
Logical Security Applications

              Object – Provides a defined set of functionality.

            System security is designed under one of two philosophies: 1) least privilege ("deny all"), or
            2) "allow all." A system built under the least privilege philosophy permits no access by default;
            every permission must be assigned explicitly by the administrator. In contrast, a system that
            follows an allow all philosophy grants every user total access automatically, and the administrator
            must restrict access during system configuration. The practical difference is what happens when
            the administrator overlooks something: a deny-all system fails closed (an unconfigured user or
            function has no access), whereas an allow-all system fails open.
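As an added example (not from the course material), the two philosophies expressed as two small authorization policies in Python. Both are configured to express the same intended rights for a constructed set of actions; the instructive case is a function added to the system after configuration, which a deny-all policy blocks for everyone until it is granted, while an allow-all policy exposes it to everyone (including a user the administrator never configured) until it is restricted. The user names, action names and helper functions are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DenyAllPolicy:
    """Least-privilege ("deny all") model: an action is permitted only if an
    administrator has explicitly granted it to that user."""
    grants: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, user: str, action: str) -> None:
        self.grants.setdefault(user, set()).add(action)

    def is_allowed(self, user: str, action: str) -> bool:
        # Unknown user or unknown action: no grant exists, so the answer is "deny".
        return action in self.grants.get(user, set())


@dataclass
class AllowAllPolicy:
    """"Allow all" model: every action is permitted unless an administrator has
    explicitly restricted it for that user."""
    restrictions: dict[str, set[str]] = field(default_factory=dict)

    def restrict(self, user: str, action: str) -> None:
        self.restrictions.setdefault(user, set()).add(action)

    def is_allowed(self, user: str, action: str) -> bool:
        # Unknown user or unknown action: no restriction exists, so the answer is "allow".
        return action not in self.restrictions.get(user, set())


# Constructed sample (hypothetical names): the actions the administrator knew about
# when configuring the system, and the rights each user is intended to have.
KNOWN_ACTIONS = {"view_ledger", "post_journal", "approve_payment"}
INTENDED_RIGHTS = {
    "alice": {"view_ledger", "post_journal"},
    "bob": {"view_ledger"},
}


def configure(intended: dict[str, set[str]]) -> tuple[DenyAllPolicy, AllowAllPolicy]:
    """Configure both models so that they express the same intended rights for
    every action in KNOWN_ACTIONS."""
    deny, allow = DenyAllPolicy(), AllowAllPolicy()
    for user, permitted in intended.items():
        for action in permitted:
            deny.grant(user, action)          # deny-all: enumerate what is allowed
        for action in KNOWN_ACTIONS - permitted:
            allow.restrict(user, action)      # allow-all: enumerate what is forbidden
    return deny, allow


def policies_agree_on_known_actions(intended: dict[str, set[str]]) -> bool:
    """For the actions the administrator configured, both models answer identically."""
    deny, allow = configure(intended)
    return all(deny.is_allowed(u, a) == allow.is_allowed(u, a)
               for u in intended for a in KNOWN_ACTIONS)


def decisions_for_new_action(intended: dict[str, set[str]],
                             new_action: str) -> dict[str, tuple[bool, bool]]:
    """Return {user: (deny_all_decision, allow_all_decision)} for an action added to
    the system after the administrator finished configuring it."""
    deny, allow = configure(intended)
    return {u: (deny.is_allowed(u, new_action), allow.is_allowed(u, new_action))
            for u in intended}


if __name__ == "__main__":
    print(policies_agree_on_known_actions(INTENDED_RIGHTS))            # True
    print(decisions_for_new_action(INTENDED_RIGHTS, "export_ledger"))  # deny-all False, allow-all True
```

The same asymmetry applies to an account nobody configured: `DenyAllPolicy.is_allowed("mallory", ...)` is False, `AllowAllPolicy.is_allowed("mallory", ...)` is True, which is why the deny-all model is the one recommended for systems whose user and function sets change over time.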

            Access Management Concepts: Common Issues

            There are common issues associated with:

              Appropriately authorizing users.
              Processes for authenticating users, including ID and password, and integration throughout all
               software layers (e.g., network, operating system, database, and application).
              Ensuring terminated user rights are revoked without delay.
              Ensuring prior and new access of transferred employees is addressed in a timely manner.
              Restricting access to system privileged accounts (e.g., service accounts, application system
               accounts, batch accounts) and safeguarding their passwords.
              Monitoring users with privileged access capability.
              Ensuring proper set-up of general system security settings.
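The revocation, transfer and privileged-account issues in the list above are exactly what a periodic user access review is meant to catch, and the separation of duties point raised later on this page can be checked from the same data. The following added example (not part of the course material) runs such a review in Python over a constructed HR roster and entitlement export. The account names, roles, the one-week transfer grace period, the approved privileged-account list and the conflicting role pair used for the separation of duties check are all assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Person:
    status: str                        # "active" or "terminated"
    dept: str
    prior_dept: Optional[str] = None   # set when the person transferred departments
    transfer_date: Optional[date] = None


# --- Constructed sample inputs (hypothetical, not from the course) -----------
ROSTER = {  # from the HR system
    "alice": Person("active", "treasury"),
    "bob":   Person("terminated", "finance"),
    "carol": Person("active", "audit", prior_dept="finance", transfer_date=date(2022, 2, 15)),
    "dave":  Person("active", "it"),
    "erin":  Person("active", "finance"),
}
ENTITLEMENTS = [  # (account, role) from the application / database / OS entitlement export
    ("alice", "TREASURY_RECON"),
    ("bob", "AP_CREATE_VENDOR"),
    ("carol", "AP_APPROVE_PAYMENT"), ("carol", "AUDIT_READ"),
    ("dave", "DB_ADMIN"),
    ("erin", "AP_CREATE_VENDOR"), ("erin", "AP_APPROVE_PAYMENT"), ("erin", "DB_ADMIN"),
    ("svc_batch", "DB_ADMIN"),
]
ROLE_OWNER = {"AP_CREATE_VENDOR": "finance", "AP_APPROVE_PAYMENT": "finance",
              "TREASURY_RECON": "treasury", "AUDIT_READ": "audit", "DB_ADMIN": "it"}
PRIVILEGED_ROLES = {"DB_ADMIN"}
APPROVED_PRIVILEGED = {"dave", "svc_batch"}   # holders that are approved and monitored
SOD_CONFLICTS = [frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"})]
TRANSFER_GRACE = timedelta(days=7)            # assumed: prior-role access must be gone within a week
AS_OF = date(2022, 4, 1)


def review(roster: dict[str, Person], entitlements: list[tuple[str, str]], as_of: date, *,
           role_owner=ROLE_OWNER, privileged=PRIVILEGED_ROLES, approved=APPROVED_PRIVILEGED,
           sod_conflicts=SOD_CONFLICTS, grace=TRANSFER_GRACE) -> list[tuple[str, str, str]]:
    """Return a sorted list of (account, finding, detail) tuples."""
    findings: set[tuple[str, str, str]] = set()
    by_account: dict[str, set[str]] = {}
    for account, role in entitlements:
        by_account.setdefault(account, set()).add(role)

    for account, roles in by_account.items():
        # Privileged access: every holder, human or service account, must be on the approved list.
        for role in roles & privileged:
            if account not in approved:
                findings.add((account, "unapproved_privileged", role))
        # Separation of duties: one account must not hold both halves of a conflicting pair.
        for pair in sod_conflicts:
            if pair <= roles:
                findings.add((account, "sod_conflict", "+".join(sorted(pair))))
        person = roster.get(account)
        if person is None:
            # An account with no HR record: service, application or orphaned account to be explained.
            findings.add((account, "account_not_in_roster", ",".join(sorted(roles))))
            continue
        if person.status == "terminated":
            # Any surviving entitlement of a leaver is a revocation failure.
            for role in roles:
                findings.add((account, "terminated_user_access", role))
            continue
        if person.prior_dept and person.transfer_date and as_of - person.transfer_date > grace:
            # Transferred employee still holding roles that belong to the old department.
            for role in roles:
                if role_owner.get(role) == person.prior_dept:
                    findings.add((account, "stale_prior_role", role))
    return sorted(findings)


def sample_findings() -> list[tuple[str, str, str]]:
    return review(ROSTER, ENTITLEMENTS, AS_OF)


if __name__ == "__main__":
    for account, finding, detail in sample_findings():
        print(f"{account:10} {finding:24} {detail}")
```

Each finding maps to one of the issues in the list: `terminated_user_access` to revocation, `stale_prior_role` to transfers, `unapproved_privileged` and `account_not_in_roster` to privileged and system accounts, `sod_conflict` to separation of duties. A real review feeds the same logic with the HR and entitlement exports of every layer (network, OS, database, application) rather than one export.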

            Common Logical Security Controls

              General system security settings are appropriate.
              Password settings are appropriate.
              Access to privileged IT functions is limited to appropriate individuals.
              Access to system resources and utilities is limited to appropriate individuals.
              User access is authorized and appropriately established.
              The logical access process is monitored.

             TOPIC 2: SECURITY APPLICATION LAYER

            Introduction

            The primary objective of logical security at the application layer is to limit a user’s access capability
            to only those functions and data they require to perform their job roles (sometimes referred to as
            restricting users to a “need-to-know” basis).

            The application layer contains the largest set of users and therefore carries the highest degree of
            risk, mainly the risk that incorrect access rights are assigned.

            Internal auditors must keep an open mind to ensure there is physical and logical separation of
            duties (SoD). For example, a bank reconciliation function could be physically separated from the


            Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.