Audit Controls
Tom Walsh, CISSP, President


Tom Walsh
• Certified Information Systems Security Professional (CISSP)
• Co-authored a book on HIPAA Security
• Invited speaker at national conferences
• Former information security manager for large healthcare system in Kansas City, MO
• DOE-certified safeguards and security instructor
• A little nerdy, but overall, a nice guy
Copyright © 2003, Tom Walsh Consulting, LLC

Why do we audit?
• Investigations
  – Troubleshooting
  – Employee misconduct
  – Forensic evidence
• Random sampling to keep users in check
  – Users are randomly selected for audit
  – Audit data is provided to their managers
• Compliance
  – Because it is required in HIPAA

What do we audit?
• Operating system
  – Program/file modifications
  – Directory or file access, including failed attempts
  – Password changes, strength, etc.
• Application
  – Order entry, changes, updates, deletions, etc.
  – Access control lists to Data Owners
• Network
  – Internal (users logging on and off)
  – External (vendors, workforce members, file transfers, etc.)

What do we do with audit logs?
• Controlling access to logs
  – Are they stored on a separate system?
  – System administrators: should they have access to audit logs?
• Reviewing logs
  – Network engineer? Information Security Officer? Clinical manager? Internal audit?
• Storing logs (retention)
  – Operating system
  – Application
  – Network
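The two slides above list what is audited (operating system, application, network events) and what is then done with the logs (review, random sampling for managers, retention). The script below is an added example, not part of the original presentation, showing one way those questions become a concrete review step. The pipe-delimited log format, the field names, the sample records, the user-to-manager map and the 180-day retention figure are all constructed assumptions for the example; the deck itself leaves retention and trigger events as questions for Data Owners.

```python
"""Added example: reviewing constructed audit records from the three sources the slides name."""
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: timestamp | source | user | event | outcome | detail
SAMPLE_LOG = """\
2003-05-01T08:02:11 | os  | jdoe    | file_access     | failure | /hr/payroll.xls
2003-05-01T08:02:15 | os  | jdoe    | file_access     | failure | /hr/payroll.xls
2003-05-01T08:02:20 | os  | jdoe    | file_access     | failure | /hr/payroll.xls
2003-05-01T08:05:00 | os  | asmith  | password_change | success | complexity=ok
2003-05-01T09:10:42 | app | rnurse  | order_delete    | success | order=A1029
2003-05-01T09:11:03 | app | rnurse  | order_update    | success | order=A1030
2003-05-01T17:30:00 | net | jdoe    | logoff          | success | workstation=WS12
2003-04-01T07:00:00 | net | vendor1 | logon           | success | vpn
"""

# Assumed retention window and manager assignments (constructed for the example).
RETENTION_DAYS = 180
MANAGERS = {"jdoe": "hr_manager", "asmith": "finance_manager", "rnurse": "clinical_manager"}


def parse_log(text):
    """Parse pipe-delimited records into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            continue
        ts, source, user, event, outcome, detail = parts
        records.append({"ts": datetime.fromisoformat(ts), "source": source, "user": user,
                        "event": event, "outcome": outcome, "detail": detail})
    return records


def failed_access_by_user(records, threshold=3):
    """Users with at least `threshold` failed OS file/directory access attempts (the OS bullet)."""
    counts = Counter(r["user"] for r in records
                     if r["source"] == "os" and r["event"] == "file_access" and r["outcome"] == "failure")
    return {user: n for user, n in counts.items() if n >= threshold}


def application_changes(records):
    """Order entry changes and deletions grouped by user, the list a Data Owner would review."""
    changes = defaultdict(list)
    for r in records:
        if r["source"] == "app" and r["event"].startswith("order_"):
            changes[r["user"]].append((r["event"], r["detail"]))
    return dict(changes)


def expired_records(records, now, retention_days=RETENTION_DAYS):
    """Records older than the retention window: candidates for archive or purge."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["ts"] < cutoff]


def sample_users_for_review(records, k, seed):
    """Randomly pick k users (seeded so the selection is reproducible) and bundle their events
    for the manager who receives the review package."""
    users = sorted({r["user"] for r in records})
    chosen = random.Random(seed).sample(users, k)
    return [{"user": u, "manager": MANAGERS.get(u, "unassigned"),
             "events": [r for r in records if r["user"] == u]} for u in chosen]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    now = datetime(2003, 5, 1, 18, 0)
    print("failed access:", failed_access_by_user(recs))
    print("application changes:", application_changes(recs))
    print("expired (15-day window):", [r["user"] for r in expired_records(recs, now, 15)])
    for pkg in sample_users_for_review(recs, 2, seed=7):
        print(f"review package for {pkg['manager']}: {pkg['user']} ({len(pkg['events'])} events)")
```

The seeded selection is there so the sampling can be re-run and shown to an auditor; in practice the seed would be recorded with the review, not hard-coded.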

Other Issues...
• Are warning banners displayed at logon to any system or network to notify users of auditing and monitoring activities?
• Have Data Owners determined the events that will trigger an audit trail?
• Have we checked with our vendors on audit capability and performance impact?
• What tools are available for quickly reviewing audit data?
• What are other organizations doing?

Determining Audit Controls
Management: “We need audit controls.”
IT: “Okay, what activities do you need to capture in an audit log?”
Management: “We need audit controls.”
IT: “How long will you want to retain the audit logs?”
Management: “We need audit controls.”
IT: “What performance impacts are you willing to accept?”
Management: “We need audit controls.”
“… and so it goes…”

Participation
This panel discussion offers you the opportunity to share your thoughts on audit controls and to hear from our panel of experts. Thank you for being here!