Identity Management Audit/Assurance Program


© 2013 ISACA. All rights reserved. Page 2


About ISACA

With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates and expands the practical guidance and product family based on the COBIT® framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer

ISACA has designed and created this Identity Management Audit/Assurance Program (the “Work”) primarily as an educational resource for governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, governance and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2013 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org

Provide feedback: www.isaca.org/IdentityManagement-AP
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-298-4


ISACA wishes to recognize:

Authors
Norm Kelson, CISA, CGEIT, CPA; CPE Interactive, Inc., USA
Jeff Kalwerisky, CISA, HISP, CA (SA); CPE Interactive, Inc., USA

Expert Reviewers
Diane D. Bili, Canada
Francis Kaitano, CISA, CISM, CISSP, MCSD, Contact Energy, New Zealand
Kamal Khan, CISA, CISSP, MBCS, CITP, Saudi Aramco, Saudi Arabia
Ability Takuva, CISA, Ernst & Young LLP, USA

ISACA Board of Directors
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International President
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Salomon Rico, CISA, CISM, CGEIT, Deloitte LLP, Mexico

Guidance and Practices Committee
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
Dan Haley, CISA, CGEIT, CRISC, MCP, Johnson & Johnson, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Vista Point, Brazil
Jotham Nyamari, CISA, Deloitte, USA
Connie Lynn Spinelli, CISA, CRISC, CFE, CGMA, CIA, CISSP, CMA, CPA, BKD LLP, USA
Siang Jun Julia Yeo, CISA, CPA (Australia), Visa Worldwide Pte. Limited, Singapore
Nikolaos Zacharopoulos, CISA, DeutschePost–DHL, Germany

ISACA and IT Governance Institute® (ITGI®) Affiliates and Sponsors
Information Security Forum
Institute of Management Accountants Inc.
ISACA chapters
ITGI France
ITGI Japan
Norwich University
Socitum Performance Management Group
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASIS International
Hewlett-Packard
IBM
Symantec Corp.


Table of Contents

I. Introduction ............ 5
II. Using This Document ............ 6
III. Controls Maturity Analysis ............ 9
IV. Assurance and Control Framework ............ 10
V. Executive Summary of Audit/Assurance Focus ............ 11
VI. Audit/Assurance Program ............ 15
    1. Planning and Scoping the Audit ............ 15
    2. Risk Management ............ 18
    3. Policies ............ 19
    4. Technical Standards ............ 21
    5. Identity Management ............ 22
    6. Single Sign-on (SSO) and Federated Identity Management (FIdM) ............ 34
VII. Maturity Assessment ............ 38
VIII. Maturity Assessment vs. Target Assessment ............ 41

I. Introduction

Overview

ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose

The audit/assurance program is a tool and template to be used as a roadmap for the completion of a specific assurance process. The ISACA Assurance Committee has commissioned audit/assurance programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200—General Standards. The audit/assurance programs are part of ITAF, section 4000—IT Assurance Tools and Techniques.

Control Framework

The audit/assurance programs have been developed in alignment with COBIT®—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF, sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management.

Many enterprises have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. These enterprises seek to integrate the control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise’s control framework.

IT Governance, Risk and Control

IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps

The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. The physical document was designed in Microsoft® Word. The IT audit and assurance professional is encouraged to make modifications to this document to reflect the specific environment under review.

Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g., 1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the subsidiary steps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the program, the audit/assurance program describes the audit/assurance objective—the reason for performing the steps in the topic area. Each review step is listed below the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing and report clearing—has been excluded from this document, since it is standard for the audit/assurance function and should be identified elsewhere in the enterprise’s standards.

COBIT 4.1 Cross-reference

The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components

As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise’s control framework. While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO issued an Enterprise Risk Management (ERM) Integrated Framework, which includes eight components. The ERM framework has a business decision focus when compared to the 2004 Internal Control—Integrated Framework. Large enterprises are in the process of adopting ERM. The two frameworks are compared in Figure 1.

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks
(Left column: Internal Control Integrated Framework; right column: ERM Integrated Framework. Each component is labelled with the framework it belongs to.)

Control Environment (Internal Control Integrated Framework): The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Internal Environment (ERM Integrated Framework): The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting (ERM Integrated Framework): Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Event Identification (ERM Integrated Framework): Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Risk Assessment (Internal Control Integrated Framework): Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Risk Assessment (ERM Integrated Framework): Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response (ERM Integrated Framework): Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control Activities (Internal Control Integrated Framework): Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control Activities (ERM Integrated Framework): Policies and procedures are established and implemented to help ensure the risk responses are carried out in an effective manner.

Information and Communication (Internal Control Integrated Framework): Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Information and Communication (ERM Integrated Framework): Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Monitoring (Internal Control Integrated Framework): Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

Monitoring (ERM Integrated Framework): The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

Information for Figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The 1992 Internal Control—Integrated Framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. When completing the COSO component columns, consider the definitions of the components as described in Figure 1.

Reference/Hyperlink

Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified, and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference

This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).


Comments

The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of non-existent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.

The IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control, in Figure 2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2—Maturity Model for Internal Control
(Columns: Maturity Level; Status of the Internal Control Environment; Establishment of Internal Controls.)

Maturity Level: 0 Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organisation’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level: 1 Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganised, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level: 2 Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritised or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level: 3 Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level: 4 Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organised occasionally.

Maturity Level: 5 Optimised
Status of the Internal Control Environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organisation benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity level of the control practices. The maturity assessment can be a part of the audit/assurance report and can be used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder’s concurrence before submitting the final report to the management.

At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement of, or gaps between, the actual and target maturity goals. A graphic is provided as the last page of the document (section VIII), based on sample assessments.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards

The following sections in ITAF are relevant to Identity Management:
• 3427—IT Information Management
• 3450—IT Processes
• 3490—IT Support of Regulatory Compliance
• 3630.4—Information Systems Operations
• 3630.7—Information Security Management
• 3630.11—Network Management and Controls
• 3630.17—Identification and Authentication

ISACA Control Framework

COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risk. COBIT enables clear policy development and good practice for IT control throughout enterprises.


Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.

The COBIT 4.1 Plan and Organize (PO) and Deliver and Support (DS) domains apply to this evaluation and include:

PO6.3 IT Policies Management—Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly.

PO6.4 Policy, Standard and Procedures Rollout—Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.

PO9.4 Risk Assessment—Assess on a recurrent basis the likelihood and impact of all identified risk, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.

DS5.3 Identity Management—Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures and keep them current to establish user identification, implement authentication and enforce access rights.

DS5.4 User Account Management—Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.

Refer to the IT Governance Institute’s COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

Identity Management

Identity Management (IdM)1—also known as Identity and Access Management (IAM)—is the set of procedures to issue and manage digital identities (identifiers) of people and systems so that they can be uniquely identified and authenticated to IT systems before being granted online access to sensitive IT assets. Such assets include computer systems, digital information in structured or unstructured formats, databases, web and database servers, email and video systems, report generation capabilities, etc.

IdM processes involve the establishment (provisioning) and maintenance of user identities (IDs), associated authentication and monitoring processes, and user permissions, so as to provide assurance that only authorized users have access to sensitive business applications, information and operating environments. Unique user identity also supports nonrepudiation of past transactions: the individual assigned to a particular user ID can be held accountable for the activity performed with that ID.

1 Because access control is not a focus of this audit/assurance review, “IdM” is the preferred acronym in this document.

A closely associated process, known as access control, ensures that properly authenticated users may conduct only previously authorized transactions. This ensures the confidentiality of sensitive information by allowing only users with a genuine “need to know” to view or change such information. This is also critical for maintaining the privacy of sensitive personal information, e.g., an individual’s financial records, medical history, or other nonpublic information that could be used to commit crimes, including blackmail, industrial espionage and identity fraud.

A key issue in the IdM process is the alignment of the IdM strategy with the organization’s identity policy and IT architecture. If there is misalignment, the organization is at risk of ineffective security over user access and of having to operate expensive alternative control procedures to compensate.

A central authentication system, often referred to as a single sign-on (SSO) system, removes the responsibility for authentication from the individual applications and replaces it with a single organizationwide IdM solution. Under this approach, all user authentication and identity maintenance processes are directed to one automated system, which frees users from having to remember multiple user ID and password combinations and eliminates identity maintenance in individual applications. SSO solutions may not integrate with legacy applications and systems, which either limits their usefulness or requires interim application-specific authentication and access control solutions until an interface is available or the legacy solution is replaced. The SSO capability can be extended across organizational boundaries to third-party IdM systems (e.g., other web sites), so that an identity authenticated by one party is trusted by another; this capability is known as federated identity management (FIdM).

The scope of the IdM function includes the following issues:
• The authentication process should include a risk assessment of the sensitivity of the information available to users, the locations from which the users may request access (i.e., secure internal network or nonsecure public network) and the selection of an authentication process commensurate with the risk. The solutions may include a traditional user ID and password combination; a physical token with a one-time password (such as an RSA SecurID® token or a smart card with an embedded chip); or a biometric mechanism, which ties the user to a physical attribute (such as a fingerprint, hand geometry, retina, facial geometry or voiceprint scan).
• Unique identity is necessary to track the initiator of every transaction and provide the basis for forensic capabilities if it becomes necessary to investigate an initiator for legal or operational reasons. It is important that the identity be unambiguous to satisfy the requirements of both human resources (HR) termination and potential litigation. A new user can be either a casual Internet user or a potential business partner. The challenge lies in distinguishing between the two and initiating the appropriate action; the risk assessment exercise should bear this in mind.
• IdM also encompasses access by nonhuman entities, such as a computer server that communicates electronically with another server that hosts sensitive information. The originating server should uniquely authenticate itself to the destination server, typically by presenting a digital certificate and proving possession of the corresponding private key; the certificate binds the server’s identity to that key under the signature of a trusted certification authority.2
• The organization’s access control policy establishes how often passwords must be changed; the complexity and history requirements for passwords that reduce the risk of a successful password-guessing or cracking attack; and limitations on, or logging of, the activities of administrators with so-called superuser privileges (e.g., system and database administrators) who may be able to bypass traditional controls.
• User provisioning includes the approvals necessary to create new users; to ensure that when users’ job functions change, their corresponding access privileges are changed in alignment with their new job functions; and to ensure that terminated users’ access privileges are removed immediately on termination.
• Appropriate monitoring is essential to ensure that access violations are identified, evaluated for risk, and escalated to the appropriate information security professional for investigation or addressed to prevent recurrence. The latter may include retraining or disciplinary processes.
• Accounts are linked to unique user IDs, which gives the organization the ability to detect and act on orphan accounts (accounts without an owner).
• Roles are linked to accounts with unique user IDs. Role management exists, specifying roles from initiation to revocation as user IDs are managed.
• A recent new twist in IdM is the impact of mobility, i.e., the fact that users can connect to sensitive systems from mobile devices like smartphones and tablet computers.

2 For more on digital certificates, see ISACA’s Ecommerce and PKI Audit/Assurance Program, 2012.

Business Impact and Risk

The impact on the business and the accompanying risk is significant. IdM and its processes are the keys to the organization’s information doors. Unauthorized access can result in loss of assets or intellectual property, distribution of sensitive data and information, loss of data integrity, or business disruption. As a result, the organization might be exposed to reputational risk (public relations issues with customers or the public at large), regulatory risk (inability to comply with regulatory requirements, due to an outage or violation of a regulation), operational risk (inability to process critical business functions), internal human relations issues (relating to payroll and employee privacy) and financial risk (either loss of physical assets or the costs to remediate the other risk identified). IdM seeks to minimize the risk by identifying each user uniquely and establishing uniform access controls, managed centrally, with appropriate reporting and actions to remediate unauthorized access. In the absence of a centrally administered system, IdM seeks to establish standard access and identity methods that are used by application systems to achieve the identity policies.

Objective and Scope

Objective—The primary objective of the audit/assurance review is to provide management with an independent assessment relating to the effectiveness of identity management and its policies, procedures and governance activities.

Scope—The review will focus on IdM standards, guidelines and procedures as well as on the implementation and governance of these activities. Application-specific user access management—typically the task of the respective application and not that of the IdM system—is outside the scope of this review.3

Minimum Audit Skills

The IT audit and assurance professional must have an understanding of good-practice information security processes, IdM practices, and user authentication processes and techniques. Professionals who have achieved CISA certification should have these skills. Technical skills necessary to perform some audit steps may require specific understanding of information security, network analysis, operating systems and database tools. However, given the size and operational complexity of typical organizationwide IdM systems, the audit and assurance professional should seek additional training or assistance from competent technical subject matter experts as appropriate.

3 The line of demarcation between the two tends to get blurred in a complex enterprise IT infrastructure environment. It would be prudent to include a disclaimer in the audit report, as appropriate, to indicate that the engagement scope does not include review of user access management of individual applications.

Feedback

Visit www.isaca.org/IdentityManagement-AP and use the feedback function to provide your comments and suggestions on this document. Your feedback is a very important element in the development of ISACA guidance for its constituents and is greatly appreciated.


VI. Audit/Assurance Program

Table columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO Reference (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Hyper-link | Issue Cross-reference | Comments. In the rows that follow, the COBIT reference (e.g., PO9.4) and an X marking the applicable COSO component appear after each control statement.

1. PLANNING AND SCOPING THE AUDIT

1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.

1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.

1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.

1.2 Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating environment and prepare a proposed scope, subject to a later risk assessment.

1.2.1 Perform a high-level walk-through of the identity management (IdM) initiative, its goals, strategy, policy and processes.

1.2.2 Determine the applications and operating environments affected by the IdM initiative.

1.2.2.1 Obtain and review the organization’s network diagram(s) to gain an overall understanding of the network components likely to impact/support of the IdM system.

1.2.3 Establish initial boundaries of the audit/assurance review.

1.2.3.1 Identify any limitations and/or constraints affecting the audit of specific systems and subsystems.


1.3 Define assurance.
The review requires two sources of standards. The corporate standards defined in policy and procedure documentation establish the corporate expectations. At minimum, corporate standards should be implemented. The second source, a good-practice reference, establishes prevailing industry standards. Enhancements should be proposed to address gaps between the two.

1.3.1 Obtain the organization’s IdM policy and standards documentation.

1.3.2 Determine whether an appropriate security management framework, such as ISO/IEC 27002 or the NIST 800 series, will be used as a good-practice reference.

1.3.3 Determine whether COBIT or an appropriate IdM framework, such as NIST 800-63, will be used as a good-practice reference.

1.3.4 If the organization requires federated identity management (FIdM) capabilities, determine whether an FIdM standard, such as Security Assertion Markup Language (SAML 2.0) or OpenID, will be used as a good-practice reference.

1.4 Identify and document risk.
The risk assessment is necessary to evaluate where audit resources should be focused. The risk-based approach assures utilization of audit resources in the most effective manner.

1.4.1 Identify and document the relevant business risk associated with the use of an IdM system.

1.4.2 Identify the technology risk associated with the IdM threats.

1.4.3 Discuss the risk with management of IT, business and operational audit, and adjust the risk assessment as appropriate.

1.4.4 Based on the risk assessment, revise the scope.


1.5 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating environment and associated risk. As further research and analysis are performed, changes to the scope and approach will result.

1.5.1 Identify the senior IT audit/assurance resource responsible for the review.

1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program, and list the authorizations required.

1.6 Define assignment success.
Identify the relevant success factors and communicate to the organization, the IT audit/assurance team and other assurance teams.

1.6.1 Identify the drivers for a successful review (this should exist in the audit/assurance function’s standards and procedures).

1.6.2 Communicate success attributes to the process owner(s) or stakeholder(s), and obtain agreement.

1.7 Define audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.

1.7.1 Determine the audit/assurance skills necessary for the review.

1.7.2 Estimate the total resources (hours), time frame (start and end dates), and milestones (e.g., interim and draft reports) required for the review.

1.8 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.

1.8.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses and the final report.

1.9 Communications
The audit/assurance process is clearly communicated to the customer/client.


1.9.1 Conduct an opening conference to discuss the review’s objectives with the executive responsible for the IdM function and its supporting infrastructure.

2. RISK MANAGEMENT

2.1 Risk Assessment
Audit/Assurance Objective: IdM is subject to routine risk assessment processes.

2.1.1 IdM Initial Risk Assessment
Control: Management performed a risk assessment prior to implementing the IdM program.

PO9.4 X

2.1.1.1 Determine whether a risk assessment of IdM was performed before acceptance of the program.

2.1.1.2 Obtain and review risk assessment documentation, if available, to determine whether the control level is adequate to support the IdM program.

2.1.1.3 Obtain board minutes or other documentation to support the approval of the risk assessment.

2.1.2 IdM Ongoing Risk Assessment
Control: A risk assessment is performed and approved by management to initiate major changes to the IdM program or to reaffirm the previous risk assessment.

PO9.4 X

2.1.2.1 Determine whether subsequent risk assessments have been performed on the planned cycle (e.g., annually or biannually).

2.1.2.2 Obtain and review the relevant risk assessment documentation to determine whether the risk assessment scope is (a) adequate to support the changes in the IdM program and (b) sufficient to protect the organization appropriately.


3. POLICIES

3.1 IdM Policies
Audit/Assurance Objective: The organization has defined, disseminated and deployed management policies supporting the IdM initiative.

3.1.1 Formal IdM Policy
Control: The IdM policies have been defined by management, documented, approved at an appropriate senior level, disseminated to all relevant employees and third parties, and deployed across the organization.

PO6.3 X

3.1.1.1 Verify that an appropriate IdM policy was drafted and deployed before the IdM initiative was deployed into production.

3.1.1.2 Verify that senior business management formally approved the IdM policy.

3.1.1.3 Verify that all employees are appropriately informed of the IdM policy, e.g., during initial orientation and in information security training.

3.1.2 Human Resources (HR) Support for IdM
Control: IdM processes are integrated into HR services, policies and compliance.

PO6.4 X

3.1.2.1 Obtain a copy of the organization’s Code of Conduct and determine whether it specifically states that a violation of the IdM policy is considered a violation of the Code of Conduct with applicable sanctions.

3.1.2.2 Determine whether disciplinary policies and supporting processes are in effect for violations of IdM policy. These should include:
• Established penalties for infringements
• Uniform application of the penalty policy
Establish whether awareness campaigns are conducted periodically.

3.1.3 Third Parties
Control: Third parties, such as contractors, are contractually required to comply with the organization’s IdM and access control policies.

DS2.2 X

3.1.3.1 Determine the policies in effect to permit third parties to use the organization’s IT resources, and to protect the organization’s assets and intellectual property from unauthorized access.

3.1.3.2 Evaluate the effectiveness of IdM controls upon third parties and determine whether additional controls, policies or procedures are required to protect the organization’s assets.

3.1.4 Communication Among Computer Servers
Control: The organization’s IT architecture framework requires that every server be authenticated before connecting to another server that contains or processes sensitive information.

PO2.1, PO6.3, DS5.3 X

3.1.4.1 Review the IT architecture framework document to verify that, before making a connection to a remote server that stores or processes sensitive information, an originating server must authenticate itself with a currently valid X.509 digital certificate.4

The destination server must reject the connection if the certificate fails any of the predefined criteria, i.e., it must have been issued by the expected certification authority, name the originating server, and be neither expired, suspended nor revoked. The originating server must also prove possession of the certificate’s private key, since the certificate itself is public and presenting it alone proves nothing.
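The acceptance decision described in 3.1.4.1, worked as an added example (this is not code from the ISACA program or from any product it names): the destination server takes the presented X.509 certificate and accepts it only if it chains to the organization’s certification authority, is inside its validity window, names the expected peer, and is absent from a current CA-signed certificate revocation list. The CA, the certificates, the CRL, the serial numbers and the peer name finance-db.example.internal are all generated or assumed inside the example; a deployment would use the organization’s PKI and its CRL or OCSP feed. Written in Go with the standard library only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed peer name for the example (not from the original document).
const expectedPeer = "finance-db.example.internal"

// must aborts the example on PKI setup errors so the checks below stay readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA creates a self-signed CA entitled to sign certificates and CRLs.
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue signs a certificate naming dnsName under ca for the given validity window.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, dnsName string, from, until time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: from, NotAfter: until,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
}

// revoke publishes a CA-signed CRL listing the given serial numbers.
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, serials ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// acceptPeer is the destination server's decision on a presented certificate:
// it must chain to the trusted CA, be inside its validity window, name the
// expected peer and be absent from a current CA-signed CRL. Any failure rejects.
func acceptPeer(cert, trusted *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { // wrong CA, expired or not yet valid
		return fmt.Errorf("chain or validity check failed: %w", err)
	}
	if err := cert.VerifyHostname(expectedPeer); err != nil { // right CA, wrong server
		return fmt.Errorf("certificate does not name the expected peer: %w", err)
	}
	if err := crl.CheckSignatureFrom(trusted); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if now.After(crl.NextUpdate) { // unknown revocation status: fail closed
		return errors.New("CRL is stale; revocation status unknown")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

// scenarios runs acceptPeer against one acceptable certificate and four that
// each fail exactly one criterion, returning the outcome per scenario name.
func scenarios() map[string]error {
	now := time.Now()
	ca, caKey := newCA("Corp Internal CA", now)
	rogue, rogueKey := newCA("Rogue CA", now)
	current := func(c *x509.Certificate, k *ecdsa.PrivateKey, serial int64, name string) *x509.Certificate {
		return issue(c, k, serial, name, now.Add(-time.Minute), now.Add(time.Hour))
	}
	crl := revoke(ca, caKey, now, 104) // serial 104 has been revoked
	return map[string]error{
		"good":       acceptPeer(current(ca, caKey, 100, expectedPeer), ca, crl, now),
		"expired":    acceptPeer(issue(ca, caKey, 101, expectedPeer, now.Add(-2*time.Hour), now.Add(-time.Hour)), ca, crl, now),
		"wrong-name": acceptPeer(current(ca, caKey, 102, "other.example.internal"), ca, crl, now),
		"rogue-ca":   acceptPeer(current(rogue, rogueKey, 103, expectedPeer), ca, crl, now),
		"revoked":    acceptPeer(current(ca, caKey, 104, expectedPeer), ca, crl, now),
	}
}

func main() {
	for name, err := range scenarios() {
		fmt.Printf("%-10s -> %v\n", name, err)
	}
}
```

Two points the audit step does not spell out but a reviewer should look for in the framework document: a stale CRL (or an unreachable OCSP responder) is treated as a rejection, because accepting a connection when revocation status cannot be determined silently defeats the control; and chain validation alone is not enough, since the wrong-name case is a certificate validly issued by the right CA to a different server, which must still be refused. The private-key proof of possession is performed by the TLS handshake itself and is therefore not repeated here.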

3.2 Exemptions From IdM Policies
Audit/Assurance Objective: Exemptions from IdM policy are appropriately controlled in conformance with the organization’s Exemptions to Policy procedures.

3.2.1 Exemptions to Policies
Control: Exemptions from IdM policy are applied for, reviewed and authorized in conformance with the organization’s Exceptions to Policy procedures.

PO6.3 X

3.2.1.1 If the organization grants exemptions from IdM policy, obtain a copy of the list of currently authorized exemptions and a copy of the procedure for Exemptions to Policy.

3.2.1.2 Determine that exemptions are granted only for a limited time period, maximum one year.

4 Sensitive information includes personally identifiable information (PII); see ISACA’s Personally Identifiable Information (PII) Audit/Assurance Program, 2012


3.2.1.3 Determine that each IdM exemption is regularly reviewed for continuing applicability.

3.2.1.4 Determine that a new application for exemption was submitted and approved in each case where the applying party needed a time extension for the exemption.

3.2.1.5 Determine whether a risk assessment was performed before each exemption was granted and that compensating controls are in place where the assessment calls for them.

4. TECHNICAL STANDARDS

4.1 The Organization’s Technical Standards Apply to IdM
Audit/Assurance Objective: IdM is supported by the organization’s technical standards, processes and procedures.

4.1.1 Technical Standards
Control: IdM technical standards are aligned with the organization’s standards.

PO6.3 X

4.1.1.1 Obtain and review the current organizational chart for the IT department and the relevant business units.

4.1.1.2 Interview the senior security officer, legal officer, data privacy officer and IT security administrator.

4.1.1.3 Identify who has responsibility for IdM.

4.1.1.4 Obtain a copy of each of the following:
• Policies and procedures relating to IdM, access control and authentication
• IdM systems specifications (if applicable)
• User provisioning procedures
• User transfer and termination procedures (from IdM and HR departments)
• User revalidation procedures (department managers’ routine regular review of subordinates’ access privileges)
• Data owner revalidation procedures (data owners’ routine regular review of user access privileges to owned data)
• IT information security strategy and architecture documentation
• Segregation of duties (SoD) tables by application
• Access and authorization violation reports and management review procedures
• List of external entities, such as contractors, vendors, partners and customers, that have current user IDs for access to the organization’s networks and applications
• Role owners
• Role procedures
• Role policies

5. IDENTITY MANAGEMENT

5.1 IdM Strategy
Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access permissions.
Audit/assurance objective: The deployed IdM system aligns with the organization‘s IT architecture.

5.1.1 IdM Systems
Control: The IdM system selection process took the following into consideration:
• The organization’s IT strategy and infrastructure
• Interim procedures for identity in legacy applications
• IT skills, experience, and training needed to deploy and maintain the system

PO2.1, PO3.2, PO3.4, DS5.3 X

5.1.1.1 Verify that the selected IdM systems support the organization’s IT operating platforms and applications in use or planned in the IT strategy.

5.1.1.2 Verify that the selection process considered growth and scalability of the solution to meet anticipated future business needs.

5.1.1.3 Verify that the IdM system is subject to the organization’s policies and procedures for change control and backup and recovery.

5.1.1.4 Obtain the IdM system’s functionality specifications.


5.1.1.5 Determine whether there are interfaces to the authentication system and, if so, obtain and review the relevant specifications.

5.1.1.6 Determine whether the IdM systems comply with the overall IT architecture and strategy.

5.1.1.7 Determine whether there is an alternative strategy for legacy applications that are not (or cannot be) in compliance.

5.1.1.8 Determine that the organization has an adequate number of IdM specialists with the requisite skills, experience and training to deploy and maintain the selected IdM system(s).

5.2 Central Authentication System
Audit/assurance objective: All applications within the review’s scope have their authentication function validated through the IdM system.

5.2.1 Primary Authentication
Control: The IdM system is the primary authentication controller for operating systems and applications.

DS5.3, DS5.4 X

5.2.1.1 Determine, from the IdM policy, that all operating systems and business applications are required to use the IdM system for authentication and access control.

5.2.1.2 Identify applications within the scope and their levels of business risk and operating platforms that support these applications.

5.2.1.3 Determine whether each platform conforms to IdM policy.

5.2.1.4 For each in-scope application, verify that its IdM is managed by the IdM system.

5.2.1.5 Verify that, prior to acquiring any new application that will not use the IdM system, approval for such exceptions is obtained in compliance with the organization’s Exemptions to Policy procedures.

5.2.1.6 Prior to acquisition and implementation, verify that there is a review and test process for the integration of new applications and operating systems into the IdM system.

5.2.2 Source of Identity. Control: The organization has defined a trusted source for all identity verification, usually HR and the HR employee database. [COBIT cross-reference: DS5.3; COSO: X]

5.2.2.1 Determine that the organization has defined a trusted identity source, such as the HR database.

5.2.2.2 Determine that the IdM system verifies every request for a new or changed identity against the trusted source.

5.2.3 Nonstandard Authentication. Control: Applications that cannot be managed by the IdM system either have authentication controls similar to the functionality within the IdM system, or the organization has plans to upgrade or replace the application systems to achieve compliance with the IdM policy. [COBIT cross-reference: DS5.3, DS5.4; COSO: X]

5.2.3.1 For each application without platform-based IdM, determine whether the application’s IdM conforms to the IdM policy.

5.2.3.2 Verify that legacy applications not adhering to the IdM policy have been formally approved by an IT executive at an appropriately senior level.

5.2.3.3 For noncomplying applications, verify that there is either (a) an action plan for future compliance, or (b) a planned conversion to a fully compliant application.

5.2.3.4 Determine the procedures for bypassing authentication systems. If bypass is permitted, determine the approval and monitoring process.


5.3 Authentication. Audit/assurance objective: User authentication methods are based on assessed risk. Multi-factor authentication is required to access sensitive or personally identifiable information (PII). If feasible, single sign-on (SSO) technology is deployed to limit the number of user IDs and passwords that users must remember. If SSO is not feasible, compensating controls equivalent to SSO functionality are in place.

5.3.1 Risk Assessment. Control: Risk assessment is conducted to determine whether single-factor or multifactor authentication is required. [COBIT cross-reference: PO9.4, DS5.3; COSO: X X]

5.3.1.1 Verify (a) that a risk assessment has been performed to determine the authentication mechanism to be employed (simple user ID and password, or user ID and password with either a physical token or biometric verification) for each class of user, and (b) the risk assessment defines the users and profiles within each class.

5.3.1.1.1 Select a sample of in-scope applications and operating systems.

5.3.1.1.2 For each selected item, obtain the risk assessment used to determine authentication requirements.

5.3.1.1.3 Select users from the various risk classes.

5.3.1.1.4 Verify that the appropriate authentication has been determined and deployed based on risk and the related policy.

5.4 Identity Repository. Audit/assurance objective: Details of user IDs and the related access privileges are maintained in a secure central repository.

5.4.1 IdM Databases. Control: Identity databases are secure to prevent unauthorized access or modification. [COBIT cross-reference: DS5.3; COSO: X]

5.4.1.1 Verify that the directory services databases are behind a firewall and the demilitarized zone (DMZ).


5.4.1.2 Review access permissions to the databases and database utilities to verify that only authorized administrators have access to these sensitive resources.

5.4.1.3 Verify that appropriate software tools are deployed to review access permissions and that access permissions are evaluated regularly.

5.5 Unique Identity. Audit/assurance objective: All users (internal, external and temporary) and their activity on IT systems (business applications, IT environments, system operations, development and maintenance) are uniquely identifiable.

5.5.1 Unique User IDs. Control: Unique user IDs are assigned, the naming convention does not identify the user’s name or any private information about the user, and shared user IDs are prohibited. [COBIT cross-reference: DS5.3; COSO: X]

5.5.1.1 Verify that only unique identifiers are assigned and that a user ID does not also include any sensitive personal identifiers, e.g., employee, social or medical identifiers.

5.5.1.2 Determine whether any user IDs (administrator, application, system or user) are shared. If shared, determine how the users concerned can be identified and held accountable for the activities performed with a shared ID.

5.5.1.3 Determine whether shared user IDs are justified and approved.

5.5.1.4 Determine whether users with multiple IDs are monitored regularly.

5.5.1.4.1 Obtain reports associated with multiple ID usage.

5.5.1.4.2 Review reports for evidence of IT management review of ID usage.

5.5.1.4.3 Determine whether the review process adequately identifies and monitors multiple user ID activity.


5.5.2 Superuser IDs. Control: System and database administrators are assigned unique superuser IDs for systems maintenance, and standard user IDs for their routine general activities. [COBIT cross-reference: DS5.3; COSO: X]

5.5.2.1 Determine whether all superusers have been assigned unique IDs to be used for systems maintenance and separate general user IDs for their non-system administration routine job functions.

5.5.2.1.1 Select a sample of user IDs assigned to superusers (systems and database administrators).

5.5.2.1.2 Determine whether superuser IDs are being used for general purposes where superuser access is not required.

5.6 Access Policy. Audit/assurance objective: An access control policy has been established and enforced.

5.6.1 User ID Policy. Control: “Strong” passwords are enforced and passwords are required to be changed routinely. [COBIT cross-reference: DS5.3, DS5.4; COSO: X]

5.6.1.1 Determine that IdM software and operating systems enforce rules for “strong” passwords, i.e., minimum length of eight characters, combination of upper and lower case, numeric, and special characters, etc.

5.6.1.2 Determine whether the access policy requires user IDs to be disabled after a preestablished number of failed logon attempts (good practices recommend the failed logon attempts be set at three).

5.6.1.3 Verify whether the user ID lockout policy is being enforced.

5.6.1.3.1 Generate a report describing default user lockout settings.

5.6.1.3.2 Generate a report describing users not in compliance with default lockout settings. Obtain explanations.

5.6.1.4 Determine whether user sessions are automatically disconnected or locked after a predefined idle period (depending on data sensitivity, good-practice maximum idle time is between five and 30 minutes).

5.6.1.4.1 Generate a report describing default idle lockout settings.

5.6.1.4.2 Generate a report identifying users not in compliance with idle lockout settings. Obtain explanations.

5.6.1.5 Determine whether passwords and user IDs can be the same or if the password can contain the user ID.

5.6.1.6 Determine whether users are prohibited from being logged in on multiple computers simultaneously. For users who require this feature, determine whether their usage is monitored.

5.6.1.6.1 Generate a report describing users who may operate multiple concurrent terminal sessions.

5.6.1.6.2 Determine whether appropriate management approval to permit this practice is documented and revalidated at least annually.

5.6.1.7 Determine whether users must change their passwords after a defined number of days depending on their duties and the sensitivity of information accessible to them (good practices: seven days for highly sensitive information and superusers, 45 to 60 days for general users).

5.6.1.7.1 Obtain the policy for the required intervals between password changes.

5.6.1.7.2 Determine whether each interval is tied to the sensitivity of information for that user or class of users.

5.6.1.7.3 Generate a report by class of user, and identify users not in compliance with the policy, i.e., users who have not changed their passwords within the required time. Obtain explanations.

5.6.1.8 Determine whether password reuse is restricted (good practice: a password may not be reused for ten generations).

5.6.1.8.1 Generate a report identifying users who are not required to limit password reuse, or for whom the number of generations is fewer than the policy requires.

5.6.1.9 Determine whether the password reset policy requires the user to provide previously documented challenge and response questions that only a valid user would know.

5.6.1.10 Determine whether users must immediately reset the temporary password on initial login.

5.6.1.11 Determine whether a random temporary password is provided to the user when a suspended user ID is reset. If not, determine how users are prevented from accessing user IDs with pending password resets.

5.6.1.12 Verify that the challenge and response questions do not include prohibited PII, such as social identity or credit card numbers.
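The exception reports that steps 5.6.1.3.2, 5.6.1.4.2, 5.6.1.7.3 and 5.6.1.8.1 ask for, written out as an added example that is not part of the ISACA program: a per-class policy table built from the good-practice values the steps quote, and a checker run over a constructed account export. The export field names, the review date and the per-class thresholds are assumptions.

```python
from datetime import date

# Policy thresholds per user class, taken from the good-practice values the
# steps quote: lockout after three failures (5.6.1.2), idle lock within
# 5-30 minutes (5.6.1.4), password age 7 days for superusers and 45-60 days
# for general users (5.6.1.7), no reuse for ten generations (5.6.1.8).
# The split into "superuser" and "general" classes is an assumption.
POLICY = {
    "superuser": {"lockout_threshold": 3, "max_idle_minutes": 5,
                  "max_password_age_days": 7, "min_history": 10},
    "general": {"lockout_threshold": 3, "max_idle_minutes": 30,
                "max_password_age_days": 60, "min_history": 10},
}

# Review date used for the password-age calculation (constructed).
AS_OF = date(2013, 2, 1)


def check_account(account, as_of=AS_OF, policy=POLICY):
    """Return the list of findings for one exported account record.

    An empty list means the account complies. Each finding is prefixed
    with the step whose exception report it belongs on.
    """
    rules = policy[account["class"]]
    findings = []

    # 5.6.1.3.2: lockout must be enabled (0 = disabled on most platforms)
    # and must trigger at or below the policy threshold.
    thr = account["lockout_threshold"]
    if thr == 0 or thr > rules["lockout_threshold"]:
        findings.append("5.6.1.3.2 lockout threshold %s, policy %d"
                        % (thr, rules["lockout_threshold"]))

    # 5.6.1.4.2: idle lock/disconnect must be enabled and within the maximum.
    idle = account["idle_lock_minutes"]
    if idle == 0 or idle > rules["max_idle_minutes"]:
        findings.append("5.6.1.4.2 idle lock %s min, policy %d min"
                        % (idle, rules["max_idle_minutes"]))

    # 5.6.1.7.3: password changed within the interval for the user's class.
    age_days = (as_of - account["last_password_change"]).days
    if age_days > rules["max_password_age_days"]:
        findings.append("5.6.1.7.3 password age %d days, policy %d days"
                        % (age_days, rules["max_password_age_days"]))

    # 5.6.1.8.1: reuse restricted for at least the policy number of generations.
    hist = account["password_history"]
    if hist < rules["min_history"]:
        findings.append("5.6.1.8.1 reuse history %d generations, policy %d"
                        % (hist, rules["min_history"]))
    return findings


def noncompliance_report(accounts, as_of=AS_OF, policy=POLICY):
    """Group findings by user class, as 5.6.1.7.3 asks for a report by class.

    Returns {class: {user_id: [findings]}} holding only non-compliant users,
    i.e. the list the reviewer takes back to management for explanations.
    """
    report = {}
    for acct in accounts:
        findings = check_account(acct, as_of, policy)
        if findings:
            report.setdefault(acct["class"], {})[acct["user_id"]] = findings
    return report


# Constructed sample export; field names are hypothetical, not an IdM product's.
SAMPLE_EXPORT = [
    {"user_id": "u1001", "class": "general", "lockout_threshold": 3,
     "idle_lock_minutes": 15, "last_password_change": date(2013, 1, 20),
     "password_history": 12},
    {"user_id": "u1002", "class": "general", "lockout_threshold": 0,
     "idle_lock_minutes": 60, "last_password_change": date(2012, 10, 1),
     "password_history": 12},
    {"user_id": "adm07", "class": "superuser", "lockout_threshold": 3,
     "idle_lock_minutes": 5, "last_password_change": date(2013, 1, 1),
     "password_history": 5},
]

if __name__ == "__main__":
    for cls, users in noncompliance_report(SAMPLE_EXPORT).items():
        for uid, findings in users.items():
            print(cls, uid, "; ".join(findings))
```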

5.7 User Provisioning. Audit/assurance objective: User access permissions are requested by user management, approved by information owners, implemented by designated access control specialists and are the minimum permissions needed by the users to do their jobs.

5.7.1 User Access and Job Function. Control: User access is determined based on job function, considers SoD and utilizes job profiles to simplify granting and maintaining access rights. [COBIT cross-reference: DS5.3, DS5.4; COSO: X]

5.7.1.1 Determine whether an SoD chart has been established for each job function, identifying incompatible roles, user profiles and permissions.

5.7.1.1.1 Obtain the SoD tables for a selection of job functions (use risk basis for selection and include applications and platforms within scope). Verify the appropriateness of the SoD tables by interviewing department management and information security staff, and by observing operations.

5.7.1.2 Determine whether job profiles, identifying the access requirements for each position, are established and used to provide uniformity in granting access to systems, applications, transactions and directory/folders.


5.7.1.3 Confirm that user access permissions to systems and information are in line with defined and documented business needs and that job requirements are attached to user identities.

5.7.1.4 Verify that new user access permissions are not copied from existing users (this practice raises the potential for accidentally granting special privileges).
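An added example, not taken from the ISACA program, of the checks behind steps 5.7.1.1 to 5.7.1.4: an SoD table of incompatible role pairs and a set of job profiles are applied to an identity export to list users holding conflicting roles, users entitled beyond their job profile, and users whose identical over-wide role sets suggest permissions were copied from an existing account. The role names, job profiles, the export format and the copy heuristic are all assumptions.

```python
# Constructed SoD table (5.7.1.1): pairs of roles one person must not hold
# together. Role names are hypothetical.
INCOMPATIBLE_ROLES = {
    frozenset({"ap_invoice_entry", "ap_payment_release"}),
    frozenset({"vendor_master_maintain", "ap_payment_release"}),
    frozenset({"hr_record_maintain", "payroll_run"}),
}

# Constructed job profiles (5.7.1.2): the roles each job function is entitled to.
JOB_PROFILES = {
    "ap_clerk": {"ap_invoice_entry", "vendor_master_maintain"},
    "ap_manager": {"ap_payment_release"},
    "hr_admin": {"hr_record_maintain"},
}


def sod_conflicts(roles, table=INCOMPATIBLE_ROLES):
    """Return the incompatible pairs fully present in one user's role set."""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in table if pair <= held)


def excess_roles(job, roles, profiles=JOB_PROFILES):
    """Roles beyond the job profile (5.7.1.3); these need explicit supervisor
    approval under 5.7.2.2 and are the usual source of SoD breaks."""
    return sorted(set(roles) - profiles.get(job, set()))


def review_user(user, table=INCOMPATIBLE_ROLES, profiles=JOB_PROFILES):
    """Evaluate one identity record: job function plus assigned roles."""
    return {
        "user_id": user["user_id"],
        "sod_conflicts": sod_conflicts(user["roles"], table),
        "excess_roles": excess_roles(user["job"], user["roles"], profiles),
    }


def review_users(users, table=INCOMPATIBLE_ROLES, profiles=JOB_PROFILES):
    """Exception list for the reviewer: only users with a conflict or an
    entitlement outside their job profile, in input order."""
    results = (review_user(u, table, profiles) for u in users)
    return [r for r in results if r["sod_conflicts"] or r["excess_roles"]]


def likely_copied(users, profiles=JOB_PROFILES):
    """Heuristic for 5.7.1.4 (an assumption, not the program's method):
    users sharing an identical role set that is wider than their job profile
    were probably cloned from an existing account rather than provisioned
    from the profile. Returns the groups of user IDs involved."""
    by_roles = {}
    for u in users:
        by_roles.setdefault(frozenset(u["roles"]), []).append(u)
    flagged = []
    for roles, group in by_roles.items():
        if len(group) > 1 and any(excess_roles(u["job"], roles, profiles)
                                  for u in group):
            flagged.append(sorted(u["user_id"] for u in group))
    return flagged


# Constructed identity export joined with the HR job function (not real data).
SAMPLE_USERS = [
    {"user_id": "u2001", "job": "ap_clerk",
     "roles": ["ap_invoice_entry", "vendor_master_maintain"]},
    {"user_id": "u2002", "job": "ap_clerk",
     "roles": ["ap_invoice_entry", "ap_payment_release"]},
    {"user_id": "u2003", "job": "hr_admin",
     "roles": ["hr_record_maintain", "payroll_run"]},
    {"user_id": "u2004", "job": "ap_manager",
     "roles": ["ap_payment_release", "report_viewer"]},
    {"user_id": "u2005", "job": "ap_clerk",
     "roles": ["ap_invoice_entry", "ap_payment_release"]},
]

if __name__ == "__main__":
    for r in review_users(SAMPLE_USERS):
        print(r)
    print("possibly copied:", likely_copied(SAMPLE_USERS))
```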

5.7.2 Supervisory Approval of User Provisioning. Control: User provisioning requires supervisory or management approval and is routinely reviewed by management. Information owners are responsible for approving and monitoring users who access the information under their custodianship. [COBIT cross-reference: DS5.3, DS5.4; COSO: X X X]

5.7.2.1 Determine whether every request to provision a user (or change previous provisioning) requires a supervisor’s approval.

5.7.2.2 Determine whether access requirements in excess of those established for the job function require a supervisor’s approval.

5.7.2.3 Determine whether information owners must formally authorize access to their information.

5.7.2.4 Determine whether information owners routinely review access permissions to their information.

5.7.2.5 Select a sample of provisioning requests that includes platforms and applications with varying levels of associated business risk.

5.7.2.6 For hard copy approvals, verify the dates and signatures of supervisors and information owners. For electronic approvals, verify that approvals can only be given with the approvers’ user IDs.

5.7.2.7 Determine whether user access is routinely reviewed and explicitly approved by the user’s supervisor.

5.7.2.7.1 Select a sample of departments and obtain corresponding reports of their routine review of user access privileges (generally a report of access rules distributed to supervisors).


5.7.2.7.2 Verify that the responsible supervisor(s) approved the access permissions, and note any changes requested.

5.7.2.7.3 If changes were requested, determine reasons, e.g., transfer or termination request was not processed.

5.7.2.8 If users may establish their own identities, e.g., via a restricted employee portal, verify that such identities and access permissions are reviewed and approved before being enabled.

5.7.3 Monitoring of Access Changes. Control: Access changes are monitored by security staff, information owners and department managers. [COBIT cross-reference: DS5.3, DS5.4; COSO: X X X]

5.7.3.1 Determine how activity logs are generated, monitored and reviewed by management.

5.7.3.1.1 Select a sample, based on business risk, from the various in-scope systems and applications. For each item in the sample, select a sample of activity logs for one or more periods within the scope of the review.

5.7.3.1.2 Review each log for evidence of management review and issue escalation.

5.7.3.2 Determine whether information owners, information security specialists, internal auditors, and departmental managers receive reports on access changes within their areas of responsibility.

5.7.3.3 Determine whether reviews and follow-up are evidenced either by hard copy signatures or by online use of the reviewers’ IDs.


5.7.4 Contractor and Third-party Access. Control: Access to systems or information resources by a contractor or other third party (e.g., vendor, customer, attorney involved in e-discovery) requires managerial approval and is reviewed frequently. Contractors’ and third parties’ user IDs and access permissions are immediately disabled at the conclusion of the contract or termination of the third-party relationship. [COBIT cross-reference: DS5.3, DS5.4; COSO: X X X]

5.7.4.1 Determine whether a policy has been established for access by contractors and other third parties that requires:
• Authorization by management before a user ID is assigned
• Approval by the relevant information owners for all such access permissions
• Automatic disabling of such IDs and permissions immediately upon expiration of the contract or termination of the third-party relationship

5.7.4.2 Verify adherence to the contractor access policy.

5.7.4.2.1 Obtain the list of contractors and third parties with access to the organization’s systems and information.

5.7.4.2.2 Select a sample of requests for contractor and third-party access.

5.7.4.2.3 Verify signatures and expiration dates.

5.7.4.2.4 Determine whether the contractor ID had been disabled according to request.

5.7.4.2.5 Determine whether the contractor access request is in alignment with agreed-on duties.

5.7.4.2.6 For a sample of completed contracts or termination of third-party relationships, determine whether the corresponding user IDs were disabled immediately, in compliance with the policy.


5.8 User Termination and Transfer. Audit/assurance objective: User access is disabled immediately upon termination. When a user’s duties change, access permissions are immediately modified in accordance with the user’s new job functions.

5.8.1 User Termination. Control: User IDs are immediately disabled upon termination of employment. [COBIT cross-reference: DS5.3, DS5.4; COSO: X X X]

5.8.1.1 Determine whether user termination procedures trigger automatic updates to the IdM system to remove access permissions.

5.8.1.2 Determine whether end-of-contract procedures trigger automatic updates to the IdM system to remove access permissions.

5.8.1.3 If termination and end-of-contract events do not trigger automatic IdM updates, determine how the IdM administrator receives notification of these events.

5.8.1.4 Determine whether the procedures are the same for voluntary and involuntary terminations. If not, obtain explanations.

5.8.1.5 Interview IdM and HR staff to ensure that there are no gaps in the notification process.

5.8.1.6 Determine whether formal procedures exist for periodic reviews of termination of temporary users.

5.8.1.7 Determine whether formal procedures are in place for the periodic review and follow-up of the list of terminated users.

5.8.1.8 Determine whether the disabling of the user ID is formally confirmed by the IdM administrator to the terminated user’s supervisor.

5.8.1.9 Obtain a list of terminated users, including contractors. If necessary, select a sample from the list.

5.8.1.9.1 For involuntary terminations and end-of-contract cases, determine the date and time of the termination, and compare them to the date and time that the user ID was disabled. Obtain explanations for unexpected delays.

5.8.1.9.2 For voluntary terminations, determine whether the user ID was disabled within a reasonable period after the termination.
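The comparison in steps 5.8.1.9.1 and 5.8.1.9.2 (and the same check for contractor IDs in 5.7.4.2.6), carried out in code as an added example that is not part of the ISACA program: an HR termination export is reconciled against the IdM account-status history, reporting IDs disabled late and IDs never disabled. The two export formats, the termination type names and the 24-hour grace period for voluntary leavers are assumptions; the program itself only says "a reasonable period".

```python
from datetime import datetime, timedelta

# "Reasonable period" for voluntary leavers (5.8.1.9.2) is left to the
# reviewer by the program; 24 hours is an assumed value for this example.
VOLUNTARY_GRACE = timedelta(hours=24)

# Termination types whose IDs must be disabled immediately (5.8.1.9.1).
IMMEDIATE_TYPES = {"involuntary", "end_of_contract"}


def reconcile(terminations, disabled_at, voluntary_grace=VOLUNTARY_GRACE):
    """Compare each HR termination with the time its user ID was disabled.

    Returns one tuple (user_id, type, delay) per exception, in HR order:
    delay is a timedelta when disabling was late, or None when the ID is
    still enabled (no disable event in the IdM export at all).
    """
    exceptions = []
    for term in terminations:
        uid = term["user_id"]
        when = disabled_at.get(uid)
        if when is None:
            exceptions.append((uid, term["type"], None))
            continue
        delay = when - term["terminated_at"]
        if delay <= timedelta(0):
            continue  # disabled at or before the termination time: compliant
        limit = timedelta(0) if term["type"] in IMMEDIATE_TYPES else voluntary_grace
        if delay > limit:
            exceptions.append((uid, term["type"], delay))
    return exceptions


def still_enabled(exceptions):
    """User IDs with no disable event at all: the follow-up list that the
    periodic review in 5.8.1.7 should already have caught."""
    return [uid for uid, _, delay in exceptions if delay is None]


# Constructed HR termination export (not real data).
TERMINATIONS = [
    {"user_id": "u3001", "type": "involuntary",
     "terminated_at": datetime(2013, 1, 14, 9, 0)},
    {"user_id": "u3002", "type": "voluntary",
     "terminated_at": datetime(2013, 1, 18, 17, 0)},
    {"user_id": "c0042", "type": "end_of_contract",
     "terminated_at": datetime(2013, 1, 31, 18, 0)},
    {"user_id": "u3004", "type": "voluntary",
     "terminated_at": datetime(2013, 1, 25, 17, 0)},
]

# Constructed IdM account-status history: user ID -> time the ID was disabled.
DISABLED_AT = {
    "u3001": datetime(2013, 1, 14, 9, 5),    # five minutes late: exception
    "u3002": datetime(2013, 1, 19, 8, 30),   # next morning, within grace
    "u3004": datetime(2013, 1, 29, 10, 0),   # almost four days late: exception
    # "c0042" has no entry: the contractor ID was never disabled
}

if __name__ == "__main__":
    for uid, kind, delay in reconcile(TERMINATIONS, DISABLED_AT):
        print(uid, kind, "never disabled" if delay is None else delay)
```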

5.8.2 Reconciliation of User ID Transfers. Control: The former supervisor of the transferred user and the new supervisor notify the IdM administrator of the transfer. [COBIT cross-reference: DS5.3, DS5.4; COSO: X X X]

5.8.2.1 Determine that a procedure exists to match the transferring and receiving department access request to ensure that transferred user IDs do not retain old access permissions.

5.8.2.2 Obtain a list of transferred users.

5.8.2.3 Select a sample of such users from the list.

5.8.2.4 Obtain requests for transfer from the previous and current manager.

5.8.2.5 Determine whether they are signed (if hard copy) or were generated only with the user IDs of the previous and current supervisor (if electronic).

5.8.2.6 In each sampled case, determine whether the users’ permissions were immediately changed to meet the requirements of the new position.

6. SINGLE SIGN-ON (SSO) AND FEDERATED IDENTITY MANAGEMENT (FIdM)

6.1 SSO. Audit/assurance objective: The process of deploying an SSO solution is controlled and monitored in full compliance with IdM policy and procedures.

6.1.1 SSO. Control: An SSO system is deployed to ensure uniform application of access control. [COBIT cross-reference: DS5.3, DS5.4; COSO: X]

6.1.1.1 Determine whether the SSO system automatically synchronizes user IDs and passwords across applications and systems.


6.1.1.2 If a scripting or macro process is used to emulate SSO, determine whether the scripting process is secured against unauthorized changes.

6.1.2 Non-SSO Applications. Control: Where SSO is not feasible or certain applications or operating systems are not technically compatible with SSO technology, affected applications and systems remain in compliance with IdM policy and good practices. [COBIT cross-reference: DS5.3, DS5.4; COSO: X]

6.1.2.1 For affected systems and applications, verify that user authentication is in compliance with IdM policy and good practices.

6.1.2.1.1 Identify the applications and operating systems that do not comply with SSO policy or technology.

6.1.2.1.2 Select a sample of standard and superuser IDs from each major application (using the established risk criteria selected for the audit/assurance review).

6.1.2.1.3 For each selected user, verify that authentication for users and other systems complies with both IdM policy and good practices.

6.1.3 Recoverability. Control: SSO servers are covered under the organization’s standard protections, backup, and failover strategies.

6.1.3.1 Determine whether all SSO servers are covered under the organization’s standard protection mechanisms (e.g., firewalls, restricted VLANs, intrusion detection systems (IDSs)/intrusion protection systems (IPSs), backup and recovery, and failover strategies).

6.1.3.2 Determine whether the SSO servers and trusted authentication store (e.g., the Active Directory database) are included in a regular disaster recovery testing process.


6.2 FIdM. Audit/assurance objective: FIdM, if deployed, uses an industry-standard framework.

6.2.1 The FIdM framework adheres to industry standards. Control: The organization permits federated connections (i.e., passes identity) to third-party web sites only by means of an industry-standard protocol. [COBIT cross-reference: DS5.3; COSO: X]

6.2.1.1 Review the IdM framework document and determine whether FIdM requires use of one of the industry-standard protocols, namely:
• SAML2
• Liberty Alliance Identity Assurance Framework
• OpenID
• WS-Federation
• Ping Identity

6.2.2 Appropriate security controls are in place to protect FIdM and to deter hacking attacks. Control: FIdM servers are included in the organization’s standard network protection mechanisms. [COBIT cross-reference: DS5.3, DS5.10; COSO: X]

6.2.2.1 Determine that a global time-out of appropriate length is in place, i.e., the period of inactivity after which online users are timed out.

6.2.2.2 Identify sensitive applications where individual time-outs less than the global standard should be in place. Obtain explanations.

6.2.2.3 Determine that FIdM uses the organization’s authoritative identity store, e.g., the Active Directory database.

6.2.2.4 Determine that FIdM servers are covered under the organization’s standard protection mechanisms, e.g., firewalls, restricted VLANs, IDSs/IPSs, backup and recovery, and failover strategies.

6.2.2.5 Determine whether the FIdM servers and trusted authentication store (e.g., the Active Directory database) are included in a regular disaster recovery testing process.


VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance reviews and the reviewer’s observations, assign a maturity level to each of the following COBIT 4.1 control practices. When completing this assessment, focus the evaluation on how the IdM implementation relates to each of the issues identified below.

COBIT Control Objective | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments

PO6.3 IT Policies Management
1. Create a hierarchical set of policies, standards and procedures to manage the IT control environment. The form and style of the policies should align to the IT control environment.
2. Develop specific policies on relevant key topics such as quality, security, confidentiality, internal controls, ethics and intellectual property rights.
3. Evaluate and update the policies at least yearly to accommodate changing operating or business environments. The re-evaluation should assess the policies’ adequacy and appropriateness, and they should be amended as necessary.
4. Ensure that procedures are in place to track compliance with policies and define the consequences of non-compliance.
5. Ensure that accountability has been defined through roles and responsibilities.

PO6.4 Policy, Standard and Procedures Rollout
1. Ensure that policies are effectively translated into operational standards.
2. Ensure that employment contracts are aligned with policies.
3. Capture explicit acknowledgement from users as to their receipt and understanding of the policies, procedures and standards.
4. Ensure that sufficient and skilled resources are available to support the rollout process. Rollout methods should address resource and awareness needs and implications.

PO9.4 Risk Assessment
1. Ensure that policies are effectively translated into operational standards.
2. Ensure that employment contracts are aligned with policies.
3. Capture explicit acknowledgement from users as to their receipt and understanding of the policies, procedures and standards.
4. Ensure that sufficient and skilled resources are available to support the rollout process. Rollout methods should address resource and awareness needs and implications.


DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorize access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorization criteria for assigning user access rights take into account:
• Sensitivity of information and applications involved (data classification)
• Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
• Roles and responsibilities as defined within the enterprise
• The need-to-have access rights associated with the function
• Standard but individual user access profiles for common job roles in the organization
• Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorizing users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organization, or who have changed roles or jobs.


DS5.4 User Account Management

1. Ensure that access control procedures include, but are not limited to:
• Using unique user IDs so that users can be linked to, and held accountable for, their actions
• Awareness that the use of group IDs results in the loss of individual accountability; group IDs are permitted only when justified for business or operational reasons and compensated by mitigating controls, and must be approved and documented
• Checking that the user has authorization from the system owner for the use of the information system or service, and that the level of access granted is appropriate to the business purpose and consistent with the organizational security policy
• A procedure requiring users to understand and acknowledge their access rights and the conditions of such access
• Ensuring that internal and external service providers do not provide access until authorization procedures have been completed
• Maintaining a formal record, including access levels, of all persons registered to use the service
• A timely and regular review of user IDs and access rights

2. Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job change, such as transfer, promotion, demotion or termination of employment. Authorizations for special privileged access rights should be reviewed independently and at more frequent intervals.
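Reconciling an account export against the HR roster is the test an auditor runs for DS5.3 item 5 (joiners, movers and leavers) and for DS5.4 items 1 and 2 (unique user IDs, approved group IDs, periodic reviews and re-review after a job change). The script below is an added example and is not part of the ISACA programme; the record layout, the review intervals and every roster and account record in it are constructed for illustration, so adapt the field names and intervals to the enterprise's own policy.

```python
"""Joiner/mover/leaver and access-review reconciliation.

Added example, not part of the ISACA audit programme. It reconciles a
constructed HR roster against a constructed account export and reports
the exceptions that DS5.3 item 5 and DS5.4 items 1 and 2 ask the
auditor to look for. Field names, intervals and sample records are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    emp_id: str
    status: str                 # "active" or "terminated"
    role: str
    last_role_change: date      # hire date, or most recent transfer/promotion
    termination: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    emp_id: Optional[str]       # None marks a group/shared ID
    enabled: bool
    privileged: bool
    last_review: date           # date of the last documented rights review
    group_approval_ref: Optional[str] = None  # approval record for group IDs


# Review intervals are assumed values; take them from the enterprise policy.
STANDARD_REVIEW_DAYS = 180
PRIVILEGED_REVIEW_DAYS = 90     # "more frequent intervals" for privileged rights
LEAVER_GRACE_DAYS = 1           # days after termination before an enabled account is an exception


def reconcile(people, accounts, as_of):
    """Return (control_ref, user_id, description) tuples for every exception found."""
    roster = {p.emp_id: p for p in people}
    findings = []

    # DS5.4 item 1: a user ID must identify exactly one accountable person.
    seen = set()
    for a in accounts:
        if a.user_id in seen:
            findings.append(("DS5.4-1", a.user_id, "user ID appears more than once in the export"))
        seen.add(a.user_id)

    for a in accounts:
        if a.emp_id is None:
            # DS5.4 item 1: group IDs are tolerated only with an approval on record.
            if a.group_approval_ref is None:
                findings.append(("DS5.4-1", a.user_id, "group ID with no documented approval"))
            continue
        p = roster.get(a.emp_id)
        if p is None:
            findings.append(("DS5.3-5", a.user_id, f"no HR record for {a.emp_id} (orphan account)"))
            continue
        # DS5.3 item 5: leavers must have access revoked promptly.
        if (p.status == "terminated" and a.enabled and p.termination is not None
                and (as_of - p.termination).days > LEAVER_GRACE_DAYS):
            findings.append(("DS5.3-5", a.user_id,
                             f"leaver {p.emp_id} terminated {p.termination} still enabled"))
        # DS5.4 item 2: a job change must be followed by a review of rights.
        if p.last_role_change > a.last_review:
            findings.append(("DS5.4-2", a.user_id,
                             f"role change on {p.last_role_change} not followed by an access review"))
        # DS5.4 item 2: periodic review, with a shorter interval for privileged rights.
        limit = PRIVILEGED_REVIEW_DAYS if a.privileged else STANDARD_REVIEW_DAYS
        if (as_of - a.last_review).days > limit:
            findings.append(("DS5.4-2", a.user_id,
                             f"last review {a.last_review} older than {limit} days"))
    return findings


# Constructed sample data: a small HR roster and account export as of 28 Feb 2013.
AS_OF = date(2013, 2, 28)
SAMPLE_PEOPLE = [
    Person("E100", "active", "AP clerk", date(2012, 1, 10)),
    Person("E101", "terminated", "AP clerk", date(2011, 5, 1), termination=date(2013, 1, 15)),
    Person("E102", "active", "AP supervisor", date(2013, 2, 1)),   # promoted this month
    Person("E103", "active", "sysadmin", date(2012, 6, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E100", True, False, date(2012, 12, 1)),
    Account("asmith", "E101", True, False, date(2012, 12, 1)),     # leaver, still enabled
    Account("bjones", "E102", True, False, date(2012, 12, 15)),    # mover, not re-reviewed
    Account("root-ops", None, True, True, date(2013, 1, 10)),      # group ID, no approval
    Account("backup-svc", None, True, True, date(2013, 1, 10), group_approval_ref="CHG-0042"),
    Account("kadmin", "E103", True, True, date(2012, 10, 1)),      # privileged, review overdue
    Account("ghost", "E999", True, False, date(2013, 1, 1)),       # no HR record
]


def audit_sample():
    """Run the reconciliation over the constructed sample and return the findings."""
    return reconcile(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for ref, uid, why in audit_sample():
        print(f"{ref:8} {uid:12} {why}")
```

Each finding carries the control reference it evidences, so the output can be pasted straight into the Comments column of the table above. The two inputs are deliberately independent extracts (HR system and account directory); an auditor should pull both directly rather than accept a pre-joined report from the team being assessed.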


VIII. Maturity Assessment vs. Target Assessment

This spider graph is an example of the assessment results and maturity target for an IdM assessment:


[Spider graph: one axis per control objective (PO6.3 IT Policies Management; PO6.4 Policy, Standard, and Procedures Rollout; PO9.4 Risk Assessment; DS5.3 Identity Management; DS5.4 User Account Management), maturity scale 0 to 5, with two plotted series, Assessment and Target.]