Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP
I am trying to audit an access control management system. As an auditor, what are the subcontrols that I must consider and evaluate to assess the effectiveness of the system and the appropriateness of the access privileges granted?
ISO 27001:2005, the international standard on information security, stipulates this list of access control requirements:
Access control policies also dictate the authentication modes, which can be single-factor or dual-factor authentication. The nature of the information again determines the number of factors to be used for authentication. In some extreme cases, more than two may be required.
Access rights must be provided to a specific set of individuals who require access, not to one and all. Designated approvers should approve the granting of such rights. The type of access required, whether ordinary or privileged, must also be identified and limited to the specific operations needed (e.g., read or write). Privileged users can do more damage to the system (intentionally or unintentionally), given their unrestricted and unfettered access rights.
A periodic review of access rights must take place. This review must be done by a team that functions outside of IT operations to ensure independence. The review should identify those individuals or groups that have unnecessary access. The results of the review must be provided to key stakeholders, in particular to the owners of the information systems or data.
It is a common pitfall that vendors enjoy privileges equal to employees on systems when they should not. The responsibilities and role of the vendors’ representatives must be clearly defined in their contracts. Any contract silent on these issues is inadequate. It is also important to ensure that the vendors’ employees’ access is discontinued after their termination of employment; this requires properly defined mechanisms to disable access of vendors’ staff. The same principle applies for the organisation’s own employees; exit management processes must clearly define the roles and responsibilities of stakeholders and access control teams.
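The three preceding points (grant only the privileges a role needs, review them periodically, and cut access for leavers and vendor staff) are exactly what an access recertification script checks. The following is an added example, not code from the column or from ISACA; the roster, role matrix and entitlement export are constructed sample data, and the finding names are my own labels for the exceptions an auditor would raise.

```python
"""
Access-rights recertification check (constructed example).

Reconciles a system's entitlement export against an HR/contractor roster
and a role-to-privilege matrix, and reports the exceptions an auditor
would raise: access held after termination, vendor staff holding
privileged rights, privileges beyond the holder's role, identifiers not
tied to a named person, and grants with no recorded approver.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample data; not taken from any real system.
ROSTER = {
    # user id: (employer type, role, termination date or None)
    "asmith": ("employee", "accounts_payable", None),
    "bjones": ("employee", "dba", None),
    "cwu":    ("employee", "accounts_payable", date(2012, 3, 31)),
    "v-dlee": ("vendor",   "support", None),
    "v-ekim": ("vendor",   "support", date(2012, 1, 15)),
}

# Privileges each role is allowed to hold, per system.
ROLE_MATRIX = {
    "accounts_payable": {"erp": {"read", "write"}},
    "dba":              {"erp": {"read", "write", "admin"}, "db": {"admin"}},
    "support":          {"erp": {"read"}},
}

PRIVILEGED = {"admin"}  # access types treated as privileged

ENTITLEMENTS = [
    # (user id, system, granted privileges, approver recorded on the request)
    ("asmith",    "erp", {"read", "write"},  "approver-01"),
    ("bjones",    "db",  {"admin"},          "approver-02"),
    ("cwu",       "erp", {"read", "write"},  "approver-01"),
    ("v-dlee",    "erp", {"read", "admin"},  "approver-03"),
    ("v-ekim",    "erp", {"read"},           None),
    ("svc_batch", "db",  {"admin"},          None),
]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    issue: str


def review_access(entitlements, roster, role_matrix, as_of):
    """Return the findings for an entitlement export as of a given date."""
    findings = []
    for user, system, privs, approver in entitlements:
        record = roster.get(user)
        if record is None:
            # Identifier cannot be tied to a named individual in the roster.
            findings.append(Finding(user, system, "not_in_roster"))
            continue
        employer, role, term = record
        if term is not None and term <= as_of:
            findings.append(Finding(user, system, "active_after_termination"))
        allowed = role_matrix.get(role, {}).get(system, set())
        excess = privs - allowed
        if excess:
            issue = "beyond_role:" + ",".join(sorted(excess))
            findings.append(Finding(user, system, issue))
        if employer == "vendor" and privs & PRIVILEGED:
            findings.append(Finding(user, system, "vendor_privileged"))
        if approver is None:
            findings.append(Finding(user, system, "no_approver"))
    return findings


if __name__ == "__main__":
    for f in review_access(ENTITLEMENTS, ROSTER, ROLE_MATRIX, date(2012, 6, 1)):
        print(f"{f.user:<10} {f.system:<4} {f.issue}")
```

Run it and the report lists six exceptions for the sample data; each one maps to a finding the owner of the system should sign off on or remediate before the next review cycle.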
Logs must be generated on inappropriate access attempts. In particular, unsuccessful logins must be logged, tracked and reviewed. Action must be taken when such attempts indicate malicious intent.
Access controls become an issue when generic identifiers (which can indicate the potential sharing of passwords) are allowed to access systems. As a result, the identifiers cannot be tagged to named individuals. Password sharing is one of the worst scenarios in access control because accountability is lost.
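The two points above, reviewing unsuccessful logins and spotting generic identifiers and shared passwords, can be checked against an authentication log. The following is an added example, not code from the column or from ISACA; the log lines, the list of generic identifiers and the named-user directory are all constructed, and the review thresholds are assumptions an auditor would tune to the system.

```python
"""
Authentication-log review (constructed example).

Parses a few constructed authentication log lines and produces three
review lists: accounts with a burst of failed logins from one source,
identifiers that are generic or not mapped to a named user, and accounts
successfully used from different sources within a short window (an
indicator that the password is being shared).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simple "timestamp result user source" form.
LOG_LINES = """\
2012-05-01T08:00:01 FAIL    asmith   10.0.0.12
2012-05-01T08:00:09 FAIL    asmith   10.0.0.12
2012-05-01T08:00:15 FAIL    asmith   10.0.0.12
2012-05-01T08:00:22 FAIL    asmith   10.0.0.12
2012-05-01T08:00:30 SUCCESS asmith   10.0.0.12
2012-05-01T08:05:00 SUCCESS bjones   10.0.0.40
2012-05-01T08:10:00 SUCCESS admin    10.0.0.77
2012-05-01T08:12:00 SUCCESS admin    10.0.1.19
2012-05-01T09:00:00 FAIL    cwu      10.0.0.50
2012-05-01T09:30:00 SUCCESS v-dlee   203.0.113.5
2012-05-01T09:31:00 SUCCESS v-dlee   198.51.100.9
""".splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|SUCCESS)\s+(\S+)\s+(\S+)$")

# Identifiers that cannot be tied to a named individual (assumed list).
GENERIC_IDS = {"admin", "root", "administrator", "guest", "test"}
# Named users from the identity directory (constructed).
NAMED_USERS = {"asmith", "bjones", "cwu", "v-dlee"}


def parse(lines):
    """Turn log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are left for manual review
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def failed_login_report(events, threshold=3, window=timedelta(minutes=5)):
    """(user, source) pairs with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[(user, src)].append(ts)
    flagged = {}
    for key, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[key] = count
                break
    return flagged


def generic_identifier_report(events):
    """Accounts seen in the log that are generic or not a named user."""
    users = {user for _, _, user, _ in events}
    return sorted(u for u in users if u in GENERIC_IDS or u not in NAMED_USERS)


def concurrent_source_report(events, window=timedelta(minutes=10)):
    """Accounts with successful logins from different sources within the window."""
    logins = defaultdict(list)
    for ts, result, user, src in events:
        if result == "SUCCESS":
            logins[user].append((ts, src))
    flagged = {}
    for user, entries in logins.items():
        entries.sort()
        for i, (t1, s1) in enumerate(entries):
            for t2, s2 in entries[i + 1:]:
                if t2 - t1 <= window and s1 != s2:
                    flagged.setdefault(user, set()).update({s1, s2})
    return {u: sorted(s) for u, s in flagged.items()}


if __name__ == "__main__":
    ev = parse(LOG_LINES)
    print("failed-login bursts:", failed_login_report(ev))
    print("generic identifiers:", generic_identifier_report(ev))
    print("multi-source accounts:", concurrent_source_report(ev))
```

On the sample data the burst report singles out the four failures against asmith, the generic report lists admin, and the multi-source report lists both admin and the vendor account v-dlee; the last two are the cases the text describes, where the identifier cannot be tied to one person and accountability is lost.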
Whether we talk about legacy systems or the modern cloud, all of the above principles apply. They are independent of any technology. They apply to user accounts in applications and in operating systems. It is very important that trails exist for granting and disabling access. The trails can be system-based or paper-based, depending on the firm. Some industry regulations require the archiving of access control documents.
Above all, with all the sophisticated access control mechanisms in place, the sharing of passwords amongst users negates the very purpose of access control systems. Security awareness, as always, is a must in order for an enterprise to have an effective access control system.
Whilst auditors may not be able to question the need when it is determined by the business, it is essential that proper rationale be available for granting access.
Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP, is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK, Thomas Cook (India), and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2012 ISACA. All rights reserved.