SECURITY RISK REVIEW AND AUDIT
IT POLICIES AND PROCEDURES REVIEW
SECURITY ARCHITECTURE DESIGN AND REVIEW
Many organizations do not have detailed information security policies and do not see the value in having them. An information security policy is similar to a contract: it is an agreement between the owners of systems and services and their users and customers that all activities and interactions with systems and data are approved, authorized and carried out through standard processes. Good security policies can also improve business practices, because users and owners gain a much clearer understanding of the security practices and rules for protecting the confidentiality, integrity and availability of data.
- Benchmark IT policies and procedures with industry standards and best practices to identify areas of non-compliance or inadequacy.
- Develop security policies tailored to the needs of the organization.
Examples of General Computer Controls:
Operating system hardening
All critical servers must be configured securely against documented configuration standards. This means that all unnecessary services are disabled, user access is strictly controlled and logged, restrictive access permissions are set on key files, and all critical files and programs are monitored for unauthorized changes (for example by comparing their current hashes and permissions against a known-good baseline). A vulnerability management program that applies system patches in a timely manner also needs to be in place.
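The following is an added example, not code from the original page, showing the "monitor critical files for unauthorized changes" control in practice: it records a baseline of SHA-256 digests and permission bits for a set of watched paths, then reports modified, re-permissioned, missing and newly appeared files, plus a separate check for world-writable files. The file names (sshd, sshd_config, dropped.so), their contents and the use of a temporary directory are constructed for illustration; on a real host the baseline would be stored off-box and the watched list would be the server's configuration standard.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not from the original page): minimal file-integrity
# baseline/compare logic. Paths and contents below are constructed.


def _record(path):
    """Return (sha256 hex digest, permission bits) for one regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return h.hexdigest(), mode


def build_baseline(paths):
    """Snapshot digest and mode for every watched path that currently exists."""
    return {p: _record(p) for p in paths if os.path.isfile(p)}


def compare(baseline, paths):
    """Compare the current state of `paths` against a stored baseline.

    Returns lists of modified (content changed), permission_changed (same
    content, different mode), missing (in baseline, gone now) and new
    (present now, not in baseline). Every entry is a finding: a legitimate
    change should have gone through change control and updated the baseline.
    """
    current = build_baseline(paths)
    findings = {"modified": [], "permission_changed": [], "missing": [], "new": []}
    for p, (digest, mode) in baseline.items():
        if p not in current:
            findings["missing"].append(p)
            continue
        cur_digest, cur_mode = current[p]
        if cur_digest != digest:
            findings["modified"].append(p)
        elif cur_mode != mode:
            findings["permission_changed"].append(p)
    findings["new"] = sorted(set(current) - set(baseline))
    return findings


def world_writable(paths):
    """Hardening check: critical files must never be writable by 'other'."""
    return [p for p in paths
            if os.path.isfile(p) and os.stat(p).st_mode & stat.S_IWOTH]


def demo():
    """Constructed scenario in a temp dir: take a baseline, then tamper."""
    d = tempfile.mkdtemp()
    binary = os.path.join(d, "sshd")
    conf = os.path.join(d, "sshd_config")
    extra = os.path.join(d, "dropped.so")
    for p, data in ((binary, b"\x7fELF original"), (conf, b"PermitRootLogin no\n")):
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, 0o644)
    watched = [binary, conf, extra]
    baseline = build_baseline(watched)

    # Simulated unauthorized changes: trojaned binary, loosened permissions
    # on the config, and a new file appearing in a watched location.
    with open(binary, "wb") as f:
        f.write(b"\x7fELF backdoored")
    os.chmod(conf, 0o666)
    with open(extra, "wb") as f:
        f.write(b"payload")
    os.chmod(extra, 0o644)

    return compare(baseline, watched), world_writable(watched)


if __name__ == "__main__":
    changes, loose = demo()
    for kind, files in changes.items():
        for p in files:
            print(f"{kind}: {p}")
    for p in loose:
        print(f"world-writable: {p}")
```

The digest catches content changes and the mode check catches permission drift; a real deployment should keep the baseline where an attacker on the host cannot rewrite it (read-only media or a remote store), otherwise the attacker simply re-baselines after modifying the file.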
System Logging
Logs should carry standardized, synchronized time stamps and be stored in a secure, tamper-resistant location, separate from the systems that generate them. Logs should be reviewed and assessed for effectiveness to ensure that they capture enough information to determine what was done, by whom and when. In the event of a security or data breach, this information is crucial for determining what happened, how much information was compromised and by whom.
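The following is an added example, not code from the original page, illustrating what "tamper-resistant" can mean for an audit log: each record carries a UTC time stamp, the actor, the action and the target, plus the digest of the preceding record, so that editing or deleting any earlier line breaks the chain from that point on. The field names, the actors and the sample events are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example (not from the original page): an append-only, hash-chained
# audit log. Field names and sample events are constructed.

GENESIS = "0" * 64  # digest "before" the first record


def _digest(prev_hash, fields):
    """Digest of a record: SHA-256 over previous digest + canonical JSON."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(log, actor, action, target, when=None):
    """Append one record; `when` defaults to the current UTC time (ISO 8601)."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"ts": when, "actor": actor, "action": action,
             "target": target, "prev": prev_hash}
    h = _digest(prev_hash, entry)
    entry["hash"] = h
    log.append(entry)
    return entry


def verify(log):
    """Return None if the chain is intact, else the index of the first bad record.

    A record is bad if its `prev` does not match the preceding digest, if its
    own digest does not recompute, or if its time stamp runs backwards
    (ISO 8601 UTC strings in a fixed format sort chronologically).
    """
    expected_prev = GENESIS
    last_ts = ""
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != expected_prev:
            return i
        if entry["hash"] != _digest(entry["prev"], fields):
            return i
        if entry["ts"] < last_ts:
            return i
        expected_prev, last_ts = entry["hash"], entry["ts"]
    return None


def demo():
    """Constructed scenario: three events, then two kinds of tampering."""
    log = []
    append(log, "alice", "login", "srv-01", "2024-03-01T09:00:00+00:00")
    append(log, "alice", "chmod 666", "/etc/shadow", "2024-03-01T09:01:00+00:00")
    append(log, "alice", "logout", "srv-01", "2024-03-01T09:02:00+00:00")
    assert verify(log) is None  # untouched chain verifies

    # Tampering 1: the incriminating action is rewritten in place.
    edited = json.loads(json.dumps(log))
    edited[1]["action"] = "cat /etc/motd"
    # Tampering 2: the incriminating record is deleted outright.
    deleted = [log[0], log[2]]
    return verify(edited), verify(deleted)


if __name__ == "__main__":
    print("first broken record (edit, delete):", demo())
```

Both tamperings are detected at index 1: the edit changes record 1's digest, and the deletion leaves record 2 pointing at a `prev` that no longer matches. The chain makes tampering detectable, not impossible; an attacker with write access to the whole file can rewrite every later record, so the latest digest should also be forwarded to a separate log server or otherwise anchored outside the attacker's reach, and the clocks feeding `ts` should be synchronized (for example with NTP) so events across systems can be ordered.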