Page 12 - IIA MAGAZINE_March 2017_English
IT Audit
TO COMMENT on the article, EMAIL the author at awais1116@hotmail.com
BY MUHAMMAD AWAIS NASEEM   EDITED BY NAGESH SURYANARAYANA
Auditing Logical Access
The Overlooked Areas

Auditing the logical access area may seem intuitive to IT auditors, but its importance cannot be overemphasized. With the latest security threats and cyber attacks, it is common for a successful attack to result in an attacker gaining unauthorized access to critical systems and data, which then allows them to alter or compromise those systems and data.

This article discusses the common mistakes IT auditors make while auditing the logical access area. Although logical access is important for all system elements, i.e. the database, the operating system, the applications, etc., from here on we will focus on application-level access, where required, to narrate some examples.

Access Rights Review

Issue: One of the most common mistakes IT auditors make while auditing the logical access area is to simply rely on the periodic access rights review performed by management. In certain cases that review is just a formality: the access rights review document is signed without any assessment of the adequacy of, or the need for, the users' rights. It becomes a tick-box activity, possibly performed only to meet audit requirements.

Solution: An IT auditor should interview the reviewer of access rights and ascertain how he or she performs the review and on what basis the validity of user rights is assessed. The IT auditor should also perform sample-based testing of the access granted to users to verify that the rights provided are in line with each user's job description or role, and so determine their appropriateness.
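The sample-based test described above, worked as a small script. This is an added example, not code from the article or its author: the approved role matrix, the job titles and the application user/role export are constructed sample data standing in for the HR job-description register and the application's real export.

```python
"""Sample-based access rights test: compare each sampled user's application
roles with the roles approved for their job title, and report the excess.

Added example (not from the article). ROLE_MATRIX and USER_EXPORT are
constructed sample data; in an audit they come from the organisation's
approved role design and the application's user/role export.
"""
import csv
import io
import random

# Constructed: roles approved per job title (hypothetical role matrix).
ROLE_MATRIX = {
    "Accounts Payable Clerk": {"AP_ENTRY", "AP_VIEW"},
    "AP Supervisor": {"AP_ENTRY", "AP_VIEW", "AP_APPROVE"},
    "Treasury Analyst": {"TREASURY_VIEW", "PAYMENT_RELEASE"},
}

# Constructed: application user/role export as the auditor would receive it.
USER_EXPORT = """employee_id,user_name,job_title,roles
E100,jdoe,Accounts Payable Clerk,AP_ENTRY;AP_VIEW
E101,asmith,Accounts Payable Clerk,AP_ENTRY;AP_VIEW;AP_APPROVE
E102,bkhan,AP Supervisor,AP_ENTRY;AP_VIEW;AP_APPROVE
E103,clee,Treasury Analyst,TREASURY_VIEW;PAYMENT_RELEASE;AP_APPROVE
E104,dnair,Intern,AP_VIEW
"""


def load_users(export_text):
    """Parse the CSV export; the roles column is a ';'-separated list."""
    users = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["roles"] = set(filter(None, row["roles"].split(";")))
        users.append(row)
    return users


def assess_user(user, matrix):
    """Return (finding_code, roles_in_question) for one user.

    finding_code is None when the granted roles fit the job title.
    """
    allowed = matrix.get(user["job_title"])
    if allowed is None:
        # No approved role set for this title: the rights cannot be
        # justified against the role design, so every role is in question.
        return "NO_APPROVED_ROLE_SET", user["roles"]
    excess = user["roles"] - allowed
    if excess:
        return "EXCESS_RIGHTS", excess
    return None, set()


def sample_users(users, sample_size, seed=2017):
    """Draw a reproducible random sample; the fixed seed lets the selection
    be re-performed from the workpapers."""
    rng = random.Random(seed)
    return rng.sample(users, min(sample_size, len(users)))


def run_rights_test(export_text, matrix, sample_size=None):
    """Test every user (sample_size=None) or a random sample, returning
    {employee_id: (finding_code, sorted roles)} for the exceptions only."""
    users = load_users(export_text)
    population = users if sample_size is None else sample_users(users, sample_size)
    findings = {}
    for user in population:
        code, roles = assess_user(user, matrix)
        if code:
            findings[user["employee_id"]] = (code, sorted(roles))
    return findings


if __name__ == "__main__":
    for emp, (code, roles) in run_rights_test(USER_EXPORT, ROLE_MATRIX).items():
        print(emp, code, roles)
```

Each exception is a question for the reviewer interviewed under the solution above: either the role matrix is incomplete (E104's job title has no approved role set) or the review signed off rights the role design does not support (E101 and E103 both hold AP_APPROVE outside their title).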
Admin Activity Review

Issue: The other important area that IT auditors generally overlook is the review of the activity logs of privileged users and administrators. The focus is usually on the existence of admin logs for reviewing privileged user activity, which acts as a detective control; the need for preventive controls that would stop misuse of privileged access from occurring in the first place is not emphasized. No doubt you need to trust your own personnel to a certain extent, but the role of administrators is critical to the continuity of the business, and that is precisely what warrants such requirements.

Solution: The IT auditor should interview the relevant personnel to determine whether admin activity is being logged and periodically reviewed. Given the volume of logs, manual review is not humanly possible, so an effective SIEM or log-correlation tool should be implemented and configured to capture critical events, e.g. user creation and deletion, access provisioning and revocation, and unusual activity outside office hours, so that such occurrences are detected in a timely manner.
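Two of the correlation rules named above (critical account changes, and privileged activity outside office hours), run over a handful of constructed log lines. This is an added example and not the article's own material: the key=value log format, the privileged account list and the office-hours window are assumptions, and a real SIEM would normalise the application's own audit-log format before rules like these run.

```python
"""Log-correlation rules over privileged-user activity.

Added example (not from the article). SAMPLE_LOG, PRIVILEGED_ACCOUNTS and the
office-hours window are constructed assumptions; the timestamps fall in
March 2017 so that 2017-03-06 is a Monday and 2017-03-11 a Saturday.
"""
from datetime import datetime, time

PRIVILEGED_ACCOUNTS = {"sysadmin", "dbadmin"}              # assumed admin accounts
CRITICAL_ACTIONS = {"USER_CREATE", "USER_DELETE", "ROLE_GRANT", "ROLE_REVOKE"}
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)         # assumed office hours
WORKDAYS = {0, 1, 2, 3, 4}                                 # Monday..Friday

# Constructed sample lines in "<iso timestamp> key=value ..." form (not real logs).
SAMPLE_LOG = """\
2017-03-06T10:15:02 host=app01 actor=sysadmin action=ROLE_GRANT target=jdoe role=AP_APPROVE
2017-03-06T23:41:10 host=app01 actor=sysadmin action=USER_CREATE target=svc_tmp
2017-03-07T12:03:44 host=app01 actor=jdoe action=LOGIN target=jdoe
2017-03-11T14:20:00 host=db01 actor=dbadmin action=QUERY target=PAYMENTS
2017-03-08T09:00:00 host=app01 actor=hr_batch action=USER_DELETE target=bkhan
"""


def parse_line(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_after_hours(ts):
    """True on weekends or outside the assumed office-hours window."""
    return ts.weekday() not in WORKDAYS or not (OFFICE_START <= ts.time() < OFFICE_END)


def evaluate(event):
    """Return the names of the rules this event triggers (possibly none)."""
    hits = []
    # Rule 1: any account or role change is critical, whoever performs it.
    if event.get("action") in CRITICAL_ACTIONS:
        hits.append("critical_account_change")
    # Rule 2: anything a privileged account does outside office hours.
    if event.get("actor") in PRIVILEGED_ACCOUNTS and is_after_hours(event["ts"]):
        hits.append("privileged_after_hours")
    return hits


def correlate(log_text):
    """Run the rules over every line; return (timestamp, actor, action, rules)
    for the events that need review."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        rules = evaluate(event)
        if rules:
            alerts.append((event["ts"].isoformat(), event["actor"], event["action"], rules))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(*alert)
```

Four of the five constructed lines raise an alert; only the ordinary daytime login is silent. Note that the rules detect, they do not prevent: the midnight USER_CREATE has already happened by the time it is reviewed, which is the point the issue above makes about preventive controls.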
even reviewing the adequacy and need of Access management is being one of the
user rights like it’s a tick box activity, may critical areas of the overall security posture
be just to meet audit requirements. of the organization, enhanced focus/ro-
Solution: An IT auditor should interview bust assessment on this area will enable IT
the reviewer of access rights and ascertain Auditor to provide good insight on their
how he or she performs this review and current security posture and reasonable
on what basis the validity of user rights is assurance to the management & key stake-
assessed or determined. holders.
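The leaver reconciliation with the timeliness check, as an added example that is not part of the article. Both inputs are constructed: an HR leavers list with last working day, and an application user export with status, last login and disable date. The 5-day window is the article's illustrative policy, taken here as an assumption.

```python
"""Leaver reconciliation: join HR leavers to application accounts on employee
ID, then test not just the status but when the account was disabled and
whether it was used after the last working day.

Added example (not from the article). HR_LEAVERS and APP_USERS are
constructed sample extracts; REVOCATION_WINDOW is the article's example
policy (revoke on the last day or within 5 days), assumed here.
"""
import csv
import io
from datetime import date, timedelta

REVOCATION_WINDOW = timedelta(days=5)   # assumed policy window after last working day

# Constructed HR leavers list.
HR_LEAVERS = """employee_id,name,last_working_day
E200,Alice,2016-11-30
E201,Bob,2016-12-15
E202,Carol,2017-01-10
E203,Dan,2017-01-20
E204,Eve,2017-02-03
"""

# Constructed application user export (blank date = not recorded).
APP_USERS = """employee_id,user_name,status,last_login,disable_date
E200,alice,disabled,2016-11-29,2016-12-01
E201,bob,disabled,2016-12-20,2016-12-28
E202,carol,active,2017-02-14,
E203,dan,disabled,2017-01-18,
E205,frank,active,2017-02-20,
"""


def parse_date(text):
    return date.fromisoformat(text) if text else None


def load(text, date_fields):
    """Parse a CSV extract into {employee_id: row}, converting date columns."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        for field in date_fields:
            row[field] = parse_date(row[field])
        rows[row["employee_id"]] = row
    return rows


def reconcile(hr_text, app_text, window=REVOCATION_WINDOW):
    """Return {employee_id: [finding, ...]} for leavers whose account is still
    active, was disabled late or without a recorded date, or was used after
    the last working day. Leavers with no account are not findings."""
    leavers = load(hr_text, ["last_working_day"])
    users = load(app_text, ["last_login", "disable_date"])
    findings = {}
    for emp, leaver in leavers.items():
        user = users.get(emp)
        if user is None:
            continue        # no account in this application for this employee
        lwd = leaver["last_working_day"]
        issues = []
        if user["status"] == "active":
            issues.append("STILL_ACTIVE")
        elif user["disable_date"] is None:
            issues.append("NO_DISABLE_DATE")      # revoked, but no evidence of when
        elif user["disable_date"] > lwd + window:
            issues.append("LATE_REVOCATION:%dd" % (user["disable_date"] - lwd).days)
        if user["last_login"] and user["last_login"] > lwd:
            issues.append("LOGIN_AFTER_LAST_DAY")
        if issues:
            findings[emp] = issues
    return findings


if __name__ == "__main__":
    for emp, issues in reconcile(HR_LEAVERS, APP_USERS).items():
        print(emp, ", ".join(issues))
```

The status-only comparison described under the issue would pass E201 and E203 (both show as disabled). The date comparison shows that E201 was disabled 13 days after leaving and logged in after the last working day, and that E203 has no recorded disable date at all, so timeliness cannot be evidenced.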
Conclusion:

Access management is one of the critical areas of the overall security posture of the organization. An enhanced focus and a robust assessment of this area will enable the IT auditor to provide good insight into the organization's current security posture and reasonable assurance to management and key stakeholders.

Muhammad Awais Naseem
Senior IT Auditor, EY

INTERNAL AUDITOR - MIDDLE EAST, MARCH 2017