
IT GENERAL CONTROLS

USER ACCESS MANAGEMENT

ACCESS MANAGEMENT
To provide access to the IT environment only to authorized, appropriate users, and to restrict those users to performing authorized, appropriate actions.

WHAT ARE THE RISKS RELATED TO MANAGE ACCESS?

Confidential/proprietary information may be disclosed to unauthorized persons.
Integrity of data, applications, and other IT resources may be impaired.
IT operations may be disrupted or data, applications and other IT resources may be destroyed.

GUIDING PRINCIPLES IN IMPLEMENTING IT SECURITY
Principle of Least Privilege - giving a person or a process the minimal authority necessary to accomplish the job or task
Data classification - the level of security controls needed to protect data is dependent on security classification (e.g., confidential, private, public, or unclassified)
Separation of Duties - dividing a task and authority for a specific business process among multiple users to prevent exploitation and fraud by requiring two people to complete a task
Defense in Depth - a concept used to describe layers of defense strategies

MANAGE ACCESS PROCESS COMPONENTS

Logical Security

People
  Users
  System Owners
  Security Officer
  System custodians/security administrators

Technology
  Network security
  OS security
  Application security
  DB security
  Security devices

Policies and Procedures
  Security Policy & Guidelines
  Security Baseline Standards
  Data Classification
  Security Awareness Programs
  User Access Management
  System Configuration Maintenance
  Security Monitoring

UNDERSTANDING THE LOGICAL ACCESS PATH

The logical (virtual) pathway by which users gain access to software and data
The logical access path often includes multiple layers of hardware and software security which users must successfully pass through to gain access to IT resources/assets (applying the Defense in Depth principle)
Understanding the logical access path helps us identify technologies that need to be examined and tested.
(Figure: access path from User to Data)

LOGICAL ACCESS PATH

(Figure: Business Users and IT Users at the top, followed by the layers OS/Network Security, Application Security and Database Security)

ACCESS MANAGEMENT: RECOMMENDED CONTROLS
1. General system security settings are appropriate. (T, PP)
2. Password settings are appropriate. (T, PP)
3. Access to privileged IT functions is limited to appropriate individuals. (T, PP)
4. Access to system resources and utilities is limited to appropriate individuals. (T, PP)
5. User access is authorized and appropriately established. (T, P, PP)
6. Physical access to computer hardware is limited to appropriate individuals.
7. Logical access process is monitored. (T, P)
8. Segregation of incompatible duties exists within logical access environment. (P)

GENERAL SECURITY SETTINGS

Security Mode
  Disable
  Enable warning vs. active mode
  Trust mode
Audit logging - is it enabled? What is logged?
Default accounts and passwords - there are no default accounts with default passwords, or default accounts are renamed and passwords have been changed
Generic accounts - access is limited or none

PASSWORD SETTINGS
SECURITY SETTINGS FOR USER AUTHENTICATION
Minimum password length (e.g., 8 characters)
Password composition (e.g., alpha/numeric characters, not words in dictionary)
Frequency of forced password change (e.g., 90 days)
Number of passwords that must be used prior to using a password again (e.g., 8 unique passwords)
Number of unsuccessful logon attempts allowed before lockout (e.g., 3 attempts)
Unlocking of blocked accounts (e.g., manually performed by security administrator)
Idle session time out (e.g., 10 minutes)
Logging of unsuccessful login attempts

PRIVILEGED USERS

Who are privileged users:
Users with full system access rights (e.g., system administrator, DB administrator)
Users with access rights to security administration functionality
Users with access to sensitive system functions (e.g., sensitive utilities and tools, ACCESS ALL)

PRIVILEGED USERS

Testing should cover privileged user rights for all relevant technical components of the logical access path that support the key controls.
Determine if the users' privileged access rights are appropriate based on their job responsibility.
Determine if the number of privileged users appears appropriate.
Determine how system activities of privileged users are controlled (e.g., logged, monitored?)

SYSTEM RESOURCES AND UTILITIES

Identify and obtain a list of critical/sensitive resources, including data modification utilities associated with the relevant applications that could affect the integrity of the financial data if not appropriately secured.
Determine that access rights granted to these resources and utilities are appropriate.

USER ACCESS MANAGEMENT

New hires & transfers
Users are granted access rights on the basis of an approved request, limited only to the access required to carry out their job responsibilities.
A unique user ID is assigned to each user. No group IDs exist that are shared by multiple users.
Changes to users' access should be approved and their role re-evaluated to prevent role creep, which is caused by incremental additions to access over time, causing segregation of duties risks.

USER ACCESS MANAGEMENT

Periodic review
Users' access rights should be periodically reviewed to ensure that they remain appropriate.
The review should cover access rights to all elements of the IT infrastructure (i.e., computing, networking, databases).
Frequency of the review should be assessed to determine the design effectiveness.

USER ACCESS MANAGEMENT

Terminations and resignations
Access rights should be promptly disabled and/or removed once users leave the company.
If there is no or ineffective periodic review, extended testing of terminations and resignations is performed.
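
Added example (not part of the original slides): one way to run the terminations test, by matching an HR leaver list against a system user listing. The field names, the sample data and the max_days tolerance are assumptions; the slides only say "promptly".

```python
from datetime import date

# Constructed sample data (not from the slides).
HR_TERMINATIONS = {          # user ID -> last working day, from HR
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 15),
    "bwong": date(2024, 4, 2),
    "clee": date(2024, 4, 10),
}
ACCOUNTS = [                 # extract of the system's user listing
    {"user": "jdoe", "enabled": False, "disabled_on": date(2024, 3, 1),
     "last_login": date(2024, 2, 28)},
    {"user": "asmith", "enabled": False, "disabled_on": date(2024, 4, 20),
     "last_login": date(2024, 3, 14)},
    {"user": "bwong", "enabled": True, "disabled_on": None,
     "last_login": date(2024, 4, 9)},
    {"user": "clee", "enabled": False, "disabled_on": date(2024, 4, 11),
     "last_login": date(2024, 4, 11)},
    {"user": "mgarcia", "enabled": True, "disabled_on": None,
     "last_login": date(2024, 4, 12)},
]

def check_terminations(terminations, accounts, max_days=1):
    """Return (user, exception) pairs for leavers whose access was not
    removed promptly. max_days is an assumed tolerance, not a slide value."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for user, left_on in sorted(terminations.items()):
        acct = by_user.get(user)
        if acct is None:
            continue  # account no longer exists: access was removed
        if acct["enabled"]:
            findings.append((user, "account still enabled"))
        elif acct["disabled_on"] is None:
            findings.append((user, "disabled, but no disable date recorded"))
        else:
            late = (acct["disabled_on"] - left_on).days
            if late > max_days:
                findings.append((user, f"disabled {late} days after leaving"))
        # Use of the account after the leave date is an exception in itself,
        # even when the account was disabled within the tolerance.
        if acct["last_login"] and acct["last_login"] > left_on:
            findings.append((user, "login after termination date"))
    return findings
```

Each finding is a candidate exception to follow up with the system owner; current employees such as mgarcia are out of scope because they are not on the leaver list.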

PHYSICAL SECURITY

Physical access to the data center
All access points (doors and windows) are secured
Guards
Access cards, biometrics
Issuance and retrieval of security devices (e.g., access cards, tokens) are properly controlled
Determine if the access rights granted are appropriate based on their job description/function
Sensitive areas are monitored (e.g., by closed circuit television (CCTV))

PHYSICAL SECURITY

Environmental controls in the data center, existence of:
HVAC (humidity, ventilation, air-conditioning)
Uninterruptible power supply (UPS) and generator sets
Server racks
Secured cabling

MONITORING

Related to assessing the system security on a recurring basis.
Internal review of compliance with security policies (e.g., vulnerability assessment, attack and penetration testing, internal IT audit)
Periodic review of security policies, guidelines, baseline standards and procedures
Security patch management
Anti-virus definition updates

SEGREGATION OF DUTIES

For segregation of duties, the person setting up the access should be different from the person requesting, approving, and monitoring.

Action                    Responsible
Request                   User
Authorize                 System owner
Security administration   System/security administrator/custodian
Monitoring/Audit          Security office/Internal audit
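
Added example (not part of the original slides): a check of the rule above against an access-administration log, which also flags access that was set up before it was authorized (the approved-request requirement from the new hires slide). The log format, action keywords and names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (not from the slides):
# timestamp, request ID, action from the table above, person acting.
LOG = """\
2024-05-02T09:10 REQ-101 request alice
2024-05-02T11:00 REQ-101 authorize owner_fin
2024-05-02T14:30 REQ-101 security_administration admin1
2024-05-31T10:00 REQ-101 monitoring auditor1
2024-05-03T08:00 REQ-102 request admin1
2024-05-03T08:05 REQ-102 authorize owner_fin
2024-05-03T08:20 REQ-102 security_administration admin1
2024-05-06T09:00 REQ-103 request bob
2024-05-06T09:30 REQ-103 security_administration admin2
2024-05-07T16:00 REQ-103 authorize owner_hr
2024-05-08T10:00 REQ-104 request carol
2024-05-08T12:00 REQ-104 authorize owner_hr
2024-05-08T13:00 REQ-104 security_administration admin2
2024-05-31T10:00 REQ-104 monitoring admin2
"""

def sod_exceptions(log_text):
    """Return sorted (request ID, finding) pairs: whoever sets up access
    must not also request, authorize or monitor that same access."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, req, action, person = line.split()
        events[req].append((ts, action, person))
    findings = []
    for req, evs in events.items():
        who = defaultdict(set)   # action -> people who performed it
        first = {}               # action -> earliest timestamp
        for ts, action, person in sorted(evs):
            who[action].add(person)
            first.setdefault(action, ts)
        setup = who["security_administration"]
        for other in ("request", "authorize", "monitoring"):
            for person in sorted(setup & who[other]):
                findings.append(
                    (req, f"{person} performed security_administration and {other}"))
        # Access must rest on an approval that precedes the set-up.
        if setup and ("authorize" not in first
                      or first["authorize"] > first["security_administration"]):
            findings.append((req, "access set up without prior authorization"))
    return sorted(findings)
```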

IT GENERAL CONTROLS
IT OPERATIONS

IT OPERATIONS
To provide a reliable processing environment that is prepared for routine operating issues.

IT OPERATIONS: RECOMMENDED CONTROLS
Financial data has been backed up and is recoverable
Deviations from scheduled processing are identified and resolved
IT operations problems or incidents are identified, resolved, reviewed and analyzed

BACK-UP AND RECOVERY

Vital information assets for back up:
  Data
  Databases structures
  Applications (with configurations)
  System software with configurations

Method of backup
  Physical (e.g., tapes, discs)
  Server replication/mirroring
  Backup site
  Manual vs scheduled job

Degree of backup:
  Differential (from last backup)
  Incremental (from full backup)
  Full

Frequency of backups:
  Daily
  Weekly
  Monthly

Testing of back up files

JOB SCHEDULING

Job scheduling applies to batch processing at data center

Potential risks
  Unauthorized runs
  Erroneous files used
  Erroneous job sequence
  Aborted runs/job failures

JOB SCHEDULING

Scheduling
Ability to create/change/delete job schedules should be restricted

Monitoring
Independent post review of job executions to ensure successful completion of runs and note aborted runs, job failures, changes in job schedule.
Scheduled job failures should be handled as part of the incident management process for successful resolution

PROBLEM AND INCIDENT MANAGEMENT

Understand process and roles/responsibilities for reporting, recording, escalating and resolving problems and incidents.
Obtain sufficient evidence to determine that problems or incidents (e.g., from computer operations, users) are identified, referred to appropriate group, escalated, monitored and analyzed in a timely manner.
Determine how they monitor and report incidents.
Inquire if there have been any major problems or incidents during our initial meetings and during year-end update procedures.
