
Thread: Suggestions on Comprehensive Security

  1. #11
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    found this: http://www.sawmill.net
    You may also consider a syslog daemon: http://www.kiwisyslog.com/products.htm#sysloggen to concentrate all logs in one point.
    I have no experience with those; I used to scan my logs on my own (some VB, scripts, PHP, COBOL stuff). If you like programming, you can try :P
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Angelic:

    Please feel free to show this to your boss.

    I believe that as a financial institution your company falls under Sarbanes-Oxley -

    Some of the security questions are answered here

    Of particular note is the following:

    Q: What do you see as the most direct tie between Sarbanes-Oxley and an organization's security program?
    A: There are several links between Sarbanes-Oxley requirements and a company's security program. They include: ensuring appropriate awareness of company security policies and commitment by management; designing and implementing appropriate security controls; and documenting and auditing security policies, and making sure they are understood by management and end users.
    Also, from here comes:

    Yet in the law there is a provision mandating that CEOs and CFOs attest to their companies' having proper "internal controls." It's hard to sign off on the validity of data if the systems maintaining it aren't secure. "It's the IT systems that keep the books," Saidman said. "If systems aren't secure, then internal controls are not going to be too good."
    Ever considered a risk assessment? Has your boss? Would your boss think that a risk assessment would be a prudent thing to do? It's mandated under Sarbanes-Oxley.

    If he doesn't can you please give the name of your company and any other company names or subsidiaries your company may operate under so that I might avoid ever doing business with them in the future.... Thank you....

    [Edit]

    Angelic and Caca:

    I have a tutorial here on the implementation of a cost effective system.

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    "I don’t think that worrying about an employee getting burglarized is that big of a risk."

    That's the official word.

    See what I'm dealing with guys?! He suggested password protecting the tapes we bring home, so I guess I'll have to look into that...

  4. #14
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Angelic and Caca
    Man, next time you write my nick wrong AGAIN I will hunt you down!
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  5. #15
    Member
    Join Date
    Jan 2004
    Posts
    33
    Sarbanes-Oxley is one federally regulated body that may be mandated under your current employer. Usually SOX is only required of those companies that have public stockholders. If this is not the case then I would recommend reviewing the GLB Act. If your company holds any personal information (which most financial institutions do) about their clients, then this document may help solidify your position, GLB Act Sections 501-504 specifically.

    All the suggestions here are right on and would meet your requirements based on the GLB Act. I just finished up an external audit and having these pieces in place went a long way to making the auditors happy.

    Good Luck

  6. #16
    AO Decepticon CXGJarrod
    Join Date
    Jul 2002
    Posts
    2,038
    Originally posted here by AngelicKnight
    "I don’t think that worrying about an employee getting burglarized is that big of a risk."

    That's the official word.

    See what I'm dealing with guys?! He suggested password protecting the tapes we bring home, so I guess I'll have to look into that...
    I know how you feel. Getting money out of my company is like getting blood out of a rock. They are willing to buy stuff once something has happened though. I live in southern California, and when the fires got going last year (to within 4-5 miles of the office) the CFO was finally coaxed into buying some more stuff for us.

    What about the DVDs? They can be played in any $20 DVD player. What if one of your houses burns down? (Then you are without the backups.) I know the "what if" situation may not be the best way to approach your boss, but maybe breaking into his house is. j/k
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  7. #17
    The DVDs don't go home fortunately. They just stay in the President's office.

    So I had never heard of Sarbanes Oxley before. This'll make a good research project!

  8. #18
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    One suggestion for your tape problem may be keeping them in a safety deposit box in a bank.

    What we do where I work is we have the main tape backup system, but then we also have a backup off-site tape system whose tapes get sent to a safety deposit box in a bank (since most bank safes are fireproof) with our "everyday" tapes. Every 3 weeks (about the life of our tape sets) we move them to an off-site storage that is still close enough for us to walk over, but it will protect the tapes if the IT/computer science building burns and crumbles.

    As far as your infrastructure goes, attached is a picture of how ours is and maybe it will help you (it is pretty cheap to implement). We use Smoothwall firewall (free) on an older box that has been "bumped down" from normal use - it is still a P4 1.4 GHz with dual gigabit cards.

    I didn't put the routers in there, but for the most part, the router lives where the letters on the line are (ex: DMZ and Rest of Network) and before the first firewall (for the internet connection). We are on a shared OC-3 and have all Windows computers (except the firewalls and the servers). Our servers are a mix of Win2k AS, Win2k3 ES, HP-UX and Tru64. (Many of our servers are internal so they didn't show up on my little diagram.)

    I hope this helps, if you need any more details let me know.
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One. Use Hardened Gentoo.
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  9. #19
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    I'd make suggestions, but from your description you are really just starting from scratch, and as usual there is as much different advice flowing around here as there are people dispensing it. All I can say is good luck. My experience working for a financial services company was that the industry itself is incredibly backwards in technology adoption. It might take a break-in to illustrate your point. You might also consider getting some consultants in on it as if you have some people whose sole job it is to analyse for security, you will have a better chance of making headway with management. For some reason they seem to be of the opinion that they hired you, so obviously you are just making up ways to spend money. :/
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
