Many Windows managers still do not realize the significance of maintaining detailed documentation to meet their compliance requirements. To keep their heads off the chopping block with auditors, and to meet legal requirements, Windows managers must maintain compliance documentation and keep it up to date.
When I was a systems analyst building CICS regions for an IBM mainframe and creating the online applications change management system, most of the folks I worked with hated to create documentation for the systems and applications they supported. They seemed to think it was unnecessary when it was much easier to just talk directly to the analyst or programmer responsible when someone needed to know more about the applications or systems.
As a result, most of the documentation that did exist was poorly written and left out significant information. It was confusing to read.
After that, I moved into IT auditing and began to realize the importance of documentation from an audit and compliance perspective. While reviewing systems and applications documentation, it took much longer to perform the audit when there wasn't good documentation. In addition, the areas I audited that had poor documentation invariably received bad audit reports because audit findings depend largely upon documentation.
Laws, regulations and contracts requiring documentation
Most, if not all, data protection laws and regulations require the organizations they cover to maintain documentation. Here are just a few of the U.S. laws:
Sarbanes Oxley Act (SOX) – The Public Company Accounting Oversight Board, which oversees SOX compliance activity, repeatedly emphasizes the importance of documentation within its auditing standards. Those standards dictate, for example, that a Windows manager must maintain detailed documentation for account creation, changes and deletion.
Health Insurance Portability and Accountability Act (HIPAA) – In the law's technical safeguards, it says that as part of standard audit controls, hardware, software and/or procedural mechanisms must be implemented that record and examine activity in information systems that contain or use electronic protected health information. In a Windows environment, this requires that all access to protected health information be logged.
Federal Information Security Management Act (FISMA) – You must document system information, such as interconnections with other systems and implementation details for each security control, in the system security plan. For Windows shops, that includes Windows domain trust relationships and Active Directory universal groups. Systems hardware and software inventory and major applications, including hardware make and model numbers, software version numbers, patch levels and a functional description of the component -- such as each database, Web server, fileserver and directory server -- must also be documented.
You'll find similar audit and documentation requirements in international data protection laws, such as Canada's Personal Information Protection and Electronic Data Act and the European Union's Data Protection Directive 95/46/EC.
In addition to laws and regulations, you may be contractually obligated to maintain documentation. For example, if your organization processes credit card payments, you must comply with the documentation requirements of the Payment Card Industry Data Security Standard, or PCI DSS.
Basically, all of these laws and contractual agreements require that the operating systems upon which personally identifiable information, or PII, is collected, processed and/or stored must be well documented.
Don't assume that your organization's legal team knows how these requirements translate to compliance action items for IT. If none of your staff attorneys have any background or knowledge about how information systems actually work, chances are they will not even realize the importance of having documented procedures and technology in place to comply with data protection laws and regulations. Now is a good time to discuss these issues with your legal team.
What auditors look for
The primary ways in which auditors ensure control objectives are being met are by:
Reviewing available documentation of your Windows environment in the form of logs, monitoring records and reports
Reviewing written descriptions of your administrative activities
Most auditors heavily rely on the Control Objectives for Information and related Technology, or COBIT, published by the IT Governance Institute, when performing audits. Download COBIT from www.isaca.org and look it over carefully to determine the additional documentation you should have for your own organization based upon your business activities.
When establishing your Windows documentation procedures, keep in mind that auditors are typically looking for documentation such as the following:
Roles and responsibilities -- The roles and responsibilities for each person who works with applications and systems should be documented in detail. These citations should include an organizational chart, along with a documented chain of command.
Procedures -- Each IT area should have documented procedures to support the corporate policies and standards. The procedures should be specific to the applications and systems that the area supports. The procedures should be detailed enough to allow someone to follow them in the event of a proverbial truck that runs over the administrator who usually performs the procedures.
Meaningful and understandable details about the systems and/or applications for which you are responsible -- Include information about the business purpose of the systems or applications, changes and updates that have been made, when security patches were applied and so on.
Detailed change information -- All changes to applications and systems should include the following:
- Name of the person making changes
- Date and time the changes were made
- Type of change
- Reasons why the changes were necessary
- Name of the manager who reviewed and approved of the change
- Change success or failure
- List of impacted data files, systems, applications and other network resources
People who make changes to systems and applications must be held accountable for those changes from the point of view of not only the laws and regulations but also from the viewpoint of managers and auditors. Including the name of the person making changes also allows management and auditors to speak directly to the person if clarifications are necessary, if additional changes are needed or to assist with an investigation.
Ultimately, each organization must determine the extent of documentation to maintain based upon its own unique computer and network environments, along with its services, products, legal requirements and risks.
Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance. She is owner and principal of Rebecca Herold, LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
This was first published in January 2008