About ISACA
With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of
knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security,
enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit,
independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS
auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It
also advances and attests IT skills and knowledge through the globally respected Certified Information Systems
Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise
IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates and expands the practical guidance and product family based on the COBIT®
framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management
responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created this Identity Management Audit/Assurance Program (the “Work”) primarily as an
educational resource for governance and assurance professionals. ISACA makes no claim that use of any of the
Work will assure a successful outcome. The Work should not be considered inclusive of all proper information,
procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining
the same results. In determining the propriety of any specific information, procedure or test, governance and
assurance professionals should apply their own professional judgment to the specific circumstances presented by the
particular systems or information technology environment.
Reservation of Rights
© 2013 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
ISBN 978-1-60420-298-4
Identity Management Audit/Assurance Program
Expert Reviewers
Diane D. Bili, Canada
Francis Kaitano, CISA, CISM, CISSP, MCSD, Contact Energy, New Zealand
Kamal Khan, CISA, CISSP, MBCS, CITP, Saudi Aramco, Saudi Arabia
Ability Takuva, CISA, Ernst & Young LLP, USA
Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Salomon Rico, CISA, CISM, CGEIT, Deloitte LLP, Mexico
ASIS International
Hewlett-Packard
IBM
Symantec Corp.
Table of Contents
I. Introduction (page 5)
II. Using This Document (page 6)
III. Controls Maturity Analysis (page 9)
IV. Assurance and Control Framework (page 10)
V. Executive Summary of Audit/Assurance Focus (page 11)
VI. Audit/Assurance Program (page 15)
1. Planning and Scoping the Audit (page 15)
2. Risk Management (page 18)
3. Policies (page 19)
4. Technical Standards (page 21)
5. Identity Management (page 22)
6. Single Sign-on (SSO) and Federated Identity Management (FIdM) (page 34)
VII. Maturity Assessment (page 37)
VIII. Maturity Assessment vs. Target Assessment (page 40)
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good practice-setting model.
ITAF provides standards that are designed to be mandatory, and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies,
tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a roadmap for the completion of a
specific assurance process. The ISACA Assurance Committee has commissioned audit/assurance
programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is
intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject
matter under review, as described in ITAF, section 2200—General Standards. The audit/assurance
programs are part of ITAF, section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with COBIT®—specifically COBIT
4.1—using generally applicable and accepted good practices. They reflect ITAF, sections 3400—IT
Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance
Management.
Many enterprises have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. They seek to integrate control framework elements used by the
general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it
has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these
columns to align with the enterprise’s control framework.
Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g.,
1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for
the subsidiary steps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the
program, the audit/assurance program describes the audit/assurance objective—the reason for performing
the steps in the topic area. Each review step is listed below the control. These steps may include assessing
the control design by walking through a process, interviewing, observing or otherwise verifying the
process and the controls that address that process. In many cases, once the control design has been
verified, specific tests need to be performed to provide assurance that the process associated with the
control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing and report clearing—has been
excluded from this document, since it is standard for the audit/assurance function and should be identified
elsewhere in the enterprise’s standards.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO issued an
Enterprise Risk Management (ERM) Integrated Framework, which includes eight components. The ERM
framework has a business decision focus when compared to the 2004 Internal Control—Integrated
Framework. Large enterprises are in the process of adopting ERM. The two frameworks are compared in
Figure 1.
The 1992 Internal Control—Integrated Framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these
audit/assurance programs. When completing the COSO component columns, consider the definitions of
the components as described in Figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item,
which describes the work performed, issues identified, and conclusions. The reference/hyperlink is to be
used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system
of this document provides a ready numbering scheme for the work papers. If desired, a link to the work
paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper describing the work performed.
The IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control, in Figure 2,
provides a generic maturity model showing the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity level of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progression
in the enhancement of controls. However, it must be noted that the perception of the maturity level may
vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the
concerned stakeholder’s concurrence before submitting the final report to the management.
At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and target maturity goals. A graphic is provided as the last page
of the document (section VIII), based on sample assessments.
Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT
audit/assurance with good practices as developed by the enterprise.
The COBIT 4.1 Plan and Organize (PO) and Deliver and Support (DS) domains apply to this evaluation
and include:
PO6.3 IT Policies Management—Develop and maintain a set of policies to support IT strategy.
These policies should include policy intent; roles and responsibilities; exception process; compliance
approach; and references to procedures, standards and guidelines. Their relevance should be
confirmed and approved regularly.
PO6.4 Policy, Standard and Procedures Rollout—Roll out and enforce IT policies to all relevant
staff, so they are built into and are an integral part of enterprise operations.
PO9.4 Risk Assessment—Assess on a recurrent basis the likelihood and impact of all identified risk,
using qualitative and quantitative methods. The likelihood and impact associated with inherent and
residual risk should be determined individually, by category and on a portfolio basis.
DS5.3 Identity Management—Ensure that all users (internal, external and temporary) and their
activity on IT systems (business application, IT environment, system operations, development and
maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with defined and documented business
needs and that job requirements are attached to user identities. Ensure that user access rights are
requested by user management, approved by system owners and implemented by the security-
responsible person. Maintain user identities and access rights in a central repository. Deploy cost-
effective technical and procedural measures and keep them current to establish user identification,
implement authentication and enforce access rights.
DS5.4 User Account Management—Address requesting, establishing, issuing, suspending,
modifying and closing user accounts and related user privileges with a set of user account
management procedures. Include an approval procedure outlining the data or system owner granting
the access privileges. These procedures should apply for all users, including administrators
(privileged users) and internal and external users, for normal and emergency cases. Rights and
obligations relative to access to enterprise systems and information should be contractually arranged
for all types of users. Perform regular management review of all accounts and related privileges.
Refer to the IT Governance Institute’s COBIT Control Practices: Guidance to Achieve Control
Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice
value and risk drivers.
Identity Management
Identity Management (IdM)¹—also known as Identity and Access Management (IAM)—is the set of
procedures to issue and manage digital identities (identifiers) of people and systems so that they can be
uniquely authenticated (identified) to IT systems before being granted online access to sensitive IT assets.
Such assets include computer systems, digital information in structured or unstructured formats,
databases, web and database servers, email and video systems, report generation capabilities, etc.
1 Because access control is not a focus of this audit/assurance review, “IdM” is the preferred acronym in this
document.
IdM processes involve the establishment (provisioning) and maintenance of user identities (IDs),
associated authentication and monitoring processes, and user permissions, so as to provide assurance that
only authorized users have access to sensitive business applications, information and operating
environments. Unique user identity also ensures that no user can repudiate a past transaction, i.e., the
individual assigned to a particular user ID can be held accountable for the activity performed with that ID.
A closely associated process, known as access control, ensures that properly authenticated users may
conduct only previously authorized transactions. This ensures the confidentiality of sensitive information
by allowing only users with a genuine “need to know” to view or change such information. This is also
critical for maintaining the privacy of sensitive personal information, e.g., an individual’s financial
records, medical history, or other nonpublic information that could be used to commit crimes, including
blackmail, industrial espionage and identity fraud.
A key issue in the IdM process is the alignment of the IdM strategy with the organization’s identity policy
and IT architecture. If there is misalignment, the organization is at risk of ineffective security over user
access with associated expensive alternative control procedures.
A central authentication system, often referred to as a single sign-on (SSO) system, removes the
responsibility of access control from the individual applications and replaces it with a single
organizationwide IdM solution. Under this approach, all user authentication and maintenance processes
are directed to one automated system, which frees users from having to remember multiple user ID and
password combinations and eliminates maintenance of identity from individual applications. SSO
solutions may not integrate with legacy applications and systems, which either limits their usefulness or
requires interim application-specific access control solutions until an interface is available or the legacy
solution is replaced. The SSO capability can be expanded to include access to third-party IdM systems
(e.g., other web sites); this capability is known as federated identity management (FIdM).
2 For more on digital certificates, see ISACA’s Ecommerce and PKI Audit/Assurance Program, 2012.
The organization’s access control policy establishes how often passwords must be changed; the
complexity and history of passwords to reduce the risk of a successful password “hacking” attack;
and limitations on, or logging of, the activities of administrators with so-called superuser privileges
(i.e., system and database administrators) who may be able to bypass traditional controls.
User provisioning includes the approvals necessary to create new users; to ensure that when users’ job
functions change, their corresponding access privileges are changed in alignment with their new job
functions; and to ensure that terminated users’ access privileges are removed immediately on
termination.
Appropriate monitoring is essential to ensure that access violations are identified, evaluated for risk,
and escalated to the appropriate information security professional for investigation or addressed to
prevent recurrence. The latter may include retraining or disciplinary processes.
Accounts are linked to unique user IDs, which will give the organization the ability to react to orphan
accounts (accounts without an owner).
Roles are linked to accounts with unique user IDs.
Role management exists, specifying roles from initiation to revocation as user IDs are managed.
A recent new twist in IdM is the impact of mobility, i.e., the fact that users can connect to sensitive
systems from mobile devices like smartphones and tablet computers.
Scope—The review will focus on IdM standards, guidelines and procedures as well as on the
implementation and governance of these activities. Application-specific user access management—
typically the task of the respective application and not that of the IdM system—is outside the scope of this
review.3
3 The line of demarcation between the two tends to get blurred in a complex enterprise IT infrastructure environment. It would
be prudent to include a disclaimer in the audit report, as appropriate, to indicate that the engagement scope does not include
review of user access management of individual applications.
Feedback
Visit www.isaca.org/IdentityManagement-AP and use the feedback function to provide your comments
and suggestions on this document. Your feedback is a very important element in the development of
ISACA guidance for its constituents and is greatly appreciated.
Program table columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO component (Control
Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Reference
Hyperlink | Issue Cross-reference | Comments
1.9.1 Conduct an opening conference to discuss the review’s objectives with the
executive responsible for operating systems and infrastructure.
2. RISK MANAGEMENT
2.1 Risk Assessment
Audit/Assurance Objective: IdM is subject to routine risk assessment processes.
2.1.1 IdM Initial Risk Assessment
Control: Management performed a risk assessment prior to implementing the IdM program. [COBIT: PO9.4 | COSO: X]
2.1.1.1 Determine whether a risk assessment of IdM was performed before
acceptance of the program.
3. POLICIES
3.1 IdM Policies
Audit/Assurance Objective: The organization has defined, disseminated and deployed
management policies supporting the IdM initiative.
3.1.1 Formal IdM Policy
Control: The IdM policies have been defined by management, documented, approved at an appropriate senior
level, disseminated to all relevant employees and third parties, and deployed across the organization.
[COBIT: PO6.3 | COSO: X]
3.1.1.1 Verify that an appropriate IdM policy was drafted and deployed before the
IdM initiative was deployed into production.
3.1.1.2 Verify that senior business management formally approved the IdM policy.
3.1.1.3 Verify that all employees are appropriately informed of the IdM policy, e.g.,
during initial orientation and in information security training.
3.1.2 Human Resources (HR) Support for IdM
Control: IdM processes are integrated into HR services, policies and compliance. [COBIT: PO6.4 | COSO: X]
3.1.2.1 Obtain a copy of the organization’s Code of Conduct and determine
whether it specifically states that a violation of the IdM policy is considered
a violation of the Code of Conduct with applicable sanctions.
3.1.2.2 Determine whether disciplinary policies and supporting processes are in
effect for violations of IdM policy. These should include:
Established penalties for infringements
Uniform application of penalty policy
Establish whether awareness campaigns are conducted periodically
3.1.3 Third Parties
Control: Third parties, such as contractors, are contractually required to comply with the organization’s IdM
and access control policies. [COBIT: DS2.2 | COSO: X]
3.1.3.1 Determine the policies in effect to permit third parties to use the
4 Sensitive information includes personally identifiable information (PII); see ISACA’s Personally Identifiable Information (PII) Audit/Assurance Program, 2012.
3.2.1.2 Determine that exemptions are granted only for a limited time period,
maximum one year.
3.2.1.3 Determine that each IdM exemption is regularly reviewed for continuing
applicability.
3.2.1.4 Determine that a new application for exemption was submitted and
approved in each case where the applying party needed a time extension for
the exemption.
3.2.1.5 Determine whether a risk assessment was performed before access is
granted and compensating controls are in place, if necessary.
4. TECHNICAL STANDARDS
4.1 The Organization’s Technical Standards Apply to IdM
Audit/Assurance Objective: IdM is supported by the organization’s technical standards,
processes and procedures.
4.1.1 Technical Standards
Control: IdM technical standards are aligned with the organization’s standards. [COBIT: PO6.3 | COSO: X]
4.1.1.1 Obtain and review the current organizational chart for the IT department
and the relevant business units.
4.1.1.2 Interview the senior security officer, legal officer, data privacy officer and
IT security administrator.
4.1.1.3 Identify who has responsibility for IdM.
4.1.1.4 Obtain a copy of each of the following:
Policies and procedures relating to IdM, access control and authentication
IdM systems specifications (if applicable)
User provisioning procedures
User transfer and termination procedures (from IdM and HR departments)
User revalidation procedures (department managers’ routine regular review
of subordinates’ access privileges)
5. IDENTITY MANAGEMENT
5.1 IdM Strategy
Cost-effective technical and procedural measures are deployed and kept current to
establish user identification, implement authentication and enforce access permissions.
Audit/assurance objective: The deployed IdM system aligns with the organization’s IT
architecture.
5.1.1 IdM Systems
Control: The IdM system selection process took the following into consideration: [COBIT: PO2.1, PO3.2, PO3.4,
DS5.3 | COSO: X]
The organization’s IT strategy and infrastructure
Interim procedures for identity in legacy applications
IT skills, experience, and training needed to deploy and maintain the system
5.1.1.1 Verify that the selected IdM systems support the organization’s IT operating
platforms and applications in use or planned in the IT strategy.
5.1.1.2 Verify that the selection process considered growth and scalability of the
solution to meet anticipated future business needs.
5.1.1.3 Verify that the IdM system is subject to the organization’s policies and
procedures for change control and backup and recovery.
5.2.1.6 Prior to acquisition and implementation, verify that there is a review and
test process of the integration of new applications and operating systems
into the IdM system.
5.2.2 Source of Identity
Control: The organization has defined a trusted source for all identity verification, usually HR and the HR
employee database. [COBIT: DS5.3 | COSO: X]
5.2.2.1 Determine that the organization has defined a trusted identity source, such
as the HR database.
5.2.2.2 Determine that the IdM system verifies every request for a new or changed
identity against the trusted source.
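The trusted-source verification in 5.2.2, and the orphan-account and unique-user-ID points in the overview, amount to a reconciliation an auditor can run over an IdM export. The following added example is not part of the ISACA program; it reconciles a constructed IdM account export against a constructed HR record set, and the field names, sample values and finding codes are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """One row of the trusted identity source (assumed HR field names)."""
    employee_no: str
    full_name: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class IdmAccount:
    """One row of the IdM account export (assumed field names)."""
    user_id: str
    owner_employee_no: str  # "" when the IdM system records no owner


# Constructed sample input, not real data.
HR_RECORDS = [
    HrRecord("100234", "Ana Ruiz", "active"),
    HrRecord("100567", "Tom Becker", "terminated"),
    HrRecord("100890", "Li Wei", "active"),
]

IDM_EXPORT = [
    IdmAccount("u4k7p2", "100234"),     # opaque ID, active owner: compliant
    IdmAccount("tbecker", "100567"),    # owner terminated; ID built from the name
    IdmAccount("emp100890", "100890"),  # ID embeds the employee number
    IdmAccount("svc_backup", ""),       # no recorded owner: orphan account
    IdmAccount("ops_shared", "100234"), # one ID mapped to two people: shared
    IdmAccount("ops_shared", "100890"),
]


def name_patterns(full_name):
    """Lower-case name fragments that a user ID should not contain:
    every name part of three or more characters, plus initial + last name."""
    parts = [p.lower() for p in re.split(r"\s+", full_name.strip()) if p]
    patterns = {p for p in parts if len(p) >= 3}
    if len(parts) >= 2:
        patterns.add(parts[0][0] + parts[-1])
    return patterns


def reconcile(accounts, hr_records):
    """Return {user_id: sorted finding codes}; compliant IDs map to an empty list.

    ORPHAN             no owner, or owner unknown to the trusted source
    OWNER_TERMINATED   owner exists in HR but is no longer active
    SHARED             the same user ID is mapped to more than one person
    EMPLOYEE_NO_IN_ID  the ID embeds the owner's employee number
    NAME_IN_ID         the ID embeds part of the owner's name
    """
    hr_by_no = {r.employee_no: r for r in hr_records}

    # Group owners per user ID so shared IDs can be detected.
    owners = defaultdict(set)
    for acct in accounts:
        if acct.owner_employee_no:
            owners[acct.user_id].add(acct.owner_employee_no)

    findings = defaultdict(set)
    for acct in accounts:
        uid = acct.user_id
        codes = findings[uid]  # creates an empty entry for compliant IDs
        if len(owners[uid]) > 1:
            codes.add("SHARED")
        owner = hr_by_no.get(acct.owner_employee_no)
        if owner is None:
            codes.add("ORPHAN")
            continue  # no HR record to compare against
        if owner.status != "active":
            codes.add("OWNER_TERMINATED")
        if acct.owner_employee_no in uid:
            codes.add("EMPLOYEE_NO_IN_ID")
        if any(p in uid.lower() for p in name_patterns(owner.full_name)):
            codes.add("NAME_IN_ID")
    return {uid: sorted(codes) for uid, codes in findings.items()}


if __name__ == "__main__":
    for uid, codes in reconcile(IDM_EXPORT, HR_RECORDS).items():
        print(f"{uid:12s} {', '.join(codes) or 'OK'}")
```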
5.2.3 Nonstandard Authentication
Control: Applications that cannot be managed by the IdM system either have authentication controls similar to
the functionality within the IdM system, or the organization has plans to upgrade or replace the application
systems to achieve compliance with the IdM policy. [COBIT: DS5.3, DS5.4 | COSO: X]
5.2.3.1 For each application without platform-based IdM, determine whether the
application’s IdM conforms to the IdM policy.
5.2.3.2 Verify that legacy applications not adhering to the IdM policy have been
formally approved by an IT executive at an appropriately senior level.
5.2.3.3 For noncomplying applications, verify that there is either (a) an action plan
for future compliance, or (b) a planned conversion to a fully compliant
application.
5.2.3.4 Determine the procedures for bypassing authentication systems. If bypass is
permitted, determine the approval and monitoring process.
5.3 Authentication
Audit/assurance objective: User authentication methods are based on assessed risk.
Multi-factor authentication is required to access sensitive or personally identifiable
information (PII). If feasible, single sign-on (SSO) technology is deployed to limit the
number of user IDs and passwords that users must remember. If SSO is not feasible,
compensating controls equivalent to SSO functionality are in place.
5.3.1 Risk Assessment
Control: Risk assessment is conducted to determine whether single-factor or multifactor authentication is
required. [COBIT: PO9.4, DS5.3 | COSO: X X]
5.3.1.1 Verify (a) that a risk assessment has been performed to determine the
authentication mechanism to be employed (simple user ID and password, or
user ID and password with either a physical token or biometric verification)
for each class of user, and (b) the risk assessment defines the users and
profiles within each class.
5.3.1.1.1 Select a sample of in-scope applications and operating systems.
5.3.1.1.2 For each selected item, obtain the risk assessment used to
determine authentication requirements.
5.3.1.1.3 Select users from the various risk classes.
5.3.1.1.4 Verify that the appropriate authentication has been determined and
deployed based on risk and the related policy.
5.4 Identity Repository
Audit/Assurance Objective: Details of user IDs and the related access privileges are
maintained in a secure central repository.
5.4.1 IdM Databases
Control: Identity databases are secure to prevent unauthorized access or modification. (COBIT cross-reference: DS5.3)
5.4.1.1 Verify that the directory services databases are behind a firewall and the
demilitarized zone (DMZ).
5.4.1.2 Review access permissions to the databases and database utilities to verify
that only authorized administrators have access to these sensitive resources.
5.4.1.3 Verify that appropriate software tools are deployed to review access
permissions and that access permissions are evaluated regularly.
5.5 Unique Identity
Audit/assurance Objective: All users (internal, external and temporary) and their activity
on IT systems (business applications, IT environments, system operations, development
and maintenance) are uniquely identifiable.
5.5.1 Unique User IDs
Control: Unique user IDs are assigned, the naming convention does not identify the user’s name or any private information about the user, and shared user IDs are prohibited. (COBIT cross-reference: DS5.3)
5.5.1.1 Verify that only unique identifiers are assigned and that a user ID does not
also include any sensitive personal identifiers, e.g., employee, social or
medical identifiers.
5.5.1.2 Determine whether any user IDs (administrator, application, system or
user) are shared. If shared, determine how the users concerned can be
identified and held accountable for the activities performed with a shared
ID.
5.5.1.3 Determine whether shared user IDs are justified and approved.
5.5.1.4 Determine whether users with multiple IDs are monitored regularly.
5.5.1.4.1 Obtain reports associated with multiple ID usage.
5.5.1.4.2 Review reports for evidence of IT management review of ID
usage.
5.5.1.4.3 Determine whether the review process adequately identifies and
monitors multiple user ID activity.
5.7.1.3 Confirm that user access permissions to systems and information are in line
with defined and documented business needs and that job requirements are
attached to user identities.
5.7.1.4 Verify that new user access permissions are not copied from existing users
(this practice raises the potential for accidentally granting special
privileges).
5.7.2 Supervisory Approval of User Provisioning
Control: User provisioning requires supervisory or management approval and is routinely reviewed by management. Information owners are responsible for approving and monitoring users who access the information under their custodianship. (COBIT cross-reference: DS5.3, DS5.4)
5.7.2.1 Determine whether every request to provision a user (or change previous
provisioning) requires a supervisor’s approval.
5.7.2.2 Determine whether access requirements in excess of those established for
the job function require a supervisor’s approval.
5.7.2.3 Determine whether information owners must formally authorize access to
their information.
5.7.2.4 Determine whether information owners routinely review access permissions
to their information.
5.7.2.5 Select a sample of provisioning requests that includes platforms and
applications with varying levels of associated business risk.
5.7.2.6 For hard copy approvals, verify the dates and signatures of supervisors and
information owners. For electronic approvals, verify that approvals can
only be given with the approvers’ user IDs.
5.7.2.7 Determine whether user access is routinely reviewed and explicitly
approved by the user’s supervisor.
5.7.2.7.1 Select a sample of departments and obtain corresponding reports
of their routine review of user access privileges (generally a
report of access rules distributed to supervisors).
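A way to apply steps 5.7.2.1, 5.7.2.2, 5.7.2.3 and 5.7.2.6 to a sample of electronic provisioning records, added here as an example rather than taken from the ISACA program; the reporting lines, information owners, job baselines and request records are constructed assumptions.

```python
# Constructed sample data (not from any real system): who supervises whom,
# who owns which resource, and the baseline privileges of each job function.
SUPERVISOR_OF = {"emp-1001": "sup-0042", "emp-1002": "sup-0042", "sup-0042": "dir-0007"}
OWNER_OF = {"payroll-db": "own-0301", "hr-share": "own-0302", "mail": "own-0303"}
JOB_BASELINE = {"hr-analyst": {"hr-share", "mail"}, "clerk": {"mail"}}

REQUESTS = [  # approvals are (approver user ID, role in which they approved)
    {"id": "R1", "subject": "emp-1001", "job": "hr-analyst", "privileges": {"hr-share", "mail"},
     "approvals": [("sup-0042", "supervisor")]},                          # within baseline
    {"id": "R2", "subject": "emp-1002", "job": "clerk", "privileges": {"mail", "payroll-db"},
     "approvals": [("sup-0042", "supervisor")]},                          # excess, no owner sign-off
    {"id": "R3", "subject": "sup-0042", "job": "hr-analyst", "privileges": {"hr-share"},
     "approvals": [("sup-0042", "supervisor")]},                          # approved with own ID
    {"id": "R4", "subject": "emp-1001", "job": "hr-analyst", "privileges": {"hr-share", "payroll-db"},
     "approvals": [("sup-0042", "supervisor"), ("own-0301", "owner")]},   # excess, fully approved
]

def review_request(req, supervisor_of=SUPERVISOR_OF, owner_of=OWNER_OF, baseline=JOB_BASELINE):
    """Return the list of audit exceptions for one provisioning request."""
    exceptions = []
    subject = req["subject"]
    sup = next((aid for aid, role in req["approvals"] if role == "supervisor"), None)
    owner_approvers = {aid for aid, role in req["approvals"] if role == "owner"}
    # 5.7.2.1 / 5.7.2.6: the approval must be recorded under the supervisor's own ID.
    if sup is None:
        exceptions.append("no supervisor approval")
    elif sup == subject:
        exceptions.append("self-approved")
    elif sup != supervisor_of.get(subject):
        exceptions.append(f"approver {sup} is not the subject's supervisor")
    # 5.7.2.2 / 5.7.2.3: privileges beyond the job baseline need the information owner's authorization.
    excess = req["privileges"] - baseline.get(req["job"], set())
    for resource in sorted(excess):
        owner = owner_of.get(resource)
        if owner is None:
            exceptions.append(f"{resource}: no information owner on record")
        elif owner not in owner_approvers:
            exceptions.append(f"{resource}: no approval from information owner {owner}")
    return exceptions

def review_sample(requests):
    """Map request ID to its exceptions, keeping only requests with findings."""
    return {r["id"]: ex for r in requests if (ex := review_request(r))}
```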
6.2 FIdM
Audit/Assurance Objective: FIdM, if deployed, uses an industry-standard framework.
6.2.1 The FIdM framework adheres to industry standards.
Control: The organization permits federated connections (i.e., passes identity) to third-party web sites only by means of an industry-standard protocol. (COBIT cross-reference: DS5.3)
6.2.1.1 Review the IdM framework document and determine whether FIdM requires use of one of the industry-standard protocols, namely: SAML2, Liberty Alliance Identity Assurance Framework, OpenID, WS-Federation or Ping Identity.
6.2.2 Appropriate security controls are in place to protect FIdM and to deter hacking attacks.
Control: FIdM servers are included in the organization’s standard network protection mechanisms. (COBIT cross-reference: DS5.3, DS5.10)
6.2.2.1 Determine that a global time-out of appropriate length is in place, i.e., the period of inactivity after which online users are timed out.
6.2.2.2 Identify sensitive applications where individual time-outs less than the
global standard should be in place. Obtain explanations.
6.2.2.3 Determine that FIdM uses the organization’s authoritative identity store,
e.g., the Active Directory database.
6.2.2.4 Determine that FIdM servers are covered under the organization’s standard
protection mechanisms, e.g., firewalls, restricted VLANs, IDSs/IPSs,
backup and recovery, and failover strategies.
6.2.2.5 Determine whether the FIdM servers and trusted authentication store (e.g.,
the Active Directory database) are included in a regular disaster recovery
testing process.
Maturity assessment table (fragment): PO6.4 Policy, Standard and Procedures Rollout; DS5.4 User Account Management. Columns: Assessment, Target; values shown: 2, 1.