IBM Tivoli and Cisco Network Card User Manual

Chapter 2. Architecting the solution 29
2. Check control settings and compare to security policy.
The audit team periodically checks the systems to be sure their settings are in
compliance with the policy. The audit team creates a report listing all
controlled systems and the violated controls. Periodically, the report also has to
include the complete security control settings and the systems that are
controlled.
3. Document health check and deviations.
The audit team archives the health check results documenting that the health
check was performed according to the security policy.
4. Address deviations.
The audit team has to inform the system owners and administrators about the
health check process findings. Usually a list of deviations is handed over that
specifies a target date for correcting the discrepancies.
5. Correct settings.
The system administrators usually test the corrective actions in a test
environment, verify that the system functions are not affected, and deploy the
changes to the production environment.
6. Report compliance status.
The audit team creates security compliance status reports for management
and external audit purposes on a regular basis.
7. Request compliance exceptions.
System administrators who come across security settings that affect the
functionality of a system might request compliance exceptions. They ask the
audit team whether the violation of a security control can be tolerated for a
certain amount of time.
8. Ask for risk acceptance.
When asked for compliance exceptions, the audit team will negotiate a risk
acceptance with the management team. Usually, the risk acceptance is
temporary until there is a secure solution for the IT system.
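The check-and-report cycle above (compare control settings to policy, list violated controls per system, honour time-bounded compliance exceptions, and report a compliance status) as an added illustration; this is constructed example code, not part of the Redbook or of Tivoli Security Compliance Manager, and the control ids, systems, dates and exception records are made up:

```python
import operator
from datetime import date

OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}
TODAY = date(2025, 6, 1)  # reference date of this health check run (constructed)
# Security policy: control id -> (comparison, required value). Control ids are constructed.
POLICY = {
    "PWD_MIN_LEN": (">=", 8),
    "PWD_MAX_AGE_DAYS": ("<=", 90),
    "SSH_ROOT_LOGIN": ("==", "no"),
    "AUDIT_ENABLED": ("==", "yes"),
}

# Observed settings on the controlled systems (constructed sample data).
SYSTEMS = {
    "srv-db01": {"PWD_MIN_LEN": 12, "PWD_MAX_AGE_DAYS": 90, "SSH_ROOT_LOGIN": "yes", "AUDIT_ENABLED": "yes"},
    "srv-app02": {"PWD_MIN_LEN": 6, "PWD_MAX_AGE_DAYS": 180, "SSH_ROOT_LOGIN": "no"},  # AUDIT_ENABLED not reported
    "ws-0101": {"PWD_MIN_LEN": 8, "PWD_MAX_AGE_DAYS": 90, "SSH_ROOT_LOGIN": "no", "AUDIT_ENABLED": "yes"},
}

# Compliance exceptions negotiated with management (steps 7 and 8): temporary risk acceptances.
EXCEPTIONS = [
    {"system": "srv-db01", "control": "SSH_ROOT_LOGIN", "expires": date(2025, 12, 31)},
    {"system": "srv-app02", "control": "PWD_MAX_AGE_DAYS", "expires": date(2024, 1, 1)},  # expired
]

def exception_active(system, control, today):
    """True when an unexpired risk acceptance covers this system/control pair."""
    return any(e["system"] == system and e["control"] == control and e["expires"] >= today
               for e in EXCEPTIONS)

def check_compliance(policy, systems, today):
    """Step 2: returns {system: {control: 'violated' | 'missing' | 'tolerated'}} for systems with findings."""
    report = {}
    for system, settings in systems.items():
        findings = {}
        for control, (op, required) in policy.items():
            if control not in settings:
                findings[control] = "missing"  # setting not reported at all: counts as a deviation
            elif not OPS[op](settings[control], required):
                findings[control] = "tolerated" if exception_active(system, control, today) else "violated"
        if findings:
            report[system] = findings
    return report

def compliance_rate(report, systems):
    """Step 6: percentage of controlled systems with no open deviation (tolerated findings do not count)."""
    open_systems = {s for s, f in report.items() if any(v != "tolerated" for v in f.values())}
    return round(100.0 * (len(systems) - len(open_systems)) / len(systems), 1)
```

Running `check_compliance(POLICY, SYSTEMS, TODAY)` yields the deviation list handed to system owners in step 4, with tolerated entries reflecting the risk acceptances of step 8; an expired exception reverts to a violation automatically.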
This process was designed for managing server compliance, where a typical
environment includes a variety of different configurations, platforms, and
applications. In a server environment, the number of application-specific
deviations can be large and the change management process is required to
correct any noncompliance.
On the other hand, in the typical workstation environment, all clients tend to be
unified in terms of security settings, and the remediation process can be
automated so that the organization can respond faster to security threats and
avoid network infection.