P. 141

Logical Security Applications

      o  Existing users who transferred do not have access to the prior department removed and new
         access granted.
      o  Terminated users still have access to the network or to specific applications and web pages.

From the reports of role activity assignments and user access capability, perform analytical
procedures:
  •  Using the role activity assignments report, review the activities/functions assigned to each role
     (looking for SoD issues).
  •  Compare current and previous role activity assignment reports to ensure variations are
     documented and approved.
  •  Sort the user access capability report by user, role, job title, and function.
  •  Review roles with no or minimal users (such roles may no longer be used or could be combined
     with other roles).
  •  Review roles with large numbers of users to ensure excessive access has not been granted.
     Simplicity is an essential part of effective security.
  •  Perform additional sorts based on the data available. For example, if last login date is included,
     identify and create an audit observation for all dormant accounts (those that are active but have
     not been used in the last 31+ days).
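The analytical procedures above, carried out in code as an added example (this is illustrative code, not material from the IIA course). It takes a constructed role activity assignments report and a constructed user access capability report, plus an assumed SoD rule set, and produces the observations an auditor would sort for: roles that combine conflicting functions, users who reach a conflicting pair through any combination of roles, roles with no users, dormant active accounts (31+ days, or never logged in), and active accounts belonging to people an assumed HR "employed" flag shows as terminated. All role names, users and dates are constructed.

```python
"""Analytical procedures over access-review reports (constructed sample data)."""
from collections import defaultdict
from datetime import date

# Constructed role activity assignment report: role -> activities/functions.
ROLE_ACTIVITIES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_SUPERVISOR": {"approve_invoice", "release_payment"},
    "AP_POWER": {"create_vendor", "enter_invoice", "approve_invoice"},
    "LEGACY_REPORTING": {"run_reports"},
    "DBA": {"db_admin"},
}

# Constructed user access capability report, one row per (user, role).
# "employed" is assumed to come from an HR feed reconciled against the report;
# "last_login" is None when the account has never been used.
USER_ACCESS = [
    {"user": "alice", "role": "AP_CLERK", "job_title": "AP Clerk", "last_login": date(2022, 6, 20), "status": "active", "employed": True},
    {"user": "bob", "role": "AP_CLERK", "job_title": "AP Supervisor", "last_login": date(2022, 6, 25), "status": "active", "employed": True},
    {"user": "bob", "role": "AP_SUPERVISOR", "job_title": "AP Supervisor", "last_login": date(2022, 6, 25), "status": "active", "employed": True},
    {"user": "carol", "role": "AP_POWER", "job_title": "AP Analyst", "last_login": date(2022, 4, 1), "status": "active", "employed": True},
    {"user": "dave", "role": "DBA", "job_title": "DBA", "last_login": None, "status": "active", "employed": True},
    {"user": "erin", "role": "AP_CLERK", "job_title": "AP Clerk", "last_login": date(2022, 6, 28), "status": "active", "employed": False},
]

# Assumed SoD rule set: activity pairs that must not be held by one role or one person.
SOD_CONFLICTS = [("create_vendor", "approve_invoice"), ("enter_invoice", "approve_invoice")]

# Report date for the dormancy test (constructed).
AS_OF = date(2022, 6, 30)


def _conflicts_in(activities, conflicts):
    """Conflicting pairs fully contained in one activity set."""
    return [(a, b) for a, b in conflicts if a in activities and b in activities]


def sod_issues_by_role(role_activities=ROLE_ACTIVITIES, conflicts=SOD_CONFLICTS):
    """Roles whose own activity set combines conflicting functions."""
    return sorted((role, a, b) for role, acts in role_activities.items()
                  for a, b in _conflicts_in(acts, conflicts))


def effective_activities(user_access=USER_ACCESS, role_activities=ROLE_ACTIVITIES):
    """Union of activities a user holds across every assigned role."""
    acts = defaultdict(set)
    for row in user_access:
        acts[row["user"]] |= role_activities.get(row["role"], set())
    return dict(acts)


def sod_issues_by_user(user_access=USER_ACCESS, role_activities=ROLE_ACTIVITIES, conflicts=SOD_CONFLICTS):
    """Users who reach a conflicting pair through any combination of their roles."""
    return sorted((user, a, b) for user, acts in effective_activities(user_access, role_activities).items()
                  for a, b in _conflicts_in(acts, conflicts))


def role_user_counts(user_access=USER_ACCESS, role_activities=ROLE_ACTIVITIES):
    """Distinct users per role, including roles with zero users (candidates for removal)."""
    users = defaultdict(set)
    for row in user_access:
        users[row["role"]].add(row["user"])
    return {role: len(users[role]) for role in role_activities}


def dormant_accounts(as_of=AS_OF, user_access=USER_ACCESS, days=31):
    """Active accounts not used in the last `days` days, or never used at all."""
    dormant = set()
    for row in user_access:
        if row["status"] != "active":
            continue
        if row["last_login"] is None or (as_of - row["last_login"]).days >= days:
            dormant.add(row["user"])
    return sorted(dormant)


def terminated_with_access(user_access=USER_ACCESS):
    """Accounts still active although HR shows the person is no longer employed."""
    return sorted({row["user"] for row in user_access
                   if row["status"] == "active" and not row["employed"]})


if __name__ == "__main__":
    print("Role-level SoD issues:", sod_issues_by_role())
    print("User-level SoD issues:", sod_issues_by_user())
    print("Users per role:", role_user_counts())
    print("Dormant accounts as of", AS_OF, ":", dormant_accounts())
    print("Terminated users with active access:", terminated_with_access())
```

Each function returns a sorted list or dict so the output can be pasted straight into an audit observation. Note that the user-level SoD check catches conflicts the role-level check misses (bob holds two individually clean roles that together combine entry and approval), which is why both reports are needed.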

            Obtain a report of users with privileged access capability and test to ensure privileged access
            assigned is appropriate. This could be combined with other tests.

Interview the users who periodically review users' access capability and test to ensure their review
procedures are reasonable for identifying inappropriate access. In addition, review the adequacy of training
materials or other guidance provided on the manner in which access should be reviewed.
  •  During the reviewer's periodic evaluation, items needing change will be noted. Test a sample of
     changes to validate that requested changes were correctly completed.

If the application creates audit trails, then test the appropriateness of monitoring procedures over
selected users' activity, especially those with privileged access capability. The internal auditor may
then potentially extract audit trails and review them for any trends or anomalies. Follow up as applicable.

            Master Audit Plan and IT Audit Plan Suggestions

            An organization will have many applications. Given an internal audit activity’s limited resources, one
            consideration is to rank applications in risk order and perform the previously described tests on a
            rotational basis. The suggested testing procedures should include the entitlement review process
(where authorization and access assigned are evaluated).

             TOPIC 3: SECURITY DATABASE LAYER

            Introduction

            The primary objective of security at the database layer is to restrict the general user population.
            Normally, access to the database layer is limited to Database Administrators (DBAs).
            Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.