4.4.5 and 5.4.5 LOGICAL ACCESS & ACCESS CONTROL SOFTWARE
Logical access is the ability to interact with computer resources. It is granted through:
• Identification
• Authorization
• Authentication
ACCESS CONTROL SOFTWARE
The purpose of access control software is to prevent unauthorized access to and modification of an organization's sensitive data and the use of system-critical functions.
It is necessary to apply access controls across all layers of an organization's IS architecture, including networks, platforms or OSs, databases, and application systems.
The greatest degree of protection in applying access control software against internal and external users' unauthorized access is at the network and platform/OS levels.
OS access control software is typically restricted to privileged users. It interfaces with:
• network access control software, which resides on network layer devices (e.g., routers and firewalls) that manage and control external access to organizations' networks
• database and/or application systems access controls, to protect system libraries and user data sets
General operating and/or application systems access control functions include:
• Create or change user profiles.
• Assign user identification and authentication.
• Apply user logon limitation rules.
• Ensure users' access is commensurate with their job responsibilities.
• Ensure notification concerning proper use and access prior to initial login.
• Create individual accountability and auditability by logging user activities.
• Establish rules for access to specific information resources (e.g., system-level application resources and data).
• Log events.
• Report capabilities.
Database and/or application-level access control functions include the following:
• Create or change data files and database profiles.
• Verify user authorization at the application and transaction level.
• Verify user authorization within the application.
• Verify user authorization at the field level for changes within a database.
• Verify subsystem authorization for the user at the file level.
• Log database/data communications access activities for monitoring access violations.
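The two function lists above (user profiles, accountability through logging, and transaction-level plus field-level authorization checks) can be seen working together in this added example. It is constructed for this page, not code from any product or from ISACA; the roles, users and the customer record are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample access profiles (hypothetical roles, not from the page):
# each role lists the transactions it may run and the database fields it may change.
PROFILES = {
    "teller": {"transactions": {"view_customer", "update_customer"},
               "fields": {"customer.address"}},
    "supervisor": {"transactions": {"view_customer", "update_customer", "reverse_txn"},
                   "fields": {"customer.address", "customer.credit_limit"}},
}
USERS = {"alice": "teller", "bob": "supervisor"}  # user profile -> role

AUDIT_LOG = []  # every authorization decision is recorded for individual accountability


def _log(user, check, target, allowed):
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                      "check": check, "target": target, "allowed": allowed})


def authorize_transaction(user, transaction):
    """Application/transaction-level check; an unknown user is denied, not errored."""
    role = USERS.get(user)
    allowed = role is not None and transaction in PROFILES[role]["transactions"]
    _log(user, "transaction", transaction, allowed)
    return allowed


def authorize_field_change(user, table, field_name):
    """Field-level check for a change within a database table."""
    role = USERS.get(user)
    allowed = role is not None and f"{table}.{field_name}" in PROFILES[role]["fields"]
    _log(user, "field_change", f"{table}.{field_name}", allowed)
    return allowed


def update_customer(user, record, changes):
    """Apply a change set to a customer record only if the transaction and every
    field are authorized; otherwise apply nothing and report the denied fields."""
    if not authorize_transaction(user, "update_customer"):
        return False, sorted(changes)
    denied = [f for f in changes if not authorize_field_change(user, "customer", f)]
    if denied:
        return False, denied  # all-or-nothing: a partial update would bypass field controls
    record.update(changes)
    return True, []


def access_violations():
    """Denied decisions from the audit log: the input for monitoring access violations."""
    return [e for e in AUDIT_LOG if not e["allowed"]]
```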
Logical access controls are the primary means used to manage and protect information assets. They enact and substantiate management-designed policies and procedures intended to protect these assets, and are designed to reduce risk to a level acceptable to the organization.
Logical Access Exposures
Technical exposures are one type of exposure that exists due to accidental or intentional exploitation of logical access control weaknesses. They are unauthorized activities that interfere with normal processing, such as:
• implementation or modification of data and software
• locking or misusing user services
• destroying data
• compromising system usability
• distracting processing resources
• spying on data flow or users' activities at the network, OS (platform), database or application level
Technical exposures include:
• Data leakage: involves siphoning or leaking information out of the computer, e.g., dumping files to paper, or can be as simple as stealing computer reports and tapes.
• Computer shutdown: initiated through terminals or personal computers connected directly (online) or remotely (via the Internet) to the computer; individuals who know a high-level logon ID usually can initiate the shutdown process.
Familiarization With the Enterprise's IT Environment
To effectively assess logical access controls, IS auditors first need to gain a technical and organizational understanding of the organization's IT environment, and of which areas from a risk standpoint warrant IS auditing attention in planning current and future work.
This includes reviewing the network, OS platform, database and application security layers associated with the organization's IT information systems architecture.
Paths of Logical Access
In a direct path of access, users are locally known individuals with well-defined access profiles.
Direct access related to a LAN is more complex: the access path runs through common nodes of a back-end or front-end interconnected network of systems, for internally or externally based users.
Front-end systems are network-based systems connecting an organization to outside, untrusted networks, such as corporate websites, where a customer can access the website externally to initiate transactions that connect to a proxy server application, which in turn connects to a back-end database system to update a customer database.
General Points of Entry
General points of entry to front- or back-end systems control the access from an organization's networking or telecommunications infrastructure into its information resources (applications, databases, facilities and networks). The approach followed is based on a client-server model.
General modes of access into this infrastructure occur through the following:
Network connectivity
Access is gained by linking a PC to a segment of an organization's network infrastructure, either through a physical or a wireless connection. Access requires user identification and authentication to a domain-controlling server.
Modes of access into the infrastructure can also occur through network management devices, such as routers and firewalls, which should be strictly controlled.
Remote access
The user connects remotely to an organization's server, which generally requires the user to identify and authenticate him/herself to the server for access to specific functions that can be performed remotely (e.g., email, File Transfer Protocol [FTP] or some application-specific function).
Complete access to view all network resources usually requires a virtual private network (VPN), which allows a secure authentication and connection into those resources where privileges have been granted.