Please enable JavaScript.

Coggle requires JavaScript to display documents.

12.4.5 13.4.5 14.4.5 (FEDERATED IDENTITY MANAGEMENT (partnering…

- - - - user access to the system
      - and user authority to access/use computer resources, such as files, programs and terminals.
    - - personal accountability
      - and SoD in the access of data.
  - - - on the importance and level of security that is needed to ensure that unauthorized access has not been granted
    - - reduces the number of rules required to adequately protect resources which, in turn, facilitates security administration and maintenance efforts.
- - - - which can be sometimes be complicated due to different security requirements and rules set by each enterprise.
    - - ensuring polices accurately reflect the rules of each member can be time consuming, costly and complex
- - - - relevant documentation,
      - inquiry
      - observation,
      - risk assessment
      - and risk evaluation techniques.
    - - appropriate hardware
      - and software security features
      - and identifying any deficiencies or redundancies.
    - - first step of the audit and involves obtaining a clear understanding of the technical, managerial and security environment of the IS processing facility.
        
        • Evaluate the security environment to assess its adequacy by
        
        , and comparing them
        
        practices and procedures used by other organizations.
        
        with appropriate security standards or
        
        reviewing
        
        and procedures
        
        observing practices
        
        written policies,
      - typically includes interviews, physical walk-throughs, review of documents and risk assessments.
    - - The access path is the logical route an end user takes to access computerized information
        Starts with terminal and ends with data to be accessed
      - IS auditor should evaluate each component for proper implementation and physical and logical access security.
      - Special consideration should be given to the:
        
        • Origination and authorization of the data
        
        • Validity and correctness of the input data
        
        • Maintenance of the affected OSs (patching, hardening and closing the unnecessarily open ports)
    - - Technical experts are often required to control and maintain the various components of the access path, as well as the OS and computer mainframe
        
        IS auditor should meet with the IS manager and review organizational charts and job descriptions.
      - Key people include the .
        
        security administrator, :information_desk_person:
        
        network
        control manager
        
        and systems software manager
      - security administrator should be asked to identify the responsibilities and functions of the position. :information_desk_person:
        
        IS auditor should compensate by expanding the scope of the testing of access controls. if answers provided to this question
        
        do not support sound control practices #
        
        or do not adhere to the written job description #
        
        IS auditor should determine whether the security administrator is aware of the logical accesses that must be protected,
        
        has the motivation and means to actively monitor logons to account for employee changes,
        
        and is knowledgeable in how to maintain and monitor access.
    - - reporting features of access control software provide the security administrator with the opportunity to monitor adherence to security policies.
        
        Unsuccessful access attempts should be reported and should identify the time, terminal, logon and file or data element for which access was attempted.
    - - application systems manual should contain documentation
        
        on the programs that generally are used throughout a data processing installation to support the development, implementation, operations and use of application systems
      - manual should include information about the, and
        
        platform the application can run on
        
        DBMSs,
        
        ,compilers, interpreters
        
        telecommunication monitors
        
        other applications that can run with the application.