Escolar Documentos
Profissional Documentos
Cultura Documentos
USER ACCESS
MANAGEMENT
1
ACCESS MANAGEMENT
To provide access to the IT environment only to
authorized, appropriate users and those users are
restricted to performing authorized, appropriate actions.
WHAT ARE THE RISKS RELATED TO MANAGE
ACCESS?
3
GUIDING PRINCIPLES IN IMPLEMENTING IT
SECURITY
Principle of Least Privilege - giving a person or a process the minimal
authority necessary to accomplish the job or task
Data classification - the level of security controls needed to protect data
is dependent on security classification (e.g., confidential, private, public,
or unclassified)
Separation of Duties - dividing a task and authority for a specific
business process among multiple users to prevent exploitation and fraud
by allowing two people to complete a task.
Defense in Depth is a concept used to describe layers of defense
strategies
4
MANAGE ACCESS PROCESS COMPONENTS
Logical Security
6
LOGICAL ACCESS PATH
OS/Network Security
Application Security
Database Security
7
ACCESS MANAGEMENT:
RECOMMENDED CONTROLS
1. General system security settings are appropriate. (T, PP)
2. Password settings are appropriate.(T, PP)
3. Access to privileged IT functions is limited to appropriate
individuals.(T, PP)
4. Access to system resources and utilities is limited to appropriate
individuals. (T, PP)
5. User access is authorized and appropriately established. (T,P, PP)
6. Physical access to computer hardware is limited to appropriate
individuals.
7. Logical access process is monitored. (T, P)
8. Segregation of incompatible duties exists within logical access
environment.(P)
8
GENERAL SECURITY SETTINGS
Security Mode
Disable
Enable warning vs. active mode
Trust mode
Audit logging enabled? What are logged?
Default accounts and passwords there are no default accounts with
default passwords or default accounts are renamed and passwords have
been changed
Generic accounts access is limited or none
9
PASSWORD SETTINGS
SECURITY SETTINGS FOR USER
AUTHENTICATION
Minimum password length (e.g., 8 characters)
Password composition (e.g., alpha/numeric characters, not words in
dictionary)
Frequency of Forced Password change (e.g., 90 days)
Number of passwords that must be used prior to using a password again
(e.g., 8 unique passwords)
Number of unsuccessful log on attempts allowed before lockout (e.g., 3
attempts)
Unlocking of blocked accounts (e.g., manually performed by security
administrator)
Idle session time out (e.g., 10 minutes)
Logging of unsuccessful login attempts
10
PRIVILEGED USERS
11
PRIVILEGED USERS
Testing should cover privileged user rights for all relevant technical
components of the logical access path that support the key controls.
Determine if the users privileged access rights are appropriate based on
their job responsibility
Determine if the number of privileged users appears appropriate.
Determine how system activities of privileged users are controlled (e.g,
logged, monitored?)
12
SYSTEM RESOURCES AND UTILITIES
13
USER ACCESS MANAGEMENT
14
USER ACCESS MANAGEMENT
Periodic review
Users access rights should be periodically reviewed to ensure that they
remain appropriate..
The review should cover access rights to all elements of the IT
infrastructure (i.e., computing, networking, databases).
Frequency of the review should be assessed to determine the design
effectiveness.
15
USER ACCESS MANAGEMENT
16
PHYSICAL SECURITY
17
PHYSICAL SECURITY
18
MONITORING
19
SEGREGATION OF DUTIES
Action Responsible
Request User
Authorize System owner
Security administration System/ security
administrator/ custodian
Monitoring/ Audit Security office/ Internal
audit
20
IT GENERAL CONTROLS
IT OPERATIONS
21
IT OPERATIONS
To provide a reliable processing environment
that is prepared for routine operating issues.
22
IT OPERATIONS
RECOMMENDED CONTROLS
Financial data has been backed up and is recoverable
Deviations from scheduled processing are identified and resolved
IT operations problems or incidents are identified, resolved, reviewed
and analyzed
23
BACK-UP AND RECOVERY
24
JOB SCHEDULING
25
JOB SCHEDULING
Scheduling
Ability to create/change/delete job schedules should be restricted
Monitoring
Independent post review of job executions to ensure successful
completion of runs and note aborted runs, job failures, changes in job
schedule.
Scheduled job failures should be handled as part of the incident
management process for successful resolution
26
PROBLEM AND INCIDENT MANAGEMENT
27
28