P. 137

Logical Security Applications

              • Restrict password usage, such as requiring alphabetic and numeric characters, limiting login
                attempts, enforcing password change intervals, etc.

            Role Revisions

            Periodically, role revisions are required due to system updates or organizational changes. Revisions
            may include the creation of new roles or the revision of existing roles.

            IP Filtering

            Internet Protocol (IP) filtering is a mechanism to restrict the locations from which users can access
            an application. Such restrictions can be configured at the network level or internally within the
            application. If internal to the application, the allowed IP ranges are usually held in the general
            configuration settings. IP filtering rules usually take the form of a single IP address or a range of
            IP addresses. For example, users could be prevented from logging into the application from specific
            parts of the network or from outside the network.

            IP filtering can also limit the locations from which users can log into cloud-based systems. For
            example, the IP filtering ranges for a particular cloud-based general ledger (GL) system could be
            limited to the organization’s own network. This forces the user to authenticate to the
            organization’s network before accessing the cloud-based system.
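            The application-internal form of this control, as an added Python example that is not part of the course material: the allowed entries (a single address plus two ranges) are constructed sample values, and the function and variable names are hypothetical.

```python
import ipaddress
import logging

# Constructed sample of the "allowed IP ranges" held in an application's general
# configuration settings: a single address and two ranges (hypothetical values).
ALLOWED_ENTRIES = [
    "203.0.113.25",       # single address, e.g. a VPN gateway
    "198.51.100.0/24",    # the organization's IPv4 network
    "2001:db8:10::/48",   # the organization's IPv6 network
]

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("ip_filter")


def parse_allowlist(entries):
    """Turn configured entries into ip_network objects.

    A single address such as 203.0.113.25 becomes a /32 (or /128) network, so
    one membership test covers both rule forms. Malformed entries are rejected
    when the configuration is loaded instead of silently widening the filter.
    """
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid IP filter entry {entry!r}: {exc}") from exc
    return networks


def login_allowed(client_ip, networks, user):
    """Decide whether a login attempt from client_ip may proceed.

    client_ip must be the address the connection actually arrived from (or one
    set by a trusted proxy), never a header the client itself controls.
    Unparseable addresses and addresses outside every range are denied and
    logged, so denied attempts show up in the audit trail.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        log.warning("denied login for %s: unparseable source address %r", user, client_ip)
        return False
    if any(addr in net for net in networks):
        return True
    log.warning("denied login for %s from %s: outside allowed ranges", user, addr)
    return False
```

            Mixed-version comparisons (an IPv6 client against an IPv4 range) simply evaluate to "not a member", so no rule is needed per address family.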

            User Events

            User Events include:

            New User
              • A new user is authorized to the application.
              • A new user is assigned a role.

            Additional Access Request
            Users can be assigned additional access capability due to changes in job function.

            Transferred User
            A transferred user’s access from the previous job role is removed and access is added based on the
            new job role.

            Terminated User
              • A terminated user is an employee or contractor who has ended employment and must be denied
                access to the system.
              • A terminated user’s account could be disabled or removed. Some applications do not allow
                removal, since this would remove all of the user’s actions and the audit trail (orphaned records).
              • Users’ disabled accounts are normally placed into inactive roles to keep them separated from
                the active users.
              • Terminated roles should be continuously monitored for inappropriate use.

            Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.