An Introduction To
Information, Network and Internet Security


Things to watch

Access control sounds easy to achieve, but in practice it is often one of the most difficult controls to prove to the Auditor. One of the most common problems is that access is not always determined by the business owner of the information, and so may not be appropriate.

Often the Auditor will not find any published access control policy, so it is difficult to see who should have access to what. If there is no policy in place at this stage, the Auditor is going to have a hard time determining whether you comply with it!

User access management is the real start of the access control process and the Auditor will investigate this. The Auditor will check that there are formal records of all user IDs and that they have been appropriately authorised. Typical issues found here are 'movers and leavers' and the management of third parties such as contractors. 'Movers' are users who have moved jobs and gained new privileges without surrendering any old ones; 'leavers' are users who have left but are still on the system. This is made more complex and difficult to manage when the user is a contractor or other third party for whom no centralised records are held.

User IDs and passwords are the most common method of authentication, and passwords are known to be a weak control, especially if they are not managed properly. No account should be shared unless there is a justified management reason for it, and that is the only circumstance in which a password should be shared. All too often it is possible to find passwords written on post-it notes, stored in the back of a diary or written down somewhere else. Users will often, when asked, give their password to another person. The Auditor will check whether this happens.

Once access rights are set up they are often never reviewed, as many organisations do not have the tools to do this and the operating systems do not make it easy. The Auditor will review a sample of access rights to determine their appropriateness, as well as checking for redundant accounts.
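The 'movers and leavers' problem and the access-rights review described above are essentially a reconciliation: the accounts that exist on the system are compared with what the business says each person should have. The following is an added illustration of that reconciliation, not code from this book. The account export, the HR register, the role-to-group entitlement matrix and the 90-day dormancy threshold are all constructed assumptions for the example; the logic flags leavers with live accounts, movers holding privileges their current role does not need, accounts with no authorisation record, accounts with no central (HR or third-party) record at all, and dormant accounts.

```python
"""Access-rights review: reconcile system accounts against HR records.

Added illustration for the 'movers and leavers' and access-review points;
not code from the book. All records below are constructed sample data, and
the field layout, role names and thresholds are assumptions for the example.
"""
from datetime import date

# Constructed sample: what the system administrator exported.
SYSTEM_ACCOUNTS = [
    {"user_id": "asmith", "groups": {"finance_ro", "payroll_rw"},
     "last_login": date(2024, 5, 2), "authorised_by": "J. Doe"},
    {"user_id": "bjones", "groups": {"sales_rw", "finance_ro"},
     "last_login": date(2024, 4, 30), "authorised_by": "J. Doe"},
    {"user_id": "cwhite", "groups": {"it_admin"},
     "last_login": date(2023, 10, 1), "authorised_by": None},
    {"user_id": "ctr_ext1", "groups": {"it_admin"},
     "last_login": date(2024, 1, 15), "authorised_by": "K. Lee"},
]

# Constructed sample: the HR register (status and current role).
# ctr_ext1 is deliberately absent: a contractor with no central record.
HR_RECORDS = {
    "asmith": {"status": "active", "role": "payroll"},
    "bjones": {"status": "active", "role": "sales"},   # moved from finance to sales
    "cwhite": {"status": "left", "role": "it"},
}

# Assumed entitlement matrix: the groups the business owner says each role needs.
ROLE_ENTITLEMENTS = {
    "payroll": {"finance_ro", "payroll_rw"},
    "sales": {"sales_rw"},
    "it": {"it_admin"},
}

REVIEW_DATE = date(2024, 5, 10)   # constructed date of the review
DORMANT_DAYS = 90                 # assumed threshold for a redundant account


def review_accounts(accounts, hr, entitlements, today, dormant_days=DORMANT_DAYS):
    """Return a list of (user_id, finding) pairs for the Auditor's sample."""
    findings = []
    for acct in accounts:
        uid = acct["user_id"]
        person = hr.get(uid)
        if person is None:
            findings.append((uid, "no HR or third-party record: authorisation cannot be confirmed"))
        elif person["status"] != "active":
            findings.append((uid, "leaver still has an active account"))
        else:
            # A mover keeps old groups on top of the ones the new role needs.
            excess = acct["groups"] - entitlements.get(person["role"], set())
            if excess:
                findings.append((uid, "mover retains privileges not needed by role "
                                      f"{person['role']}: {sorted(excess)}"))
        if acct["authorised_by"] is None:
            findings.append((uid, "no record of who authorised the account"))
        if (today - acct["last_login"]).days > dormant_days:
            findings.append((uid, f"dormant: no login for more than {dormant_days} days"))
    return findings


def summarise(findings):
    """Group findings by user so each account's issues can be read together."""
    by_user = {}
    for uid, msg in findings:
        by_user.setdefault(uid, []).append(msg)
    return by_user


if __name__ == "__main__":
    for uid, msgs in summarise(review_accounts(SYSTEM_ACCOUNTS, HR_RECORDS,
                                               ROLE_ENTITLEMENTS, REVIEW_DATE)).items():
        print(uid)
        for msg in msgs:
            print("  -", msg)
```

Run against the constructed data, the review passes asmith cleanly, flags bjones as a mover still holding finance_ro, flags cwhite as a leaver with an unauthorised and dormant account, and flags ctr_ext1 both for having no central record and for dormancy. The important design point is that the entitlement matrix comes from the business owner, not from the system administrator; without it the review can only find dormant and unauthorised accounts, not inappropriate ones.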

When talking to a random sample of users the Auditor will ask them how they go about choosing passwords and what rules exist for the selection of 'strong' passwords. Do staff know how to choose strong passwords, or does the system enforce the use of strong passwords? The Auditor will check.

Access control can be tightened by the use of controls such as password-enabled screen savers, enforced paths, segregation in networks and node authentication. Where these are implemented, the Auditor will check their effectiveness.

A walk around at lunchtime or after work will determine how many PCs are left logged in at the end of the day.

Where there is access to diagnostic ports on either computers or telephone equipment, the Auditor will check that there is adequate control; often these are left wide open for the third party to use at will, with no controls in place. Such facilities can often be found by unauthorised third parties and misused.

Often there are either no log-on banners, or inappropriate ones, warning that the system is for authorised use only.

Often there is no limit to the number of times that a user can get their password wrong, and this is never monitored to determine whether there is any evidence of attempted unauthorised access. Are failures checked regularly, and are users locked out after a predetermined number of failures?
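The two questions above (is there a limit, and is anyone looking?) can both be answered from the authentication log, which is what the Auditor will ask to see. The following is an added illustration of that monitoring, not code from this book. The log lines are constructed samples in a generic syslog-like layout, and the threshold of five failures in a fifteen-minute window is an assumption chosen for the example, not a recommendation for any particular system. A successful logon resets the count, and the first time a user crosses the threshold an alert is raised with the source address, which is the evidence of attempted unauthorised access the text refers to.

```python
"""Failed-logon monitoring and lockout check over sample log lines.

Added illustration for the point about limiting and monitoring password
failures; not code from the book. The log layout, threshold and window are
constructed assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: two fumbled attempts then success (asmith), a burst
# of failures against a privileged account (admin), and two isolated failures
# hours apart (bjones).
SAMPLE_LOG = """\
2024-05-10T08:00:01 host1 login: FAILED user=asmith src=10.0.0.5
2024-05-10T08:00:04 host1 login: FAILED user=asmith src=10.0.0.5
2024-05-10T08:00:09 host1 login: OK user=asmith src=10.0.0.5
2024-05-10T08:01:00 host1 login: FAILED user=admin src=10.0.0.77
2024-05-10T08:01:02 host1 login: FAILED user=admin src=10.0.0.77
2024-05-10T08:01:03 host1 login: FAILED user=admin src=10.0.0.77
2024-05-10T08:01:05 host1 login: FAILED user=admin src=10.0.0.77
2024-05-10T08:01:08 host1 login: FAILED user=admin src=10.0.0.77
2024-05-10T08:01:10 host1 login: FAILED user=admin src=10.0.0.77
2024-05-10T09:30:00 host1 login: FAILED user=bjones src=10.0.0.9
2024-05-10T14:30:00 host1 login: FAILED user=bjones src=10.0.0.9
"""

# Assumed line format: "<timestamp> <host> login: <FAILED|OK> user=<id> src=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

MAX_FAILURES = 5                  # assumed lockout threshold
WINDOW = timedelta(minutes=15)    # assumed window in which failures are counted


def parse_events(text):
    """Turn raw log text into (timestamp, result, user, src) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def check_lockouts(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user: (time, source, failure_count)} for each user that should
    have been locked out. Only failures inside the sliding window are counted,
    and a successful logon clears the user's count."""
    recent = defaultdict(list)
    alerts = {}
    for ts, result, user, src in events:
        if result == "OK":
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window]
        recent[user].append(ts)
        if len(recent[user]) >= max_failures and user not in alerts:
            alerts[user] = (ts, src, len(recent[user]))
    return alerts


def failure_totals(events):
    """Overall failures per user: the figure a periodic review would look at."""
    totals = defaultdict(int)
    for _ts, result, user, _src in events:
        if result == "FAILED":
            totals[user] += 1
    return dict(totals)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failures per user:", failure_totals(evs))
    for user, (ts, src, n) in check_lockouts(evs).items():
        print(f"LOCKOUT {user}: {n} failures by {ts.isoformat()} from {src}")
```

On the sample, only the admin account trips the threshold; bjones's two failures fall outside the window and asmith's are cleared by the successful logon. If a system has no lockout at all, the same script run over its real log will show bursts like the admin one going unanswered, which is exactly the evidence the Auditor is looking for.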

Mobile computing and teleworking are becoming commonplace in all organisations these days. Many organisations have given scant regard to the security requirements, based on a risk assessment, for information processing performed outside the physically secure organisational area. The press carries many reports of portables being stolen from high profile organisations and individuals. The computers themselves are generally not worth much, but the information held on them can be of considerable value, both to the organisation and to its competitors or opponents.

The problem with off-site working is that many of the processes and procedures that exist on site are not present off site. These include the ability to restrict access, the means to make backups, the updating of malicious software protection, and physical security. Many staff are simply given the equipment and left to it, without any advice on the protection to be implemented and without any risk assessment taking place. The Auditor will review the workplaces of a selection of staff who work off site to determine whether the requirements for appropriate security have been met and the staff suitably trained.



The Security Practitioner

An Introduction to Information Security