Auditing Logical Access: The Overlooked Areas
Auditing logical access may seem intuitive to IT auditors, but its importance cannot be overemphasized. With today's security threats and cyber attacks, a successful attack commonly ends with the attacker gaining unauthorized access to critical systems and data, which then lets them alter or compromise that system or data.
This article discusses the common mistakes IT auditors make when auditing the logical access area. Logical access controls matter for every system layer (database, operating system, application, etc.); the examples below focus on application-level access.
Access Rights Review
Issue: One of the most common mistakes IT auditors make when auditing the logical access area is to simply rely on the periodic access rights review performed by management. In some cases that review is a formality: the reviewer signs the access rights review document without assessing whether each user's rights are adequate and still needed, treating it as a tick-box exercise, perhaps only to satisfy audit requirements.
Solution: The IT auditor should interview the reviewer of access rights and establish how he or she performs the review and on what basis the validity of each user's rights is assessed.
The IT auditor should also test a sample of the access granted to users, comparing each user's rights against his or her job description or role to determine whether they are appropriate. Drawing the sample from the application's own user and role export, rather than from the signed review document, tests the review itself rather than repeating it.
Admin Activity Review
Issue: The other important area IT auditors generally overlook is the review of the activity logs of privileged users and administrators. The focus tends to be on whether admin logs exist so that privileged activity can be reviewed, which is a detective control; the need for preventive controls that stop such activity in the first place is not emphasized. Personnel must be trusted to some extent, but because administrators' roles are critical to business continuity, the damage an abused administrator account can do warrants such controls.
Solution: The IT auditor should interview the relevant personnel to determine whether admin activity is logged and periodically reviewed. Given the volume of logs, manual review is not feasible; an effective SIEM or log correlation tool should be implemented and configured to capture critical events, e.g. user creation and deletion, access provisioning and revocation, and unusual activity such as administrative actions outside office hours, so that such occurrences are detected promptly.
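As an added example (not from the original article), the following Python script shows the kind of rule a SIEM or correlation tool would apply to an admin activity log: it flags the critical events named above (user creation/deletion, access provisioning/revocation) and any privileged action outside office hours. The pipe-delimited log format, the event names, the sample log lines and the 08:00-18:00 Monday-to-Friday office-hours window are all constructed assumptions; adapt them to the application under review.

```python
"""Flag privileged-user events an auditor would want a SIEM to surface.

Added example, not part of the original article. The log format, event
names and office-hours window are assumptions made for illustration.
"""
from datetime import datetime, time

# Events that always warrant review (the article names user creation/
# deletion and access provisioning/revocation; names are assumed).
CRITICAL_EVENTS = {"USER_CREATED", "USER_DELETED", "ROLE_GRANTED", "ROLE_REVOKED"}

# Assumed office hours: Monday to Friday, 08:00 to 18:00 local time.
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday=0 ... Friday=4

# Constructed sample admin log, one record per line: timestamp|actor|event|target
SAMPLE_LOG = """\
2024-03-11T09:15:00|admin1|LOGIN|app
2024-03-11T09:20:00|admin1|ROLE_GRANTED|user42:PAYMENT_APPROVER
2024-03-11T12:00:00|admin2|CONFIG_VIEW|app
2024-03-12T22:45:00|admin2|USER_CREATED|user99
2024-03-16T10:30:00|admin1|LOGIN|app
2024-03-13T17:59:00|admin3|USER_DELETED|user7
"""


def parse_line(line):
    """Split one log record into its fields; timestamp parsed as datetime."""
    ts, actor, event, target = line.strip().split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "event": event, "target": target}


def outside_office_hours(ts):
    """True when the timestamp falls on a weekend or outside 08:00-18:00."""
    return ts.weekday() not in WORKDAYS or not (OFFICE_START <= ts.time() < OFFICE_END)


def review_admin_log(log_text):
    """Return findings as (timestamp, actor, event, target, reasons) tuples,
    in log order. A record appears once even if it trips both rules."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if rec["event"] in CRITICAL_EVENTS:
            reasons.append("critical event")
        if outside_office_hours(rec["ts"]):
            reasons.append("outside office hours")
        if reasons:
            findings.append((rec["ts"].isoformat(), rec["actor"],
                             rec["event"], rec["target"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review_admin_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample log, the script flags the role grant (critical event), the user created at 22:45 (critical event and outside office hours), the Saturday login (outside office hours) and the user deletion at 17:59 (critical event); the ordinary daytime login and configuration view are not reported. The auditor's follow-up is to trace each flagged record to an approved request or ticket.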
User Access Revocation
Issue: When verifying the user access revocation process, IT auditors generally obtain a list of leavers from HR and compare it with the active users on the application using a unique reference such as employee ID to validate each user's status (active or inactive). While this procedure confirms the account's current status (active or revoked), it does not provide assurance for the full audit period: an account left active for months after the employee departed and disabled only last week passes the test.
Solution: In addition to the procedure above, the auditor needs to test the adequacy of the demobilization process by comparing each leaver's last working day (from the HR list) with the last login date and the disable date (extracted from the application). For instance, if policy mandates revoking an employee's access on the last working day or within 5 days, this test provides assurance that access was revoked on time and surfaces any login after the last working day, so that misuse of a departed user's access is detected rather than merely assumed not to have happened.
Access management is one of the critical areas of an organization's overall security posture. Enhanced focus and a robust assessment of this area will enable the IT auditor to provide good insight into the current security posture and reasonable assurance to management and key stakeholders.