1.4.5 & 2.4.5 IDENTITY AND ACCESS MANAGEMENT and SYSTEM ACCESS PERMISSION
IT assets under logical security can be grouped into four layers: networks, platforms, databases and applications.
The network and platform layers provide pervasive, general systems control over users authenticating into systems, system software and application configurations, data sets, load libraries (a load library contains programs ready to be executed) and any production data set libraries.
Database and application controls generally provide a greater degree of control over user activity within a particular business process, by controlling access to records, specific data fields and transactions.
The information owner or manager should provide written authorization for users or defined roles to gain access to the information resources under their control.
The owner should hand this documentation directly to the security administrator, so that the authorization cannot be mishandled or altered on the way.
The information asset owner should review access controls periodically against a predetermined authorization matrix that defines the least-privileged access level and authority for each individual or role, with reference to his/her job roles and responsibilities.
The review is needed because of authorization creep, which impairs the effectiveness of access controls and is made worse by:
personnel and departmental changes, after which rights accumulated in a previous role are not revoked,
access not being removed when personnel leave the organization, which increases the risk of unauthorized access,
malicious efforts,
carelessness.
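The periodic review described above, as an added example that is not part of the original notes: the script compares what each account actually holds with a predetermined authorization matrix and reports the three conditions the review exists to catch (rights beyond the current role, leavers whose access was never removed, and accounts with no HR record). The matrix, the HR roster, the entitlement export and the field names are constructed sample data, not a real system's format.

```python
"""Periodic review of granted access against a predetermined authorization
matrix: flags authorization creep (rights beyond the current role), leavers
whose access was not removed, and accounts with no HR record.

Added example, not from the original notes. The matrix, roster and entitlement
export below are constructed sample data; the field names are assumptions.
"""
from datetime import date

# Authorization matrix: least-privileged (resource, level) set per job role.
AUTH_MATRIX = {
    "ap_clerk":   {("AP_INVOICES", "update"), ("VENDOR_MASTER", "read")},
    "ap_manager": {("AP_INVOICES", "update"), ("VENDOR_MASTER", "update"),
                   ("AP_PAYMENT_RUN", "execute")},
    "auditor":    {("AP_INVOICES", "read"), ("VENDOR_MASTER", "read"),
                   ("AP_PAYMENT_RUN", "read")},
}

# HR roster: current role per user; `left` is the termination date, if any.
HR_ROSTER = {
    "alice": {"role": "ap_clerk",   "left": None},
    "bob":   {"role": "ap_clerk",   "left": None},             # moved from ap_manager
    "carol": {"role": "auditor",    "left": None},
    "dave":  {"role": "ap_manager", "left": date(2024, 3, 31)},
}

# Entitlement export from the target system: what each account actually holds.
ENTITLEMENTS = {
    "alice": {("AP_INVOICES", "update"), ("VENDOR_MASTER", "read")},
    "bob":   {("AP_INVOICES", "update"), ("VENDOR_MASTER", "update"),
              ("AP_PAYMENT_RUN", "execute")},   # still holds manager rights
    "carol": {("AP_INVOICES", "read"), ("VENDOR_MASTER", "read"),
              ("AP_PAYMENT_RUN", "read")},
    "dave":  {("AP_PAYMENT_RUN", "execute")},   # account not removed on exit
    "eve":   {("VENDOR_MASTER", "read")},       # no matching HR record
}

REVIEW_DATE = date(2024, 6, 30)


def review_entitlements(matrix, roster, entitlements, today):
    """Compare held entitlements with the matrix and return a sorted list of
    (user, finding, details) tuples for the information owner to act on."""
    findings = []
    for user, held in sorted(entitlements.items()):
        person = roster.get(user)
        if person is None:
            findings.append((user, "NO_HR_RECORD", sorted(held)))
            continue
        if person["left"] is not None and person["left"] <= today:
            findings.append((user, "LEAVER_ACCESS_NOT_REMOVED", sorted(held)))
            continue
        # A role missing from the matrix authorizes nothing, so all of it is excess.
        allowed = matrix.get(person["role"], set())
        excess = held - allowed
        if excess:
            findings.append((user, "EXCESS_PRIVILEGE", sorted(excess)))
    return findings


def run_review():
    """Run the review over the constructed sample data as of REVIEW_DATE."""
    return review_entitlements(AUTH_MATRIX, HR_ROSTER, ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding, details in run_review():
        print(f"{user:8s} {finding:28s} {details}")
```

The review only reports; revoking the excess rights remains the security administrator's action on the owner's written instruction, as the notes describe.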
Upon receipt of a proper authorization request from the information owner or manager, the security administrator invokes the appropriate system access control mechanism to grant the specified user the rights for access to, or use of, the protected resource.
The IS auditor should be aware that access is granted to the organization's information systems using the principles of need-to-know, least privilege and segregation of duties (SoD).
Logical access capabilities are implemented by security administration in a set of access rules that stipulate which users (or groups of users) are authorized to access a resource, at what level (e.g., read-, update- or execute-only) and under which conditions (e.g., time of the day or a subset of computer terminals).
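A rule set of the kind just described, as an added example that is not part of the original notes: each rule names a subject (user or group), a resource, the levels it permits, and optional conditions on time of day and on the terminals the request may come from. Evaluation is default deny. The rule fields, group names and sample rules are constructed; the time window that crosses midnight is included because it is the case a naive comparison gets wrong.

```python
"""Evaluate access rules: which subjects may access a resource, at what level,
and under what conditions (time of day, permitted terminals).

Added example, not from the original notes. Rule fields, group names and the
sample rules are constructed for illustration.
"""
from datetime import time


class Rule:
    def __init__(self, subject, resource, levels, hours=None, terminals=None):
        self.subject = subject            # "user:<name>" or "group:<name>"
        self.resource = resource
        self.levels = frozenset(levels)   # permitted levels, e.g. {"read", "update"}
        self.hours = hours                # ("HH:MM", "HH:MM") window, or None for any time
        self.terminals = None if terminals is None else frozenset(terminals)  # None = any terminal


# Constructed sample rule set. No hierarchy between levels: update does not
# imply read, each level must be granted explicitly.
RULES = [
    Rule("group:ap_clerks", "AP_INVOICES", {"read", "update"},
         hours=("08:00", "18:00"), terminals={"TERM01", "TERM02"}),
    Rule("group:auditors", "AP_INVOICES", {"read"}),
    Rule("user:pay_batch", "AP_PAYMENT_RUN", {"execute"},
         hours=("22:00", "02:00"), terminals={"BATCH01"}),   # window crosses midnight
]

# Constructed group membership.
GROUPS = {"alice": {"ap_clerks"}, "carol": {"auditors"}, "pay_batch": set()}


def in_window(at, start, end):
    """True if `at` falls in [start, end); handles windows that cross midnight."""
    s, e = time.fromisoformat(start), time.fromisoformat(end)
    if s <= e:
        return s <= at < e
    return at >= s or at < e


def is_permitted(user, resource, level, at_hhmm, terminal, rules=RULES, groups=GROUPS):
    """Default-deny evaluation: permit only if some rule matches the subject,
    resource and level, and every condition attached to that rule holds."""
    at = time.fromisoformat(at_hhmm)
    subjects = {"user:" + user} | {"group:" + g for g in groups.get(user, ())}
    for rule in rules:
        if rule.subject not in subjects or rule.resource != resource:
            continue
        if level not in rule.levels:
            continue
        if rule.hours is not None and not in_window(at, *rule.hours):
            continue
        if rule.terminals is not None and terminal not in rule.terminals:
            continue
        return True
    return False


if __name__ == "__main__":
    print(is_permitted("alice", "AP_INVOICES", "update", "09:30", "TERM01"))   # True
    print(is_permitted("alice", "AP_INVOICES", "update", "19:00", "TERM01"))   # False, outside hours
    print(is_permitted("pay_batch", "AP_PAYMENT_RUN", "execute", "01:00", "BATCH01"))  # True
```

Conditions are evaluated per matching rule, so a user who matches one rule that fails its time window is not rescued by the fact that a different level or terminal would have been allowed; the request is denied unless some single rule permits it in full.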
1. IDENTITY AND ACCESS MANAGEMENT
IAM is a critical building block and the first line of defense, because it prevents unauthorized access (or unauthorized processes) to a computer system or an information asset.
Access to systems and data should be appropriately authorized and commensurate with the role of the individual. Authorization generally takes the form of signatures (physical or electronic).
The IS auditor should be aware of the strengths and weaknesses of the various IAM architectures, as well as the risk associated with each architecture and how it may be addressed.
Benefits
On the basis of identification and authentication, and by analyzing the security profiles of the user and the resource, it is possible to determine whether the requested access is to be allowed.
Identification and authentication are needed for most types of access control and are necessary for establishing user accountability.
Logical access controls are used to manage and protect information assets.
The success of logical access controls is tied to the strength of the authentication method; the strength of the authentication is proportional to the quality of the method used.
2. SYSTEM ACCESS PERMISSION
Refers to a technical privilege, such as the ability to read, create, modify or delete a file or data; execute a program; or open or use an external connection.
System access to computerized information resources is established, managed and controlled at the physical and/or logical level.
Physical access controls restrict the entry and exit of personnel to an area such as an office building, suite, data center or room containing information processing equipment such as a LAN server; they include badges, memory cards, guard keys, true floor-to-ceiling wall construction, fences, locks and biometrics.
Logical system access controls restrict the logical resources of the system (transactions, data, programs, applications) and are applied when the subject resource is needed.
Such controls may be built into the operating system (OS), invoked through separate access control software, and incorporated into real-time performance monitors, application programs, databases, network control devices and utilities.
Principles that should be used by IS auditors when they evaluate the appropriateness of the criteria for defining permissions and granting security privileges:
Physical or logical system access to any computerized information should be on a documented NEED-TO-KNOW basis.
Other considerations for granting access are ACCOUNTABILITY (e.g., unique user ID) and TRACEABILITY (e.g., logs).
Logical access controls
MANDATORY AND DISCRETIONARY ACCESS CONTROLS (MAC and DAC)
MAC
Used to validate access credentials that cannot be controlled or modified by normal users or data owners; they act by default.
They provide a ground level of critical security without possible exception, if this is required by corporate security policies or other security rules.
Only an administrator may change the category of a resource, and NO ONE may grant a right of access that is explicitly forbidden in the ACCESS CONTROL POLICY.
MACs are prohibitive: anything that is not expressly permitted is forbidden.
DAC
May be configured or modified by the users or data owners; activated or modified at the discretion of the data owner.
Data owner-defined sharing of information resources, where the data owner may select who will be enabled to access his/her resource and the security level of that access.
DACs cannot override MACs; DACs act as an additional filter, prohibiting still more access under the same exclusionary principle.
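The MAC/DAC layering described above, as an added example that is not part of the original notes: the mandatory check (administrator-set labels, default deny) runs first and the owner-maintained ACL runs second, so an owner's grant can narrow what MAC allows but can never widen it. The labels, users, owners and ACLs are constructed sample data; a simple ordered classification ("clearance must dominate classification") stands in for whatever policy a real system would enforce.

```python
"""Layered access decision: mandatory access control (labels set by an
administrator only, nothing permitted by default) is checked first; the
discretionary ACL maintained by the data owner is checked second and can only
remove access that MAC would allow, never add access that MAC forbids.

Added example, not from the original notes. Labels, users and ACLs below are
constructed sample data.
"""
# MAC: ordered classification labels, changeable by an administrator only.
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ADMINS = {"secadmin"}

SUBJECT_CLEARANCE = {"alice": "internal", "bob": "confidential", "carol": "restricted"}
OBJECT_CLASSIFICATION = {"payroll.xlsx": "confidential", "newsletter.txt": "public"}

# DAC: per-object ACLs, changeable by the object's owner only.
OBJECT_OWNER = {"payroll.xlsx": "bob", "newsletter.txt": "alice"}
DAC_ACL = {
    "payroll.xlsx": {"bob": {"read", "write"}, "alice": {"read"}},  # bob's grant to alice
    "newsletter.txt": {"alice": {"read", "write"}, "bob": {"read"}},
}


def mac_permits(subject, obj):
    """The subject's clearance must dominate the object's classification.
    Unknown subjects or objects are denied: nothing is permitted by default."""
    clearance = SUBJECT_CLEARANCE.get(subject)
    classification = OBJECT_CLASSIFICATION.get(obj)
    if clearance is None or classification is None:
        return False
    return LABEL_RANK[clearance] >= LABEL_RANK[classification]


def dac_permits(subject, obj, op):
    """Owner-defined sharing: the subject needs an explicit ACL entry for op."""
    return op in DAC_ACL.get(obj, {}).get(subject, set())


def access(subject, obj, op):
    """Return ("allow", None) or ("deny", <layer that denied>). MAC is consulted
    first, so a DAC entry is never enough on its own."""
    if not mac_permits(subject, obj):
        return ("deny", "mac")
    if not dac_permits(subject, obj, op):
        return ("deny", "dac")
    return ("allow", None)


def dac_grant(actor, obj, grantee, ops):
    """Owner-only change to the discretionary ACL. It does not consult MAC:
    the grant is recorded, but access() still refuses it if MAC forbids it."""
    if OBJECT_OWNER.get(obj) != actor:
        raise PermissionError("only the owner of %s may change its ACL" % obj)
    DAC_ACL.setdefault(obj, {}).setdefault(grantee, set()).update(ops)


def set_classification(actor, obj, label):
    """Administrator-only change to a mandatory label."""
    if actor not in ADMINS:
        raise PermissionError("only an administrator may relabel %s" % obj)
    if label not in LABEL_RANK:
        raise ValueError("unknown label %r" % label)
    OBJECT_CLASSIFICATION[obj] = label


if __name__ == "__main__":
    print(access("bob", "payroll.xlsx", "read"))     # ('allow', None)
    print(access("alice", "payroll.xlsx", "read"))   # ('deny', 'mac'): owner's grant cannot override MAC
    print(access("carol", "payroll.xlsx", "read"))   # ('deny', 'dac'): cleared, but owner never shared it
```

The alice case is the sentence "NO ONE may grant a right of access that is explicitly forbidden" in code: the owner recorded a grant, and it changes nothing. The carol case is DAC acting as the additional filter: MAC would allow, the owner's ACL still says no.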
Development of a security-conscious culture increases the effectiveness of access controls.