Chapter 5. Security Compliance Manager design
5.3 Implementation architecture
5.3.2 User roles and responsibilities
The user roles and responsibility matrix for ABBC’s security compliance project can be derived from the security compliance process. Figure 5-2 on page 108 depicts the main process steps.
Figure 5-2 ABBC’s security compliance process
The general user roles in the security compliance process are:
IT security management
IT security management is the owner and the sponsor of the security compliance management process, and has the responsibility and authority for the overall process. This includes ensuring the measurement of process efficiency, enforcement of process standards and procedures, and handling recommendations for improvements.
IT system administration teams
The IT system administration teams are responsible for the installation and availability of the Security Compliance Manager client in order to perform compliance management tasks. The teams have to control the compliance status of their machines by analyzing the compliance reports. In the case of security violations, the administration teams have to correct the control within a time frame of 14 days. Due to the relatively short time frame, the administration teams require access to the Security Compliance Manager server to create ad-hoc snapshots. Using the ad-hoc snapshots, the administration teams can verify the effectiveness of their changes.
(Figure 5-2 diagram labels. Actors and components: ITSCM Server and Database, Administration teams, Crystal Enterprise Reporting Server, Maintenance team, Development team, Security Audit Team, IT Management, Development and Test Environment, Security Policy. Process steps: register new systems, report suppressions; ad-hoc snapshots; retrieve compliance information; control security compliance status; escalate compliance issues; accommodate policy changes; schedule reports; schedule snapshots; provide policies and reports; test and develop; request policy and report changes; request risk acceptance; confirm risk acceptance.)
Security audit team
This team manages the day-to-day activities involved in performing security compliance management. The security audit team is responsible for the creation and availability of security compliance reports for a time frame of 18 months as defined in ABBC’s security policy. The security audit team may escalate compliance issues to the IT security management, for example, if administration teams do not correct open issues in a timely manner.
Security Compliance Manager maintenance team
The Security Compliance Manager maintenance team manages the compliance management infrastructure, including all tasks not directly related to security monitoring, for example, managing user accounts, applying policies and collectors, registering clients, or monitoring client connectivity.
Security Compliance Manager development team
The Security Compliance Manager development team implements, tests, and maintains security policies in Tivoli Security Compliance Manager and operational reports in Crystal Enterprise.
Figure 5-3 User roles’ access requirements on ITSCM server and operational reports
Delegated administration concept
ABBC is operating world-wide and organized its IT service infrastructure by the
(Figure 5-3 diagram labels. Roles: IT System Administration teams, Development team, ITSCM Maintenance team, IT Security Management team, Security Audit Team. Targets: ITSCM Server and Database, ITSCM Operational Reports. Access types: view reports; view reports, schedule reports; administrative access; view the team's IT systems; create snapshots.)
compliance management project, we distinguish between UNIX, Windows, and database administration teams. Each team requires access to different systems, policies, collectors, and snapshots using the Security Compliance Manager administration console. Therefore, ABBC’s project team decides to implement a delegated administration structure providing the following advantages:
Reduce time between detection and correction of non-compliance
Delegated administration avoids time-consuming interaction between a central security team and local administration teams. The administration teams in the geographical regions manage their own systems. As soon as a compliance deviation is detected, the local teams can start to correct the required settings and verify the result by creating new snapshots and reports.
Minimal administration overhead
Technical issues like communication problems between Security Compliance Manager server and clients, or missing firewall rules, can be resolved by the local administration teams directly.
Reduced costs
Delegation of administration tasks reduces the amount of work force required in the central team.
Figure 5-4 on page 111 illustrates the delegation model for the security compliance management project.
Figure 5-4 Administration delegation at the example of USA and Europe
The project team decides to delegate the following functions to the local administration teams:
Monitor client status
The local team verifies whether all Security Compliance Manager clients are active and corrects connection problems.
Evaluation of security compliance reports
Based on the operational reports, the local teams elaborate on technical solutions for security deviations.
Create ad-hoc snapshots and reports
The local teams should be able to verify corrections of compliance issues by creating ad-hoc snapshots for single machines or a small number of machines.
Manage users and user groups
Each team is able to add users to their own user groups.
(Figure 5-4 diagram labels. Teams: Administration Team UNIX (USA), Administration Team Windows (USA), Administration Team DB2 (USA), Administration Team UNIX (Europe), Administration Team Windows (Europe), Administration Team DB2 (Europe), Central Monitoring Team. Systems: UNIX Systems, Windows Systems, and DB2 Systems in USA and in Europe. Functions: Manage clients; Create ad-hoc snapshots; Manage ITSCM reports; View operational reports; Register clients/groups; Manage operational reports; Manage policies; Manage collectors; Schedule snapshots.)
The following functions will be performed by the central security team:
Schedule snapshots
Snapshots for a large number of systems are time consuming and require resources in the central Security Compliance Manager server. Therefore, the central security team coordinates the snapshot creation process centrally and schedules most snapshots to run during the night.
Manage operational reports
The central team creates and maintains operational reports and publishes the reports. One of the reasons for keeping this function in the central team was that Crystal Enterprise development skill is not available in each administration team.
Registration of groups and clients
ABBC maintains a central database containing detailed information about the IT systems that are used world-wide. The central team pre-registers all IT systems based on this information. From that moment, the Security Compliance Manager database can be used to track the progress of the Security Compliance Manager client rollout by creating reports about inactive systems. In “Tracking of the rollout progress” on page 124, we describe this process and provide an example report.
Manage policies and collectors for clients
The central security team is responsible for ensuring that the IT systems are equipped with the correct policies and collectors. Therefore, only the central team is allowed to configure which policies are deployed to which IT systems.
“Implementing delegated administration” on page 125 describes, in detail, how to configure the delegated administration concept in the Security Compliance Manager administration console. “Publishing modified reports” on page 168 provides the same information for the Crystal Enterprise administration console.
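The split between delegated and central functions described above can be expressed as a deny-by-default authorization check scoped by region and platform. This is an added sketch, not Security Compliance Manager code or configuration: the function identifiers, the `authorize` helper, the host names, the ad-hoc limit of five machines, and the rule that the central team may also run delegated functions are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Function split taken from the text; the identifiers themselves are hypothetical.
LOCAL = {"monitor_clients", "evaluate_reports", "adhoc_snapshot", "manage_own_users"}
CENTRAL = {"schedule_snapshots", "manage_operational_reports",
           "register_clients_groups", "manage_policies_collectors"}
ADHOC_MAX = 5  # assumption: the text only says "a small number of machines"


@dataclass(frozen=True)
class Team:
    name: str
    region: Optional[str]    # None marks the central security team
    platform: Optional[str]


@dataclass(frozen=True)
class System:
    host: str
    region: str
    platform: str


def authorize(team, function, targets=()):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    if function not in LOCAL | CENTRAL:
        return False, "unknown function"
    if team.region is None:
        # Assumption: the central team may also run the delegated functions.
        return True, "central team"
    if function in CENTRAL:
        return False, "central-only function"
    foreign = [s.host for s in targets
               if (s.region, s.platform) != (team.region, team.platform)]
    if foreign:
        return False, "outside team scope: " + ", ".join(foreign)
    if function == "adhoc_snapshot" and len(targets) > ADHOC_MAX:
        return False, "too many machines for an ad-hoc snapshot"
    return True, "delegated"


# Constructed sample data (not from the page).
UNIX_USA = Team("Administration Team UNIX (USA)", "USA", "UNIX")
CENTRAL_TEAM = Team("Central security team", None, None)
AIX_US = System("us-aix-01", "USA", "UNIX")
WIN_EU = System("eu-win-01", "Europe", "Windows")

if __name__ == "__main__":
    for fn, tgt in [("adhoc_snapshot", [AIX_US]), ("adhoc_snapshot", [AIX_US, WIN_EU]),
                    ("manage_policies_collectors", [AIX_US])]:
        print(fn, [s.host for s in tgt], authorize(UNIX_USA, fn, tgt))
```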