1. BACKGROUND
1.1 Linkage to Standards
1.1.1 Standard S6 Performance of Audit Work states, ‘IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met. During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.’
1.1.2 Standard S10 IT Governance states, ‘The IS auditor should review and assess whether the IS function aligns with the organisation’s mission, vision, values, objectives and strategies…The IS auditor should review and assess the effectiveness of IS resources and performance management processes.’
1.2 Linkage to COBIT
1.2.1 Control process AI1 Identify automated solutions states, ‘Control over the IT process of identify automated solutions that satisfies the business requirement for IT of translating business functional and control requirements into an effective and efficient design of automated solutions by focusing on identifying technically feasible and cost-effective solutions is achieved by:
- Defining business and technical requirements
- Undertaking feasibility studies as defined in the development standards
- Approving (or rejecting) requirements and feasibility study results
and is measured by the:
- Number of projects where stated benefits were not achieved due to incorrect feasibility assumptions
- Percent of feasibility studies signed off by the business process owner
- Percent of users satisfied with functionality delivered
1.2.2 Control process AI3 Acquire and maintain technology infrastructure states, ‘Control over the IT process of acquire and maintain technology infrastructure that satisfies the business requirement for IT of acquiring and maintaining an integrated and standardised IT infrastructure by focusing on providing appropriate platforms for the business applications in line with the defined IT architecture and technology standards is achieved by:
- Producing a technology acquisition plan that aligns to the technology infrastructure plan
- Planning infrastructure maintenance
- Implementing internal control, security and auditability measures
and is measured by the:
- Percent of platforms that are not in line with the defined IT architecture and technology standards
- Number of critical business processes supported by obsolete (or soon to be) infrastructure
- Number of infrastructure components that are no longer supportable (or will not be in the near future)
1.2.3 Control process AI5 Procure IT resources states, ‘Control over the IT process of procure IT resources that satisfies the business requirement for IT of improving IT’s cost-efficiency and its contribution to business profitability by focusing on acquiring and maintaining IT skills that respond to the delivery strategy, an integrated and standardised IT infrastructure, and reducing IT procurement risk is achieved by:
- Obtaining professional legal and contractual advice
- Defining procurement procedures and standards
- Procuring requested hardware, software and services in line with defined procedures
and is measured by the:
1.2.4 Control objective AI3.1 states, ‘Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organisation’s technology direction. The plan should consider future flexibility for capacity additions, transition costs, technical risks and the lifetime of the investment for technology upgrades. Assess the complexity costs and the commercial viability of the vendor and product when adding new technical capability’.
1.3 COBIT Reference
1.3.1 Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s control objectives and associated management practices.
1.3.2 The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment. To meet the requirement, the processes in COBIT most likely to be relevant, selected and adapted are classified below as primary and secondary.
1.3.3 Primary:
- PO1—Define a strategic IT plan.
- PO3—Determine technological direction.
- PO5—Manage the IT investment.
- PO8—Manage quality.
- PO9—Assess and manage IT risks.
- PO10—Manage projects.
- AI1—Identify automated solutions.
- AI3—Acquire and maintain technology infrastructure.
- AI5—Procure IT resources.
- DS1—Define and manage service levels.
- DS3—Manage performance and capacity.
- DS4—Ensure continuous service.
- DS5—Ensure systems security.
- DS7—Educate and train users.
- M1—Monitor and evaluate IT performance.
- M2—Monitor and evaluate internal control.
- ME3—Ensure regulatory compliance.
1.3.4 Secondary:
1.3.5 The information criteria most relevant to biometric controls are:
- Primary—Effectiveness, efficiency and availability
- Secondary—Confidentiality, integrity and reliability
1.4 Purpose of the Guideline
1.4.1 The traditional means of identification and authentication—the keystones to access control—are based on ‘something you know’, such as a personal identification number (PIN) or password, and ‘something you have’, such as smart cards or automated teller machine (ATM) cards. Apart from the need to rely on one’s memory to memorise the password or to remember to carry the card, neither approach distinguishes the person in a unique manner. Passwords and token-based systems have their drawbacks and often lead to bottlenecks, especially during a crisis. With the advancement of technology, there is a paradigm shift toward a more reliable means of access control based on ‘something you are’, i.e., biometric-based access controls.
1.4.2 Accuracy is the critical characteristic of a biometric access control system. Usually identification is a ‘one-to-many’ search of an individual’s characteristics from a database of stored images, while authentication is a ‘one-to-one’ search to verify a claim to an identity made by an individual. A biometric is normally applied for identification in physical access controls and for authentication in logical access controls. The system fails if it is not able to separate an authentic person from an impostor. It is important that the incidence of either a false rejection (false negative) or a false acceptance (false positive) is low and at a rate considered acceptable to the organisation as a result of a cost/risk assessment.
1.4.3 With increased deployment of security architecture incorporating biometric technology, it has become imperative that the IS auditor be aware of the risks and countermeasures related to such technology. The IS auditor reviewing a system of biometric controls should have good insight into the technology, business process and control objective to ensure that the business objectives are achieved.
1.4.4 It is in this context that there is a need for a guideline to provide guidance to IS auditors who review biometric controls while carrying out audit assignments.
1.5 Guideline Application
1.5.1 This guideline provides guidance in applying IS Auditing Standard S6 Performance of Audit Work and S10 IT Governance.
1.5.2 The IS auditor should consider this guideline in determining how to achieve implementation of the previously mentioned standards, use professional judgement in its application and be prepared to justify any departure.
1.5.3 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA standards and guidelines.
2. BIOMETRIC CONTROLS
2.1 Introduction
2.1.1 The word ‘biometric’ is derived from the Greek words ‘bio’ and ‘metric’ meaning ‘life measurement’. It is defined as the automated identification or verification of an individual based on physiological or behavioural characteristics. The science of biometrics exploits the uniqueness of an individual’s physiological or behavioural characteristics.
2.1.2 Biometric controls refer to the use of an individual’s physiological or behavioural characteristics to design policies, procedures, practices and organisational structures that provide reasonable assurance that business objectives, with reference to identification and authorisation, are achieved and that undesirable events will be prevented or detected and corrected.
2.1.3 Typically biometric systems perform the functions listed in figure 1.

2.2 Identification vs. Authentication
2.2.1 Biometrics is the automated process for identifying or authenticating the identity of a living person based on physiological or behavioural characteristics.
2.2.2 In biometrics, identification involves a one-to-many search of individual characteristics from the repository of data. Authentication in biometrics involves the one-to-one search to verify a claim to an identity made by the individual.
2.2.3 Typically, a biometric uses identification in physical controls and authentication in logical controls.
2.3 Performance Measures
2.3.1 Performance measures are designed to provide a baseline that helps in the evaluation of products. IS auditors should consider these measures in evaluating the performance of biometric systems during the course of the audit assignment. The primary measures in biometric systems are as follows and are shown in figure 2.

2.3.2 False rejection rate (FRR) or type I error—The measure of the percentage of times a valid subject has been falsely rejected by the system. FRR (%) = number of false rejections * 100/total number of unique attempts.
2.3.3 False acceptance rate (FAR) or type II error—The measure of the percentage of times an invalid subject has been falsely accepted by the system. FAR (%) = number of false acceptances * 100/total number of unique attempts.
2.3.4 Cross-over error rate (CER)—A measure representing the percentage at which FRR equals FAR. This is the point on the graph where the FAR and FRR curves intersect. The cross-over rate indicates how well a system balances sensitivity against performance.
2.3.5 Enrollment time—The time taken to initially enroll a new subject with a system by providing samples for creation of reference templates.
2.3.6 Failure to enroll rate (FTER)—Used to determine the rate of failed enrollment attempts. FTER = number of unsuccessful enrollments/total number of users attempting to enroll.
2.3.7 Throughput rate—The time taken by the system to validate transaction data against the data in the repository when processing the identification or authentication function. This is the rate at which enrolled subjects are processed for acceptance or rejection by the system.
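The following worked example is added here to show how the measures in 2.3.2 to 2.3.6 are actually computed; it is not part of the guideline. It assumes a matcher that returns a similarity score from 0 to 100 and accepts when the score is at or above a decision threshold. The genuine and impostor scores and the enrollment records are constructed for the example, not measured on any real product.

```python
"""Added worked example (not from the ISACA guideline): computing the section 2.3
performance measures from constructed matcher scores.

A biometric matcher returns a similarity score for each comparison and the system
accepts when the score is at or above a decision threshold. Sweeping the threshold
shows how FRR and FAR move against each other and where they cross (CER).
"""
from typing import Iterable, List, Sequence, Tuple

# Constructed sample scores (0-100); not measurements from any real system.
# Genuine attempts: a subject compared against his or her own reference template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61, 57, 52]
# Impostor attempts: a subject compared against someone else's reference template.
IMPOSTOR_SCORES = [63, 58, 55, 48, 45, 42, 40, 38, 35, 31, 27, 20]

# Constructed enrollment records: (user id, enrollment succeeded, seconds taken).
ENROLLMENTS = [("u1001", True, 95), ("u1002", True, 120), ("u1003", False, 300),
               ("u1004", True, 80), ("u1005", True, 110), ("u1006", False, 300),
               ("u1007", True, 100), ("u1008", True, 90)]


def false_rejection_rate(genuine: Sequence[float], threshold: float) -> float:
    """FRR (%) = false rejections * 100 / genuine attempts (section 2.3.2).
    A genuine attempt is falsely rejected when its score falls below the threshold."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected * 100.0 / len(genuine)


def false_acceptance_rate(impostor: Sequence[float], threshold: float) -> float:
    """FAR (%) = false acceptances * 100 / impostor attempts (section 2.3.3).
    An impostor attempt is falsely accepted when its score reaches the threshold."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted * 100.0 / len(impostor)


def error_curve(genuine: Sequence[float], impostor: Sequence[float],
                thresholds: Iterable[int] = range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for each candidate threshold: the data behind figure 2.
    FRR never decreases and FAR never increases as the threshold is raised."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def cross_over_error_rate(genuine: Sequence[float],
                          impostor: Sequence[float]) -> Tuple[int, float, float]:
    """Cross-over error rate (section 2.3.4): the threshold at which FRR and FAR meet.
    With discrete scores the two may never be exactly equal, so the threshold with the
    smallest |FRR - FAR| is returned together with both rates at that point."""
    curve = error_curve(genuine, impostor)
    return min(curve, key=lambda row: abs(row[1] - row[2]))


def failure_to_enroll_rate(records: Sequence[Tuple[str, bool, int]]) -> float:
    """FTER = unsuccessful enrollments / users attempting to enroll (section 2.3.6)."""
    failed = sum(1 for _, ok, _ in records if not ok)
    return failed / len(records)


def mean_enrollment_time(records: Sequence[Tuple[str, bool, int]]) -> float:
    """Average enrollment time in seconds over successful enrollments (section 2.3.5)."""
    times = [secs for _, ok, secs in records if ok]
    return sum(times) / len(times)


if __name__ == "__main__":
    print("threshold  FRR%   FAR%")
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 66)):
        print(f"{t:9d} {frr:6.2f} {far:6.2f}")
    t, frr, far = cross_over_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"cross-over at threshold {t}: FRR={frr:.2f}% FAR={far:.2f}%")
    print(f"FTER={failure_to_enroll_rate(ENROLLMENTS):.3f}, "
          f"mean enrollment time={mean_enrollment_time(ENROLLMENTS):.1f}s")
```

The table the script prints is the numerical form of the figure 2 curves: moving the threshold up cuts false acceptances at the cost of more false rejections, and the cross-over row is the single point an auditor can compare between products. The acceptable operating point is the organisation's cost/risk decision (1.4.2), not necessarily the cross-over.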
2.4 Types of Biometric Systems
2.4.1 Biometric systems are broadly classified under two categories: one based on physiological characteristics, i.e., ‘what we are’, and the other based on behavioural characteristics, i.e., ‘what we do’.
2.4.2 Various biometric systems based on physiological characteristics are listed in figure 3.

2.4.3 Various biometric systems based on behavioural characteristics are listed in figure 4.

2.5 Data Storage
2.5.1 Reference templates should be stored in an accessible repository for easy retrieval and comparison.
2.5.2 Local storage within the biometric reader device enables quick availability of reference templates and faster matching, and allows flexibility in deployment. However, the system will require re-enrollment after a system crash if it is not adequately supported by a backup and restore process.
2.5.3 Large organisations store reference templates in a central repository that allows users to enroll at central locations and be recognised by networked biometric devices. A central repository allows backup, restore and audit features. Retrieval will be relatively slow, especially where the data size/volume is large.
2.5.4 Reference templates should be stored on smart cards where the user carries the biometric reference samples and the user is responsible for the privacy, confidentiality, availability and integrity of the reference template. Smart cards may also have additional security features, such as encryption and digital signatures to further secure the device.
2.5.5 Confidentiality and integrity of data should be managed so that personal information is protected from unauthorised access.
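As an added illustration of 2.5.2, 2.5.3 and 2.5.5 (not part of the guideline and not any vendor's code), the example below seals each stored reference template with an HMAC-SHA256 tag computed under a server-held key, binds the template to the user it belongs to, and verifies every record again when a backup is restored. The key, user ids and template bytes are constructed for the example; the repository layout is an assumption, and encryption at rest for confidentiality is a separate control not shown.

```python
"""Added example (not from the ISACA guideline): protecting the integrity of stored
reference templates and of their backup, as called for in section 2.5.

Each record carries an HMAC-SHA256 tag over the user id and the template bytes,
computed with a key held by the server, not by the reader or the user. Any change
to the template, or an attempt to present one user's template under another
user's id, fails verification on retrieval and on restore.
"""
import hashlib
import hmac
import json
from typing import Dict

# Constructed key for the example only; a real deployment keeps this in an HSM or
# key-management service, never in source code.
REPOSITORY_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


class TemplateIntegrityError(Exception):
    """Raised when a stored reference template fails its integrity check."""


def _tag(key: bytes, user_id: str, template: bytes) -> str:
    # Length-prefix the user id so that shifting bytes between id and template
    # cannot produce the same message.
    msg = len(user_id).to_bytes(4, "big") + user_id.encode() + template
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_template(key: bytes, user_id: str, template: bytes) -> Dict[str, str]:
    """Build a repository record that binds the template to the user it belongs to."""
    return {"user_id": user_id, "template": template.hex(),
            "tag": _tag(key, user_id, template)}


def open_template(key: bytes, user_id: str, record: Dict[str, str]) -> bytes:
    """Return the template for user_id, or raise if the record was altered or swapped."""
    template = bytes.fromhex(record["template"])
    expected = _tag(key, user_id, template)
    # compare_digest keeps the comparison time independent of where the tags differ.
    if record["user_id"] != user_id or not hmac.compare_digest(expected, record["tag"]):
        raise TemplateIntegrityError(f"integrity check failed for {user_id}")
    return template


def backup_repository(repo: Dict[str, Dict[str, str]]) -> str:
    """Serialise the repository; the tags travel with the records so restore can verify them."""
    return json.dumps(repo, sort_keys=True)


def restore_repository(key: bytes, blob: str) -> Dict[str, Dict[str, str]]:
    """Reload a backup, refusing the whole backup if any record fails verification."""
    repo = json.loads(blob)
    for user_id, record in repo.items():
        open_template(key, user_id, record)  # raises on any tampered record
    return repo


if __name__ == "__main__":
    repo = {"u1001": seal_template(REPOSITORY_KEY, "u1001", b"\x01\x02\x03\x04")}
    print(open_template(REPOSITORY_KEY, "u1001", repo["u1001"]).hex())
    copy = dict(repo["u1001"], template="01020305")  # one byte altered
    try:
        open_template(REPOSITORY_KEY, "u1001", copy)
    except TemplateIntegrityError as err:
        print("rejected:", err)
```

The same verification runs at retrieval time and at restore time, so a backup that was modified while outside the repository cannot silently reintroduce a bad template, which is the failure 2.5.2 warns about when local storage is rebuilt after a crash.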
2.6 Risks and Controls in Biometric System
2.6.1 The IS auditor should be aware of the risks and control measures typical to the biometric system. The most common risks and countermeasures are listed in figure 5.

3. AUDIT PROCEDURE
3.1 Selecting and Acquiring the Biometric System
3.1.1 The IS auditor should consider reviewing the following processes relating to selecting and acquiring a biometric system:
- The goals of installing the biometric system, and alignment of these goals to the business objectives of the organisation
- The study on the selection of the biometric system, based on risk analysis and asset classification, including consideration of privacy and legal matters
- The risk analysis impacts and mitigation plan
- The impact on business from the use of biometric controls
- The effect of biometric controls on employees, customers and business partners
- The return on investment for a biometric system vs. traditional access systems, such as user ID and password authentication
- The obsolescence of the biometric product
- The compliance of the product to industry and national/international standards
- The market analysis of product performance and supplier service support
- Vendor certification and product certification
- The intrusiveness of the system for data collection
- User acceptability within similar industry and in other industry/organisations
- Legal considerations and users’ rights (privacy)
3.2 Operation and Maintenance of the Biometric System
3.2.1 The IS auditor should consider reviewing the following aspects relating to operation and maintenance of the biometric system:
- The biometric policy and its alignment to the security policy of the organisation
- The security (confidentiality, integrity and availability, CIA) of biometric information, and restricted access to the data repository
- Monitoring the efficiency of the biometric system through analysis of data, such as enrollment time, success rates, failure rates, throughput time, down time, false positives, false negatives, mean time between failures (MTBF), mean time to repair (MTTR) and FTER
- The interface of the biometric system with other applications and systems (e.g., single sign-on)
- Interface with other biometric systems in the organisation
- Analysis of operation and maintenance cost
- Data storage capacity requirements
- Data security, backup and restore procedures
- Upgrade and patch management
- Destruction of user records after termination from the company
- Business continuity in case of biometric system failure and availability of standby systems/compensating controls
- Appropriate change control where role-based access is used
3.3 User Training and Acceptance
3.3.1 The IS auditor should consider reviewing the following aspects relating to user training and acceptance of the biometric system:
- Communication of biometric policy within the organisation
- Commitment to securing the biometric information and privacy of genuine users
- Commitment to relevant privacy and biometric laws and regulations
- Awareness by the users of the biometric authentication system
- Identification of owner roles and responsibility for the biometric system
- Identification of training needs, training schedule, help desk and support service
- Training on usage of the system, protection, and system and self hygiene
- Availability of documented training material and sign boards
- Acceptance by users of the system in the organisation
- Risk of uncooperative users damaging or sabotaging the system
3.4 System Performance
3.4.1 The IS auditor should consider reviewing the following aspects relating to system performance of the biometric system:
- Interface of the system with applications
- Process for enrollment, re-enrollment and removal of users
- Subject and system contact requirements
- Testing, verification, validation and approval of the system
- Testing of access definition and administrator privileges
- Protection against tampering or sabotage
- Protection against compromise of data
- Backup of data
- Business continuity planning (BCP) in case of system failure and testing of BCP
- Periodic testing (e.g., brute force)
- Resistance to counterfeiting and reliability over prolonged usage
3.5 Application and Database Controls
3.5.1 The IS auditor should consider reviewing the following aspects relating to access controls and configuration settings of the biometric system:
- Platform security configuration settings, including restricting access to all biometric information of individuals to only those with a current and strict business need
- Intrusion detection controls
- Transaction controls
- Encryption of network, including lines
- Encryption of stored data in repository
- Change management (software and hardware)
- Database administration and maintenance
- Installation of hardware and software
3.6 Audit Trails
3.6.1 The IS auditor should consider reviewing the following aspects relating to the audit trail of the biometric system:
- Access log
- Activity log
- Change log
- Log of denial of access
- System downtime log
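The example below is added here (it is not from the guideline, and the log format is constructed, since every product has its own) to show how an auditor can pull the figures asked for in 3.2.1 and 3.6.1 out of a biometric system's audit trail: denials per user, runs of consecutive denials on one reader, changes to the decision threshold with the administrator who made them, and downtime per reader. The reader ids, user ids, admin id and field names are assumptions for the sample.

```python
"""Added example (not from the ISACA guideline): summarising a biometric system's
audit trail for the review points in sections 3.2.1 and 3.6.1.

The key=value log format and all ids below are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines: access decisions, an enrollment, two outages and
# one configuration change (the decision threshold lowered from 60 to 45).
SAMPLE_LOG = """\
2007-02-01T08:00:12 reader=R01 event=ACCESS user=u1001 result=GRANTED score=87
2007-02-01T08:00:40 reader=R01 event=ACCESS user=u1002 result=DENIED score=41
2007-02-01T08:00:52 reader=R01 event=ACCESS user=u1002 result=DENIED score=44
2007-02-01T08:01:05 reader=R01 event=ACCESS user=u1002 result=DENIED score=39
2007-02-01T08:01:20 reader=R01 event=ACCESS user=u1002 result=DENIED score=43
2007-02-01T08:03:00 reader=R02 event=ACCESS user=u1003 result=GRANTED score=79
2007-02-01T08:05:10 reader=R02 event=ENROLL user=u1009 result=OK seconds=104
2007-02-01T09:00:00 reader=R02 event=DOWNTIME minutes=35
2007-02-01T09:40:00 reader=R01 event=CHANGE admin=a01 field=threshold old=60 new=45
2007-02-01T10:15:30 reader=R01 event=ACCESS user=u1002 result=GRANTED score=47
2007-02-01T10:20:00 reader=R02 event=DOWNTIME minutes=10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each non-blank line into a dict of its key=value fields plus timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not line or not m:
            continue
        ev = dict(FIELD_RE.findall(m.group("fields")))
        ev["ts"] = m.group("ts")
        events.append(ev)
    return events


def denials_per_user(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Log of denial of access (3.6.1): how often each user was refused."""
    return dict(Counter(ev["user"] for ev in events
                        if ev.get("event") == "ACCESS" and ev.get("result") == "DENIED"))


def repeated_denials(events: List[Dict[str, str]], limit: int = 3) -> List[Dict[str, str]]:
    """Runs of `limit` or more consecutive denials for one user on one reader.
    Such runs point either at an FRR problem for that user (3.2.1 failure rates)
    or at repeated attempts against the reader that the periodic testing in 3.4.1
    is meant to catch; a granted access resets the run."""
    streak: Dict[Tuple[str, str], int] = defaultdict(int)
    findings = []
    for ev in events:
        if ev.get("event") != "ACCESS":
            continue
        key = (ev["reader"], ev["user"])
        if ev["result"] == "DENIED":
            streak[key] += 1
            if streak[key] == limit:  # report once, when the run reaches the limit
                findings.append({"reader": key[0], "user": key[1], "at": ev["ts"]})
        else:
            streak[key] = 0
    return findings


def threshold_changes(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Change log (3.6.1): every edit to the decision threshold and who made it.
    Lowering the threshold trades FRR for FAR (2.3), so each change needs an approval."""
    return [{"ts": ev["ts"], "admin": ev["admin"], "old": int(ev["old"]), "new": int(ev["new"])}
            for ev in events
            if ev.get("event") == "CHANGE" and ev.get("field") == "threshold"]


def downtime_minutes(events: List[Dict[str, str]]) -> Dict[str, int]:
    """System downtime log (3.6.1): minutes of outage per reader."""
    total: Counter = Counter()
    for ev in events:
        if ev.get("event") == "DOWNTIME":
            total[ev["reader"]] += int(ev["minutes"])
    return dict(total)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denials per user:", denials_per_user(evs))
    print("repeated denials:", repeated_denials(evs))
    print("threshold changes:", threshold_changes(evs))
    print("downtime minutes:", downtime_minutes(evs))
```

Read together, the four summaries give the auditor the cross-check the lists above ask for: in the sample, a user denied four times in a row on reader R01 is granted access after the threshold on that reader is lowered, so the change record, its approval and the FAR consequences of the new value (2.3.3) are what the review should follow up.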
4. AUDIT CONSIDERATIONS
4.1 Historic Concerns Over Biometric System Use
4.1.1 The following are concerns that need to be addressed when considering the use of biometrics:
- Privacy concerns—Certain health events such as diabetes or strokes cause changes in the blood vessel pattern in the retina. Organisations using a retina-based biometric system may improperly obtain health information that may be used to the detriment of the system user. All laws and regulations regarding using and capturing physical characteristics must be considered prior to installing any biometric system.
- Intrusiveness of data collection—The user’s sensitivity to intrusion into his/her personal space during a scan
- Perceived health maladies—Concern over contagious diseases by contact with a contaminated surface (e.g., fingerprint scanner)
- Skill to use the system—Certain users may not have the required skill (e.g., literacy or ability) to use the system or may suspect the actual performance of the system. Operating conditions (e.g., greasy hands, dusty areas) may hamper the performance of the system.
- Robustness of the system—Biometric technology is not foolproof and needs to overcome problems related to the reliability of biometric applications. The impact of false rejections and false acceptances, from both operational and reputation viewpoints, must be reviewed. The risk of tampering and sabotage by insiders also cannot be ruled out.
- Cost of deployment—Deploying biometric devices at every access point may be expensive and may consume resources.
- Accuracy—The possibility of unauthorised users gaining access and authorised users being denied access exists.
- Resistance to change—There may be instances of users who are resistant to using biometric systems.
- Local regulatory and statutory requirements with respect to use of biometric systems and acceptability of the system to the using community
5. EFFECTIVE DATE
5.1 This guideline is effective for all IS audits beginning on or after 1 February 2007. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.