Module 4
Section 3

5. AUDIT CHECKLIST ON LOGICAL ACCESS CONTROLS

The following is an illustrative questionnaire that could be used to review logical access controls within operating systems and databases.

Access Management Policy and Procedure

1. Whether the access management policy and procedure are documented?
2. Whether the access management policy and procedure are approved by the management?
3. Whether the access management policy and procedure document includes:
   - Scope and objective.
   - Procedure for user ID creation, approval, review, suspension, and deletion.
   - Granting access to third parties.
   - Password management.
   - User access rights assignment and modifications.
   - Emergency access granting.
   - Monitoring access violations.
   - Review and update of the document.

Access Management

1. Whether user IDs and access rights are granted with an approval from the appropriate level of IS and functional head? (Review the user ID creation, granting of access rights and approval process.)
2. Whether the organization follows the principle of segregation of duties adequately in granting access rights? (Access rights should be given on a need-to-know and need-to-do basis, without unchecked concentration of power.)
3. Whether user IDs are in a unique format? (Review the naming conventions for the user IDs.)
4. Whether invalid attempts are monitored and user IDs are suspended after a specific number of attempts? (Review the parameters set for unsuccessful attempts.)
5. Whether the organisation follows complex composition for password parameters? (Complex composition of password parameters should be used so as to make passwords difficult to guess and to prevent unauthorised users from gaining access; e.g. special characters and numbers should be part of the password, and use of the organisation's name, 123, xyz or other generic strings as passwords should be restricted.)
6. Whether granting access to third parties is according to the Access Management policy and procedure? (The organization should specify and implement a process for granting access to third parties like contractors, suppliers, auditors, consultants etc.)
7. Whether users are forced to change passwords on first log-on and at periodic intervals? (Review the password parameters for first log-on and password aging.)
8. Whether the organisation has implemented clear screen and clear desk policies? (Terminals should be automatically logged off if they remain idle for a specific time.)
9. Whether the organisation restricts concurrent log-on? (One user ID should not be allowed to be logged in on two different terminals at the same time.)
10. Whether users' IDs are shared? (Review whether users' IDs are shared among the employees/users or not.)
11. Whether multiple user IDs are allocated to a single individual?
12. Are access policy and procedure documents communicated / available to the respective users?
13. Whether user IDs and passwords are communicated to the user in a secured manner? (Review the procedure for communicating the user ID and password for the first time and after suspension.)
14. Whether the organisation reviews user IDs and access rights at periodic intervals?
15. Whether the organisation monitors logs for the access?
16. Whether policy and procedure documents are reviewed and updated at regular intervals?
17. Whether access to scheduled jobs is restricted to authorised users?
18. Whether emergency user ID creation is according to the policy and procedure for Access Management? (Review the emergency access granting procedure, including approvals and monitoring.)
19. Whether the periodic review process ensures that user accounts align with business needs and are removed on termination/transfer? (Review and evaluate procedures for creating user accounts and ensure that accounts are created only when there is a legitimate business need and that accounts are removed or disabled in a timely fashion in the event of termination or job change.)
20. Whether passwords are shadowed and use strong hash functions? (Ensure the strength of passwords and the access permissions on password files. Review and evaluate the strength of system passwords and the use of password controls such as password aging.)
21. Review the process for setting initial passwords for new users and communicating those passwords, and evaluate the tracking of each password to a specific employee.
22. Whether the use of groups and the access levels set for a specific group determine the restrictiveness of their use? (Evaluate the use of passwords and access rights at the group level.)
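As an added illustration (not part of the checklist), the following Python script audits a constructed /etc/shadow-style file against the password checkpoints above: no empty passwords, hashes from a strong algorithm, and password aging within policy. The field layout and hash prefixes follow the standard Linux shadow(5) format; the sample entries, the 90-day maximum and the `STRONG_HASH_PREFIXES` list are assumptions chosen for the example.

```python
from datetime import date

# Constructed sample in /etc/shadow format (made up for this example, not a real system's file):
# name:hash:lastchange(days since 1970-01-01):min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijk:19700:0:90:7:::
alice:$y$j9T$constructedsalt$constructedhashvalue:19750:1:90:7:::
bob:$1$legacy$0123456789abcdefghijkl:18000:0:99999:7:::
carol::19800:0:90:7:::
dave:!:19800:0:90:7:::
eve:$6$saltsalt$constructedhashvalue:19000:0:90:7:::
"""

# Hash prefixes the audit accepts as strong (SHA-256, SHA-512, yescrypt, scrypt, bcrypt); assumption
STRONG_HASH_PREFIXES = ("$5$", "$6$", "$y$", "$7$", "$2b$", "$2y$")

def audit_shadow(text, max_days_policy=90, today_days=None):
    """Return {user: [findings]} for entries breaching the checklist's password parameters."""
    if today_days is None:
        today_days = (date.today() - date(1970, 1, 1)).days
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw, lastchg, _min_days, max_days = line.split(":")[:5]
        issues = []
        locked = pw.startswith(("!", "*"))          # disabled account: no password to assess
        if pw == "":
            issues.append("empty password")         # account can log on without a password
        elif not locked and not pw.startswith(STRONG_HASH_PREFIXES):
            issues.append("weak or legacy hash")    # e.g. $1$ (MD5) or traditional DES crypt
        if max_days == "" or int(max_days) > max_days_policy:
            issues.append("password aging exceeds policy")   # no forced periodic change
        if pw and not locked and lastchg and today_days - int(lastchg) > max_days_policy:
            issues.append("password older than policy")      # change was never enforced
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user}: {', '.join(issues)}")
```

Locked entries (`!` or `*`) are skipped for hash and age checks but still reported if their aging parameters are outside policy, since re-enabling such an account would inherit them.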
23. Ensure that the facility to log on as super/root is restricted to the system console for security reasons.
24. Check whether the parameters to control the maximum number of invalid logon attempts have been specified properly in the system according to the security policy.
25. Check whether password history maintenance has been enabled in the system to disallow the same passwords from being reused on a rotation basis.
26. Check the parameters in the system that control automatic log-on from a remote system, the concurrent connections a user can have, and users logged on to the system at odd times (midnight, holidays, etc.), and ensure that they have been properly set according to the security policy.

Maintenance of sensitive passwords

1. Ascertain who is the custodian of sensitive passwords such as super/root, whether that person is maintaining secrecy of the password, and whether the password has been preserved in a sealed envelope with movement records for use in case of emergency.
2. From the log file, identify the instances of use of sensitive passwords such as super and whether records have been maintained with the reason for the same. Ensure that such instances have been approved/authorised by the management.
3. From the log file, identify the instances of unsuccessful logon attempts to super and check the terminal ID / IP address from which they are happening. Check whether appropriate reporting and escalation procedures are in place for such violations.
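Added example, not part of the checklist: a small Python review of a constructed syslog-style auth log that pulls out the events the last three checks and item 26 ask the auditor to identify from the log file (use of the root ID via su, repeated unsuccessful logons to root together with their source address, root logons accepted from a remote source rather than the system console, and activity at odd hours). The message shapes follow the usual su and OpenSSH log formats; the sample lines, host name, addresses, business hours and the threshold of three attempts are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample auth log in syslog style (made up for this example, not from a real host)
SAMPLE_AUTH_LOG = """\
Mar 18 02:14:07 host su[2201]: (to root) alice on pts/1
Mar 18 09:01:12 host sshd[3102]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 18 09:01:15 host sshd[3102]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 18 09:01:19 host sshd[3102]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 18 09:02:01 host sshd[3110]: Failed password for invalid user admin from 198.51.100.4 port 40000 ssh2
Mar 18 11:30:44 host su[2390]: (to root) bob on pts/3
Mar 18 23:50:02 host sshd[3210]: Accepted password for root from 192.0.2.9 port 5022 ssh2
"""

SU_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su\[\d+\]: \(to (\S+)\) (\S+) on (\S+)")
SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) \w+ for "
                    r"(?:invalid user )?(\S+) from (\S+) port")

def review_auth_log(text, business_hours=(8, 18), threshold=3):
    """Pull out the events the checklist asks the auditor to identify from the log file."""
    report = {"su_to_root": [], "failed_root_by_source": Counter(),
              "remote_root_logins": [], "odd_hour_events": []}
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:                                   # use of a sensitive ID via su
            ts, target, user, tty = m.groups()
            if target == "root":
                report["su_to_root"].append((ts, user, tty))
            event = f"{user} su to {target} on {tty}"
        else:
            m = SSH_RE.match(line)
            if not m:
                continue                        # not an event this review covers
            ts, result, user, src = m.groups()
            if user == "root" and result == "Failed":    # unsuccessful logon to root, by source
                report["failed_root_by_source"][src] += 1
            if user == "root" and result == "Accepted":  # root logon not from the system console
                report["remote_root_logins"].append((ts, src))
            event = f"{result} ssh logon for {user} from {src}"
        hour = int(ts.split()[2][:2])           # syslog timestamp looks like "Mar 18 02:14:07"
        if not business_hours[0] <= hour < business_hours[1]:
            report["odd_hour_events"].append((ts, event))
    # sources whose failed root attempts reached the lockout/escalation threshold
    report["sources_over_threshold"] = [s for s, n in report["failed_root_by_source"].items()
                                        if n >= threshold]
    return report

if __name__ == "__main__":
    for key, value in review_auth_log(SAMPLE_AUTH_LOG).items():
        print(key, value)
```

Each su-to-root entry in the report should be matched against the usage records and management approvals that check 2 requires; entries without a record are the exceptions to raise.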