We invite you to send your information
systems audit, control and security
Fax to: + 1.847.253.1443
Or mail to:
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
gan Subramaniam, CISA,
CISM, CCnA, CCSA, CIA,
CISSP, ISO 27001 LA, SSCP,
is the global IT security lead
for a management consulting,
technology services and
outsourcing company’s global
delivery network. Previously,
he served as head of IT
security group compliance
and monitoring at a Big Four
professional services firm.
With more than 16 years of
experience in IT development, IS
audit and information security,
work includes heading the
information security and risk
functions at a top UK-based
business process owner (BPO).
His previous employers include
Ernst & Young, UK, Thomas Cook
(India), and Hindustan Petroleum
Corp., India. As an international
conference speaker, he has
chaired and spoken at a number
of conferences around the world.
I am trying to audit an access control
management system. As an auditor,
what are the subcontrols that I must consider
and evaluate to assess the effectiveness of the
system and the appropriateness of the access
ISO 27001:2005, the international
standard on information security,
• An inventory of systems to which access is
required must exist. These systems must ideally
be classified in terms of confidentiality and the
sensitivity of the information held or processed
within the particular system/application.
• Every system must have a designated
information owner who is responsible for
making decisions on access. Of course, the
owner can delegate the work to someone else.
• The data residing inside the system must
be classified as per the enterprise’s data
classification standard, if one exists.
Access control policies also dictate the
authentication modes, which can be single-factor
or dual-factor authentication. The nature of
information again determines the quantum of
factors to be used for authentication. In some
extreme cases, more than two may be required.
Access rights must be provided to a specific
set of individuals who require access, not to one
and all. Designated approvers should approve the
granting of such rights. The type of access required,
whether ordinary or privileged, must also be
identified and limited to types of access (e.g., read
or write). Privileged users can do more damage to
the system (intentionally or unintentionally), given
their unrestricted and unfettered access rights.
A periodic review of access rights must take
place. This review must be done by a team or
must function outside of IT operations to ensure
independence. The review should identify those
individuals or groups that have unnecessary
access. The results of the review must be
provided to key stakeholders, in particular to the
owners of the information systems or data.
It is a common pitfall that vendors enjoy
privileges equal to employees on systems when
they should not. The responsibilities and role
of the vendors’ representatives must be clearly
defined in their contracts. Any contract silent on
these issues is inadequate. It is also important
to ensure that the vendors’ employees’ access
is discontinued after their termination of
employment; this requires properly defined
mechanisms to disable access of vendors’ staff.
The same principle applies for the organisation’s
own employees; exit management processes must
clearly define the roles and responsibilities of
stakeholders and access control teams.
Logs must be generated on inappropriate
access attempts. In particular, unsuccessful logins
must be logged, tracked and reviewed. Action
must be taken when such attempts are combined
with malicious intent.
Access controls become an issue when generic
identifiers (which can indicate the potential
sharing of passwords) are allowed to access
systems. As a result, the identifiers cannot be
tagged to named individuals. Password sharing
is one of the worst scenarios in access control
because accountability is lost.
Whether we talk about legacy systems or the
modern cloud, all of the above principles apply.
They are independent of any technology. They
apply to user accounts in applications and in
operating systems. It is very important that trails
exist for granting and disabling access. The trails
can be system-based or paper-based, depending
on the firm. Some industry regulations require the
archiving of access control documents.
Above all, with all the sophisticated access
control mechanisms in place, the sharing of
passwords amongst users negates the very purpose
of access control systems. Security awareness, as
always, is a must in order for an enterprise to have
an effective access control system.
Whilst auditors may not be able to question
the need when it is determined by the business, it
is essential that proper rationale be available for