Emergency Access

(Can be used across all platforms)

 

Control Point Ref #: emeraaab new/1.2
-------------
Emergency IDs have been assigned access to the appropriate
resources

Audit Steps
-----------
1) Identify the emergency IDs that have been established and
their purpose

1.1) Ask the security administrator for the following
information:

o names of emergency IDs
o department or area which uses the ID
o overall use of ID (i.e., determine if it was the intent to
set-up the ID to perform specific functions or have access
to a broad base of resources in order to address all types of
emergency situations)

2) Determine the access entitlements granted to each emergency
ID (Refer to the corresponding Global Audit Step which has
been established for each security system to determine the
access that is granted to a specific ID being reviewed).

3) Determine whether the emergency IDs have access to the
appropriate resources.

3.1) Based on discussions with each department which uses a
specific emergency ID, determine the type of resources that
need to be accessed in an emergency situation.

3.2) Based on the access granted to each emergency ID and its
intended use, determine whether the access granted to each
emergency ID is appropriate.

F1 - Info Screen Ref #:emeraaab
Background
----------
There are two approaches used for establishing emergency IDs. The
first approach is to set-up a specific ID to handle specific
emergency events. This method provides the greatest level of
control since the user is prevented from accessing resources
outside the scope of access granted to the emergency ID. In
addition, detective controls do not need to be relied upon to
identify when resources were accessed that were not part of the
resolution requirements.

The disadvantage of this approach is that some emergency
situations could impact multiple areas which require the user to
activate multiple emergency IDs and switch between each emergency
ID depending on the resolution requirements. The other
disadvantage is that each time new resources are defined on the
system the emergency ID would be required to be updated.
Therefore, potentially the emergency IDs may not be updated prior
to the need to use the ID in an emergency situation which will
impact the user's ability to resolve a problem in a timely
manner.

The second approach is to set-up general purpose IDs which can
address all types of emergency situations. However, detective
controls must be relied upon to identify when the unauthorized
actions occurred based on the type of emergency situation.

Audit Step Info
---------------
There is no systematic method available for determining the
emergency IDs that have been established on the system since
there is no special field in any of the security systems which
flags emergency IDs unless the installation itself uses a comment
field to provide this function. Therefore, audit steps are
provided to obtain this information by questioning the security
administrator.

The audit steps indicate that information should be requested
regarding the overall scope of each ID. Since the security
administration group is not necessarily familiar with
applications and their resources, it is not necessarily expected
of them to have knowledge as to whether these IDs have been
established with a granular level of access to the specific
resources of a department or if it is a general purpose ID which
has access to resources throughout the entire department.
Therefore, the information being requested would require each
department that is responsible for each emergency ID to be
contacted.

When reviewing the access granted to each department, the focus
of the review should be to ensure that one department does not
have access to resources of another department.

Control Point Ref #: emeraaac new/1.2
-------------
Adequate controls are in place for the release and revocation of
emergency IDs

Audit Steps
-----------
1) Determine the emergency IDs that have been established and
their purpose.

1.1) Ask the security administrator for the names of emergency
IDs and determine if they have been setup to perform
specific functions or have access to a broad base of resources
in order to address all types of emergency situations.

1.2) Determine the area which uses each emergency ID.

2) Determine whether there is a centralized or decentralized
(i.e., by individual departments) process for handling the
activation of emergency IDs.

Note:
No audit steps are provided to review the adequacy of controls
for the decentralized activation of IDs.

Perform remaining steps for the centralized activation of
emergency IDs
3) Determine whether there is an adequate method for activating
emergency IDs which prevents the use of the emergency ID
until it is required.

3.1) Determine the method used for the activation of emergency
IDs

o Operator unsuspends ID

Note:
The same password would need to be maintained by users of the
emergency ID.

o password maintained in an envelope which is opened when
required, which requires the password to be changed each time

4) Determine whether there are controls in place to ensure that
only authorized personnel can request the activation of an
emergency ID through such methods as follows:

o manager authorization

o list of authorized individuals allowed to use each emergency
ID

5) Ensure that there is a process in place to ensure that the
emergency ID cannot be used after the emergency situation has
been resolved.

5.1) Determine whether a process is in place to restrict the
number of hours in which an ID can be used.

5.2) Ensure that a process is in place to revoke the person's
access once they have resolved the problem.

F1 - Info Screen Ref #:emeraaac
Background
----------
Emergency IDs are typically used to provide a greater level of
control for access to sensitive resources. Emergency IDs are
typically used by Data Center and application development
personnel. However, it also could be used by general users.

The first decision is to determine whether the control of the
activation of emergency IDs is performed centrally by the data
center or is decentralized to the department level.

The distribution of emergency IDs consists of one of the
following methods:

o the ID is enabled by an independent person who either has
knowledge of the ID

o the emergency security administrator ID enables an ID

o emergency ID's password is stored in a lockbox which is
retrieved when it is required to be used

Another method for distributing passwords is to store the password
in its own dataset, whereby read access to the dataset is
restricted to the individuals who are responsible for
distributing the password.

Granting routine access to emergency IDs by the users who are
required to use the emergency ID is not provided as an
alternative since there should be a control to prevent its use.
However, there may be cases where the risk related to resources
that are restricted through an emergency access is not warranted.

Audit Step Info
---------------
One of the audit steps reviews the controls to ensure that only
authorized personnel can request the activation of an emergency
ID in which the user requesting the release of the emergency ID
is authenticated by a list of authorized individuals allowed to
use each emergency ID. However, a compliance test is not
indicated to be performed to ensure that appropriate personnel
are on the list based on job function because in many cases it
may be at a department level.

Control Point Ref #: emeraaad new/1.2
-------------
Sensitive resources that are controlled by emergency IDs are
restricted from other users

Audit Steps
----------
1) Determine the sensitive resources that the emergency ID is
assigned.

1.1) Obtain a list of the emergency IDs from the security
administrator.

1.2) Use the Global Audit Steps to determine the access
entitlements granted to the emergency ID based on the
security system used.

1.3) Based on the access granted to emergency IDs determine the
privileges and resources that are considered sensitive.

2) Determine whether other users are granted access to the
sensitive resources assigned to the emergency ID.

2.1) For datasets, determine the users that have update access
to the sensitive datasets in which the emergency ID has
access to by using the Global Audit Steps to determine the
users that have access to a specific dataset being reviewed.

2.2) For other general resources, determine the users that have
access to the sensitive resources in which the emergency ID
has access to by using the Global Audit Steps to determine
the users that have access to a specific resource being
reviewed.
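
Steps 2.1 and 2.2 above amount to a comparison of two entitlement lists. The following is an added example, not part of the original audit program; the record layout, the access level ordering and every ID and dataset name in it are constructed assumptions.

```python
# Constructed entitlement export: (ID, resource, access level). The record
# layout and the level ordering below are assumptions for this example.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}
ENTITLEMENTS = [
    ("EMERG01", "PROD.PAYROLL.MASTER", "ALTER"),
    ("EMERG01", "PROD.PAYROLL.JCL", "UPDATE"),
    ("EMERG01", "TEST.PAYROLL.DATA", "UPDATE"),
    ("JSMITH", "PROD.PAYROLL.MASTER", "UPDATE"),
    ("JSMITH", "TEST.PAYROLL.DATA", "UPDATE"),
    ("BJONES", "PROD.PAYROLL.MASTER", "READ"),
    ("SCHEDLR", "PROD.PAYROLL.MASTER", "UPDATE"),
    ("EMERG02", "PROD.GL.LEDGER", "UPDATE"),
    ("KLEE", "PROD.GL.LEDGER", "ALTER"),
]
EMERGENCY_IDS = {"EMERG01", "EMERG02"}
# Outcome of step 1.3: not every resource an emergency ID reaches is sensitive.
SENSITIVE = {"PROD.PAYROLL.MASTER", "PROD.PAYROLL.JCL", "PROD.GL.LEDGER"}
# IDs of authorized processes (e.g. a job scheduler), tagged so the auditor
# can assess them separately from individual users.
PROCESS_IDS = {"SCHEDLR"}


def exposed_resources(entitlements, emergency_ids, sensitive, process_ids,
                      min_level="UPDATE"):
    """Map each sensitive resource reachable by an emergency ID to the
    other IDs holding min_level access or higher to that resource."""
    floor = LEVELS[min_level]
    guarded = {res for ident, res, acc in entitlements
               if ident in emergency_ids and res in sensitive}
    findings = {}
    for ident, res, acc in entitlements:
        if res not in guarded or ident in emergency_ids:
            continue  # out of scope, or the emergency ID itself
        if LEVELS[acc] < floor:
            continue  # read-only access is below the update threshold
        kind = "process" if ident in process_ids else "user"
        findings.setdefault(res, []).append((ident, acc, kind))
    return {res: sorted(rows) for res, rows in findings.items()}
```

Each key in the result is a sensitive resource that the emergency ID does not actually restrict, because the listed IDs can update it without activating an emergency ID.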

F1 - Info Screen Ref #:emeraaad
Background
----------
There are different approaches used for identifying sensitive
resources to determine whether access is appropriate. Since
emergency IDs are used to restrict access to sensitive resources
that are not required to be accessed by individuals on a routine
basis, it is an effective method for identifying sensitive
resources which should be restricted from all users.

It should be noted that not all resources that emergency IDs have
access to are sensitive. To perform certain programming and
troubleshooting functions, access to non-sensitive resources would
be required.

Audit Step Info
---------------
Instead of repeatedly providing audit steps for each security
system to determine access entitlements granted to an ID and the
IDs which are granted access to a specific resource, the
information is centrally stored in the Global Audit Steps.

Control Point Ref #: emeraaaf maj/1.2
-------------
Activity performed by using the emergency ID is logged,
documented and reviewed by management

Audit Steps
-----------
1) Determine if there is a systematic method to identify when
the emergency ID was used and the resources that were accessed.

1.1) Obtain a list of the emergency IDs from the security
administrator.

1.2) Determine whether the emergency ID is set-up to have all of
its activity logged.

1.3) Determine the report process that is used to extract the
logged events and ensure the report set-up extracts all
sensitive events.

1.4) Determine the process that is used to automatically provide
daily reports to the area responsible for performing the
review of the emergency ID use to ensure that all activity
was appropriate.

2) Ensure that there is a process in place to document the
reason for the use of an emergency ID which describes the
problem and steps taken for resolution which is approved by
management.

2.1) Determine whether there is a process to perform an
independent review of the usage of all emergency IDs.

2.2) Determine whether there are standards and procedures which
specify the requirements of the review process.

2.3) Select the emergency reports from a sample period and
determine whether an adequate level of documentation exists to
support the review process.
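
The sample-period test in step 2.3, together with steps 4 and 5 of control point emeraaac (authorized requesters, hour limit, revocation), can be run as one reconciliation of activation records against logged activity. This is an added example, not part of the original audit program; the record layouts, names, ticket values, dates and the 8-hour limit are constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_HOURS = 8  # assumed site limit on how long an activated ID may be used
AUTHORIZED = {"EMERG01": {"JSMITH", "BJONES"}}  # approved requesters per ID

# Constructed activation records. "end" is the revocation time; ticket=None
# means no documented, management-approved reason exists for the use.
ACTIVATIONS = [
    {"id": "EMERG01", "user": "JSMITH", "start": "2000-03-01T02:00",
     "end": "2000-03-01T05:00", "ticket": "INC-1"},
    {"id": "EMERG01", "user": "KLEE", "start": "2000-03-04T01:00",
     "end": "2000-03-04T03:00", "ticket": "INC-2"},
    {"id": "EMERG01", "user": "BJONES", "start": "2000-03-07T09:00",
     "end": "2000-03-07T21:00", "ticket": None},
]
# Constructed activity log for the emergency ID: (ID, time, event).
ACTIVITY = [
    ("EMERG01", "2000-03-01T02:30", "UPDATE PROD.PAYROLL.MASTER"),
    ("EMERG01", "2000-03-02T23:10", "UPDATE PROD.PAYROLL.MASTER"),
    ("EMERG01", "2000-03-07T10:00", "READ PROD.PAYROLL.JCL"),
]


def ts(text):
    return datetime.fromisoformat(text)


def review(activations, activity, authorized, max_hours):
    """Return (finding, ID, detail) tuples for each control exception."""
    findings = []
    limit = timedelta(hours=max_hours)
    for a in activations:
        if a["user"] not in authorized.get(a["id"], set()):
            findings.append(("UNAUTHORIZED_REQUESTER", a["id"], a["user"]))
        # An activation never revoked (end=None) also breaks the hour limit.
        if a["end"] is None or ts(a["end"]) - ts(a["start"]) > limit:
            findings.append(("WINDOW_TOO_LONG", a["id"], a["start"]))
        if not a["ticket"]:
            findings.append(("NO_DOCUMENTED_REASON", a["id"], a["start"]))
    for ident, when, _event in activity:
        covered = any(
            a["id"] == ident
            and ts(a["start"]) <= ts(when) <= ts(a["end"] or when)
            for a in activations)
        if not covered:  # ID was usable while no activation was open
            findings.append(("USE_OUTSIDE_ACTIVATION", ident, when))
    return findings
```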

F1 - Info Screen Ref #:emeraaaf
Background
----------
The only effective method to identify the sensitive actions
performed by an emergency ID is to log all of the emergency ID's
activity.

Logging the individual sensitive resources is not an effective
method for identifying the sensitive activity performed by the
emergency ID because it might not reflect all of the sensitive
actions performed by the emergency ID. In addition, a more
sophisticated filtering process would be required to exclude the
logging of authorized processes that update these sensitive
resources.

The review process to ensure that functions performed by the
emergency ID were appropriate should contain the following
components:

o An independent review of the activity performed by the
person using the emergency ID.

o Process to document the event which triggered the need to
use the emergency ID

o Process to document the actual resources that were required
to be updated (e.g., records changed, fields changed)

o Process to document the facility used to update the
sensitive resources (i.e., program used, editor used,
utility used)

Although not indicated within the audit steps, the owner of the
resource should be alerted of the problem and they should approve
the steps taken to resolve the problem.

Control Point Ref #: emeraaag new/1.2
-------------
All resources that are restricted to emergency IDs are warranted

Audit Steps
----------
1) Identify the emergency IDs that have been established and
their purpose

1.1) Ask the security administrator for the following
information:

o names of emergency IDs
o department or area which uses the ID
o overall use of ID (i.e., determine if it was the intent to
set-up the ID to perform specific functions or have access
to a broad base of resources in order to address all types of
emergency situations)

2) Determine whether the resources that are restricted to the
emergency IDs are warranted based on the risk level of the
resource.

2.1) Determine the sensitive resources that the emergency ID is
assigned.

Use the Global Audit Steps to determine the access
entitlements granted to the emergency ID based on the
security system used.

Based on the access granted to emergency IDs determine the
privileges and resources that are considered sensitive.

2.2) Based on the intended use of each emergency ID, the access
granted and the risk level of the resources, determine
whether an alternative method should be used for controlling
access to the resources.

F1 - Info Ref #: emeraaag
Background
----------
Emergency IDs are typically used by Data Center and application
development personnel. However, they also could be used by general
users. Emergency IDs are used to provide a greater level of
control for access to sensitive resources. Access to specific
resources is assigned to emergency IDs in order to establish a
preventive control prior to its use and a level of accountability
of changes that occur to these sensitive resources.

Some emergency IDs do not require the same level of control in
terms of pre-authorization for their use and the post-review of
actions performed using the emergency ID to ensure that they are
appropriate. For instance, the use of an emergency ID to gain
access to the QA dataset to establish test conditions would not
be considered sensitive enough to require a post-review by
management to ensure only the proper functions were performed.

The need to use emergency IDs should be reserved for resources
that are sensitive since there are other mechanisms available for
providing the same type of control as emergency IDs but they do
not offer preventive controls in regards to the use of the ID.

The other mechanisms available include:

o Alternate IDs that are audited

Users that require access to sensitive resources on a
frequent basis but do not require pre-authorization prior to
accessing the resource can be placed in an alternate ID. By
assigning the user access to sensitive resources through their
alternate ID, the ID can be audited to log all of its activity
which can then be reviewed by management. The user should be
instructed to only use the alternate ID when access to sensitive
resources is required and not for their normal job activity.
Otherwise, the unwarranted logging will be picked up on the
management review process which could create voluminous reports
and cause a breakdown in the overall review process.

o Logged access to Resources

When sensitive resources can be identified, the access to the
resource can be logged. However, effective logging can only
occur if there are no authorized processes that also require
access to the sensitive resources which will be picked up in the
logging. In this case, the sensitive resources can only be
logged if the authorized process can be excluded. ACF2, Top
Secret, and RACF do not provide the ability to exclude logging.
A third party package (Legent-PDSMAN or Action Software-Change
Action) would be required to perform this filtered logging. An
example of an authorized process which requires access to
sensitive resources which should not be included as a logged
event is the CICS region's or job scheduling system's access to
production datasets.

If continuous access is required to an emergency ID, then
alternative approaches must be considered to reduce the need to
have a review process to support each time the emergency ID is
used. Otherwise, too much reliance is placed upon the review
process, which is a detective control that could be subject to
breakdown. For example, if complete access to a dataset is
required to reorganize a database, the access could be removed
from the individual responsible for this function and granted to
the job scheduling system.
************************************************************************
Copyright 1991 - 2000, Audit Serve, Inc. All rights reserved. All Audit
Programs are copyrighted and may not be posted electronically or
redistributed unless written permission is granted by Audit Serve, Inc.
The Audit Programs may be used for internal use within organizations.
Audit Programs may not be resold.
************************************************************************