Protecting computer systems and networks from unauthorized access is no longer just a good idea for businesses. The U.S. government often requires protection through such regulations as Sarbanes-Oxley (for publicly traded companies) and HIPAA (covering health care information).
One common factor in all of these regulations is the requirement to track and manage all changes to these critical systems. For instance, a company must record when someone adds or changes user accounts on a server storing credit card information.
What Is This Solution?
This solution, known as configuration assessment and change auditing, addresses two key elements. The first element is to establish a complete picture or snapshot of your key applications and servers such as those handling credit card processing, customer relationships, employee payroll, inventory management, and order tracking. Just as you can’t protect your building without knowing where all the doors and windows are, you can’t secure your network applications without knowing all the various users and access points. Configuration assessment products automatically take an inventory of your critical systems, record their baseline use and function, and give you a complete picture of your network security.
Once this assessment is complete, change auditing enters the picture. This records any changes that are made to a server or application’s configuration. It records who made the changes and when. Change auditing is the computer equivalent of the sign-in sheet in your building lobby. Anytime users enter the application outside normal channels, their entry (i.e., login) is recorded, and whatever actions they take are tracked. This is a requirement of most major compliance regulations. Why? Because when a problem occurs, it’s easy to track down who is responsible and to see what they did.
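The baseline-then-audit process described above can be shown with the user-account case mentioned earlier. This is an added example, not part of the original article or of any product it describes; the function names, the passwd-format sample data and the `actor` parameter are assumptions made for illustration.

```python
import json

# Constructed sample data in /etc/passwd format (not from a real system).
BASELINE = """root:x:0:0:root:/root:/bin/bash
payments:x:1001:1001:Card processing:/srv/payments:/usr/sbin/nologin
alice:x:1002:1002:Alice:/home/alice:/bin/bash
"""
CURRENT = """root:x:0:0:root:/root:/bin/bash
payments:x:1001:1001:Card processing:/srv/payments:/bin/bash
tempadmin:x:1003:1003::/home/tempadmin:/bin/bash
"""

def parse_accounts(passwd_text):
    """Turn passwd-format text into {name: {uid, gid, home, shell}}."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments and malformed rows instead of crashing the audit.
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts

def audit_changes(baseline, current, observed_at, actor="unknown"):
    """Diff two snapshots into audit records (what changed, when it was seen).
    'actor' is an assumption: a diff alone cannot say who made the change, so the
    caller must supply it from another source such as login or sudo records."""
    events = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        if old is None:
            action, detail = "account_added", new
        elif new is None:
            action, detail = "account_removed", old
        else:
            action = "account_changed"
            detail = {k: {"was": old[k], "now": new[k]} for k in old if old[k] != new[k]}
        events.append({"time": observed_at, "actor": actor, "action": action,
                       "account": name, "detail": detail})
    return events

if __name__ == "__main__":
    for event in audit_changes(parse_accounts(BASELINE), parse_accounts(CURRENT), "2024-01-01T00:00:00Z"):
        print(json.dumps(event))
```

Run against the sample data, it reports one removed account, one account whose login shell changed, and one new account, each stamped with the observation time.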
What Are the Benefits of This Solution?
Configuration management and change auditing solutions offer a number of benefits for small to medium businesses. In today’s high-tech world, even a small business will have key applications such as credit card processing and order tracking. Manually securing each of those applications and servers, and keeping track of every change to every one of them to satisfy your auditors, is cumbersome.
The following are specific key benefits common to configuration management and change auditing products:
- Analyzing business-critical applications and servers and providing a risk profile for your business’s network
- Instantly and automatically detecting any changes to your secure system
- Repairing unauthorized or unapproved changes without human intervention
Checklist: When Is This Solution Right for Your Company?
Here are some questions to consider:
- Do you have three or more applications or servers that hold information critical to your business?
- Do you have to comply with any specific regulatory requirements, such as SOX and HIPAA?
- Are there more than two people with potential access (either authorized or not) to your business-critical servers?
- Do you spend a significant amount of time preparing for audits?
- Did your last audit identify deficiencies in your change management systems that you have to remedy before the next audit occurs?
If you answer yes to at least three of these questions, you should consider acquiring a configuration management and change auditing solution for your business.