June 2nd, 2006, 09:20 PM
Share/Application ACL and Review
I am hoping someone might point me towards an intuitive application, with all the SOX (Sarbanes-Oxley) rules and regulations in place and a need for general security and access rights review.
It has come to my attention that when someone in my company changes positions or gets hired in or whatever it might be, their old access is not changed; only the new access needed is added. There is no review of the process or anything else.
I am looking for an application into which I can input user IDs, different systems, applications, share drives, etc. and determine what access rights they have. Then quarterly I can send an email to the various department and application owners to review, so they can tell me if said UID should still have access to whatever systems.
I would also love to see an application for Windows 2k3 Server that would automagically tell me what permissions are associated with each folder/subfolder. This is assuming I have full administrative control of the server (which I do).
This will encompass multiple systems, including Windows shares, AS/400 applications, and various other applications (i.e. JBA, B&L; the list goes on).
If anyone has any other ideas or thoughts on SOX compliance that might aid me while I get familiar with all the different things I need to answer to and understand, that would be great.
Duct tape.....A whole lot of Duct Tape
June 2nd, 2006, 10:13 PM
HIPAA compliant... Similar issues.
We use role-based access. We create a group for each position. We grant the appropriate rights to the group. Then we place the user in the group. Voila, the appropriate rights are granted. If a user leaves and is replaced, they are removed from the group (all access is therefore denied), and the new user is put in the group. Voila, all appropriate rights are granted.
It works quite well across 350+ users... It might be harder across a larger organization but then again, once set up it eases a lot of administrative grief in the long run.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
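As an added illustration (not code from any poster in this thread), here is a small Python model of the group-per-position approach described in the reply above, combined with the quarterly per-owner review list the original post asks for. It also flags the exact problem the original poster describes: an ad hoc grant made outside the group model that survives a position change. All users, groups, share paths, application names and owners are constructed sample data; nothing here reads a real server or directory.

```python
"""Role-based access model plus a quarterly access-review report.

Added example; not code from the thread. Every user, group, resource
and owner below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str                                  # a share, an AS/400 application, etc.
    owner: str                                 # the person who signs off each quarter
    groups: set = field(default_factory=set)   # groups granted access to it


class AccessModel:
    def __init__(self):
        self.resources = {}
        self.membership = defaultdict(set)     # user -> groups (one group per position)
        self.direct = defaultdict(set)         # user -> resources granted directly, outside the model

    def add_resource(self, name, owner, groups=()):
        self.resources[name] = Resource(name, owner, set(groups))

    def assign_role(self, user, group):
        self.membership[user].add(group)

    def grant_direct(self, user, resource):
        """An ad hoc grant that bypasses the group model; this is what accumulates over time."""
        self.direct[user].add(resource)

    def transfer(self, user, new_group):
        """Position change done the role-based way: every old group is dropped first."""
        self.membership[user] = {new_group}

    def _via_groups(self, user):
        return {r.name for r in self.resources.values() if r.groups & self.membership[user]}

    def effective_access(self, user):
        """Everything the user can reach, whether through a group or a direct grant."""
        return self._via_groups(user) | self.direct[user]

    def stale_direct_grants(self):
        """Direct grants no current group would give: the 'old access never removed' case."""
        out = {}
        for user, res in self.direct.items():
            stale = res - self._via_groups(user)
            if stale:
                out[user] = sorted(stale)
        return out

    def review_report(self):
        """Per-owner rows of (resource, user, how granted), ready to email for sign-off."""
        report = defaultdict(list)
        for user in set(self.membership) | set(self.direct):
            for name in sorted(self.effective_access(user)):
                r = self.resources[name]
                how = sorted(r.groups & self.membership[user])
                if name in self.direct[user]:
                    how.append("direct")
                report[r.owner].append((name, user, ",".join(how)))
        return {owner: sorted(rows) for owner, rows in report.items()}


def build_sample():
    """Constructed scenario: one user transfers between positions with a leftover direct grant."""
    m = AccessModel()
    m.add_resource(r"\\fs01\Finance", owner="finance-owner", groups={"AP-Clerk", "Controller"})
    m.add_resource("AS400-JBA", owner="jba-owner", groups={"AP-Clerk"})
    m.add_resource(r"\\fs01\HR", owner="hr-owner", groups={"HR-Generalist"})
    m.assign_role("jdoe", "AP-Clerk")
    m.grant_direct("jdoe", "AS400-JBA")      # someone added jdoe to the application by hand
    m.transfer("jdoe", "HR-Generalist")      # position change: AP-Clerk membership dropped
    m.assign_role("asmith", "AP-Clerk")      # jdoe's replacement
    return m


if __name__ == "__main__":
    model = build_sample()
    for owner, rows in model.review_report().items():
        print(f"Review request for {owner}:")
        for resource, user, how in rows:
            print(f"  {resource:<20} {user:<10} via {how}")
    print("Stale direct grants:", model.stale_direct_grants())
```

The transfer drops the old group, so the Finance share no longer lists jdoe; the hand-made grant on the AS/400 application does not go away by itself, which is why it appears in both the owner's review list (marked "direct") and the stale-grant check. Running the stale check on every position change, not just quarterly, is the cheapest way to keep the group model honest.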
June 2nd, 2006, 10:29 PM
SOX w/ COBIT
DS5.4 User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included. These procedures should apply for all users, including administrators (privileged users), internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
DS5.3 Identity Management
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements. User access rights are requested by user management, approved by system owner and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access rights.