Auditing a Security Information Management System 

Download Article

A security information management system (SIMS) can be broadly defined as a set of hardware devices and applications that gather, analyze and respond to security events. SIMS delivers real-time, centralized monitoring of complex networks and IT domains. It is used by large enterprises to monitor security events and alerts from a wide host of network devices and systems such as an intrusion detection system (IDS), firewall or antivirus servers. SIMS can also be configured to receive custom probes from any in-house developed application. All the collected events can be analyzed/filtered based on custom criteria and displayed using a graphic interface.

Most of the large application/software vendors, such as IBM or Symantec, have an offering in this area. This article discusses controls with the IBM Tivoli NetCool architecture in mind, but the underlying control principles are applicable to other vendor offerings as well.

Detailed Description of SIMS Architecture

SIMS typically has three-layer architecture: agent, aggregation and display.

Agent Layer

This layer consists of probe devices that listen from various devices such as IDS or firewalls. Generally, probes do not directly communicate with individual devices, but they communicate with a central console or log management unit. Probes can be classified in three broad categories:

  • Vendor/device-specific probe—CheckPoint and Cisco Firewalls may have separate probes.
  • Generic Simple Network Management Protocol (SNMP) probes, which can listen from any device configured to send SNMP traps
  • Some SIMS also allow for writing custom probes tailored toward specific applications.

Rules can be applied at this level, to filter and send the selected events to the aggregation layer. For active Internet-facing IDS or firewall devices, event logs can be massive, and sending all the events to the aggregation layer would require a huge investment in network infrastructure. This additional cost may not be justifiable, especially if the bulk of those alerts are low risk.

Aggregation Layer

All the events collected by the probes are sent to the aggregation server. This is a central point where all the events are stored, filtered, correlated and analyzed. A wide variety of configuration options is available to sort out the critical alerts and send them forward to the display layer. These configurations are determined by management based upon the environment and specific security threats to the business.

Display Layer

This layer displays the real-time status of various events, services and key performance indicators (KPIs) that are gathered in the aggregation layer. Various groups including IT operation, line-of- business managers and senior IT managers review these metrics in customized views (images/graphs) and take appropriate action.

Key Focus Points for Auditors

As with any application infrastructure auditing (as there are multiple devices and servers included), the focus needs to be on general controls as well as application-specific controls. Selection of general controls should be based on the available time and the specific control environment. Some key general controls are noted here, and additional controls, such as system access and system development life cycle (SDLC), can be added by the respective auditing team based on their individual needs:

  • Configuration and change management—As discussed previously, configurations of various parameters are key to ensuring that the “right” events are escalated to the display layer. Thus, it is critical to focus on the configuration and change management process to ensure that configurations are not tampered with or easily changed without appropriate approval. Also, the logging of those changes is important, to keep an audit trail.
  • Availability—The primary purpose of having a SIMS is to provide management with a proactive way to monitor all security events and take appropriate action. Consequently, high availability for the key component of a SIMS needs to be a focus of the audit. All the hardware devices and application components should be continuously monitored by tools such as NFS Patrol to ensure availability and provide adequate alerts in case of possible problems. An expected control would be some sort of management review of the availability reports on at least a weekly basis.
  • Interface controls—Data to the SNMP probes use the User Datagram Protocol (UDP), which is a session-less protocol with no integrity checks. This poses a great challenge for ensuring that SNMP probes sent from various log modules (or other modules) are completely and accurately received by the probes. SIMS, by default, does not have any controls to check this; hence, a custom-automated control must be implemented to ensure accuracy and completeness.
  • Missing events—Probes generally are connected to the log modules, which connect data from various individual devices. As long as one of the individual devices is sending alert data to the log modules, probes will continue to get alerts. In other words, if an individual firewall is working but not sending the alerts to the probe, this would not be identified. Since the device is working, the monitoring discussed in the “availability” bullet earlier will not be able to detect it. Therefore, there is a need to create custom controls to ensure that all devices connected to the probes are also monitored for expected transmission/alerts. An example would be to track alerts from each Internet Protocol (IP) (linked to a device) and compare it against a set frequency, e.g., 10 alerts each hour. The number of alerts and the time interval should be decided for individual devices based upon benchmarking and analysis of past alert data.


With the increase in the number of devices monitoring security events, use of SIMS to correlate events and generate alerts is gaining popularity in large corporations. In most cases, the actual alerting process has shifted from the security device owners to the groups managing SIMS. Because of the criticality of SIMS in protecting the network from threats and vulnerabilities, auditors must ensure that adequate controls are in place in the SIMS infrastructure.


Shahab Nayyer, CISA, CIA
is a senior technology auditor with Wells Fargo & Company in Charlotte, North Carolina, USA. Nayyer is the vice president of the ISACA Charlotte Chapter and has taught various CISA review classes organized by the chapter.

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.