(OS/390 specific but can be used across all platforms)
Control Point Ref #: priveaab
-------------
A formal process in place for requesting the establishment of an ID and additional access capabilities

Audit Steps
-----------
1) Ensure that a process is in place that requires the following items to be included within an access request form prior to establishing an ID or changing the access levels assigned to an existing ID:
   o signed by the requestor and the requestor's manager
   o identify the specific resources, access levels, facilities, and attributes required if a template of user access requirements by job function is not utilized
   o identify the templates by job function that should be granted
   o requests that are made to resources not within the requestor's defined area of responsibility are approved by the owners of the resource
2) Ensure that this process is being adhered to by selecting a sample of user IDs and ensuring that a request form is present and that the above information is included in the request form.

F1 - Info Screen Ref #: priveaab

Background
----------
A formalized process needs to be in place for requesting an ID and the resources that it requires. A request form should be in place which is authorized by the requestor's manager. To alleviate the amount of paperwork, most installations establish profiles by job function of the resources and privileges that are required, so that the request form is only used to specify the ID profile that should be established. Requesting access to resources involves many decisions, including whether the person is authorized to access the resources for their job function. As we discussed in another control point, owners should be identified for each resource type who are responsible for the integrity of the resources. The owner is the appropriate person to decide whether an individual's access to a resource that they own is appropriate, but in some installations the requestor's manager is considered the appropriate person to make that decision.
Regardless of whether the owner of the resource or the requestor's manager makes the decision, the security administrator should never be the one to make it, since they would not be familiar enough with the operating environment to do so.

Audit Step Info
---------------
The request form should be detailed enough to identify all of the resources and Security System privileges that a person should be granted. This can be done by specifying all resource types on the form (datasets, volumes, commands, facilities, transactions, attributes) or by leaving a blank area for the authorizer to fill in. However, it is better to use a form which details the resources, since the authorizer might not be familiar with the syntax of the resources that the user requires access to.

Control Point Ref #: priveaac
-------------
Users' access is reassessed when their job function changes and deleted immediately upon their employment termination

Audit Steps
-----------
1) Determine if terminated employees still have accounts on the system.
   1.1) Determine the process that is used to prevent terminated employees from gaining access to the system (e.g., delete account, disable account).
   1.2) Ensure that terminated employees' IDs were deleted or suspended in a timely manner.
2) Determine the employees that have changed job functions and review an access listing to ensure that it is commensurate with their job function.

F1 - Info Screen Ref #: priveaac

Background
----------
A process should be in place for departments or Human Resources to notify the security administrator when an individual changes job functions or terminates their employment, so that their access levels can be changed according to the requirements of the new job function or removed from the system when the employee leaves.
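As an added illustration of audit steps 1.2 and 2 above (this code is not part of the Audit Serve audit program), the following Python reconciles a constructed HR feed against a constructed security-system user listing and a set of job-function templates, flagging terminated IDs that are still active or were suspended late and current users whose entitlements exceed their job-function template. The record layouts, user IDs, resource names and the five-day grace period are all assumptions.

```python
from datetime import date

# Constructed sample data (not from any real system). A real review would
# extract these from Human Resources and from the security system's user
# listing; layouts vary by product, so the dict shapes here are assumptions.
HR_RECORDS = {
    # userid: (job function, termination date or None if still employed)
    "JSMITH": ("APPL_PROG", None),
    "MJONES": ("OPERATOR", date(2000, 3, 1)),
    "KLEE": ("DBA", date(2000, 3, 20)),
    "RPATEL": ("APPL_PROG", None),
}
USER_LISTING = {
    # userid: (ID revoked?, revoke date, entitlements currently granted)
    "JSMITH": (False, None, {"DEV.PGMS.UPDATE", "PROD.DATA.READ"}),
    "MJONES": (False, None, {"OPER.CMDS"}),
    "KLEE": (True, date(2000, 4, 15), {"PROD.DATA.UPDATE"}),
    "RPATEL": (False, None, {"DEV.PGMS.UPDATE", "PROD.DATA.UPDATE"}),
    "TEMP01": (False, None, {"PROD.DATA.READ"}),
}
# Template of typical access requirements by job function (assumed names).
JOB_TEMPLATES = {
    "APPL_PROG": {"DEV.PGMS.UPDATE", "PROD.DATA.READ"},
    "OPERATOR": {"OPER.CMDS"},
    "DBA": {"PROD.DATA.UPDATE"},
}


def review_access(hr, listing, templates, grace_days=5):
    """Return (userid, finding) pairs; grace_days is the assumed acceptable delay."""
    findings = []
    for userid, (revoked, revoke_date, entitlements) in sorted(listing.items()):
        if userid not in hr:
            findings.append((userid, "no HR record for this ID"))
            continue
        job, term_date = hr[userid]
        if term_date is not None:
            if not revoked:
                findings.append((userid, "terminated but ID still active"))
            elif revoke_date is None:
                findings.append((userid, "revoked, but suspension date not recorded"))
            elif (revoke_date - term_date).days > grace_days:
                delay = (revoke_date - term_date).days
                findings.append((userid, f"revoked {delay} days after termination"))
            continue
        # Still employed: compare granted entitlements with the job template.
        extra = entitlements - templates.get(job, set())
        if extra:
            findings.append((userid, f"beyond {job} template: {sorted(extra)}"))
    return findings
```

Each finding maps back to an audit step: active or late-suspended terminated IDs to step 1.2, IDs with no HR record and over-entitled users to step 2.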
Audit Step Info
---------------
Unless an employee was recently terminated or changed job functions, it would be difficult to systematically identify whether their access was terminated in a timely manner. The overall exposure from a terminated employee whose ID was not suspended in a timely manner depends on their ability to physically access the center where terminals are located or on the availability of dial-up access.

Control Point Ref #: priveaaf
-------------
Management performs an annual evaluation of access assignments to ensure they are still appropriate

Audit Steps
-----------
Ensure that management performs an evaluation of the following assignments to ensure that they are still appropriate:
   o owners of resources
   o resources that they have access to (e.g., datasets, volumes, CICS transactions, and programs)
   o sensitive privileges

F1 - Info Screen Ref #: priveaaf

Background
----------
Although a user's access to specific resources goes through an approval process when it is initially established, changes within the environment might require changes in the user's access levels. Therefore, a periodic evaluation of the overall access assignments must be performed to ensure that they are still applicable. It is important to understand that the security administrators are not the ones who authenticate the legitimacy of a user's access. A process may be in place for the security administrator to match the individual's job function to a matrix of the typical access requirements that the job function requires. However, if the individual's job function changes and the security administrator is not made aware of this, their ability to detect inappropriate assignment of entitlements would be circumvented.

Audit Step Info
---------------
The frequency of the management review is recommended as an annual process but is clearly a decision that should be made within each company.
The decision should be made based on the following factors:
   o number of users
   o frequency of turnover
   o frequency of changes in job functions
   o number of products (system software & application software) that are implemented over a given period of time
   o risk of the system

Control Point Ref #: priveaag
-------------
An owner is assigned for all resource types to ensure that all actions that occur to a resource are reviewed by the appropriate person

Audit Steps
-----------
1) Ensure that a list is in place which identifies the owners of the following types of resources:
   o Development programs
   o Production programs
   o Production data sets
   o System datasets
   o CICS transactions for each application
2) Determine if the owners that have been assigned should be the ones responsible for the resource.

F1 - Info Screen Ref #: priveaag

Background
----------
Resources that are controlled by the security system are utilized by various departments within your installation. These departments have primary responsibility for the integrity of these resources; therefore they should be the ones to identify the individuals that should have access to them, and the ones notified in the event that access is granted to individuals that normally are not allowed access to the resource. It is important to ensure that the owner of the resource is the proper owner. For example, application programmers should not be the owner of production data sets.

************************************************************************
Copyright 1991 - 2000, Audit Serve, Inc. All rights reserved. All Audit Programs are copyrighted and may not be posted electronically or redistributed unless written permission is granted by Audit Serve, Inc. The Audit Programs may be used for internal use within organizations. Audit Programs may not be resold.
************************************************************************