How to Create a File Integrity Monitoring Strategy
Businesses of all sizes have strategies in place applying to various aspects of their operations. From marketing to finance and from sales to hiring, there are strategies to be developed and worked across departments.
However, one strategy commonly overlooked by businesses, regardless of size, is for the implementation and upkeep of file integrity monitoring (FIM) software and practices. And much like other strategies, it has common themes:
- It is vital to the organization’s success
- It takes thoughtful planning
- It clearly defines roles
- It is well-documented and commonly understood
Here are three different phases to work through in order to create a file integrity monitoring strategy that can work for any business.
Phase 1 - Self Audit
The very first step before laying out a plan is to conduct a thorough analysis of your internal IT systems, processes, and controls. This might require you to include people from various departments/teams in order to accurately gain insight into how information flows through your organization.
Regardless of your business’s size, the industry you belong to, or who will be working on Phase 1 of your FIM strategy, you’ll want to conduct a network assessment. A recent article from Adeolu Owokade has information on what is needed to conduct a self-assessment. As Owokade points out, it involves:
- A full inventory: determining what kind of devices are running on the network
- Determining support: whether any of those devices are obsolete
- Assessing architecture: how the devices are connected
- Testing security: are there any security concerns that need to be addressed
PCI-DSS Self Assessment (If Applicable)
If you’re in an industry that collects payment card data, this step is not only recommended, but you may be required to conduct this self assessment on a recurring basis. A PCI-DSS self assessment can be conducted following the steps laid out by the Payment Card Industry Security Standards Council’s website and can help determine if greater security measures are required in order to maintain compliance.
Phase 2 - Planning
In order to provide the context needed throughout your organization, you should have stakeholders from each department and function involved. IT security isn’t just the responsibility of your IT people. It takes buy-in and active participation from your whole organization.
Talk with the various stakeholders within your organization and gain a firmer understanding of the type of information that their respective teams need access to and the type of information that isn’t needed or should be restricted.
In a FIM webinar we conduct regularly, we discuss the importance of having accountability workflows in place. Once you’ve identified what information can be viewed and altered by different people within the organization, you should ensure that there are no unchecked powers. As it pertains to file integrity monitoring, users with unchecked powers can become dangerous to a business’s IT infrastructure. Even system admins and those creating these accountability checks should not be given free rein.
Events & Automation
Should an event occur, whether malicious or accidental, you should have systems in place that can stop and remediate unwanted changes to files. Some file integrity monitoring software will enable you to set rules around crucial files you monitor, giving you the ability to take action using the following criteria:
- Who changed the information
- What exactly changed
- When it was changed
- And the process used to change it, or the how
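To make the criteria above concrete, here is a minimal baseline-and-compare check, added as an illustration and not taken from any FIM product: it hashes every file under a monitored directory, then reports what changed and when. The directory contents and file names are constructed sample data.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def snapshot(root):
    """Map each file under root to (SHA-256 digest, mtime)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # whole-file read is fine for a small demo
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, os.stat(path).st_mtime)
    return state


def compare(baseline, current):
    """Return (kind, path, when) events; 'when' is None for removed files."""
    events = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            kind = "added"
        elif new is None:
            kind = "removed"
        elif old[0] != new[0]:
            kind = "modified"
        else:
            continue
        when = datetime.fromtimestamp(new[1], timezone.utc).isoformat() if new else None
        events.append((kind, path, when))
    return events


def demo():
    """Constructed sample tree: one file edited, one added, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, body):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        write("app.conf", "debug=false\n")
        write("users.db", "alice\n")
        baseline = snapshot(root)
        write("app.conf", "debug=true\n")
        write("new.sh", "#!/bin/sh\n")
        os.remove(os.path.join(root, "users.db"))
        return [(k, p) for k, p, _ in compare(baseline, snapshot(root))]
```

A hash comparison like this answers only "what" and "when". The "who" and "how" come from operating system audit data (for example, Linux auditd or Windows object access auditing) correlated with the change.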
Thorough documentation provides context behind your organization’s actions. Creating comprehensive documentation surrounding your file integrity monitoring practices ensures there are not any questions about who is responsible for what.
Regardless of the size of your organization, your IT security strategy should be documented. While you’re likely not creating a five-year national IT security strategy, your documentation can (and should) contain items such as:
- Vision for organization-wide security efforts
- Roles and responsibilities
- A detailed implementation plan
- Defense measures
- Internal education and communication practices
- Action plans for various events
A solid file integrity monitoring strategy is only complete if you have software in place that can perform the monitoring for you. It isn’t realistic for your team to manually monitor your critical files for changes. “A needle in a haystack” understates how unlikely it is that a person will find file changes without software to support them.
But with that being said, a FIM tool is only successful if monitoring the right files. It needs to be configured to monitor the files that are important in order to detect and flag unwanted changes. To learn more about what you should look for in a FIM software, you can review Key Features to Look for in a File Integrity Monitoring Software.
Phase 3 - Test & Rollout
Create a controlled testing environment
Testing environments are fairly simple to create in a virtualized IT infrastructure. Most organizations have the ability to spin up servers using VMware or similar server virtualization software. This gives you the ability to fully test your file integrity monitoring strategy before rolling it out.
Based on how you have information structured, you should create a virtual testing environment that mimics what you’re currently using. If you have the ability to, creating clones of virtual machines is a good option: with an identical file structure, you’ll be able to see how your FIM software responds to real-life situations that could be cause for alarm and action.
If you haven’t done it before or need a refresher on how to create a virtual testing environment, VMware has a wealth of information on their blog.
Once your software and policies that revolve around your IT security are fully tested, it’s time to roll out your strategy across your organization. Since you’ve likely kept key stakeholders in the loop throughout phase 1 and phase 2, it shouldn’t be news to anyone that these initiatives are taking place.
Even though different departments may be aware of potential changes, it’s vital to the success of your FIM strategy that it is thoughtfully communicated across the organization. Before rolling out major changes, ensure that you have emails drafted, internal memos created, and/or other forms of communication ready to go out. You’ll likely receive questions, so be prepared to field them with educated responses that non-IT personnel can understand.
Monitor & Regularly test
While FIM software programs are typically built so you don’t have to manually monitor files, it is a good idea to perform regular checks and tests. This should be done monthly, quarterly, or, at the very least, on a bi-annual basis, and should cover:
- Key files being monitored and files that should be
- Alerting criteria and triggering events
- Key stakeholders and permissions
- Automated events
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".