Logical Security Applications
TOPIC 1: OVERVIEW OF SECURITY
Introduction
Logical security can occur at various levels within the IT infrastructure, including:
Operating system (OS) and other system software applications.
Database management system.
Application system.
Learning Objectives
Identify how application security controls relate to an IT audit.
Learn the fundamentals of how databases and database management systems operate.
Discuss high-level database security controls.
Describe common operating system controls.
Logical Security Control Components
Components of logical security control include the following:
Authentication – Manner in which the user logs into the system.
Authorization – Manner in which the user gets approved to access the system.
Access Management – Assignment of initial and updated access; provides a level of separation of duties (SoD).
Identification – Manner in which each user is uniquely identified.
Auditing and Follow-up – Includes periodic review of user access capability and analysis of logged events for trends or anomalies.
Access Management Concepts
Access is assigned based on either data classification (e.g., public, sensitive, corporate restricted, and confidential) or functionality (e.g., treasury, ordering, receiving, and journal entry activities).
There are two types of user access:
Individual – Access is manually assigned directly to the individual for each system. It is the most difficult to maintain and report on.
Role – Access is assigned through predetermined roles, which allows for clear distinction between roles. It is the simplest and most cost-effective.
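The following is an added example, not material from the IIA course, showing how the two access-management ideas above combine in practice: roles carry both a business function and a maximum data classification, and a periodic access review (the "Auditing and Follow-up" component) flags separation-of-duties conflicts, individually assigned access that bypasses the role model, and dormant accounts. The role names, users and conflicting function pairs are constructed sample data for illustration.

```python
"""Role-based access with data classification, plus a periodic access review.
Added example; all users, roles and SoD pairs are constructed, not from the course."""
from dataclasses import dataclass, field

# Data classification levels, ordered from least to most sensitive.
CLASSIFICATION = ["public", "sensitive", "corporate restricted", "confidential"]

# Business functions that one person should not hold together (separation of duties).
# These pairings are constructed for the example, not rules stated by the course.
SOD_CONFLICTS = {
    frozenset({"ordering", "receiving"}),
    frozenset({"journal entry", "treasury"}),
}


@dataclass
class Role:
    name: str
    functions: set            # business functions the role may perform
    max_classification: str   # highest data classification the role may read


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)          # role-based access
    direct_functions: set = field(default_factory=set)  # individually assigned access


# Constructed role catalogue: one function per role, each with a classification ceiling.
ROLES = {
    "buyer": Role("buyer", {"ordering"}, "sensitive"),
    "warehouse": Role("warehouse", {"receiving"}, "sensitive"),
    "accountant": Role("accountant", {"journal entry"}, "corporate restricted"),
    "treasurer": Role("treasurer", {"treasury"}, "confidential"),
}


def effective_functions(user):
    """Union of what the user's roles allow and what was granted individually."""
    fns = set(user.direct_functions)
    for role_name in user.roles:
        fns |= ROLES[role_name].functions
    return fns


def can_read(user, classification):
    """True if any of the user's roles reaches the requested classification level."""
    level = CLASSIFICATION.index(classification)
    return any(
        CLASSIFICATION.index(ROLES[r].max_classification) >= level for r in user.roles
    )


def review_access(users):
    """Periodic access review: returns (user, finding) tuples for follow-up."""
    findings = []
    for u in users:
        fns = effective_functions(u)
        for pair in SOD_CONFLICTS:
            if pair <= fns:  # user holds both sides of a conflicting pair
                findings.append((u.name, "SoD conflict: " + " + ".join(sorted(pair))))
        if u.direct_functions:
            findings.append((u.name, "individual assignment bypasses role model: "
                             + ", ".join(sorted(u.direct_functions))))
        if not u.roles and not u.direct_functions:
            findings.append((u.name, "no access assigned; candidate for removal"))
    return findings


# Constructed sample population for the review.
SAMPLE_USERS = [
    User("alice", roles=["buyer"]),
    User("bob", roles=["warehouse"], direct_functions={"ordering"}),  # individual grant
    User("carol", roles=["accountant", "treasurer"]),
    User("dave"),  # account with no access left
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_USERS):
        print(f"{user}: {finding}")
```

Running the script lists bob twice (an SoD conflict created by the individual grant, and the grant itself), carol once (two roles whose functions conflict), and dave once (dormant account); alice produces no finding. The point a reviewer should take from it is that role-based assignment only keeps SoD intact when individual grants are also caught in the review.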
There are two types of database table permissions:
Field – Commonly found in database security.
Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.