Hardware Risk

pma111 used Ask the Experts™
What kinds of risks do you associate with your network hardware outside of “security” / i.e. physical access? Do your auditors take any focus outside your physical “security” controls protecting hardware, in terms of hardware control, if so can you let me know some examples of what? Do these risks match up with those associated with physical security issues, in terms of likelihood/impact?
Physical access to equipment should be a consideration. Auditors will often insist on viewing the logged access to server rooms.


Thanks, but I was kind of asking for risks associated with hardware above and beyond, or in addition to, physical security controls. I guess firmware, capacity, support, redundancy, etc. - that kind of thing.
It kind of depends what your business is, but I'll generalize on some things for you.
If you are a hospital or are subject to HIPAA or PCI regulations then there will be additional items.
If you are a member of any stock exchange, there will be additional items.
I'm not really sure how each is weighted, but physical security (or lack thereof) can impact most of the items below.  We go as far as 802.1x L2 port lockdown, in which logs are kept on the RADIUS server... you've got to have logs to back everything up.

Some questions:
Business continuity - is there a plan, who manages the plan, what's the test scenario, etc.
If you do offsite transport of backups - how is that data secured during transport and wherever it is housed?
Are employee records safeguarded?  What are the controls in place to protect this personal information?  What is the policy/procedure if there is a data breach?
Is there an information security policy document, who owns it and how is change management of it governed?  How are the IT staff trained on it?

The defense ate me up on this and the ex-employee thief got me good.  Ticked me off!  It wasn't an auditor, it was an employee stealing data, which made me realize, when it went to court, where I was lacking:

Evidence collection procedure
Chain of custody - this really ticked me off, I mean we're not that big... But the defense said that because when the hard drive left my office and went to the forensics site that I had no shipper to prove it and no chain of custody document from when my guy removed it from the computer... ARRGH!  Just a simple Word doc with time/date, who, sign here, serial # of drive, that sort of BS.
How is misuse of company data monitored?  Do you keep logon logs?  Do you keep printer logs?  (Fortunately I did - this person printed 1000's of print jobs one weekend as well as plugged in a couple external hard drives.)  Do you monitor and store web traffic?  I knew this person went to an online storage site because of my Websense logs.

The auditors tend to get really carried away on how you know who logged in to what server.  Like if all 3 of your guys have the domain.admin password then that is bad.  Each must have separate logins for whatever their job role is.  That role must be defined as well, in writing...

How fun, I do not envy you.
