Commonly, there is either a complete lack of, or very outdated, security policy coupled with a system using 98 percent-plus default settings. In short, there’s no real focus on IT security. And I want to stress that this is for any operating system; for any application.
In short, lacking a recent IT security policy you will fail an IT security audit. (Do not confuse “security assessment” with “security audit.” An assessment can be used to help you prepare for an audit.)
In short, IT systems and applications security mechanisms should be driven by business policy that identifies risks, evaluates the probability and impact of these risks on systems and the business, and defines a “protection” scheme, a.k.a. security requirements. And it should include a section specifying the requirements to determine that it’s all working as intended.
In this sense, audit refers to “an auditor” who comes to inspect your policies, how effective the implementation of that policy meets your goals, as well as industry and legal requirements. I mention this because AIX also has a mechanism named “audit.” Do not confuse the context of audit process with the mechanism and vice versa.
Getting back to our title: “How to FAIL a Security Audit.” The result of an IT audit should also “FAIL” every time there’s no use of an audit mechanism. Likewise, no syslog “active” monitoring is also grounds for a “failed IT audit.” The difference between syslog and audit lies in who and where the decisions are made about what information is reported.
Security Management is a Business Responsibility
Unfortunately, too many people “responsible for the business” see implementing security measures only as an added expense. To them I want to say: “Penny wise is pound foolish.” Many companies never survive a serious security breach. Usually system administrators are aware of common risks, but lack the business perspective to identify business risks. For example, they lack the budget authority to make the time and money expenditures needed to even implement so-called best practice/common sense IT security measures. Result: IT audit FAILURE!
Security Management Is Managing Risk
Business management of security is managing risks. IT systems represent/contain/produce financial assets. That is right, think of automated systems as money! You might be able to survive losing your uninsured wallet and the assets it contains—but could you survive losing all your bank accounts (no/poor security policy is comparable to no insurance/under insured). Yes, there is some cost—but what risks are covered. In short, your security policy should accept risks that have low probability and impact—that you can survive without coverage but be sure you have mechanisms in place to mitigate unacceptable risks. Psst! An unknown risk is an accepted risk!
Be ready! And Be Sensible!
Get started on securing your business! too much insurance can bankrupt you. Do a risk analysis, get started on validating the security of your business. Your first step would be to read your security policy. Yes, you can spend too much, but it seems it is much easier to invest too little!
Keep coming back to SecuringAIX. I'll be sharing "recipes" for implementing AIX security mechanisms such as syslog, audit, RBAC, aixpert and trusted execution. Just remember you need to write the menu!