Internal auditors at the Massachusetts Department of Revenue (MDOR) — which administers the tax and child support laws of the Commonwealth of Massachusetts — use a combination of automated and manual data surveillance techniques to proactively monitor, evaluate and test individual accesses of confidential financial information stored in databases. MDOR’s data surveillance function, referred to as “Transaction Tracking,” is a continuous process performed by the Office of Internal Audit’s Information Security Unit (INFOSEC), which is part of MDOR’s Inspectional Services Division.
Instead, the surveillance process must be structured, ongoing and proactive — similar to an audit program of continuous transaction testing and sampling. To be effective, surveillance programs must encompass policy and awareness; monitoring, detection and investigation; and a structured disciplinary process.
Set Clear Policies
Before implementing a data surveillance program, it is critical that organizations establish a clear data access policy and notify all employees that violations will result in disciplinary action. Although most organizations currently have policies prohibiting the nonbusiness use of workplace technologies and systems, a separate policy is needed to address access of confidential information for personal reasons. The policy must set forth the prohibitions against accessing data for nonbusiness reasons, provide specific examples of accesses that are prohibited, and emphasize that violations will result in discipline, including termination and potential criminal prosecution.
During the orientation process at MDOR, each new employee is required to review the department’s confidentiality policy, sign an acknowledgment that they understand it, and view a “Protecting Privacy” video detailing the consequences of data access violations. Further, employees are reminded when they log into the network that their activities are being monitored and must be directly related to their official responsibilities.
A Blended Approach
In data surveillance programs, the monitoring process must be continuous and not used solely to respond to, or investigate, specific allegations of employee “browsing” of the database. All employees with access to confidential information must be subject to this monitoring, and the process must be structured and applied consistently. Although the process of monitoring database activity may appear to be highly technical, MDOR has implemented a blended approach that combines information technology (IT) strategies, audit sampling methods and traditional investigative techniques. If the employee is unable, or refuses, to provide a business explanation for accessing a certain account, auditors refer the case to MDOR’s Office of Internal Affairs for further investigation.
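As an added illustration, and not MDOR's own code or rules (the article does not describe them), the Python sketch below shows the shape of one blended transaction-tracking pass: a deterministic rule screen over access-log records (the IT strategy), followed by random sampling of the accesses that no rule caught so that every employee is covered consistently (the audit sampling method). The output is a worklist of accesses for which the employee would be asked to explain the business reason. The log records, the caseload assignments, the two screening rules (access to an unassigned account, access outside business hours) and the field names are all assumptions constructed for this example.

```python
"""Illustrative transaction-tracking pass over constructed access-log records.

Assumptions (not from the article): record fields, the caseload table,
the two screening rules, and the sampling rate are all invented here.
"""
import random
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Access:
    employee: str
    account: str
    ts: datetime
    action: str  # "view" or "update"


# Constructed sample: accounts each employee is currently assigned to work.
ASSIGNMENTS = {
    "e100": {"acct-1", "acct-2"},
    "e200": {"acct-3"},
}

# Constructed sample access log (not real data).
LOG = [
    Access("e100", "acct-1", datetime(2024, 3, 4, 9, 15), "view"),
    Access("e100", "acct-2", datetime(2024, 3, 4, 10, 2), "update"),
    Access("e100", "acct-9", datetime(2024, 3, 4, 12, 30), "view"),  # not assigned
    Access("e200", "acct-3", datetime(2024, 3, 4, 14, 0), "view"),
    Access("e200", "acct-3", datetime(2024, 3, 4, 23, 45), "view"),  # after hours
    Access("e200", "acct-1", datetime(2024, 3, 5, 8, 5), "view"),    # not assigned
]

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59


def rule_flags(acc: Access) -> list[str]:
    """Deterministic screen: return the names of every rule the access trips."""
    flags = []
    if acc.account not in ASSIGNMENTS.get(acc.employee, set()):
        flags.append("unassigned-account")
    if acc.ts.hour not in BUSINESS_HOURS:
        flags.append("outside-business-hours")
    return flags


def build_worklist(log, sample_rate=0.5, seed=0):
    """Return (flagged, sampled).

    flagged: {Access: [rule names]} for every access a rule caught.
    sampled: a random sample of the remaining accesses, drawn per employee
             (at least one per employee) so coverage is applied consistently
             and not only to people who already drew suspicion.
    """
    rng = random.Random(seed)  # fixed seed so an audit run is reproducible
    flagged = {}
    unflagged = {}
    for acc in log:
        hits = rule_flags(acc)
        if hits:
            flagged[acc] = hits
        else:
            unflagged.setdefault(acc.employee, []).append(acc)
    sampled = []
    for emp, accs in sorted(unflagged.items()):
        k = max(1, round(len(accs) * sample_rate))
        sampled.extend(rng.sample(accs, k))
    return flagged, sampled


if __name__ == "__main__":
    flagged, sampled = build_worklist(LOG)
    for acc, hits in flagged.items():
        print(f"RULE   {acc.employee} {acc.account} {acc.ts:%Y-%m-%d %H:%M} {hits}")
    for acc in sampled:
        print(f"SAMPLE {acc.employee} {acc.account} {acc.ts:%Y-%m-%d %H:%M}")
```

Both lists feed the same manual step: the auditor asks the employee for the business reason behind each listed access and records the answer. Sampling the unflagged accesses is what keeps the program proactive rather than complaint-driven, since an employee whose activity never trips a rule is still reviewed on a regular basis.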
http://www.technewsworld.com/rsstory/57211.html