Access Controls Audit Program
Audit Program Overview
Access to computer resources should be controlled to protect them
against unauthorized use, damage, loss, or modifications. Proper
access controls will assist in the prevention or detection of
deliberate or accidental errors caused by improper use or manipulation
of data files, unauthorized or incorrect use of computer programs,
and/or improper use of computer resources.
Suggested interviewees for ICQ:
A. Documentation Librarian
B. System Programming Manager
C. Applications Programming Manager
D. Director of Information Systems
E. Data Base Administrator
Control Objective #1 - Access to Program Documentation
- Observe the storage location of documentation if it is kept
in printed form or determine how access to on-line documentation
is restricted. Determine if the documentation is adequately secured.
- Review documentation check out logs to see if only authorized
persons are gaining access to documentation. Determine if checked
out documentation is properly logged and can be located.
Control Objective #2 - Access to Systems Software
- Interview the person responsible for access to system software.
Determine if the methods used to limit access to systems software
to authorized persons are adequate.
- Review documentation check out logs to see if only authorized
persons are gaining access to documentation. Determine if checked
out documentation is properly logged and if it can be located.
- Test to see that access to systems software is limited by
terminal address.
Control Objective #3 - Access to Production Programs
- Interview the person responsible for controlling access to
production programs (source and object code) and job control instructions.
Determine if passwords and utilities that affect program access
are adequately controlled. Also determine if controls are adequate
to limit access to only those who need it to do their jobs.
Control Objective #4 - Access to Data Files
- Review the procedures for limiting access to data files. Determine
if programs not in the production library are adequately restricted
from processing against data files and if controls are adequate
to restrict access to data files to only authorized persons.
Control Objective #5 - Access to On-line Systems
- Determine who has access to confidential data. Verify with
the owner of the data that these persons have authorization to
access this data.
- Test to see that access to applications, data, or entry and
update of transactions is limited by terminal address and hours
of operation.
- For employees that have requested that their addresses and
phone numbers not be disclosed, determine if this information
is adequately protected from disclosure.
Control Objective #6 - Access to Data Bases
- Interview the data base administrator and determine if controls
are adequate to restrict access to the data base and data base
change utilities.
- Determine how concurrent access to the same data item is prevented
and if it is adequate.
Control Objective #7 - Password Administration
- Review the procedures for controlling passwords and determine
if they are complete (using 3.4.4 of 1992 EDP Control Objectives
as a guide).
- Review records or interview users to determine when passwords were last changed.
- In a department where an employee has recently terminated,
determine if the employee's password has been deleted and if the
passwords of other employees in the department have been changed.
- Determine how access to password tables is restricted. Determine
if access is restricted to only those who really need to access
the table.
- Test to see that there is a limit on the number of unsuccessful
attempts to sign on (or login).
Control Objective #8 - Policies for Access Security
- Review the policies for access security. Determine if they
are complete.
- Interview the person(s) responsible for access security and
determine if they are aware of and follow the policies for access
security.
- Review logs that record accesses. Compare the logs to the
list of authorized persons. Determine if access violations are
being investigated in accordance with procedures.
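Control Objectives #5, #7 and #8 ask the reviewer to compare access logs with the owner's list of authorized persons, to check terminal-address and hours-of-operation restrictions, to confirm that a terminated employee's password no longer works, and to test the limit on unsuccessful sign-ons. The following Python script is an added example, not part of the original audit program; the log format, user names, file name and thresholds are constructed assumptions, and a real review would substitute the installation's own logs and authorization lists.

```python
import re
from collections import Counter

# Assumed log format (constructed): YYYY-MM-DD HH:MM user terminal action [object] OK|FAIL
LINE_RE = re.compile(r"^(\S+) (\d\d):\d\d (\S+) (\S+) (\S+)(?: (\S+))? (OK|FAIL)$")
# Constructed sample access log; no real system produced these lines.
SAMPLE_LOG = """\
1992-03-02 08:15 jsmith T01 SIGNON OK
1992-03-02 08:16 jsmith T01 OPEN PAYROLL.MASTER OK
1992-03-02 22:40 mjones T07 OPEN PAYROLL.MASTER OK
1992-03-02 09:02 rdoe T03 SIGNON FAIL
1992-03-02 09:03 rdoe T03 SIGNON FAIL
1992-03-02 09:04 rdoe T03 SIGNON FAIL
1992-03-02 09:05 rdoe T03 SIGNON OK
1992-03-02 10:30 bwhite T09 OPEN PAYROLL.MASTER OK
"""

# Assumed control parameters obtained from the data owner, the access policy and personnel records.
AUTHORIZED = {"PAYROLL.MASTER": {"jsmith", "mjones"}}  # owner's list of authorized persons
TERMINALS = {"PAYROLL.MASTER": {"T01", "T07"}}         # terminal addresses permitted for the file
HOURS = (7, 19)                                        # hours of operation: 07:00 to 18:59
TERMINATED = {"rdoe"}                                  # recently terminated employees
MAX_FAILED = 3                                         # policy limit on unsuccessful sign-ons

def audit_log(text):
    """Return (check, user, detail) findings for the auditor to investigate."""
    findings, failed = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(("UNPARSED", "-", line))
            continue
        day, hour, user, term, action, obj, result = m.groups()
        if action == "SIGNON":
            if result == "FAIL":
                failed[user] += 1
                continue
            if failed[user] >= MAX_FAILED:  # success after the limit: lockout not enforced (Obj. #7)
                findings.append(("NO_LOCKOUT", user, f"{failed[user]} failures before success"))
            if user in TERMINATED:  # terminated employee's password still valid (Obj. #7)
                findings.append(("TERMINATED_ACTIVE", user, f"{day} {term}"))
        elif action == "OPEN" and result == "OK":
            if user not in AUTHORIZED.get(obj, set()):  # log vs. authorized list (Obj. #8)
                findings.append(("UNAUTHORIZED", user, obj))
            if term not in TERMINALS.get(obj, set()):  # terminal address restriction (Obj. #5)
                findings.append(("TERMINAL", user, f"{obj} from {term}"))
            if not HOURS[0] <= int(hour) < HOURS[1]:  # hours of operation (Obj. #5)
                findings.append(("AFTER_HOURS", user, f"{obj} at {hour}:00"))
    return findings
```

Each finding is a lead for follow-up with the data owner or security administrator, not a conclusion in itself; unparsed lines are reported rather than skipped so that gaps in the log are visible to the reviewer.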
Effect of Weaknesses
Access controls are designed to limit access to documentation,
files, and programs. A weakness in, or lack of, such controls
increases the opportunity for unauthorized modification to files
and programs, as well as misuse of the computer hardware. Weaknesses
in documentation and/or controls over machine use may be compensated
by other strong IS controls. However, weaknesses in systems software,
program, and data security significantly decrease the integrity
of the system. Weaknesses in this area must be considered in the
evaluation of application controls.
Notes:
Written policies for security over access to automated resources
typically address guidelines and responsibilities in the following
areas:
- access to program documentation
- access to system software
- access to program and job control instructions
- access to data files
- access to applications
- passwords
- investigation of access violations
To review access controls, the reviewer may need to obtain copies
of the automated logs or journals that record/monitor access to
the following:
- program documentation
- systems software
- production programs and job control language
- production data files
- critical application systems
- password tables
Without such documentation, the reviewer may not be able to determine
how access to systems software is controlled, in what kind of
restrictive area systems software is kept, who is authorized
to access and change systems software, and whether certain powerful
utilities are being used to circumvent access controls to systems
software.
Production programs (source and object code) and job control
instructions are kept in a restricted area, with secure authentication
methods required to gain access. Programmers and other unauthorized personnel
need to be expressly prohibited from adding, replacing, or deleting
production programs. The updating of the production program storage
area should be monitored through the use of a report detailing
all updates to the production program storage area, and a review
of the programs in the production storage area. Someone should
be specifically assigned this monitoring responsibility.
Production data files also need to be kept in restricted areas.
As with production programs, programmers and other unauthorized users should
be expressly prohibited from updating or deleting production data
files. Formal procedures should be in place to limit access to
confidential data to authorized persons only.