
Re: Rule management process

Subject: Re: Rule management process
Date: Mon, 17 Oct 2005 22:33:04 -0400
I just finished a process like that about 6 months ago to comply with an audit requirement.  (LOL yeah security got audited)

We developed a database that integrated with the change management process, and captured all the rules and changes thereto.  We have a little workflow to the process such that before a request got to CM it was reviewed for sensibility (sent to Security engineering) and signed off on; sent on to Security operations who translated the request and review into an actual ruleset change - concentrating on the optimization part according to a published guideline - which was authorized by security operations management, prior to being submitted to the CM workflow application/process.

The database also aged all the rules according to a published standard or an aging date that did not exceed the standard (i.e. this rule is needed temporarily for 2 weeks) which sent an email to the original requestor and Sec Engineering requesting validation of the continuing need for the rule.  If no response was received that the rule was needed or a response was received that it wasn't needed the rule was removed. If the rule was still needed, the aging date was moved forward an appropriate time.

HTH,

--david
----- Original Message ----- 
From: "Bein, Matthew" <BeinM@ummhc.org>
To: "'Bret Watson'" <lists@ticm.com>; <security-management@securityfocus.com>
Sent: Monday, October 17, 2005 08:55
Subject: RE: Rule management process


Funny, I was just about to post the same thing. Has anyone sent you a
response?

Matthew

-----Original Message-----
From: Bret Watson [mailto:lists@ticm.com]
Sent: Wednesday, October 12, 2005 9:41 AM
To: security-management@securityfocus.com
Subject: Rule management process

Hi All,
We are in the last stages of our SSE-CMM lvl1 process improvement.
One last thing I'm a little stuck on is developing a process for
ensuring our rule set is i. sensible, ii. optimised and iii. does not
have unused rules.

Has anyone else done something like this?

Thanks
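
The rule-aging cycle described in the reply at the top of this thread, sketched as an added example (not code from any poster in the thread). The 180-day standard, the 7-day reply window, and all class, field and function names are assumptions; the post gives no figures beyond the two-week example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_AGE = timedelta(days=180)  # assumed value for the "published standard"
GRACE = timedelta(days=7)      # assumed reply window; the post does not give one

@dataclass
class Rule:
    rule_id: str
    requestor: str
    created: date
    lifetime: timedelta                  # requested lifetime, e.g. two weeks
    expires: Optional[date] = None
    reply_due: Optional[date] = None     # set once the validation mail is sent
    still_needed: Optional[bool] = None  # None = no reply received yet

    def __post_init__(self):
        # An aging date may be shorter than the standard, never longer.
        self.lifetime = min(self.lifetime, MAX_AGE)
        if self.expires is None:
            self.expires = self.created + self.lifetime

def review(rule: Rule, today: date) -> str:
    """Return the action for one rule: keep, notify, wait, extend or remove."""
    if today < rule.expires:
        return "keep"
    if rule.reply_due is None:
        # Aging date reached: mail the requestor and Security Engineering.
        rule.reply_due = today + GRACE
        return "notify"
    if rule.still_needed is True:
        # Need confirmed: move the aging date forward and reset the cycle.
        rule.expires = today + rule.lifetime
        rule.reply_due, rule.still_needed = None, None
        return "extend"
    if rule.still_needed is False or today >= rule.reply_due:
        # Explicit "not needed", or silence past the reply window.
        return "remove"
    return "wait"

if __name__ == "__main__":
    # Constructed sample: a temporary two-week rule that nobody validates.
    r = Rule("fw-101", "requestor@example.org", date(2005, 10, 1), timedelta(days=14))
    for day in (date(2005, 10, 10), date(2005, 10, 15), date(2005, 10, 18), date(2005, 10, 22)):
        print(day, review(r, day))
```

A scheduled job would call `review` once a day per rule and hand each `remove` or `extend` result to the change management workflow instead of editing the ruleset directly.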
