different types of
reviews.
A change management audit would review access to the libraries used in the change
migration process.
An application review would focus on whether access to the application's production
resources is adequately secured.
An integrity review of a system software product would focus on whether the
product's system libraries and access privileges are properly restricted.
When performing a compliance test to determine which individuals have access to these
sensitive resources, the auditor must know how to determine who has access to the
resources. Access to a resource may be granted directly to individual users or through
profiles shared by a group of individuals with a common access requirement. Many security
products provide commands that make it easy to determine who has access to a resource.
However, if a profile has access to the resource, the auditor must still go through the
additional step of identifying the individuals who are members of that profile.
When performing these reviews it is assumed that individuals may have been granted
inappropriate access to resources. However, if an organization has performed an analysis
to identify all critical resources and has grouped them so that access is granted based on
an individual's job function, then there is a basis for performing one single audit to
assess whether system resources have been properly secured.
This approach of restricting access to resources based on the individual's job
function is the most critical control requirement. Determining how an organization
designs its security entitlements is the most critical audit that can be performed in the
security area of auditing.
The first set of questions, regardless of the size of the organization, is whether the
data security area for each technical platform has responsibility for the security
design. In some organizations the data security area simply administers the set-up of
security entitlements at the direction of the user and development areas. Where this
approach is used, in most cases there will not be a consistent approach to allocating
security entitlements.
The second set of questions is whether sensitive resources have been identified and
whether they have been grouped in a manner that ensures only appropriate personnel have
access to them.
The third area of questions is how individuals are grouped together in order to access a
specific set of resources. Ideally, the grouping of individuals is based on a common job
function they share.
The final area of questions relates to how the security entitlement approach is validated
and maintained to ensure that the grouping of resources and of individual users remains
proper. If the design is maintained, the validation process is quite simple compared with
that of an organization which assigns resources on an individual basis. Assigning
resources on an individual basis requires close analysis and understanding of every
resource a person is assigned.
The entitlements matrix approach is an effective method of ensuring that sensitive
resources are properly secured. However, if resources are not allocated in compliance
with the security design, the control will be lost very quickly.
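The two audit steps described above, resolving profile membership down to individuals and checking each grant against the entitlements matrix for the holder's job function, as an added example that is not code from the article. All users, profiles, resource names and the matrix are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the article): direct grants, profile grants,
# profile membership, each user's job function, and the entitlements matrix.
DIRECT_GRANTS = {            # user -> resources granted directly to that user
    "alice": {"PAYROLL.MASTER"},
    "dave": {"PROD.LIBS"},
}
PROFILE_GRANTS = {           # profile -> resources granted to the profile
    "PAYROLL_CLERKS": {"PAYROLL.MASTER", "PAYROLL.HIST"},
    "CHANGE_MIGRATORS": {"PROD.LIBS", "MIGRATION.LIBS"},
}
PROFILE_MEMBERS = {          # profile -> users sharing that common access requirement
    "PAYROLL_CLERKS": {"bob", "carol"},
    "CHANGE_MIGRATORS": {"erin"},
}
JOB_FUNCTION = {             # user -> job function (constructed HR data)
    "alice": "auditor", "bob": "payroll_clerk", "carol": "payroll_clerk",
    "dave": "developer", "erin": "change_migrator",
}
ENTITLEMENTS_MATRIX = {      # job function -> resources the security design permits
    "payroll_clerk": {"PAYROLL.MASTER", "PAYROLL.HIST"},
    "change_migrator": {"PROD.LIBS", "MIGRATION.LIBS"},
    "developer": set(),
    "auditor": set(),
}

def effective_access(direct, profile_grants, members):
    """Resolve each resource to the individuals who can reach it, and how."""
    access = defaultdict(set)   # resource -> {(user, "direct" | profile name)}
    for user, resources in direct.items():
        for r in resources:
            access[r].add((user, "direct"))
    for profile, resources in profile_grants.items():
        # A grant to a profile is only meaningful once its members are known.
        for user in members.get(profile, set()):
            for r in resources:
                access[r].add((user, profile))
    return access

def exceptions(access, job_function, matrix):
    """List grants the matrix does not permit for the holder's job function."""
    findings = []
    for resource, holders in sorted(access.items()):
        for user, via in sorted(holders):
            if resource not in matrix.get(job_function.get(user, ""), set()):
                findings.append((user, resource, via))
    return findings

if __name__ == "__main__":
    acc = effective_access(DIRECT_GRANTS, PROFILE_GRANTS, PROFILE_MEMBERS)
    for user, resource, via in exceptions(acc, JOB_FUNCTION, ENTITLEMENTS_MATRIX):
        print(f"EXCEPTION: {user} -> {resource} via {via}")
```

With the sample data the two direct grants outside the matrix (alice and dave) are reported, while the profile-based grants match the design and produce no findings.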
Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.
This article appeared in a past issue of the Audit Vision E-Mail Newsletter.