Botox And IT Security – Is It Too Late For You?
by Calum Macleod - European Director of Cyber-Ark - Thursday, 14 December 2006.
So there is a challenge for you as a security officer, or as an internal auditor – face up to the fact that the sooner you deal with the organisational grooming, the better for all concerned. Today, every organization should take the security of its systems and applications seriously. Start by ensuring that you have effective policies and procedures in place to control privileged access to every system, including your workstations and applications, and make sure that you can enforce them.

And remember that regulations do not make allowances for unintentional errors, just as speed cameras are not able to differentiate between the accidentally speeding granny and the Jenson Button wannabe. Human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by fewer staff. So here are a few suggestions for when you review these policies and procedures.

Policies must be realistic – The policy must fit the requirements and ensure that the complexity is not such that users are inclined to try and bypass it.

Policies must be enforceable – Having well-documented procedures that can be bypassed will be quickly exposed by any audit. The only effective way to make policies both realistic and enforceable is to automate the critical processes. For example, policies that require privileged users to have the correct authorizations must be enforceable. Likewise, policies that require regular changing of passwords only work effectively if they are automated.

Policies must be auditable – Having policies in place is a good first step, but they will not hold up to regulatory scrutiny unless there are audit trails proving the policy is in place and enforced on an ongoing basis. However, simply having an audit capability is not the solution. The sheer scale and diversity of systems in an enterprise require that tools are cross-platform. In other words, IT security staff must be able to provide reports that are consistent across all platforms and take account of the information produced by heterogeneous systems.

When you consider the amount of time and effort required to collect raw data from key systems and applications, including critical network devices, there can be literally hundreds if not thousands of logs that must be examined for the purpose of an audit report. This data needs to be converted into a standardized, audit-compliant report format that an auditor can read.

So when you’re examining what options are open to you, remember that, as with your personal grooming options, you shouldn’t expect miracles overnight; make sure you stick to the treatment regime, and most of all make sure that the results are there for all to see. So treat yourself for Christmas – Botox your policies before it’s too late.

COPYRIGHT 1998-2013 BY HELP NET SECURITY.