrators usually test the corrective actions in a test environment, verify that the system functions are not affected, and deploy the changes to the production environment.

6. Report compliance status.

The audit team creates security compliance status reports for management and external audit purposes on a regular basis.

7. Request compliance exceptions.

System administrators who come across security settings that affect the functionality of a system might request compliance exceptions. They ask the audit team whether the violation of a security control can be tolerated for a certain amount of time.

8. Ask for risk acceptance.

When asked for compliance exceptions, the audit team will negotiate a risk acceptance with the management team. Usually, the risk acceptance is temporary until there is a secure solution for the IT system.

This process was designed for managing server compliance, where a typical environment includes a variety of different configurations, platforms, and applications. In a server environment, the number of application-specific deviations can be large and the change management process is required to correct any noncompliance.

In the typical workstation environment, on the other hand, all clients tend to share a uniform set of security settings, so the remediation process can be automated; this allows a faster response to security threats and limits the spread of infection across the network.
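The following script is an added example, not code from this IBM Redbook or from the Tivoli and Cisco products it describes. It shows steps 2 to 8 of the process above as a small health check: a policy of required settings is compared with each system's observed settings, violated and missing controls are listed with a correction target date, approved exceptions (risk acceptances) suppress a deviation only until they expire, and a status summary is built for management reporting. The control names, policy values, sample systems and exception records are all hypothetical and constructed for the example; the comparison is an exact match, so threshold-style controls would need a comparator of their own.

```python
"""Compliance health check against a security policy (added example).

Everything here is hypothetical: control names, policy values, sample systems
and exceptions are constructed to illustrate the process, not taken from a
real product or environment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any

# Hypothetical security policy: control id -> required setting (exact match).
POLICY: dict[str, Any] = {
    "password.min_length": 12,
    "password.max_age_days": 90,
    "ssh.permit_root_login": "no",
    "audit.enabled": True,
}


@dataclass(frozen=True)
class ComplianceException:
    """An approved risk acceptance (steps 7 and 8). It is temporary and expires."""
    system: str
    control: str
    expires: date
    approved_by: str


@dataclass(frozen=True)
class Deviation:
    system: str
    control: str
    expected: Any
    observed: Any          # None when the control is not set at all
    status: str            # "violation", "missing" or "excepted"
    target_date: date      # correction deadline, or exception expiry if excepted


def active_exception(exceptions, system, control, today):
    """Return the exception covering this control, or None when there is none
    or it has expired: an expired risk acceptance counts as a violation again."""
    for ex in exceptions:
        if ex.system == system and ex.control == control and ex.expires >= today:
            return ex
    return None


def check_system(system, observed, policy, exceptions, today, remediation_days=30):
    """Step 2: compare one system's settings with the policy and list deviations."""
    deviations = []
    for control, expected in policy.items():
        present = control in observed
        actual = observed.get(control)
        if present and actual == expected:
            continue
        ex = active_exception(exceptions, system, control, today)
        if ex is not None:
            status, target = "excepted", ex.expires
        else:
            status = "violation" if present else "missing"
            target = today + timedelta(days=remediation_days)   # step 4 target date
        deviations.append(Deviation(system, control, expected, actual, status, target))
    return deviations


def health_check(systems, policy, exceptions, today, remediation_days=30):
    """Steps 2 to 4 and 6: check all controlled systems and build the report
    handed to system owners (open deviations with target dates) and to
    management (compliance status per system and overall rate)."""
    report = {"date": today.isoformat(), "systems": {},
              "open_deviations": [], "excepted": []}
    for system, observed in systems.items():
        devs = check_system(system, observed, policy, exceptions, today, remediation_days)
        open_devs = [d for d in devs if d.status != "excepted"]
        report["systems"][system] = "compliant" if not open_devs else "noncompliant"
        report["open_deviations"].extend(open_devs)
        report["excepted"].extend(d for d in devs if d.status == "excepted")
    total = len(systems)
    compliant = sum(1 for s in report["systems"].values() if s == "compliant")
    report["compliance_rate"] = compliant / total if total else 1.0
    return report


# Constructed sample data: settings as a scanner or agent might report them.
SAMPLE_SYSTEMS = {
    "web01": {"password.min_length": 12, "password.max_age_days": 90,
              "ssh.permit_root_login": "no", "audit.enabled": True},
    "db01":  {"password.min_length": 12, "password.max_age_days": 90,
              "ssh.permit_root_login": "yes"},           # audit.enabled is missing
    "app02": {"password.min_length": 8, "password.max_age_days": 90,
              "ssh.permit_root_login": "no", "audit.enabled": True},
}

# Constructed exceptions: one still valid on the check date, one already expired.
SAMPLE_EXCEPTIONS = [
    ComplianceException("db01", "ssh.permit_root_login", date(2025, 12, 31), "CISO"),
    ComplianceException("app02", "password.min_length", date(2025, 3, 31), "CISO"),
]

CHECK_DATE = date(2025, 6, 1)

if __name__ == "__main__":
    rep = health_check(SAMPLE_SYSTEMS, POLICY, SAMPLE_EXCEPTIONS, CHECK_DATE)
    print(f"Compliance rate {rep['compliance_rate']:.0%} on {rep['date']}")
    for d in rep["open_deviations"]:
        print(f"  {d.system} {d.control}: expected {d.expected!r}, observed "
              f"{d.observed!r} ({d.status}), correct by {d.target_date}")
    for d in rep["excepted"]:
        print(f"  {d.system} {d.control}: excepted until {d.target_date}")
```

Run as a script, the check dated 2025-06-01 reports web01 as compliant, db01 as noncompliant for the missing audit control while its root-login exception is still honoured, and app02 as noncompliant because its exception expired in March; this is the point of keeping exceptions time-bound, as the risk acceptance step describes.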

Chapter 2. Architecting the solution
