[logs] SIM solution - Objectives ? (Firewall logging)

[Paul Melson]

> If you look at ISO 17799 for log monitoring (where a lot of things like
COSO, CoBIT, and )they are not 
> prescriptive on the period of reconciliation.
>
> ISO17799-s10.10.2 (this could be old) calls for the creation of procedures
to monitor system use, and 
> review of the results of this monitoring shall happen regularly,
including:
> *	Authorized access,
> *	Privileged operations,
> *	Unauthorized access attempts,
> *	System alerts or failures, and
> *	Changes to, or attempts to change, system security settings and
controls.
>
> And yes, unless you wash the feet of the auditors after they step over the
palm branches laid before 
> them, "good enough" should suffice.

I have to disagree and say that BS/ISO 17799 requires time frames
(SLA's/OLA's) for both monitoring and review to take place and that a
response to any exceptions be initiated.  This is covered in 8.1.3 in the
context of incident response and investigation.  If you go the CoBIT/ITIL
route, you will have to build additional controls around those time frames
to prove that you're performing the review and the response and that you're
doing both within the windows that you say you are.  And at least where I
work, both our internal auditors and our third-party auditors (from a Big 3
firm) ask for this proof.

So, can you build something that is brainlessly 'compliant' using a rigidly
literal interpretation of a standard combined with very weak internal P&P
documents?  Of course.  But it's just teaching to the test.  You're not
accomplishing anything.  You're doing work solely to make auditors happy.
At that point your cart is so far out ahead that your horse can't see it
anymore.

PaulM