P. 139

Logical Security Applications


• These are built-in accounts used by the application or an intelligent robot (BOT) for specific functionality.
• For an application BOT to run, it must be assigned a network ID that it can run under. Usually, this network ID interfaces with one of the built-in application accounts. Such network accounts are usually defined as service accounts.
• Additional application accounts may come with the system for other batch processes, or the organization may define customized application accounts for such usage. Examples include accounts for data backup, data movement, data processing, and the application's own built-in account.
• Even though such accounts exist to run processes, BOTs, or the application itself, users may be able to access them depending on how each account is restricted.
• Each account should be logged and closely monitored.
• Each account usually requires a password, and such passwords should be restricted and known to a limited number of personnel.

            Contractors

Most organizations use contractors who are assigned standard business or IT functionality depending on their duties. Contractor access should be closely monitored. Typically, contractor passwords expire every 30 days.

            Controls

            Consideration of access controls includes:

            Access is Approved

• Assignments to the general user population.
• Assignments by individual or role.
• Roles unique at the process level.
• Activities logged and monitored.

            Access is Appropriate

            Users are assigned a specific role based on job duties. Some organizations have established
            preapproved roles that a user with a certain job function is automatically assigned. For example, an
            accountant would be assigned a preapproved accountant’s role.

            Access is Periodically Monitored

• A report of user access capability and role is periodically reviewed to validate current user role assignment.
• This report would include the user account; the person's name, job title, location, and application role; and other information that will allow the reviewer to validate the appropriateness of users and roles.
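As an added illustration (not part of the course text), the following Python script runs the review checks this page describes over a constructed access report: it compares each user's role with the preapproved role for their job title, flags contractor passwords older than the 30-day expiry, and flags service accounts that a person could log on with interactively. The job titles, role names, dates and report rows are constructed assumptions, not real data.

```python
from dataclasses import dataclass
from datetime import date
# Constructed sample policy: job titles mapped to the preapproved role for that job function.
PREAPPROVED_ROLES = {
    "Accountant": "ACCOUNTANT",
    "Payroll Clerk": "PAYROLL",
    "Contract Developer": "DEV_READONLY",
}
CONTRACTOR_PASSWORD_MAX_AGE_DAYS = 30  # contractor password expiry interval stated in the text
REVIEW_DATE = date(2022, 6, 1)         # constructed date on which the review is run

@dataclass
class AccessRecord:
    """One row of the periodic access report: account, person, job, location, role."""
    account: str
    name: str
    job_title: str
    location: str
    role: str
    account_type: str        # "user", "contractor" or "service"
    password_set: date       # date the current password was set
    interactive_logon: bool  # can a person log on interactively with this account?

def review_access(records, today):
    """Return (account, finding) pairs the reviewer must validate or remediate."""
    findings = []
    for r in records:
        expected = PREAPPROVED_ROLES.get(r.job_title)
        if expected and r.role != expected:  # role differs from the preapproved role
            findings.append((r.account, f"role {r.role} differs from preapproved {expected}"))
        if r.account_type == "contractor":  # contractor password past its 30-day expiry
            age = (today - r.password_set).days
            if age > CONTRACTOR_PASSWORD_MAX_AGE_DAYS:
                findings.append((r.account, f"contractor password is {age} days old"))
        if r.account_type == "service" and r.interactive_logon:  # user access to a service account
            findings.append((r.account, "service account allows interactive user logon"))
    return findings

# Constructed sample report rows (not real accounts or people).
SAMPLE_REPORT = [
    AccessRecord("jdoe", "J. Doe", "Accountant", "HQ", "ACCOUNTANT", "user", date(2022, 5, 1), True),
    AccessRecord("asmith", "A. Smith", "Accountant", "HQ", "PAYROLL", "user", date(2022, 5, 1), True),
    AccessRecord("c-lee", "C. Lee", "Contract Developer", "Remote", "DEV_READONLY", "contractor", date(2022, 3, 1), True),
    AccessRecord("svc_backup", "Backup BOT", "Service", "DC1", "BACKUP", "service", date(2022, 1, 1), True),
]

if __name__ == "__main__":
    for account, finding in review_access(SAMPLE_REPORT, REVIEW_DATE):
        print(f"{account}: {finding}")
```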

            Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.