HelpSource Q&A

We invite you to send your information systems audit, control and security questions to: HelpSource Q&A, bgansub@yahoo.com or publication@isaca.org; fax to +1.847.253.1443; or mail to ISACA Journal, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA.
Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP, is the global IT security lead for a management consulting, technology services and outsourcing company's global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam's previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK, Thomas Cook (India), and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.
Q: I am trying to audit an access control management system. As an auditor, what are the subcontrols that I must consider and evaluate to assess the effectiveness of the system and the appropriateness of the access privileges granted?
A: ISO 27001:2005, the international standard on information security,

• An inventory of systems to which access is required must exist. These systems should ideally be classified in terms of the confidentiality and sensitivity of the information held or processed within the particular system/application.
• Every system must have a designated information owner who is responsible for making decisions on access. Of course, the owner can delegate the work to someone else.
• The data residing inside the system must be classified as per the enterprise's data classification standard, if one exists.

Access control policies also dictate the authentication modes, which can be single-factor or dual-factor authentication. The sensitivity of the information again determines how many factors are to be used for authentication. In some extreme cases, more than two may be required.

Access rights must be provided to a specific set of individuals who require access, not to one and all. Designated approvers should approve the granting of such rights. The type of access required, whether ordinary or privileged, must also be identified and limited to the types of access actually needed (e.g., read or write). Privileged users can do more damage to the system (intentionally or unintentionally), given their unrestricted and unfettered access rights.

A periodic review of access rights must take place. This review must be done by a team or function outside of IT operations to ensure independence. The review should identify those individuals or groups that have unnecessary access. The results of the review must be provided to key stakeholders, in particular to the owners of the information systems or data.
It is a common pitfall that vendors enjoy privileges equal to employees on systems when they should not. The responsibilities and role of the vendors' representatives must be clearly defined in their contracts. Any contract silent on these issues is inadequate. It is also important to ensure that the vendors' employees' access is discontinued after their termination of employment; this requires properly defined mechanisms to disable access of vendors' staff. The same principle applies for the organisation's own employees; exit management processes must clearly define the roles and responsibilities of stakeholders and access control teams.
Logs must be generated on inappropriate access attempts. In particular, unsuccessful logins must be logged, tracked and reviewed. Action must be taken when such attempts are combined with malicious intent.
Access controls become an issue when generic identifiers (which can indicate the potential sharing of passwords) are allowed to access systems. As a result, the identifiers cannot be tagged to named individuals. Password sharing is one of the worst scenarios in access control because accountability is lost.
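As an added illustration (not part of the column), the following Python script applies several of the subcontrols above to a constructed access register: missing inventory/classification, generic identifiers, missing approver, vendors holding privileged access, vendor access surviving contract end, and leavers whose access was not disabled. All system names, accounts and the inventory are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed inventory: system -> (information owner, classification).
# A system that is missing here is itself a review finding.
INVENTORY = {"HR-payroll": ("owner-hr", "confidential"),
             "billing": ("owner-fin", "confidential")}

@dataclass
class Grant:
    user_id: str                  # account name as it appears on the system
    named_person: str             # "" when the account is a generic/shared identifier
    system: str
    access_type: str              # "read", "write" or "privileged"
    approved_by: str              # designated approver; "" if no approval trail exists
    is_vendor: bool
    contract_end: Optional[date]  # vendor contract end date; None for employees
    active_person: bool           # False once the person has left (exit management)

def review_access(register, today):
    """Return (user_id, finding) pairs, one per control failure in the register."""
    findings = []
    for g in register:
        if g.system not in INVENTORY:
            findings.append((g.user_id, "system not in inventory / unclassified"))
        if not g.named_person:
            findings.append((g.user_id, "generic identifier, no named individual"))
        if not g.approved_by:
            findings.append((g.user_id, "no designated approver on record"))
        if g.is_vendor and g.access_type == "privileged":
            findings.append((g.user_id, "vendor holds privileged access"))
        if g.is_vendor and g.contract_end and g.contract_end < today:
            findings.append((g.user_id, "vendor contract ended, access still active"))
        if not g.active_person:
            findings.append((g.user_id, "person has left, access not disabled"))
    return findings

# Constructed sample register (hypothetical accounts and systems).
REGISTER = [
    Grant("jsmith", "J. Smith", "HR-payroll", "write", "owner-hr", False, None, True),
    Grant("dbadmin", "", "HR-payroll", "privileged", "owner-hr", False, None, True),
    Grant("vend_acme1", "A. Lee (vendor)", "billing", "privileged", "", True, date(2012, 3, 31), True),
    Grant("mbrown", "M. Brown", "legacy-crm", "read", "owner-fin", False, None, False),
]
REVIEW_DATE = date(2012, 6, 1)  # constructed review date

if __name__ == "__main__":
    for user, finding in review_access(REGISTER, REVIEW_DATE):
        print(f"{user}: {finding}")
```

The output is the reviewer's worklist; each finding should go back to the system's information owner for a decision, as the column requires.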
Whether we talk about legacy systems or the modern cloud, all of the above principles apply. They are independent of any technology. They apply to user accounts in applications and in operating systems. It is very important that trails exist for granting and disabling access. The trails can be system-based or paper-based, depending on the firm. Some industry regulations require the archiving of access control documents.
Above all, with all the sophisticated access control mechanisms in place, the sharing of passwords amongst users negates the very purpose of access control systems. Security awareness, as always, is a must in order for an enterprise to have an effective access control system.
Whilst auditors may not be able to question the need when it is determined by the business, it is essential that a proper rationale be available for granting access.