Buck Kulkarni, CISA, CGEIT, PgMP
Regulations differ in the scope, focus and level of prescriptive detail they provide to enable compliance. While the US Sarbanes-Oxley Act demands integrity of financial information, the Payment Card Industry Data Security Standard (PCI DSS) demands security of payment card information and the US Health Insurance Portability and Accountability Act (HIPAA) demands confidentiality of patient information. Despite this diversity, there are a few areas of underlying commonality across regulations, e.g., the need for a demonstrated set of controls on how an organization permits or prohibits access to its sensitive data. Single-factor authentication is considered inadequate in e-banking, e-commerce, third-party processing of sensitive information, health care and other situations. This has led many organizations to adopt card-based, biometrics-based and other authentication methods to strengthen their data security. As these tools proliferate across businesses and governments, auditors will need to understand how they function, what their strengths and weaknesses are, and what to look for. This article aims to describe the nuances of biometric authentication methods in a way that will help the audit community.
When auditors evaluate an organization’s access control, they should look for, at a minimum, the following building blocks:
An organization with a coherent information security policy and architecture will be able to demonstrate its access control technology as the horizontal organizational standard, as well as its implementation in individual vertical applications and data sets, as shown in figure 1.
Access control and authentication are of particular interest to auditors, as they are a common theme across all regulations, best practices and governance frameworks. Single-factor authentication, based on user IDs and passwords, served well for nearly 50 years, until sophisticated hacking techniques overwhelmed this simple authentication method. With increasingly valuable data (including financial information, trade secrets, production processes and designs, personal information, and many other forms of data) stored on computer systems, the use of single-factor authentication can lead to unnecessary risk of compromise when compared to the benefits of a dual-factor authentication scheme.1 Governments, on the other hand, are struggling to balance the convenience of travelers against terrorist threats, and they need increasingly sophisticated tools to achieve this.2, 3 These are enormous tasks, next to which the proverbial search for a needle in a haystack looks easy.
To meet these challenges, businesses and governments are increasingly turning to biometric authentication solutions. Providing fingerprints while getting a new passport, entering another country, accessing an application or even while taking up new employment is increasingly common.
Modern biometrics-based solutions have grown in complexity, and some features an auditor can expect to find are:
ISACA IT Audit and Assurance Guideline G36 Biometric Controls4 provides a conceptual and practical framework for auditing biometric systems. It describes the basic functions, types, risks and countermeasures to empower the auditor to plan and execute the audit. Figure 2 shows the functions described by G36 and some specific information the auditor should seek to audit each functionality.
From simple time-and-attendance clocking on a stand-alone machine to safeguarding sensitive information worth billions to protecting a country’s borders, biometric systems have come of age and their deployment is exploding globally. Biometric systems operate on different body parts that offer unique characteristics, such as fingerprints, irises, noses and veins in the palms (or other body areas), and this technology will expand rapidly as national security and commercial considerations demand more and stronger tools. These tools can add a lot to security, but every tool brings forth new vulnerabilities in its wake.
IT auditors will be increasingly challenged to understand these technologies, vulnerabilities, applications and implications for the business process so that they can provide the required level of assurance to their customers. Auditors need to invest their time in learning the nuances of this technology to meet this challenge successfully.
1 “Vulnerability, Using Single-factor Authentication,” Open Web Application Security Project (OWASP), OWASP.org, April 2010
2 US Homeland Security, Visitor & Immigrant Status Indicator Technology (VISIT), US 2004, www.dhs.gov/files/programs/usv.shtm
3 Dubai Naturalization & Residency Department, Dubai Government, 2007
4 ISACA, IT Audit and Assurance Guideline G36, Biometric Controls, www.isaca.org/standards
Buck Kulkarni, CISA, CGEIT, PgMP, is the founder and president of GRCBUS Inc., a New Jersey, USA-based IT governance, risk and compliance consulting firm with a mandate to help customers “get compliant, stay compliant.” As a certified IT auditor, program manager and IT governance professional, Kulkarni (with his team) has executed many IT audit, assessment and remediation assignments over the years and helps organizations achieve compliance with the US Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI DSS), and the US Health Insurance Portability and Accountability Act (HIPAA), as well as with governance frameworks such as COBIT, ISO 27001, the Software Engineering Institute (SEI)’s Capability Maturity Model (CMM) and others as appropriate to the goals and size of the organization.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.