Logical Security Applications
Security Risks
The primary risks depend on the business systems deployed and may result from a lack of
separation of duties (SoD) within and among the various business system functions. Most risk is
associated with inappropriate access.
Concepts
Types of user accounts at the application layer include:
Business Users
Assignments to the general user population.
Assignments by individual or role.
Roles unique at the process-level.
Activities logged and monitored.
IT Personnel
Assigned based on job duties, taking separation of duties into consideration.
Generally assigned read-only access to production data and information.
Not permitted to promote program source code to production.
Privileged Accounts
IT or business users can have privileged access capability. These users have a higher level of
access to devices or data than others.
There can be several levels of privileged access.
IT engineers, technicians, and administrators may have domain or system administrator rights,
which grant access to configuration settings or other IT functionality.
System Administrator ID
The application comes with one built-in account that has access to all system functionality.
The best practice is to disable this account and have all users log into the application through
their own ID, assigning certain users privileged access capability. As noted earlier, there can
be various levels of privileged access.
If the system administrator ID cannot be disabled, access to it is tightly restricted (normally
to IT personnel) and used only when necessary. Some uses of the ID may be unavoidable. For
example, certain configuration parameters can only be modified using this account rather than
one assigned to an individual with privileged access.
Activities of the system administrator ID are logged and monitored.
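The controls described above for business users (role-level SoD), IT personnel (read-only production access, no code promotion), privileged accounts (logged and monitored) and the built-in system administrator ID can be checked mechanically against an application's account inventory. The script below is an added example, not part of the course material; the `Account` record layout, the conflicting-role pairs and the sample inventory are all constructed for illustration.

```python
"""Check an application account inventory against the access controls above.
The Account layout, SOD_CONFLICTS and SAMPLE are constructed example data."""
from dataclasses import dataclass, field

# Constructed example of role pairs that violate separation of duties.
SOD_CONFLICTS = {frozenset({"create_vendor", "approve_payment"}),
                 frozenset({"enter_journal", "post_journal"})}

@dataclass
class Account:
    user_id: str
    kind: str                  # "business", "it" or "system_admin"
    roles: set = field(default_factory=set)
    enabled: bool = True
    prod_access: str = "none"  # "none", "read" or "write"
    can_promote_code: bool = False
    privileged: bool = False
    logged: bool = False

def audit_accounts(accounts):
    """Return (user_id, finding) pairs, one per control exception."""
    findings = []
    for a in accounts:
        if a.kind == "system_admin":
            if a.enabled:
                findings.append((a.user_id, "built-in system administrator ID is enabled"))
            if not a.logged:
                findings.append((a.user_id, "system administrator ID activity is not logged"))
        if a.kind == "it":
            if a.prod_access == "write":
                findings.append((a.user_id, "IT personnel have write access to production data"))
            if a.can_promote_code:
                findings.append((a.user_id, "IT personnel may promote source code to production"))
        if a.privileged and not a.logged:
            findings.append((a.user_id, "privileged account activity is not logged"))
        for pair in SOD_CONFLICTS:        # role-level separation of duties
            if pair <= a.roles:
                findings.append((a.user_id, "conflicting roles: " + ", ".join(sorted(pair))))
    return findings

# Constructed sample inventory: one exception-free IT account and three with issues.
SAMPLE = [
    Account("sysadmin", "system_admin", enabled=True, logged=False),
    Account("alice", "business", roles={"create_vendor", "approve_payment"}, logged=True),
    Account("bob", "it", prod_access="read", logged=True),
    Account("carol", "it", prod_access="write", can_promote_code=True, privileged=True),
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE):
        print(f"{user}: {finding}")
```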
Application/BOT Accounts
Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.