(Can be used across all platforms)

Control Point   Ref #: emeraaab   new/1.2
-------------
Emergency IDs have been assigned access to the appropriate resources

Audit Steps
-----------
1) Identify the emergency IDs that have been established and their
   purpose.

   1.1) Ask the security administrator for the following information:
        o names of emergency IDs
        o department or area which uses the ID
        o overall use of ID (i.e., determine if it was the intent to
          set up the ID to perform specific functions or have access
          to a broad base of resources in order to address all types
          of emergency situations)

2) Determine the access entitlements granted to each emergency ID.
   (Refer to the corresponding Global Audit Step which has been
   established for each security system to determine the access that
   is granted to a specific ID being reviewed.)

3) Determine whether the emergency IDs have access to the appropriate
   resources.

   3.1) Based on discussions with each department which uses a
        specific emergency ID, determine the type of resources that
        need to be accessed in an emergency situation.

   3.2) Based on the access granted to each emergency ID and its
        intended use, determine whether the access granted to each
        emergency ID is appropriate.

F1 - Info Screen Ref #:emeraaab

Background
----------
There are two approaches used for establishing emergency IDs.

The first approach is to set up a specific ID to handle specific
emergency events. This method provides the greatest level of control
since the user is prevented from accessing resources outside the scope
of access granted to the emergency ID. In addition, detective controls
do not need to be relied upon to identify when resources were accessed
that were not part of the resolution requirements.

The disadvantage of this approach is that some emergency situations
could impact multiple areas, which requires the user to activate
multiple emergency IDs and switch between each emergency ID depending
on the resolution requirements.
The other disadvantage is that each time new resources are defined on
the system, the emergency ID would be required to be updated.
Therefore, the emergency IDs potentially may not be updated prior to
the need to use the ID in an emergency situation, which will impact the
user's ability to resolve a problem in a timely manner.

The second approach is to set up general purpose IDs which can address
all types of emergency situations. However, detective controls must be
relied upon to identify when unauthorized actions occurred based on
the type of emergency situation.

Audit Step Info
---------------
There is no systematic method available for determining the emergency
IDs that have been established on the system, since there is no special
field in any of the security systems which flags emergency IDs unless
the installation itself uses a comment field to provide this function.
Therefore, audit steps are provided to obtain this information by
questioning the security administrator.

The audit steps request information regarding the overall scope of
each ID. Since the security administration group is not necessarily
familiar with applications and their resources, it is not necessarily
expected to know whether these IDs have been established with a
granular level of access to the specific resources of a department or
whether each is a general purpose ID which has access to resources
throughout the entire department. Therefore, the information being
requested would require contacting each department that is responsible
for each emergency ID.

When reviewing the access granted to each department, the focus of the
review should be to ensure that one department does not have access to
resources of another department.

Control Point   Ref #: emeraaac   new/1.2
-------------
Adequate controls are in place for the release and revocation of
emergency IDs

Audit Steps
-----------
1) Determine the emergency IDs that have been established and their
   purpose.

   1.1) Ask the security administrator for the names of emergency IDs
        and determine if they have been set up to perform specific
        functions or have access to a broad base of resources in order
        to address all types of emergency situations.

   1.2) Determine the area which uses each emergency ID.

2) Determine whether there is a centralized or decentralized (i.e., by
   individual departments) process for handling the activation of
   emergency IDs.

   Note: No audit steps are provided to review the adequacy of
   controls for the decentralized activation of IDs. Perform the
   remaining steps for the centralized activation of emergency IDs.

3) Determine whether there is an adequate method for activating
   emergency IDs which prevents the use of the emergency ID until it
   is required.

   3.1) Determine the method used for the activation of emergency IDs:
        o Operator unsuspends ID
          Note: The same password would need to be maintained by
          users of the emergency ID.
        o password maintained in envelope which is opened when
          required, which requires the password to be changed each
          time

4) Determine whether there are controls in place to ensure that only
   authorized personnel can request the activation of an emergency ID
   through such methods as follows:
   o manager authorization
   o list of authorized individuals allowed to use each emergency ID

5) Ensure that there is a process in place to ensure that the
   emergency ID cannot be used after the emergency situation has been
   resolved.

   5.1) Determine whether a process is in place to restrict the number
        of hours in which an ID can be used.

   5.2) Ensure that a process is in place to revoke the person's
        access once they have resolved the problem.

F1 - Info Screen Ref #:emeraaac

Background
----------
Emergency IDs are typically used to provide a greater level of control
for access to sensitive resources. Emergency IDs are typically used by
Data Center and application development personnel. However, they also
could be used by general users.

The first decision is to determine whether the control of the
activation of emergency IDs is performed centrally by the data center
or is decentralized to the department level.

The distribution of emergency IDs consists of one of the following
methods:
o the ID is enabled by an independent person who either has knowledge
  of the ID
o the emergency security administrator ID enables an ID
o emergency ID's password is stored in a lockbox which is retrieved
  when it is required to be used

Another method for distributing passwords is to store the password in
its own dataset, whereby read access to the dataset is restricted to
the individuals who are responsible for distributing the password.

Granting routine access to emergency IDs by the users who are required
to use the emergency ID is not provided as an alternative since there
should be a control to prevent its use. However, there may be cases
where the risk related to resources that are restricted through an
emergency access is not warranted.

Audit Step Info
---------------
One of the audit steps reviews the controls to ensure that only
authorized personnel can request the activation of an emergency ID, in
which the user requesting the release of the emergency ID is
authenticated against a list of authorized individuals allowed to use
each emergency ID. However, a compliance test is not indicated to be
performed to ensure that appropriate personnel are on the list based on
job function because in many cases it may be at a department level.
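
Added example (not part of the original audit program): a Python check
that applies audit steps 4 and 5 above to a constructed activation
register and usage log and lists the exceptions an auditor would follow
up. The record layout, field names, finding names, the 8-hour limit and
all sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_HOURS = 8  # assumed installation limit for step 5.1 (not from the page)

# Constructed activation register (hypothetical layout and values).
ACTIVATIONS = [
    {"id": "EMERG01", "requester": "jsmith", "approved_by": "mgr1",
     "activated": "2000-03-01T02:00", "revoked": "2000-03-01T05:30"},
    {"id": "EMERG02", "requester": "tlee", "approved_by": "",
     "activated": "2000-03-02T10:00", "revoked": None},
]
# Constructed list of individuals allowed to use each emergency ID (step 4).
AUTHORIZED = {"EMERG01": {"jsmith", "akhan"}, "EMERG02": {"akhan"}}
# Constructed usage log: (emergency ID, time of logged activity).
EVENTS = [
    ("EMERG01", "2000-03-01T02:15"), ("EMERG01", "2000-03-01T06:10"),
    ("EMERG02", "2000-03-02T11:00"), ("EMERG02", "2000-03-03T09:00"),
    ("EMERG03", "2000-03-04T01:00"),
]

def review(activations, authorized, events, max_hours=MAX_HOURS):
    """Return sorted (emergency ID, finding, detail) exceptions."""
    findings, windows = set(), {}
    for a in activations:
        eid = a["id"]
        start = datetime.fromisoformat(a["activated"])
        limit = start + timedelta(hours=max_hours)
        if a["requester"] not in authorized.get(eid, set()):
            findings.add((eid, "REQUESTER_NOT_ON_LIST", a["requester"]))
        if not a["approved_by"]:
            findings.add((eid, "NO_MANAGER_AUTHORIZATION", a["requester"]))
        if a["revoked"] is None:  # step 5.2: access never revoked
            findings.add((eid, "NEVER_REVOKED", a["activated"]))
            end = limit
        else:
            end = datetime.fromisoformat(a["revoked"])
            if end > limit:  # step 5.1: left open past the hour limit
                findings.add((eid, "OPEN_LONGER_THAN_LIMIT", a["activated"]))
                end = limit
        windows.setdefault(eid, []).append((start, end))
    for eid, when in events:  # step 5: use outside any permitted window
        t = datetime.fromisoformat(when)
        if not any(s <= t <= e for s, e in windows.get(eid, [])):
            findings.add((eid, "USE_OUTSIDE_WINDOW", when))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(ACTIVATIONS, AUTHORIZED, EVENTS):
        print(*finding)
```

Logged activity for an ID with no activation record at all (EMERG03 in
the sample) is reported as use outside a window, which is the case a
review of the register alone would miss.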

Control Point   Ref #: emeraaad   new/1.2
-------------
Sensitive resources that are controlled by emergency IDs are restricted
from other users

Audit Steps
-----------
1) Determine the sensitive resources that the emergency ID is assigned.

   1.1) Obtain a list of the emergency IDs from the security
        administrator.

   1.2) Use the Global Audit Steps to determine the access
        entitlements granted to the emergency ID based on the security
        system used.

   1.3) Based on the access granted to emergency IDs, determine the
        privileges and resources that are considered sensitive.

2) Determine whether other users are granted access to the sensitive
   resources assigned to the emergency ID.

   2.1) For datasets, determine the users that have update access to
        the sensitive datasets to which the emergency ID has access by
        using the Global Audit Steps to determine the users that have
        access to a specific dataset being reviewed.

   2.2) For other general resources, determine the users that have
        access to the sensitive resources to which the emergency ID
        has access by using the Global Audit Steps to determine the
        users that have access to a specific resource being reviewed.

F1 - Info Screen Ref #:emeraaad

Background
----------
There are different approaches used for identifying sensitive resources
to determine whether access is appropriate. Since emergency IDs are
used to restrict access to sensitive resources that are not required to
be accessed by individuals on a routine basis, reviewing them is an
effective method for identifying sensitive resources which should be
restricted from all users.

It should be noted that not all resources that emergency IDs have
access to are sensitive. To perform certain programming and
troubleshooting functions, access to non-sensitive resources would be
required.

Audit Step Info
---------------
Instead of repeatedly providing audit steps for each security system to
determine access entitlements granted to an ID and the IDs which are
granted access to a specific resource, the information is centrally
stored in the Global Audit Steps.

Control Point   Ref #: emeraaaf   maj/1.2
-------------
Activity performed by using the emergency ID is logged, documented and
reviewed by management

Audit Steps
-----------
1) Determine if there is a systematic method to identify when the
   emergency ID was used and the resources that were accessed.

   1.1) Obtain a list of the emergency IDs from the security
        administrator.

   1.2) Determine whether the emergency ID is set up to have all of
        its activity logged.

   1.3) Determine the report process that is used to extract the
        logged events and ensure the report set-up extracts all
        sensitive events.

   1.4) Determine the process that is used to automatically provide
        daily reports to the area responsible for performing the
        review of the emergency ID use to ensure that all activity was
        appropriate.

2) Ensure that there is a process in place to document the reason for
   the use of an emergency ID which describes the problem and steps
   taken for resolution, and which is approved by management.

   2.1) Determine whether there is a process to perform an independent
        review of the usage of all emergency IDs.

   2.2) Determine whether there are standards and procedures which
        specify the requirements of the review process.

   2.3) Select the emergency reports from a sample period and
        determine whether an adequate level of documentation exists to
        support the review process.

F1 - Info Screen Ref #:emeraaaf

Background
----------
The only effective method to identify the sensitive actions performed
by an emergency ID is to log all of the emergency ID's activity.

Logging the individual sensitive resources is not an effective method
for identifying the sensitive activity performed by the emergency ID
because it might not reflect all of the sensitive actions performed by
the emergency ID. In addition, a more sophisticated filtering process
would be required to exclude the logging of authorized processes that
update these sensitive resources.

The review process to ensure that functions performed by the emergency
ID were appropriate should contain the following components:
o An independent review of the activity performed by the person using
  the emergency ID.
o Process to document the event which triggered the need to use the
  emergency ID
o Process to document the actual resources that were required to be
  updated (e.g., records changed, fields changed)
o Process to document the facility used to update the sensitive
  resources (i.e., program used, editor used, utility used)

Although not indicated within the audit steps, the owner of the
resource should be alerted of the problem and they should approve the
steps taken to resolve the problem.

Control Point   Ref #: emeraaag   new/1.2
-------------
All resources that are restricted to emergency IDs are warranted

Audit Steps
-----------
1) Identify the emergency IDs that have been established and their
   purpose.

   1.1) Ask the security administrator for the following information:
        o names of emergency IDs
        o department or area which uses the ID
        o overall use of ID (i.e., determine if it was the intent to
          set up the ID to perform specific functions or have access
          to a broad base of resources in order to address all types
          of emergency situations)

2) Determine whether the resources that are restricted to the
   emergency IDs are warranted based on the risk level of the
   resource.

   2.1) Determine the sensitive resources that the emergency ID is
        assigned. Use the Global Audit Steps to determine the access
        entitlements granted to the emergency ID based on the security
        system used. Based on the access granted to emergency IDs,
        determine the privileges and resources that are considered
        sensitive.

   2.2) Based on the intended use of each emergency ID, the access
        granted and the risk level of the resources, determine whether
        an alternative method should be used for controlling access to
        the resources.

F1 - Info Ref #: emeraaag

Background
----------
Emergency IDs are typically used by Data Center and application
development personnel. However, they also could be used by general
users.

Emergency IDs are used to provide a greater level of control for access
to sensitive resources. Access to specific resources is assigned to
emergency IDs in order to establish a preventive control prior to their
use and a level of accountability for changes that occur to these
sensitive resources.

Some emergency IDs do not require the same level of control in terms of
pre-authorization for their use and the post-review of actions
performed using the emergency ID to ensure that they are appropriate.
For instance, the use of an emergency ID to gain access to the QA
dataset to establish test conditions would not be considered sensitive
enough to require a post-review by management to ensure only the proper
functions were performed.

The need to use emergency IDs should be reserved for resources that are
sensitive, since there are other mechanisms available for providing the
same type of control as emergency IDs, but they do not offer preventive
controls in regards to the use of the ID. The other mechanisms
available include:

o Alternate IDs that are audited

  Users that require access to sensitive resources on a frequent basis
  but do not require pre-authorization prior to accessing the resource
  can be placed in an alternate ID.
  By assigning the user access to sensitive resources through their
  alternate ID, the ID can be audited to log all of its activity, which
  can then be reviewed by management. The user should be instructed to
  only use the alternate ID when access to sensitive resources is
  required and not for their normal job activity. Otherwise, the
  unwarranted logging will be picked up in the management review
  process, which could create voluminous reports and cause a breakdown
  in the overall review process.

o Logged access to Resources

  When sensitive resources can be identified, the access to the
  resource can be logged. However, effective logging can only occur if
  there are no authorized processes that also require access to the
  sensitive resources which will be picked up in the logging. In this
  case, the sensitive resources can only be logged if the authorized
  process can be excluded. ACF2, Top Secret, and RACF do not provide
  the ability to exclude logging. A third party package (Legent-PDSMAN
  or Action Software-Change Action) would be required to perform this
  filtered logging.

  An example of an authorized process which requires access to
  sensitive resources and which should not be included as a logged
  event is the CICS region's or job scheduling system's access to
  production datasets.

If continuous access is required to an emergency ID, then alternative
approaches must be considered to reduce the need to have a review
process to support each time the emergency ID is used. Otherwise, too
much reliance is placed upon the review process, which is a detective
control that could be subject to breakdown. For example, if complete
access to a dataset is required to reorganize a database, the access
could be removed from the individual responsible for this function and
granted to the job scheduling system.

************************************************************************
Copyright 1991 - 2000, Audit Serve, Inc. All rights reserved.
All Audit Programs are copyrighted and may not be posted electronically
or redistributed unless written permission is granted by Audit Serve,
Inc. The Audit Programs may be used for internal use within
organizations. Audit Programs may not be resold.
************************************************************************