Agreed to a certain extent. We have not had good success with consultants in the policy and procedure areas. They all seem to write as if they are getting paid by the word/page, or by a measure of complexity.
So what I am outlining at the moment is:

All production financial systems will be monitored (we monitor them all, but I don't want the auditor to ding me because they catch us with a new system being configured that is not yet monitored).

Any alerts will be responded to in accordance with incident response.

After upgrades (service pack or greater) to the OS of in-scope systems, a test event will be created to ensure alarms are still firing (I will use a change to the administrators group as the test event). Evidence of the alert will be saved.

After upgrades to the SEIM itself, the same test event will be created.

Quarterly, if no upgrades, then the same test event will be created.

The SEIM is much more capable than that, but I'm trying to keep it very simple. Just enough to pass the SOX auditor.

On Wed, Jul 17, 2013 at 11:45 AM, Brian Desmond <[email protected]> wrote:

> Have you thought about hiring a consultant to write this for you? Sounds like you need someone with experience in this space.
>
> Thanks,
> Brian Desmond
> [email protected]
> w – 312.625.1438 | c – 312.731.3132
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kevin Lundy
> Sent: Thursday, June 27, 2013 10:02 AM
> To: [email protected]
> Subject: [NTSysADM] SOX and SEIM
>
> Hi all,
>
> I'm looking for examples of SOX narratives for SEIM utilization. We have a new SEIM (McAfee Nitro) for monitoring our network. Since it also monitors our financial systems it is considered a key control, thus I need a narrative.
>
> I'm really struggling with the contents of the narrative. If anyone has a narrative they are willing to share, I would love to have a reference. (I'm willing to sign an NDA if necessary). Alternatively, if any of you are or have been an auditor, what types of evidence would you be looking for?
>
> Thanks in advance for any help!
>
> Kevin

