At the general internal controls level, without getting technical, you
would be interested to know what kinds of network activity the organization
logs, and more importantly who reviews the logs and do they take action when
exceptions are noted? Logs don't function as controls if no one looks at
them and takes action.....
Once you are past the general concepts, based on the organization, there
may be specific logging requirements from their regulatory bodies and from
management or Best Practices, otherwise known as Common Sense.............
For example, if the organization is involved in research and development of
proprietary information, one would reasonably expect greater protection efforts
aimed at that data.........but a sales-oriented organization would make part of
its network open to the world in search of new customers.........and in the
public sector, open records laws require access to records but not their
modification.....
So we are back to the old accounting jokes where the punch line is:
It depends.....
James Shannahan, CCP, CSQA, CISA
Sr. Information Systems Auditor
City of Milwaukee (Wisconsin, not North Carolina)
[EMAIL PROTECTED]
414 286 2382
*neither the Comptroller nor I speak for each other*
>>> Jim Kaplan <[EMAIL PROTECTED]> 12/10/02 9:04:31 PM >>>
An AuditNet user submitted the following question. As I am not a technical
auditor I thought I would pose the question to the list.
I am an internal auditor and have been asked to review the network logging
procedures for adequacy. What kinds of things should a company log and review?
