By: Mitchell H.Levine.CISA
Audit Serve, Inc.

With the predominant use of 3^rd party vendor application systems used to support key business processes, many organization have accepted the limitation of security capabilities within these systems that violate the basic principles of being able to restrict the specific functions and access to data based on the requirements of an individual’s job function which also meets the required level of segregation of duties.

This breakdown of accepting security limitations is the reason for operation inefficiencies because oversight reviews are necessary to ensure that individual users which cannot be restricted to only the actual components needed to perform their job function.  These limitations potentially forces an organization to establish a process in which audit trails are generated at the application or database level to ensure proper actions were taken by individuals which did not extend beyond their job responsibilities. Organizations have been stuck with the extreme measure of using keystroke loggers to capture all actions performed by privileged individuals.  This type data collection which is used to support a review process can only be effective if there are specific actions which would trigger suspicious use of a “privileged ID” (i.e., once a user has access to functions outside their responsibilities it is considered a privileged ID).  With this approach, assuming that the key stroke logger generates a file structure, a query could be written using predefined character strings.   Expecting the person responsible for this review process to analyze a keystroke logger of an entire session is too voluminous and will not be an effective review process.  If the session capture used a video logger to capture the keystrokes of a session, this is the least desirable source for data to support a review process because specific events cannot be selected for review.  Overall, unless there is a specific selection criteria that can be used to support a key logger source type, this type of audit trail could only be considered for a forensic analysis to support a specific investigate where the time is allocated to review every keystroke from a session.  One overall inherent issue with depending on a key stroke logger to support a review process is that commands can be issued which execute other scripts or personally written programs which can be changed by the individual who is subject to this review process.  Therefore, the actions taken by these scripts and programs at the time of execution will be unknown.  The desired method to support any review process needs to be embedded within the application which allows for easy interpretation by the reviewer of the actions performed.  At a database level, the review process would need to focus in on those tables of consequence which ties to the potential impact of unauthorized changes (e.g., perpetrating a fraud).

Overall an application security design needs to provide the following fundamental components:

(1) Provides the desired level of logon security controls (i.e., assuming single signon process is not used)

(2) Establishes an effective mechanisms for administering security which provides accountability for all changes

(3) Ensures that the person administrating the resources cannot directly alter the resources they are provision

(4) Provides an application security design that allows for access components to be tied to individual user or user group based on providing flexible resource roles which allows for roles to be tailored to individual functions which are tied to key business processes.   This mechanism could then be used to map these access components to job functions which provide for consistent access entitlement assignments which can also be bridged to the security access provisioning process.