05. The Nature and Evaluation of IT General Controls

05.04. User Access Administration

Credit: People Having Business Meeting Together by Fauxels, used under Pexels License.

Briefly reflect on the following before we begin:

  • What is the role of role-based access control in user access administration?
  • How do user access administration controls protect sensitive information?
  • What are the challenges in managing user access in large organizations?

User access administration addresses a crucial component of IT General Controls: managing and controlling access to the organization’s IS. It is a fundamental aspect of information security and is pivotal in protecting sensitive information from unauthorized access. In this section, we introduce role-based access control and user access provisioning as the means of managing access rights effectively. Role-based access control (RBAC) assigns access rights according to the user’s role within the organization, so that employees have access to the information their job functions require and nothing more. We also examine the practicalities of implementing RBAC, its benefits and its challenges, including how it strengthens security while making the administration of user privileges more efficient.

Next, we shift to the relevant risks and the corresponding ITGCs for user access administration, which are essential for ensuring that user access rights are appropriate and secure. We explore controls, including access request and approval processes, authentication mechanisms and periodic access reviews, that are crucial in preventing unauthorized access and maintaining the integrity of information systems. Evaluating these controls is a critical skill for IS auditors, so we close with selected aspects of assessing the effectiveness of user access administration controls, examining how organizations manage and monitor user access through a summarized audit program.

User Access Administration Process

The IS user access administration process is pivotal in securing and efficiently managing user access to critical organizational resources.

New User Access Management

The process encompasses several vital aspects, beginning with new user access management. When a new employee joins an organization or an external partner requires access to specific systems, the process starts with an access request initiated by the HR department or an authorized manager. This request outlines the user’s role, the systems they need access to, and the necessary access levels. The IT department then creates user accounts, ensuring that they align with the principle of least privilege, granting only the minimum access required for the individual’s job function. Following this, authentication mechanisms are established, often involving usernames, passwords, or multifactor authentication (MFA). New users may also undergo training on security protocols, acceptable use policies, and data protection to understand their responsibilities regarding system access and data handling.

Terminated User Access Management

Terminated user access management is imperative when employees depart or no longer require access. Prompt action is vital to revoke access swiftly, preventing unauthorized use and data breaches. This process begins when HR or department managers inform the IT department of the change in the employee’s status. Subsequently, IT personnel disable the user’s accounts and revoke all access privileges; accounts are normally disabled rather than deleted immediately, so that ownership of files, mailboxes and audit records is preserved until retention requirements allow deletion. Data owned or accessed by the departing employee should be backed up and, if necessary, transferred to relevant colleagues to ensure business continuity and data retention compliance. Periodic access reviews and audits help identify dormant or overlooked accounts, enabling organizations to maintain control and security.

Transferred User Access Management

Another facet of access administration is transferred user access management. When employees change departments or take on a new role within the organization, their access privileges must be adjusted to align with their new responsibilities. This adjustment involves a modification request initiated by HR or department managers, prompting IT personnel to modify the user’s access permissions. Depending on the nature of the role change, the employee may also require additional training or awareness sessions to understand their updated responsibilities and access rights.

Privileged User Access Management

In addition to standard user access, organizations must diligently manage privileged user access. Privileged users include IT administrators, system administrators, and other personnel with elevated access rights. Given the high privileges of these users, it is crucial to implement strict controls to prevent misuse or unauthorized access. Privileged user access management typically involves a more rigorous approval process and continuous monitoring. A comprehensive review and approval process is initiated when an employee’s role requires privileged access. This process often necessitates authorization from senior management or department heads. Privileged users are subject to more stringent authentication measures, such as strong passwords, regular password changes, and multifactor authentication, and in practice are given separate administrative accounts that are not used for day-to-day work such as email and browsing. Monitoring privileged user activities is crucial to detect any unusual or potentially malicious behaviour promptly. This is often accomplished through security information and event management (SIEM) systems that track and analyze user activities in real time. Periodic access reviews and audits are also conducted to ensure that privileged users maintain their level of access only as long as necessary. The principle of least privilege is fundamental here, ensuring that privileged users have access only to the systems and data required for their specific job functions, minimizing the risk of data breaches or misuse.

Emergency Access Management

In certain urgent situations, authorized individuals may require immediate access to critical systems or data to address cybersecurity incidents, system failures, or other emergencies. The emergency access management process defines who can grant emergency access privileges and under what circumstances. To prevent misuse or unauthorized access, individuals requesting emergency access must provide a clear and documented justification for their request. This justification should demonstrate the necessity and urgency of the access. Approvals from appropriate authorities are typically required before granting emergency access.

While emergency access is essential in crises, it should be subject to strict controls and monitoring. The process should specify how the organization tracks and records emergency access activities, including the duration of access and the actions taken during the emergency. Emergency access should be granted for a specific duration, typically limited to the duration of the emergency. It is essential to ensure this access is revoked promptly once the crisis is resolved to prevent ongoing unauthorized access. Organizations should define the circumstances under which emergency access can result in escalated privileges.

The process should outline the authentication mechanisms used to verify the identity of individuals requesting emergency access. Additionally, robust audit trails must be maintained to record all activities using emergency access privileges. This audit trail helps in post-incident analysis and accountability. All emergency access requests, approvals, and activities should be thoroughly documented. Reporting mechanisms should be in place to provide transparency and enable reviews of emergency access usage. Documentation helps ensure accountability and compliance with regulatory requirements. Organizations should periodically review and update their procedures to maintain the integrity of the emergency access process. Employees who may be involved in emergency access management should receive training on these procedures and understand their roles and responsibilities.

The emergency access management process should be closely integrated with the organization’s incident response plan. It should specify how and when emergency access is invoked during cybersecurity incidents, natural disasters, or other crises. Coordination with incident response teams is essential. Organizations operating in regulated industries should align their emergency access management process with industry-specific compliance requirements. This includes ensuring that emergency access activities are documented and reported as the relevant regulations require.

Role-based Access Controls

Whether the access provisioning, de-provisioning, or updates are handled at the end-user or privileged user level, such access is managed most effectively using role-based access control (RBAC). It is a structured, scalable approach to user access management for controlling access to information systems and resources. In RBAC, permissions and access rights are assigned to roles, and users receive access by being assigned roles that match their responsibilities within the organization. This model streamlines the process of granting, modifying, and revoking access, making it more efficient and reducing the risk of unauthorized access or privilege creep. The foundation of RBAC lies in the role definition process. This approach defines roles based on job functions, responsibilities, and organizational access needs. For example, roles may include “Financial Analyst,” “HR Manager,” or “Sales Representative.” Each role is associated with permissions and access rights that align with the tasks and responsibilities typically performed by individuals in that role. Roles are defined in collaboration with department heads, HR, and IT teams to ensure accuracy and completeness.

Once roles are established, individuals within the organization are assigned specific roles based on their job titles or responsibilities. This assignment process simplifies access management as users inherit the permissions associated with their assigned role. For instance, when a user is designated as an “HR Manager,” they automatically gain access to HR-related systems and data without the need for additional individual permission assignments. Conversely, when roles change due to promotions, transfers, or shifts in responsibilities, access rights can be adjusted by simply updating the user’s role assignment. RBAC defines access rights and permissions at a granular level. Permissions specify what actions or operations a user can perform, such as read, write, delete, or execute, while access rights define the resources or data that can be accessed. For example, an “HR Manager” role may grant permission to read and update employee records in the HR database. Defining access at this level of detail ensures that users have only the necessary privileges to fulfill their job duties, reducing the risk of data breaches or unauthorized actions.

Organizations often implement hierarchical role structures within RBAC to accommodate complex access requirements. In this setup, roles are organized hierarchically: a senior role inherits all the permissions of the junior roles beneath it and adds its own. For instance, a “Department Head” role might inherit all the access rights of the roles within that department. This simplifies management, because a change to a junior role’s permissions automatically propagates to every senior role that inherits from it, and a user needs only the single most senior role appropriate to them rather than a long list of individually assigned roles.

RBAC in Action

Consider the onboarding of a new employee as an example of RBAC in action. When new employees join the organization, the HR department assigns them a predefined role, such as “Junior Software Developer.” This role is associated with permissions to access development tools, project repositories, and relevant documentation. As the employee gains experience and takes on additional responsibilities, they may be moved to the “Software Developer” or “Senior Software Developer” roles, each with a corresponding set of expanded permissions. When the employee changes roles, their access rights are automatically adjusted, ensuring they have the appropriate level of access without manual intervention.
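The onboarding scenario above, implemented as a small RBAC engine with a role hierarchy. This is an added illustration, not code from the textbook; the role names, permissions, users and the inheritance chain (senior roles inherit junior roles, as in hierarchical RBAC) are constructed for the example.

```python
"""Minimal role-based access control (RBAC) engine with a role hierarchy.

Added illustration for this section, not code from the textbook. Role names,
permissions and users are constructed; in a real IAM system they would be
loaded from the organisation's role model.
"""
from __future__ import annotations

# Role -> permissions granted directly to that role (constructed data).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "junior_developer": {"repo:read", "docs:read", "ci:view"},
    "developer": {"repo:write", "ci:run"},
    "senior_developer": {"repo:approve", "prod:deploy"},
    "hr_manager": {"hr_db:read", "hr_db:update"},
}

# Senior role -> junior roles whose permissions it inherits. Inheritance flows
# upward: senior_developer gets everything developer has, which in turn gets
# everything junior_developer has.
ROLE_INHERITS: dict[str, set[str]] = {
    "developer": {"junior_developer"},
    "senior_developer": {"developer"},
}


def effective_permissions(role: str) -> set[str]:
    """Return the role's own permissions plus those of every junior role it inherits."""
    perms: set[str] = set()
    seen: set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:          # guards against cycles in a mis-configured hierarchy
            continue
        seen.add(current)
        perms |= ROLE_PERMISSIONS.get(current, set())
        stack.extend(ROLE_INHERITS.get(current, set()))
    return perms


class AccessControl:
    """Assigns roles to users and answers 'may user X perform action Y?'."""

    def __init__(self) -> None:
        self.user_roles: dict[str, set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def change_role(self, user: str, old: str, new: str) -> None:
        """Transfer or promotion: swap one role for another in a single step so
        nothing from the old role lingers (this is what prevents privilege creep)."""
        self.revoke_role(user, old)
        self.assign_role(user, new)

    def permissions_of(self, user: str) -> set[str]:
        return set().union(*(effective_permissions(r) for r in self.user_roles.get(user, set())))

    def can(self, user: str, permission: str) -> bool:
        return permission in self.permissions_of(user)


def onboarding_demo() -> dict[str, bool]:
    """Walk a new hire from junior to senior developer and record what they may do."""
    ac = AccessControl()
    ac.assign_role("alice", "junior_developer")
    results = {
        "junior_can_read_repo": ac.can("alice", "repo:read"),
        "junior_can_deploy_prod": ac.can("alice", "prod:deploy"),   # least privilege: no
    }
    ac.change_role("alice", "junior_developer", "senior_developer")
    results["senior_can_deploy_prod"] = ac.can("alice", "prod:deploy")
    results["senior_still_reads_repo"] = ac.can("alice", "repo:read")  # inherited from junior role
    results["senior_cannot_touch_hr"] = not ac.can("alice", "hr_db:read")
    return results


if __name__ == "__main__":
    for check, ok in onboarding_demo().items():
        print(f"{check}: {ok}")
```

The point of `change_role` is that a promotion is a replacement, not an addition: the user ends up holding exactly one role, and everything they can do is derivable from the role model, which is what an access review later has to verify.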

Password Management

An organization’s password management policies are a crucial component of its overall IS security strategy. They establish guidelines, procedures, and best practices for creating, managing, and securing the passwords used to access systems, applications, and resources within the organization’s IT environment. The critical aspects typically covered in such policies are described below:

  • Password Complexity Requirements
    • Passwords should meet specific complexity criteria, including a minimum length and a combination of uppercase and lowercase letters, numbers, and special characters.
    • Passwords should not be based on easily guessable information like common words, phrases, or patterns (e.g., “password123” or “admin”).
    • Passwords should be unique and not reused across multiple accounts or systems.
  • Password Change Frequency
    • Define how often, if at all, users are required to change their passwords. Traditional policies set this at 60 to 90 days; current guidance such as NIST SP 800-63B instead recommends against routine expiry, requiring a change only when there is evidence of compromise and relying on length, screening against breached-password lists and MFA. Whichever approach is chosen should be documented with the organization’s risk tolerance in mind.
    • Encourage users to change their passwords immediately if they suspect unauthorized access or a security breach.
  • Password Storage and Encryption
    • Specify that passwords must never be stored in plain text or under reversible encryption. They should be stored as salted hashes produced by a slow, password-specific algorithm (such as bcrypt, scrypt, Argon2 or PBKDF2), so that a stolen password database cannot be cheaply reversed.
    • Emphasize the importance of protecting password databases from unauthorized access.
  • Multi-Factor Authentication (MFA)
    • Promote using MFA or two-factor authentication (2FA) for systems and applications that contain sensitive data or provide critical access.
    • Explain the benefits of MFA in adding an extra layer of security beyond passwords.
  • Password Recovery and Reset Procedure
    • Outline the process for users to recover or reset their passwords if they forget them or are locked out of their accounts.
    • Ensure that password recovery methods are secure and reliable. Knowledge-based security questions are easily researched or guessed, so prefer verified out-of-band channels, such as a code sent to a registered address or device, or identity confirmation by the help desk.
  • Account Lockout Policies
    • Define rules for account lockouts, or progressive delays, after a certain number of failed login attempts. This blunts brute-force attacks; lockouts should be temporary so that an attacker cannot lock legitimate users out at will.
    • Describe how users can unlock their accounts or seek assistance from IT support if locked out.
  • Password Sharing and Accountability
    • Prohibit the sharing of passwords among employees. Each user should have their unique credentials.
    • Establish accountability by requiring users to safeguard passwords and report suspicious activity promptly.
  • Employee Training and Awareness
    • Emphasize the importance of user training and awareness regarding password security.
    • Educate employees about common password-related threats like phishing and social engineering attacks.
  • Third-party Access and Vendor Passwords
    • Specify how third-party vendors or contractors who require access to the organization’s systems should manage their passwords.
    • Ensure that vendors adhere to the organization’s password policies.
  • Monitoring and Auditing
    • Describe how the organization will monitor password usage and conduct regular audits.
    • Detail the frequency and scope of password audits to identify any anomalies or non-compliance.
  • Password Policy Enforcement
    • Explain the consequences of violating password policies, including potential disciplinary actions.
    • Encourage employees to report suspected security breaches or password-related incidents.
  • Regular Policy Review and Updates
    • Highlight that password policies should be reviewed periodically and updated to align with evolving security threats and industry best practices.
    • Ensure that employees are aware of changes to the policy.
  • Secure Password Managers
    • Encourage using reputable password manager tools to help users securely generate and store complex, unique passwords.
    • Provide guidelines for selecting and using password managers effectively.
  • Account Deactivation and Password Removal
    • Outline procedures for deactivating accounts of employees who leave the organization or change roles.
    • Specify how passwords are removed or reset for inactive or terminated accounts to prevent unauthorized access.
  • Exceptions and Escalations
    • Describe the process for handling exceptions to password policies, such as granting temporary exemptions for specific situations.
    • Establish escalation procedures for addressing complex or high-risk cases.
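The complexity, storage and lockout items above, carried through in code. This is an added example and not part of the textbook; the minimum length, the iteration count, the lockout thresholds and the tiny stand-in for a breached-password list are constructed assumptions (a real deployment screens against a large breach corpus).

```python
"""Password policy check, salted slow hashing and a temporary failed-attempt lockout.

Added example for this section; not code from the textbook. Thresholds, the
breached-password stand-in and the user names are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

MIN_LENGTH = 12                      # assumed policy value
PBKDF2_ITERATIONS = 600_000          # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256
LOCKOUT_THRESHOLD = 5                # failed attempts before a lockout
LOCKOUT_SECONDS = 15 * 60            # temporary, so the lockout cannot be abused as a denial of service

# Constructed stand-in for a breached/common password list.
COMMON_PASSWORDS = {"password123", "admin", "welcome1", "qwerty123456", "letmein"}


def check_policy(password: str, username: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Store (salt, digest); never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class Authenticator:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, digest)
        self.failures: dict[str, list[float]] = {}        # username -> timestamps of recent failures
        self.locked_until: dict[str, float] = {}

    def register(self, username: str, password: str) -> None:
        problems = check_policy(password, username)
        if problems:
            raise ValueError("; ".join(problems))
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: float | None = None) -> str:
        """Return 'ok', 'locked' or 'denied'. `now` is injectable so the lockout window can be tested."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal which usernames exist.
        salt, digest = record if record else hash_password("dummy", b"\x00" * 16)
        if record and verify_password(password, salt, digest):
            self.failures.pop(username, None)
            return "ok"
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("bob", "correct-horse-battery-staple-42")
    print(auth.login("bob", "correct-horse-battery-staple-42"))   # ok
    print(auth.login("bob", "password123"))                        # denied
```

Two details matter more than the rest: `hmac.compare_digest` avoids leaking how many bytes of the digest matched, and the lockout is a sliding window that expires on its own, which is what keeps a brute-force control from becoming a tool for locking the finance team out on payroll day.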

Segregation of Duties

An integral part of access administration is the principle of segregation of duties (SoD). SoD is a critical control mechanism aimed at preventing conflicts of interest and reducing the risk of fraud or errors within an organization. It ensures that no single user or role has unchecked control over critical processes or sensitive data. The principle of SoD is embedded in access management by defining which combinations of access rights are incompatible. For instance, a user who can approve financial transactions should differ from the person responsible for executing those transactions. To implement SoD effectively, organizations identify critical business processes and map out the necessary access controls. Access reviews and audits play a crucial role in verifying that SoD policies are upheld. Regular assessments are conducted to confirm that no individual or role has accumulated conflicting access rights. Whenever discrepancies are identified, corrective actions are taken to remediate the situation, which may involve modifying user permissions or redesigning business processes to align with SoD requirements.

Monitoring of Current User Access

Efficient user access management necessitates monitoring current user access appropriateness to ensure users maintain access levels consistent with their job roles. This involves continuous surveillance of user activities and permissions. IT departments deploy various tools and technologies to achieve this, including user activity logs, access control lists, and automated systems that track user behaviour. When monitoring reveals discrepancies or anomalies, immediate action is taken to investigate and rectify unauthorized access or suspicious activities. Routine access reviews, often conducted by IT administrators or security teams, help maintain compliance and data security. These reviews involve examining the permissions and activities of individual users to determine whether any adjustments are needed. They are essential for ensuring user access aligns with changing job roles and responsibilities. Automated alerts and anomaly detection systems can further enhance monitoring capabilities, promptly flagging any unusual activities for investigation.

User Access Administration Considerations

In terms of its role within an organization, user access administration acts as a gatekeeper for IT resources since it determines and enforces who can access specific data and systems under what conditions and tracks their activities for security purposes. This gatekeeping is crucial for protecting sensitive information and maintaining the integrity and reliability of IT systems.

Effective user access administration involves several key activities. First, it requires a comprehensive understanding of the various roles within an organization and the specific access needs associated with each role. This understanding helps set up role-based access controls, a standard method for managing user permissions. Second, it involves implementing robust authentication methods. These can range from traditional password-based authentication to more advanced techniques like biometric verification or two-factor authentication. Next, user access administration monitors and audits user activities to detect any unusual or unauthorized actions that could indicate a security breach. It also serves as a compliance tool, ensuring user activities align with organizational policies and regulatory requirements. Periodic review and updating of user access rights are also integral to user access administration. Employees’ access needs change as they change roles, leave the company, or take on new responsibilities. Without regular updates, organizations end up with users holding outdated or excessive access rights, which increases the potential for security lapses. In addition to security, user access administration also plays a role in operational efficiency. Organizations can avoid delays and improve productivity by ensuring employees have timely and appropriate access to the systems and information they need. Efficient user access management enhances the user experience, reducing frustration and allowing employees to focus on their core responsibilities.

Lastly, user access administration is not a set-it-and-forget-it process. It requires ongoing management and adaptation to organizational changes and the broader IT environment. As new systems are implemented or existing systems evolve, access controls must be reviewed and adjusted accordingly.

Relevant Risks

In IS user access administration, organizations face several primary risks that can significantly impact their operations and strategic objectives. Understanding these risks is vital for effective risk management and ensuring access is granted to the organization’s critical data and IS on a need-to-know basis. Let’s consider some of these risks.

  • Unauthorized access
    • Unauthorized access occurs when individuals access systems or data they are not authorized to view or use. Such unauthorized access can lead to sensitive information being exposed, misused, or stolen, posing significant threats to the organization’s security and compliance status.
  • Excessive privileges
    • Sometimes, users are granted more access rights than necessary for their job functions. This excessive access can lead to accidental or deliberate misuse of data and systems, increasing the risk of breaches and compliance issues.
  • Inadequate monitoring
    • Without proper oversight, inappropriate or unauthorized user actions can go undetected, potentially leading to data breaches or other security incidents. Implementing robust monitoring tools and conducting regular audits of user activities are essential to ensure IT systems’ secure and compliant use.
  • Ineffective access revocation
    • Employees’ access needs change as they leave, join, or move within an organization. Access rights must be updated promptly in these situations to protect the organization. Otherwise, former employees might retain access to systems, or new employees might lack the access they need, hindering productivity.
  • Lack of user training
    • Users who are not adequately trained on the importance of data security and the correct use of IT systems can inadvertently cause security breaches. Providing regular training and fostering a culture of security awareness is vital in reducing the risks associated with user errors.
  • Weak password policies
    • Weak password management poses a significant risk. Simple or reused passwords can be easily compromised, leading to unauthorized access. Enforcing strong password policies and encouraging password management tools can help mitigate this risk.
  • Regulatory non-compliance
    • Regulations often mandate strict controls over who can access certain types of data. Non-compliance can result in legal penalties and reputational damage. Ensuring that access controls align with regulatory requirements is essential.
  • Cloud integration challenges
    • Cloud environments often require different access control mechanisms compared to traditional on-premises setups. Adapting user access policies and controls to manage cloud-based resources effectively is crucial in this evolving IT landscape.
  • Insider threats
    • Insiders with malicious intent can exploit their legitimate access to systems for harmful purposes. Continuous monitoring and behaviour analysis, combined with strong access controls, can help detect and prevent such insider threats.

Effectively managing these risks involves implementing robust access controls, regular reviews and monitoring of user activities, strong password policies, continuous training and awareness programs, and adapting to the evolving IT environment. Mitigating these risks is essential for maintaining the security and integrity of an organization’s information systems and ensuring operational efficiency and regulatory compliance.

Relevant IT General Controls Objectives and Activities

Within IS user access administration, a subset of IT General Controls (ITGC), several crucial controls ensure that access to information systems is managed effectively through roles and profiles. These controls are vital in aligning existing IS with business objectives, managing risks, and ensuring successful outcomes. Let’s consider the primary ITGC objectives for this category.

User Access Provisioning Control

The primary objective of this control is to ensure that new user access to information systems is granted promptly and accurately, aligning with users’ job roles and responsibilities. It aims to establish a systematic and well-documented process for granting access to newly onboarded employees or individuals who require access due to role changes. It ensures that access is provided promptly, following predefined role-based access models. This control helps prevent delays in employee productivity and reduces the risk of unauthorized access.

Examples of ITGC activities that may facilitate the achievement of this objective include the following:

  • Implement a standardized process where new employees or individuals with changing roles submit access requests based on predefined roles. The appropriate authorities should review and approve these requests before access is granted.
  • Utilize identity and access management (IAM) systems to automate user access provisioning. When a new user is added to the HR system, the IAM system can automatically create accounts and assign appropriate access rights based on the user’s role.
  • Regularly audit user access provisioning activities to ensure compliance with access policies and identify deviations or anomalies. This audit may involve reviewing and comparing access logs against approved access requests.

User Access De-Provisioning Control

This control ensures that access to information systems is promptly revoked when users no longer require it, such as when they leave or change job roles. It focuses on the secure and timely removal of access rights for individuals whose roles change or who depart the organization. It is crucial for preventing unauthorized access to sensitive data and systems. De-provisioning controls should include removing physical and electronic access privileges, such as disabling accounts, revoking permissions, and collecting physical access credentials.

Examples of ITGC activities that may facilitate the achievement of this objective include the following:

  • Develop a comprehensive exit checklist that includes removing user access rights as one of the critical steps when an employee leaves the organization. This checklist should be followed for all departing employees.
  • Implement automated de-provisioning processes that trigger when HR records indicate an employee’s departure. This ensures access is promptly revoked, reducing the risk of unauthorized access after an employee leaves.
  • Conduct periodic access recertification reviews to verify that all user accounts are still necessary and that the access of terminated employees has been removed. This review process should involve managers and data owners.

Periodic Access Reviews Control

The purpose of this control is to conduct regular reviews of user access rights to identify and rectify any discrepancies or violations of access policies. It involves scheduled assessments of user access to information systems. The goal is to verify that individuals have appropriate access based on their roles and responsibilities and that there are no unauthorized or conflicting access rights. Reviews may include validation of access lists, comparison with HR records, and approvals for exceptions or changes.

Examples of ITGC activities that may facilitate the achievement of this objective include the following:

  • Establish a workflow-driven access review process that automates the review cycle. Managers and data owners receive notifications to periodically review and confirm the access rights of their team members.
  • Maintain detailed audit trails of access review activities, including who performed the reviews, when they were conducted, and the results. These audit trails provide transparency and accountability.
  • Define a process for handling exceptions identified during access reviews. If a user’s access rights need to be adjusted, this process should involve documented approvals and justifications.
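The reconciliation that the de-provisioning and periodic access review controls above (and the earlier sections on terminated user access and monitoring) call for, as an added example that is not part of the textbook. It compares an IAM account export against the HR feed and the organization’s role model to find orphaned, dormant, unowned and over-privileged accounts, and runs a simple detection over authentication log lines for logins by accounts whose owner was already terminated. All records, field names and log lines are constructed for the example.

```python
"""Periodic access review: reconcile IAM accounts against HR records and auth logs.

Added example for this section, not code from the textbook. Every record and
log line below is constructed, and the field names are assumptions about what
an HR feed and an IAM export would contain.
"""
from __future__ import annotations

from datetime import date, datetime

REVIEW_DATE = date(2024, 6, 30)
DORMANT_DAYS = 90                     # assumed policy threshold

# Constructed HR feed: employee id -> (status, termination date, job title)
HR = {
    "e100": ("active", None, "Financial Analyst"),
    "e101": ("terminated", date(2024, 5, 15), "HR Manager"),
    "e102": ("active", None, "Software Developer"),
    "e103": ("active", None, "Sales Representative"),
}

# Constructed IAM export: account -> (employee id, enabled, roles, last login)
ACCOUNTS = {
    "afinch":     ("e100", True, {"financial_analyst"},     date(2024, 6, 28)),
    "hmorgan":    ("e101", True, {"hr_manager"},            date(2024, 5, 20)),  # terminated, still enabled
    "sdev":       ("e102", True, {"developer", "db_admin"}, date(2024, 6, 29)),  # role beyond the job title
    "rsales":     ("e103", True, {"sales_rep"},             date(2024, 2, 1)),   # dormant
    "svc-backup": (None,   True, {"backup_operator"},       date(2024, 6, 30)),  # no HR owner on record
}

# Expected roles per HR job title (the organisation's role model; constructed)
EXPECTED_ROLES = {
    "Financial Analyst": {"financial_analyst"},
    "HR Manager": {"hr_manager"},
    "Software Developer": {"developer"},
    "Sales Representative": {"sales_rep"},
}

# Constructed, syslog-like authentication log
AUTH_LOG = """\
2024-05-14T09:02:11 login user=hmorgan result=success src=10.1.4.22
2024-05-20T22:41:07 login user=hmorgan result=success src=203.0.113.9
2024-06-29T08:15:40 login user=sdev result=success src=10.1.7.5
"""


def review_accounts(hr=HR, accounts=ACCOUNTS, today=REVIEW_DATE) -> dict[str, list[str]]:
    """Classify enabled accounts into the findings a reviewer must dispose of."""
    findings: dict[str, list[str]] = {"orphaned": [], "dormant": [], "unowned": [], "excess_roles": []}
    for account, (emp, enabled, roles, last_login) in accounts.items():
        if not enabled:
            continue
        if emp is None:                                  # service/shared account: needs an attested owner
            findings["unowned"].append(account)
            continue
        status, _, title = hr[emp]
        if status == "terminated":                       # de-provisioning failed or lagged
            findings["orphaned"].append(account)
        if (today - last_login).days > DORMANT_DAYS:
            findings["dormant"].append(account)
        extra = roles - EXPECTED_ROLES.get(title, set())
        if extra:                                        # privilege creep relative to the role model
            findings["excess_roles"].append(f"{account}:{','.join(sorted(extra))}")
    return findings


def logins_after_termination(log=AUTH_LOG, hr=HR, accounts=ACCOUNTS) -> list[str]:
    """Detection: successful logins by accounts whose owner was already terminated."""
    term_date = {acct: hr[emp][1] for acct, (emp, *_rest) in accounts.items()
                 if emp and hr[emp][0] == "terminated"}
    hits = []
    for line in log.splitlines():
        ts_str, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split()[1:])   # skip the "login" token
        if fields.get("result") != "success":
            continue
        user = fields["user"]
        when = datetime.fromisoformat(ts_str).date()
        if user in term_date and when > term_date[user]:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for category, items in review_accounts().items():
        print(f"{category}: {items}")
    for hit in logins_after_termination():
        print("ALERT login after termination:", hit)
```

The review output is the evidence an auditor asks for: each finding maps to a control failure (orphaned to de-provisioning, excess roles to provisioning or transfer handling, unowned accounts to missing ownership attestation), and the log check turns the same HR data into a detection that fires between review cycles rather than waiting for the next one.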

Password Management Control

The primary objective of this control is to implement robust password policies and procedures to ensure user passwords are secure and regularly updated. Password management control focuses on strengthening the security of user accounts by establishing password policies, such as complexity requirements and expiration periods. It also includes mechanisms for securely storing and transmitting passwords and enforcing password changes regularly. Effective password management reduces the risk of unauthorized access due to compromised or weak passwords.

Examples of ITGC activities that may facilitate the achievement of this objective include the following:

  • Enforce password complexity policies that require users to create strong, unique passwords. Implement rules for password length and character composition, and define when password changes are required.
  • Configure systems to send notifications to users when their passwords are about to expire. Encourage users to change their passwords promptly to maintain security.
  • Store passwords securely using a slow, salted password-hashing algorithm (for example bcrypt, scrypt, Argon2 or PBKDF2) rather than a plain fast hash, so that stolen hashes cannot be cheaply brute-forced. The per-user salt defeats precomputed (rainbow table) attacks.

Segregation of Duties Control

This control aims to prevent conflicts of interest and fraud by ensuring that users’ access rights are structured to prevent them from having conflicting or incompatible roles. Segregation of duties seeks to minimize the risk of fraud or errors by enforcing separation between individuals’ responsibilities. It ensures that no single user has access that could enable them to both perpetrate and conceal fraudulent activities. For example, a user who can create vendor records should not be able to approve payments to those vendors. Segregation of duties control is critical for maintaining integrity and accountability in business processes.

Examples of ITGC activities that may facilitate the achievement of this objective include the following:

  • Implement automated tools that analyze user access rights to identify conflicts. These tools should flag instances where users have conflicting access privileges.
  • Define role-based access models that clearly outline which roles have access to specific functions or data. Ensure that these models are followed during user access provisioning.
  • Require documented approvals from appropriate authorities when users need access to functions that may conflict with their current roles. This ensures that conflicts are addressed before access is granted.
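An automated SoD analysis of the kind the first activity above describes, also covering the earlier Segregation of Duties section. This is an added example, not code from the textbook; the rule set, roles, users and the approval reference for the documented exception are constructed. Conflicts are evaluated on a user’s effective permissions, so a user holding two individually harmless roles that together cover both sides of a rule is still flagged, and a design-time check finds role pairs (and single roles) that must never be co-assigned.

```python
"""Segregation-of-duties (SoD) analysis over roles and user assignments.

Added example; not the textbook's code. Rules, roles, users and the exception
approval reference are constructed for illustration.
"""
from __future__ import annotations

from itertools import combinations

ROLE_PERMISSIONS = {
    "ap_clerk":        {"vendor:create", "invoice:enter"},
    "ap_approver":     {"payment:approve"},
    "treasury":        {"payment:release"},
    "developer":       {"code:commit"},
    "release_manager": {"prod:deploy"},
    "auditor":         {"ledger:read"},
    "ap_superuser":    {"vendor:create", "payment:approve"},   # badly designed: conflicts with itself
}

# Each rule: (name, side A, side B). Holding any permission from A together
# with any from B is a conflict.
SOD_RULES = [
    ("vendor-setup-vs-payment", {"vendor:create"}, {"payment:approve", "payment:release"}),
    ("enter-vs-approve", {"invoice:enter"}, {"payment:approve"}),
    ("approve-vs-release", {"payment:approve"}, {"payment:release"}),
    ("develop-vs-deploy", {"code:commit"}, {"prod:deploy"}),
]

USER_ROLES = {
    "pat":  {"ap_clerk"},
    "sam":  {"ap_clerk", "ap_approver"},        # conflict arises only from the combination
    "lee":  {"ap_approver", "treasury"},
    "dev1": {"developer"},
    "ops1": {"developer", "release_manager"},   # covered by the documented exception below
    "aud":  {"auditor"},
}

# Documented, approved exceptions: (user, rule) -> approval reference (constructed)
APPROVED_EXCEPTIONS = {
    ("ops1", "develop-vs-deploy"): "CAB-2024-017: compensating control, all deploys peer-reviewed",
}


def _rules_hit(perms: set[str], rules=SOD_RULES) -> list[str]:
    return [name for name, side_a, side_b in rules if perms & side_a and perms & side_b]


def find_conflicts(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS,
                   rules=SOD_RULES, exceptions=APPROVED_EXCEPTIONS) -> dict[str, list[str]]:
    """Detective check: users whose effective permissions violate a rule, minus approved exceptions."""
    violations: dict[str, list[str]] = {}
    for user, roles in user_roles.items():
        perms = set().union(*(role_perms[r] for r in roles))
        for rule in _rules_hit(perms, rules):
            if (user, rule) not in exceptions:
                violations.setdefault(user, []).append(rule)
    return violations


def role_conflicts(role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Preventive check for the role model itself.

    Returns (roles that conflict with themselves and must be split,
             [(role1, role2, rule)] pairs that must never be assigned together).
    Pairs involving a self-conflicting role are omitted: that role is the finding.
    """
    self_conflicting = sorted(r for r, perms in role_perms.items() if _rules_hit(perms, rules))
    pairs = []
    for r1, r2 in combinations(sorted(role_perms), 2):
        if r1 in self_conflicting or r2 in self_conflicting:
            continue
        for rule in _rules_hit(role_perms[r1] | role_perms[r2], rules):
            pairs.append((r1, r2, rule))
    return self_conflicting, pairs


if __name__ == "__main__":
    print("user violations:", find_conflicts())
    bad_roles, bad_pairs = role_conflicts()
    print("roles to split:", bad_roles)
    print("role pairs never to co-assign:", bad_pairs)
```

Running `role_conflicts` at design time (and again in the provisioning workflow before a second role is added) is what makes SoD preventive; `find_conflicts` over the live assignment export is the detective control an access review or auditor would rerun, with every tolerated conflict tied to a documented approval rather than silently ignored.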

User Access Authentication Control

This control implements secure authentication mechanisms to verify users’ identities and ensure only authorized individuals can access systems and data. User access authentication control focuses on the methods and technologies used to confirm the identity of users before granting access. This includes multi-factor authentication (MFA), biometrics, smart cards, and strong password policies. By verifying user identities, this control reduces the risk of unauthorized access and protects against identity theft or impersonation.

Examples of ITGC activities that may facilitate the achievement of this objective include the following:

  • Implement MFA for critical systems and applications to require users to provide multiple forms of authentication, such as a password and a one-time token, before granting access.
  • Integrate biometric authentication methods, like fingerprint or facial recognition, for enhanced user access security, particularly for high-risk systems or sensitive data.
  • Enforce password policies that are robust in practice: a minimum length, screening of new passwords against lists of known-breached passwords, and account lockout or rate limiting after repeated failed attempts. Note that current guidance such as NIST SP 800-63B favours length and breach screening over mandatory composition rules and periodic forced changes, which tend to push users toward predictable patterns.

Emergency Access Control

The primary purpose of this control is to establish a controlled and documented process for granting temporary emergency access to individuals when exceptional circumstances require immediate access to systems or data. It addresses situations where regular access procedures cannot be followed due to urgent requirements, such as system outages or critical business needs. It defines a structured process for authorizing, monitoring, and auditing emergency access. This control helps prevent abuse of emergency privileges and ensures that any actions taken during such access are well-documented and reviewed after the emergency is resolved.

Examples of ITGC activities that may facilitate the achievement of this objective include the following:

  • Establish a documented process for requesting and approving emergency access. All requests should require authorization from appropriate management or security personnel.
  • Implement detailed access logging during emergency access scenarios to record all actions taken by authorized users. These logs should be reviewed and audited after the emergency is resolved.
  • Conduct post-emergency reviews to evaluate the necessity and appropriateness of emergency access granted. This review should include documenting lessons learned and recommendations for improvement.
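The three bullets above become one repeatable check once emergency sessions are logged and approvals are kept in a register. The following is an added example, not code from the book: it groups a JSON-lines audit log into sessions for the designated break-glass accounts, matches each session against the approval register, and reports the exceptions a reviewer would raise (no covering ticket, session ran past the approved window, session never closed, session longer than policy allows, post-emergency review not documented). The account names, log format, approval register fields, the four-hour policy maximum and all log lines are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed inputs (not real logs): break-glass accounts, a session-length policy,
# an approval register kept by the security team, and a JSON-lines audit log.
BREAK_GLASS_ACCOUNTS = {"bg-admin-01", "bg-admin-02"}
MAX_SESSION = timedelta(hours=4)   # assumed policy maximum for one emergency session

APPROVALS = [
    {"ticket": "INC-1001", "user": "bg-admin-01", "start": "2024-03-02T01:00:00Z",
     "end": "2024-03-02T03:00:00Z", "post_review_done": True},
    {"ticket": "INC-1007", "user": "bg-admin-02", "start": "2024-03-05T13:30:00Z",
     "end": "2024-03-05T17:30:00Z", "post_review_done": False},
]

AUDIT_LOG = """\
{"ts":"2024-03-02T01:12:00Z","event":"login","user":"bg-admin-01","src":"10.0.5.7","session":"s1"}
{"ts":"2024-03-02T01:15:30Z","event":"cmd","user":"bg-admin-01","session":"s1","detail":"systemctl restart erp-db"}
{"ts":"2024-03-02T01:40:00Z","event":"logout","user":"bg-admin-01","session":"s1"}
{"ts":"2024-03-05T14:00:00Z","event":"login","user":"bg-admin-02","src":"10.0.5.9","session":"s2"}
{"ts":"2024-03-05T19:30:00Z","event":"cmd","user":"bg-admin-02","session":"s2","detail":"useradd contractor9"}
{"ts":"2024-03-05T19:31:00Z","event":"logout","user":"bg-admin-02","session":"s2"}
{"ts":"2024-03-06T09:00:00Z","event":"login","user":"jsmith","src":"10.0.5.10","session":"s3"}
{"ts":"2024-03-06T09:05:00Z","event":"logout","user":"jsmith","session":"s3"}
{"ts":"2024-03-07T22:05:00Z","event":"login","user":"bg-admin-01","src":"10.0.5.7","session":"s4"}
{"ts":"2024-03-07T22:06:00Z","event":"cmd","user":"bg-admin-01","session":"s4","detail":"cat /etc/shadow"}
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_sessions(log_text, accounts):
    """Group login/cmd/logout events of break-glass accounts into sessions, keeping every action."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["user"] not in accounts:
            continue   # ordinary accounts are covered by the regular access controls
        s = sessions.setdefault(ev["session"], {"session": ev["session"], "user": ev["user"],
                                                "login": None, "logout": None, "actions": []})
        if ev["event"] == "login":
            s["login"] = parse_ts(ev["ts"])
            s["src"] = ev.get("src")
        elif ev["event"] == "logout":
            s["logout"] = parse_ts(ev["ts"])
        else:
            s["actions"].append((ev["ts"], ev.get("detail", ev["event"])))
    return [sessions[k] for k in sorted(sessions)]


def find_approval(session, approvals):
    """An approval covers a session if it names the same account and its window contains the login."""
    for a in approvals:
        if a["user"] == session["user"] and parse_ts(a["start"]) <= session["login"] <= parse_ts(a["end"]):
            return a
    return None


def review_break_glass(log_text=AUDIT_LOG, approvals=APPROVALS, accounts=BREAK_GLASS_ACCOUNTS):
    """Return one finding per session: the covering ticket (if any), the actions taken, and the exceptions."""
    findings = []
    for s in build_sessions(log_text, accounts):
        exceptions = []
        approval = find_approval(s, approvals) if s["login"] else None
        if approval is None:
            exceptions.append("no approval ticket covers this login")
        else:
            if s["logout"] and s["logout"] > parse_ts(approval["end"]):
                exceptions.append("session ran past the approved window")
            if not approval["post_review_done"]:
                exceptions.append("post-emergency review not documented")
        if s["login"] and s["logout"] is None:
            exceptions.append("session never closed")
        elif s["login"] and s["logout"] - s["login"] > MAX_SESSION:
            exceptions.append("session longer than policy maximum")
        findings.append({"session": s["session"], "user": s["user"],
                         "ticket": approval["ticket"] if approval else None,
                         "actions": s["actions"], "exceptions": exceptions})
    return findings


if __name__ == "__main__":
    for f in review_break_glass():
        print(f["session"], f["user"], f["ticket"], f["exceptions"])
        for ts, action in f["actions"]:
            print("   ", ts, action)
```

Every session is reported, not only the exceptions, because the post-emergency review in the third bullet is about the actions taken as much as about whether access was authorised: session s1 is fully in order, yet a reviewer still confirms that restarting the ERP database was what the ticket called for.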

Summarized Audit Program

As discussed in Chapter 3, an audit program is a structured and comprehensive plan that outlines the procedures and activities to assess the effectiveness of an organization’s control environment. Based on the core concepts of IS user access administration ITGCs discussed above, presented below is a summarized audit program highlighting select relevant risks, corresponding ITGCs, and potential ways (audit procedures) to assess the operating effectiveness of such ITGCs. Please note that this is not an exhaustive audit program covering all applicable risks and controls and is provided for your reference only.

 

Table: Summarized Audit Program

Each entry lists, in order: (1) a detailed description of the risk and its impact, (2) the relevant IT general control activity, including its frequency, and (3) the detailed test of controls audit procedure.

  1. Risk and impact: Unauthorized access to information systems can lead to data breaches and compromise of sensitive information.
     Control activity: Implement stringent user access controls, including user account creation, role assignment, permission granting, and regular review of access rights. Responsibilities include ensuring that access is granted based on job roles and is reviewed and updated regularly. Frequency: user access rights are reviewed quarterly.
     Audit procedure: Review documentation for the two most recent quarterly access reviews. Inspect user account creation forms and the access rights granted against job roles. Verify that access rights are appropriate for each user's job role and that reviews are conducted as scheduled.
  2. Risk and impact: Excessive user privileges can result in unauthorized activities and potential security incidents.
     Control activity: Regularly monitor and enforce the principle of least privilege to ensure that users have only the access necessary for their job functions. Frequency: monthly review of user privileges.
     Audit procedure: Inspect two monthly reports of user access rights. Analyze user privileges for appropriateness based on job function. Determine that users are granted only the privileges they need and identify any instances of excessive access.
  3. Risk and impact: Inactive user accounts pose a security risk because they can be exploited for unauthorized access.
     Control activity: Regularly identify and deactivate or delete inactive user accounts. Responsibilities include monitoring account activity and taking prompt action on inactive accounts. Frequency: inactive accounts are reviewed and managed monthly.
     Audit procedure: Review the records of two monthly reviews of inactive user accounts. Check that inactive accounts are appropriately managed and that actions such as deactivation or deletion are documented.
  4. Risk and impact: Lack of user access documentation can lead to untracked changes and accountability issues.
     Control activity: Maintain comprehensive documentation for all user access changes, including account creation, modification, and deletion. Frequency: documentation is updated with every change in user access.
     Audit procedure: Review documentation for 40 recent user access changes. Verify that all changes are properly documented, including the rationale and approvals.
  5. Risk and impact: Failure to remove access rights upon a user's role change or termination can lead to unauthorized access.
     Control activity: Promptly adjust or remove access rights when a user's role changes or upon termination. Frequency: access rights are reviewed and updated with every change in employment status.
     Audit procedure: Inspect documentation for 40 recent employment terminations and 40 role changes. Determine whether access rights were appropriately modified or removed in response to the change in employment status.
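Several of the tests in the audit program (inactive accounts, and access not removed on termination) come down to one join between the HR system's view of who should have access and the identity store's view of who does. The following is an added example, not code from the book, that performs that reconciliation over two constructed extracts and returns the three exception lists an auditor would sample from: terminated employees whose accounts are still enabled (with days elapsed), enabled accounts dormant beyond the policy threshold, and enabled accounts with no HR record at all. The as-of date, the 90-day dormancy threshold, the one-day removal grace period and all records are assumptions for illustration.

```python
from datetime import date, timedelta

# Policy parameters (assumed for illustration).
AS_OF = date(2024, 6, 30)
DORMANT_AFTER_DAYS = 90
TERMINATION_GRACE = timedelta(days=1)   # access must be gone by the end of the next day

# Constructed HR extract and identity-store extract (not real data).
HR_RECORDS = [
    {"emp_id": "E100", "user": "alice", "status": "active",     "terminated": None},
    {"emp_id": "E101", "user": "bob",   "status": "terminated", "terminated": date(2024, 5, 15)},
    {"emp_id": "E102", "user": "carol", "status": "terminated", "terminated": date(2024, 6, 28)},
    {"emp_id": "E103", "user": "dave",  "status": "active",     "terminated": None},
]
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "last_login": date(2024, 6, 29)},
    {"user": "bob",        "enabled": True,  "last_login": date(2024, 5, 14)},   # left 46 days ago
    {"user": "carol",      "enabled": True,  "last_login": date(2024, 6, 27)},   # left 2 days ago
    {"user": "dave",       "enabled": True,  "last_login": date(2024, 2, 1)},    # dormant
    {"user": "svc-backup", "enabled": True,  "last_login": date(2024, 6, 30)},   # no HR owner
    {"user": "erin",       "enabled": False, "last_login": date(2023, 12, 1)},   # disabled, ignored
]


def reconcile_access(hr_records=HR_RECORDS, accounts=ACCOUNTS, as_of=AS_OF,
                     dormant_after_days=DORMANT_AFTER_DAYS, grace=TERMINATION_GRACE):
    """Join the HR extract to the account extract and return three exception lists.

    Only enabled accounts are examined: a disabled account is the desired end state for
    both a leaver and a dormant user, so it cannot be an exception under these tests.
    """
    hr_by_user = {r["user"]: r for r in hr_records}
    findings = {"terminated_still_enabled": [], "dormant_enabled": [], "orphan_enabled": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        hr = hr_by_user.get(acct["user"])
        if hr is None:
            # No HR record: a service account or a leaver HR never told IT about.
            findings["orphan_enabled"].append(acct["user"])
            continue
        if hr["status"] == "terminated" and as_of > hr["terminated"] + grace:
            days_since = (as_of - hr["terminated"]).days
            findings["terminated_still_enabled"].append((acct["user"], days_since))
        last = acct["last_login"]
        if last is None or (as_of - last).days > dormant_after_days:
            findings["dormant_enabled"].append((acct["user"], (as_of - last).days if last else None))
    return findings


if __name__ == "__main__":
    for category, items in reconcile_access().items():
        print(category, items)
```

The same join, run each month, produces the population the audit procedure samples from; keeping the day counts in the output lets the auditor distinguish a one-day lag in the deprovisioning workflow from a leaver who has kept access for six weeks, which are very different findings.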

 

In the Spotlight

For additional context on performing effective user access reviews, please read the article titled “Effective User Access Reviews”.

Ramaseshan, S. (2019). Effective user access reviews. ISACA Journal, 4. https://www.isaca.org/resources/isaca-journal/issues/2019/volume-4/effective-user-access-reviews


Review Questions

  1. What is the primary purpose of the “Emergency Access Control” in user access administration?
  2. How can organizations enforce strong password policies in user access administration as part of “Password Management Control”?
  3. What is the “Segregation of Duties” principle in user access administration, and why is it important?
  4. What is the role of “User Access Provisioning Control” in information systems user access administration?
  5. Why must organizations periodically review and update user access procedures and controls?

 

Mini Case Study

Imagine you are an IT auditor for a large financial institution responsible for safeguarding sensitive customer data. The organization has recently experienced a security breach, which has raised concerns about the effectiveness of its information security controls. As part of your audit, you must identify and recommend three IT General Controls most appropriate for enhancing data security. Additionally, propose a robust audit procedure for evaluating the effectiveness of these controls.

Required: Please provide the names of the three user access administration-focused IT General Controls you recommend and explain why each control is relevant to the scenario. Then, outline the audit procedure you would conduct to assess the implementation and effectiveness of these controls in the organization’s information security framework.


License


Auditing Information Systems Copyright © 2024 by Amit M. Mehta is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
