Page 26 - CITP Review

Security authorization & authentication

The effectiveness of logical access controls depends in part on having separate authorization and authentication controls. Authorization concerns the login credentials and restricts access to users on a need-to-know basis; however, authorization controls by themselves are not adequate for higher-risk situations. Specifically, a hacker or intruder will try to obtain or guess login credentials and, if successful, will be able to gain access to the network. Authentication controls are needed to prevent this scenario.

The objective of authentication controls is to verify that the person using those credentials is who that person claims to be. Authentication could take the form of multifactor access controls such as additional credentials, temporary PINs, security questions, and biometrics; the ultimate authentication control is biometric (for example, a fingerprint), where the control is the person. The user would need the appropriate login credentials to be authorized to use the system, and the system would then authenticate that person with the additional layer of access controls.

The CITP would need to consider the need for authentication and whether the appropriate access controls are in place and operating effectively.
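The two layers described above, as an added example that is not part of the CITP Review text: a password check (the "login credentials" of authorization) followed by a temporary PIN check (RFC 6238 time-based one-time password as the second factor). The account, salt and seed are constructed for the demonstration; the seed is the RFC 6238 reference test secret, so the PINs it generates match the RFC's published vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo account (not from the page). The TOTP seed is the RFC 6238
# reference test secret, so the generated PINs can be checked against the RFC.
DEMO_SALT = b"constructed-salt"
DEMO_USER = {
    "username": "alice",
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000),
    "totp_secret": b"12345678901234567890",
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time PIN (RFC 6238, HMAC-SHA1): the 'temporary PIN' factor."""
    counter = struct.pack(">Q", unix_time // step)  # 30-second time slice as a big-endian counter
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in HOTP (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authorize(user: dict, username: str, password: str) -> bool:
    """Authorization in the page's sense: does the caller hold valid login credentials?"""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)
    return username == user["username"] and hmac.compare_digest(candidate, user["password_hash"])


def authenticate(user: dict, pin: str, unix_time: int, window: int = 1) -> bool:
    """Second factor: accept the PIN for the current step and +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(user["totp_secret"], unix_time + drift * 30)
        if hmac.compare_digest(expected, pin):
            return True
    return False


def login(user: dict, username: str, password: str, pin: str, unix_time: Optional[int] = None) -> str:
    """Credentials alone never grant access: a guessed or stolen password still fails without the PIN."""
    if unix_time is None:
        unix_time = int(time.time())
    if not authorize(user, username, password):
        return "denied: bad credentials"
    if not authenticate(user, pin, unix_time):
        return "denied: second factor failed"
    return "granted"
```

The drift window is the practical caveat: too wide a window extends how long an intercepted PIN stays usable, so one step either side is a common setting.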




Business continuity and disaster recovery

Backup and recovery involves the appropriate backup of data, a suitable business continuity plan, and an effective disaster recovery plan. As with all other ITGCs, the specific scope of this control depends on the entity and its own risk associated with backup and recovery.



Business continuity plan and disaster recovery plan

Some deleterious IT events require only a restoration of data backups, followed by recovery of any events, transactions, and data that occurred in the short interim between the backup and the recovery. Other events are more catastrophic and include severe damage to operational IT systems.

For instance, if a system crash or malicious attack causes systems to be down for a lengthy time, the entity needs a business continuity plan (BCP), which takes into account server interruptions, a lengthy interruption, and the need not only to restore data but also to fix or restore computers, operating systems, and other affected components.

A disaster recovery plan (DRP) is needed in the event that the entity is the victim of a catastrophic event such as a fire, flood, tornado, or hurricane in which technologies, systems, and data are completely destroyed, along with the facilities and supplies needed to operate and function properly. A DRP provides for restoring the data as well as all aspects of the systems, should they be destroyed or become unavailable for an unacceptable length of time.

The scope of what the CITP does regarding the BCP or DRP depends on the extent to which the entity relies upon its IT for operations, and on the objective. For financial audits, the audit objective involves the degree to which a disaster or significant event can lead to the RMM. Sometimes it will potentially lead to the


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-18